Date: Sun, 03 Apr 94 10:40:41 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@uwm.edu Subject: Computer Privacy Digest V4#048 Computer Privacy Digest Sun, 03 Apr 94 Volume 4 : Issue: 048 Today's Topics: Moderator: Leonard P. Levine Re: Anonymous Phoning Re: Anonymous Phoning Re: Anonymous phoning Re: Anonymous Phoning Australian Gov't Regulation of BBSs Telemarketing Re: Clipper Chip How does lack of Clipper change the "status quo"? Re: Clipper Chip Activist list subpoenaed Protecting Privacy What is legal? The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. Back issues are available via anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The archives are in the directory "pub/comp-privacy". Archives are also held at ftp.pica.army.mil [129.139.160.133]. ---------------------------------------------------------------------- From: alexandr@fconvx.ncifcrf.gov (Jerry N. Alexandratos) Date: 31 Mar 94 10:10:48 -0500 Subject: Re: Anonymous Phoning Organization: Frederick Cancer Research and Development Center Leonard: Italy has the telephone card system which you discussed. Ten thousand Lira instead of ten dollars; the cards are read by a magnetic strip reader only in certain telephones; and are sold in tobacco shops. Otherwise, they're exactly what you described, and work very well for Italy and Italians. There is absolutely no reason why this will not work anywhere else. Ours could be based on the current calling card protocols with *no* changes to hardware. Americans are just getting used to credit and no privacy, that's all. ------------------------------ From: Bruce Taylor Date: 31 Mar 1994 13:49:21 -0500 (EST) Subject: Re: Anonymous Phoning Prof. L. P. Levine (levine@blatz.cs.uwm.edu) wrote: There is even more. If the caller enters a *67 before dialing, then the card vendor could keep no link between the incoming callerid and the outgoing number. You then can call this 800 number from a residence, and since the call is made out of the card owners pool number, there is no sure trace possible of which incoming call was connected to which outgoing call. If no data is kept, no subpeonaed... Unfortunately, *67 has no effect on whether the caller's number is delivered to the 800 service. The caller's number is *always* delivered to the 800 service account holder, either by paper or by more realtime means. One other point -- The carrier will also have copies of the ANI data from a particular 800 account. While there are certainly safguards of various sorts in place to prevent random riffling thru the records, I would feel much safer with the payphone method (call it "one call in a million" security). [Moderator: There were several other people who pointed out my error:] brumba@maize.rtsg.mot.com (Alan J. Brumbaugh) added: This has been discussed several times in the comp.dcom.telecom group. Many people seem unaware that an 800 number provides no privacy, and there are no guarantees of what the recipient of your number will do. roy@sendai.cybrspc.mn.org (Roy M. Silvernail) added: Much more risky, actually. I'm afraid you have confused Calling Number ID with Automatic Number Identification. CNID is a residential/business option that can be blocked and typically only operates within an exchange. ANI is the delivery of the originating number as billing information. It's available on 800 lines (in real time, if the purchaser wants it that fast), and it's _not_ blockable. The 800 provider number will always know the originating phone number, regardless of the *67 code being used. ------------------------------ From: Sharon Shea Date: 31 Mar 1994 17:48:32 -0500 (EST) Subject: Re: Anonymous phoning I can't agree that anonymous phone calling is a privacy right. While we all agree that we want the right to privacy, we have to recognize where that is - and is not - appropriate. You (should) have the right to do your private thing in your own home, or say, with your own stuff. However, when making a phone call, you have engaged another person in the space that you are defining as a private area. If we're taking about your _home_, we can get into all the usual privacy issues. But what about you entering mine? Do the same rights follow you in my door, so to speak? It's pretty standard expectation that if you want entrance to another's territory, you'd better be prepared to present ID. I think this concept extends to getting me on the phone. If you want to engage My space, you have to concede that I have some rights as well. Otherwise, what you are asking for is privacy in your territory - and your privacy in mine. Phone calling is obviously and act that requires more than one person. Both people's rights have to be respected. ------------------------------ From: roedder@netcom.com (Spencer Roedder) Date: 1 Apr 1994 00:17:10 GMT Subject: Re: Anonymous Phoning Organization: NETCOM On-line Communication Services (408 241-9760 guest) Prof. L. P. Levine (levine@blatz.cs.uwm.edu) wrote: One of the issues that is often addressed in privacy groups is that of anonymous phone calls. Making calls from residences is now far from private what with the presence of callerid capabilities. I have always been a staunch advocate of privacy, but I find I come down on the opposite side from a lot of people, who bemoan the lack of privacy brought about by CallerID. They are concerned about the caller's privacy; I find more to be concerned about in the callee's privacy. As I see it, the ability to make an anonymous phone call is a historical anomaly which has only been with us for the last century. Before that time, if you wanted to talk to someone you came to their door or confronted them in public; the only alternative was the much-maligned anonymous letter. I see CallerID as simply restoring the historic status quo: the _right_ of a person "called to the door" of his own home to know who is on the other side of the door. I acknowledge two specific situations where the current assumption of anonymity seems to serve society better. The most important one is the need for people in certain rare situations, such as a battered women's shelter, to make phone calls without identifying where they are. Such organizations should be able to block CallerID. The other is the concern that commercial establishments might use CallerID to collect the IDs of people who contact them. This could be handled in several ways: (1) Make a law against it (though who wants yet another law). (2) Create a culture where it's just not the "right" thing to do, by having people object strenuously to any actual _use_ of such a list. (3) Minimize the value of such lists by making it illegal to sell them. (4) Allow per-call blocking so that when I call an organization that I _really_ don't want keeping track of me, I can explicitly block it. The one "fix" I don't think is right is the complete "per-line" block of CallerID that has been made a condition for institution of CallerID in some areas. To me, this tilts the scale too far toward the privacy of the anonymous caller, which I previously pointed out is a historical fluke. ------------------------------ From: "Prof. L. P. Levine" Date: 31 Mar 1994 09:54:02 -0600 (CST) Subject: Australian Gov't Regulation of BBSs Organization: University of Wisconsin-Milwaukee Copied from CUD the Computer underground Digest Wed Mar 30, 1994 (6:28). The privacy implications of this sort of this are obvious. Date: 29 Mar 1994 14:35:32 +1000 (EST) From: Mr Rhys Weatherley Subject: File 3--Gov't Regulation of BBSes in Australia Well, it's finally on. The Australian government has announced a task force that is to develop options for regulating BBS'es here in Oz. Attached is the call for submissions which was posted to the aus.* newsgroups by Tom Worthington of the Australian Computer Society (ACS). Tom has given me permission to re-post it here. Comments can be posted to CuD, or sent to Roger Clarke who is preparing the ACS's submission, or sent to me for my submission. Roger's e-mail address is roger.clarke@anu.edu.au and mine is rhys@fit.qut.edu.au. As odious as the prospect of BBS regulations are, there's not much that can be done except ensure that the regulations address the concerns of the net population rather than being railroaded through. I for one am adamant that any regulations have built-in protections for the network community alongside any control measures. Maybe we can get the much-needed "common carrier" like protections if it is worded carefully in the submissions. I must say that I'm not surprised at this move by the government, given the recent stories with the usual bogey-men of "computer porn" and "information about making bombs" that the traditional media have been reporting. Computer games were recently placed under the Australian censorship scheme, and BBS'es were the next down the list. *sigh* Any assistance would be greatly appreciated. Any ideas, no matter how radical are welcome: I'll take care of toning them down from the setting of "foaming-at-the-mouth lunatic" to just plain "lunatic". :-) Once I have a draft, I'll be sure to post it to CuD for comments before hitting the Australian government with it. The deadline for submissions is 29 April 1994. Cheers, Rhys. From: tomw@ccadfa.cc.adfa.oz.au (Tom Worthington) Subject--Regulation of computer bulletin boards call for submissions Summary: Australian Attorney-General investigating BBS regulations Organization: Australian Defence Force Academy, Canberra, Australia Date: 21 Mar 1994 03:26:45 GMT ATTORNEY-GENERAL'S DEPARTMENT Call for submissions on the regulation of computer bulletin boards The Attorney-General and the Minister for Communications and the Arts have established a joint Task Force to develop options for the regulation of computer bulletin hoards. SUBMISSIONS The Task Force invites submissions from members of the public on options for the regulation of computer bulletin board systems. Submissions may include comments on the feasibility of a Code of Practice governing the use of bulletin board systems. TERMS OF REFERENCE The Task Force is to consider alternatives for developing a regulatory system that would: * allow bulletin board users, parents and guardians to make informed entertainment choices for themselves and those in their care: and * provide adequate protection to children from material that mi~ht be considered harmful or disturbing. The Task Force is also to assess whether: * existing Commonwealth offences covering the misuse of computers and telecommunications services are adequate to deal with bulletin board abuse; * import/export restrictions are capable of controlling the international trafficking and subsequent copying and distribution of otherwise banned material; * State and Territory laws such as those dealing with the misuse of computers and possession of child pornography are adequate to deal with bulletin boards; * current law enforcement powers are adequate to deal with the new technology; and * specific offences should be enacted for the use of bulletin boards for unlawful purposes. For further information contact the Criminal Law Branch on (06) 250 6459. Submissions can he sent to: Bulletin Boards Taskforce Criminal Law Branch Attorney-General's Department Robert Garran Offices BARTON ACT 2600 Or via The Internet address: bbs.taskforce@ag.ausgovag.telememo.au Or via the X.400 address: G=BBS,S=Taskforce,O=AG,PRMD=AUSGOVAG,ADMD=TELEMEMO,C=AU Closing date: The closing date for submissions is Friday 29 April 1994 ------------------- Posted by Tom Worthington , Director of the Community Affairs Board, Australian Computer Society Inc. Fax: +61 6 2496419, as a public service. Please address enquiries and submissions to the Taskforce's e-mail address 21 March 1994 ------------------------------ From: rccall@babel.ho.att.com (Chris Call 908-946-1133) Date: 31 Mar 1994 19:45:36 GMT Subject: Telemarketing Organization: AT&T I once saw an article (I believe in this newsgroup) about laws governing the behavior of telemarketers; in particular, there was a discussion of a law that requires telemarketers to supply their company name and address, and to remove people from their mailing list if they have called those people twice and the people ask to be "de-listed." Can anyone post a reference to the law, or quote the law for me? ------------------------------ From: sutter@verisoft.com (Paul Sutter) Date: 31 Mar 1994 14:38:48 +1700 Subject: Re: Clipper Chip Much of the controversy over the Clipper Chip misses the real privacy issue. The real concern is that the government might attempt to BAN OTHER FORMS OF ENCRYPTION! Clipper by itself is not a privacy problem as compared to unencrypted communication. Clipper itself causes NO LOSS IN PRIVACY. Point-to-point encryption is virtually useless anyway on the internet, or on any future national infobahn. Clipper is simply stupid, not frightening. If Clipper were required in every modem, every communications device, etc... the only problems are the additional expense to pay for that extra hardware, the likely situation that clipper technlogy will trail other developments and hinder the pace of progress in communications equipment, and of course the administrative nightmare of tracking all those keys. Will I have to register the serial number of every modem I buy with the government? The paperwork is the nightmare. Especially for something as irrelevent as Clipper. The horror would be if the government tries to prevent the use of other forms of encryption. Since only end-to-end encryption can be useful, especially during authentication, and since this MUST BE IMPLEMENTED IN SOFTWARE, Clipper cannot be an actual and useful encryption solution. We just need to be sure the government, in its grand ignorance, doesn't prevent us from implementing useful encryption. Paul Sutter Verisoft ------------------------------ From: hoffman@xenon.stanford.edu (David Hoffman) Date: 31 Mar 1994 23:52:17 GMT Subject: How does lack of Clipper change the "status quo"? Organization: Computer Science Department, Stanford University. Last night I was at the Clipper debate at the Law school, and the assistant U.S. attorney's arguments seemed to revolve around the claim that the digital telephony bill and its buddy the Clipper chip don't provide the government with any new wiretapping capability - it simply allows them to keep their current ability to conduct legal wiretaps. Maybe I was asleep when he explained this, but I don't understand how failing to institute this bill would affect the status quo. Since he repeatedly agreed that additional user-provided layers of strong encryption would make federal wiretaps useless, how does a government-encrypted government-tappable network differ from what we have now? Assuming strong crypto for telephones etc. will come commercially whether the digital telephony bill is passed or not, just what ability is the bill supposed to prevent the FBI from losing? I guess my bewilderment revolves around the government's claim that non-Clipper cryptography will not be made illegal. And you know the Feds wouldn't lie to you. ------------------------------ From: bernie@fantasyfarm.com (Bernie Cosell) Date: 1 Apr 1994 04:40:26 GMT Subject: Re: Clipper Chip Organization: Fantasy Farm, Pearisburg, VA Sixto Armando Roman writes: -Technology enables people to do things that they could not do before. For example, the airplane allowed people to travel all throughout the world. Well, encryption also enables people to do something new. Thanks to encryption, people are better able to protect their confidential information on computer hard disks ... This is mostly incorrect. The current opinion [based on the Federal Rules of Evidence] is that if you are subpoenaed you will have to turn over a *decrypted* version of the file [or go to jail for contempt, of course]. I think it is more than a little hard to make a case [but some of the more wild-eyed fanatics try] for how laudable it is to be able to frustrate subpoenas. -Now imagine a world in which the government places a camera inside of each room in every home, in every auto, in every restaurant, in every airplane, in every bathroom, in short-EVERYWHERE! The government installs these to watch criminal activity. Why would one want to imagine such an outrageous thing? That is almost at the same level of crazy-fantasy as the "CHIPS worse that CLipper" tempest in a teapot. However, the government kindly establishes rules that prevent any law-and-order government agent from turning on any camera indiscriminately. In order to observe people's activities, police officers and federal investigators must obtain warrants and access to the central control rooms for these cameras. Look, this kind of wild paranoia-mongering is really very off the mark. There is *much* to criticize about Clipper, but this is _not_ one of the issues. Clipper doesn't open *ANY* avenue to observation by LEOs with warrants that is not open _now_. This whole 'camera' analogy is basically a load of hogwash. -People will also feel uncomfortable communicating with others and saving their records on disk if the government indeed establishes a "clipper chip" in every encryption device used to prevent others from seeing private information. People will be afraid to save their tax information on disk for fear that someone will just be able to break into it without any serious trouble. Guess what: their tax information is almost certainly NOT now beyond subpoena. The only real arena that clipper directly affects is on-the-air digital communications [be it voice or fax]. And the real issue THERE is nothing at all like the quesiton of a 'camera in every john'. If you voice any objection to anything intrusive that the government does to protect the public, such individuals would say, "What have you got to hide?" Well, this is a double edged argument: first is clipper isn't really an 'intrusion' --- if/when you understand what is going on here, you'll realize taht it is a _preemption_. Which is a very different [and more subtle] matter. Second, we've batted that around before. Back a long time ago [before Prof Levine took over the newsgroup] we debated precisely that point. It is remarkable how _difficult_ it is to make an argument in favor of privacy. especially since [if you actually do some looking into it] you'll see that it is done by _coercion_ rather than by _command_. Folks will be constantly presented [**JUST** as they are now!!] with a tradeoff of money/convenience/availability/functionaligy/whatever for some bit of privacy. And the record is completely clear: left to their own devices, folks unquestionably opt for the short-term-reward and the sacrifice of privacy. [for example, you might ask yourself why a secure-cordless-phone isn't a standard commodity? No problem with standards and compatibility, since the only thing that matters is that your handset and base cooperate. And there are _some_ available [although none that are as secure as the real crypto-crazies would prefer], but the fact is that overwhelmingly folks don't care: so what if their neighbor can overhear their cordless phone, what matters is that it was on sale at K-mart]. The point is that the discussion is MUCH more subtle than the rather shallow "what have you got to hide". What you'll have to deal with is "What have you got to hide that is worth $5/wk on your food bill" or "what have you got to hide that is worth paying an extra $100 for your next cellular phone? or "what have you got to hide that is worth having to carry piles of cash around with you so you don't have to mess with credit cards and checks" or .... In reality Clipper is just mre of the same. MUCH more heavyhanded than most, but still just the same-old tradeoff: you'll have the choice "send it in the clear", "get a cheap and easily available clipperphone" or "go to some bother [and expense] to get some fancy-phone which you may or may not be able to call your mother on]. When the drug-testing debate was raging in the late 1980s, supporters of these tests simply said, "What have you got to hide? If you haven't done anything wrong, then you shouldn't worry about a simple drug test. All that these tests are designed to do is protect the public from hallucinating truck drivers, train operators, etc." -At face value, this argument is strong; however, drug tests are unquestionably intrusive. But once again, you manage to completely miss the point. there are *NO* mandatory drug tests for civilians at the moment. The only folk who are subject to drug testing are folk who: 1) practice a profession that is regulated by the Feds, or 2) whose employer chooses to impose such a test as a condition of employment. Private employers are free NOT to drug test their employees [and even the drug-free-workplace act does not require testing... it just bluffs employers into doing so, but if you consult the "great usenet piss test list" you'll see that there are _plenty_ of places to work that have not knuckled under. Again, by truly exaggerating the case and really stomping roughshod on the real issues, you make for a _very_ difficult discussion. -How can the "What have you got to hide?" argument be more effectively fought against with regard to the "clipper chip"? After all, the "clipper chip" sounds like a simple wiretap. And the government seems to be taking precautionary steps similar to those required for conducting wiretaps that often only require placing alligator clips on a phone line in order to intercept phone conversations. Actually, you're misinformed AGAIN. Clipper isn't taking "precautionary steps similar" --- the administrative stuff people wrangle about all comes *AFTER* the requirements for a wiretap are met. So Clipper's red tape is *on*top* of those precautions. There is nothing in Clipper to change the wiretap laws or make a Clippered-wiretap anything other than a wiretap. Certain segments of the government abused wiretapping through this gigantic hole in privacy protection on telephone lines. However, the courts and lawmakers eventually straightened things out enough that the average phone user does not need to worry about being indiscriminately monitored. Hee hee. Folks who work with LEOs seem to think that there's a lot more illegal wiretapping than you do. But regardless: Clipper will *only*make* *it*harder*. Any protection or mechanism _in_place_now_ will still be in place, and if it is an effective disincentive now it will, presumably, continue to be one. Clipper will make it *harder* for Sheriff Opie to decide that you're a pain in the ass and just cliplead in and see if you're up to anything nasty; perhaps not _impossible_, but unquestionably _harder_ than it is now. I hesitate to say that in your enthusiasm, I think you've managed the nontrivial task of managing not to hit a _single_ substantive clipper issue. You certainly got all the 20pt-headline ones, but those are, and have always been, mostly off the mark. Those are SOP stuff on the more hysteria-prone forums, but I'd hope that here we would focus more on the _real_ issues and leave the grandstanding to the grandstanders. There is MUCH to be discussed in and about clipper [the nature of privacy and its general worth to the average person is a nontrivial component of it!], and I'd just as soon we tried focusing on some of those issues. [sample: it should be obvious that folks largely don't care. They use credit cards, they order stuff over the phone, they DONT particular express any market pressure for a secure cordless phone, computer encryption stuff is mostly the realm of businessfolk and paranoids, but hardly mainstream [would your sister-in-law encrypt her recipe data base?]. This drum-thumping about privacy seems certain to fall on deaf ears when folks _voluntarily_ care so little about their own privacy? How can you convince people that going to some bother and expense for "security" is worth it? Will just defeating Clipper [especially with a tidal wave of misleading and largely incorrect propaganda] serve that purpose? I'd say not [and worse, the general-populace will really have not learned anything at all. If anything, this kind of stuff will lead them to believe that they *have* privacy _now_, which is of course a joke. Same with Lotus Marketplace: the politically correct thumped the drum, circulated petitions, organized marches, got on the evening news. Totally obfuscated the real issues, just as here, and the result: the crowed that they won the battle [when Lotus withdrew it] but the fact is that they completely lost the war, since that info was trivially available before, during and after the brouhaha. Ostrich activism at its finest. And just as here with Clipper, I argued that they were missing the point: they *MISSED* the chance to _educate_ the people. To realize that Lotus Marketplace was the _messenger_ not the message, and they should have tried to use the public outcry to _really_ address the issues... but just it seems is the case with Clipper, they were more interested in their agendas than they were in actually making a _change_ for the better. It is not too late to strike for _substance_ rather than _form_ in the Clipper debate. ------------------------------ From: bruce@jise.isl.melco.co.jp (Bruce Hahne) Date: 31 Mar 1994 22:46:55 -0600 Subject: Activist list subpoenaed Organization: UTexas Mail-to-News Gateway (Forwarded from the THESEGROUPS mailing list) From: Steve Barber Subject: Activist list subpoenaed Date: 31 Mar 1994 23:11:12 -0500 (EST) The following from today's Edupage: SMOKING OUT THE OPPOSITION Lawyers for the American Tobacco Co. were granted a subpoena for the membership list of a computer network used by anti-smoking groups. The move to acquire SCARCNet's (Smoking Control Advocacy Resource Network) records is believed to be the first legal action of this kind. The subpoena also demands the names of those funding the network and copies of all posted strategy sessions. Attorneys for the Advocacy Institute have filed papers seeking to deny the subpoena on First Amendment grounds. (Wall Street Journal 3/30/94 B1) I don't know about you folks, but I thought subpoenas of this type were outlawed 50 years ago when the Supreme Court found that a subpoena for an NAACP membership list was an improper government intrusion upon the freedom of association. [Moderator: Reading the original article it is clear that the subpoena was issued, but this only means that the information was requested. There are legal steps yet to be taken.] ------------------------------ From: ahooper@eniac.seas.upenn.edu (hoop) Date: 1 Apr 1994 20:44:43 GMT Subject: Protecting Privacy Organization: University of Pennsylvania How worried are you about whether or not your privacy has been compromised? Do you use luggage tags without lids/covers? Do you throw away your name and address on pieces of mail? Do you use mail order? Do you think about how someone could track your life through your phone calls, credit card uses and/or other kinds of similar electronically-recorded "convenience" items? Basically, to what extent do you protect your own privacy? Please email your responses to ahooper@eniac.seas.upenn.edu Andy Hooper---------------University of Pennsylvania--------------- ahooper@eniac.seas.upenn.edu---------------------_--_ -_- .__o - http://www.seas.upenn.edu/~ahooper/hoop.html---_- - _ _-\_<, - "How can I miss you if you won't go away."_______-_-____(*)/'(*)__- ------------------------------ From: "John P. Quinn" Date: 1 Apr 94 16:47:34 -0500 Subject: What is legal? Organization: QCADD I have a few things happening to me that I feel are a bit strange but I'm not quite sure if it's classified illegal or not. Perhaps some of you out here can answer some of my questions. I'm going to itemize the things that have happened in the recent past, they are: 1. Bugging my office. 2. Monitoring my office phone, who I called and who called me. 3. Going through the entire contents of my office, files and everything, in the evening on a regular basis. 4. Finding my all passwords to the company computer system (I'm a MIS Director) and then using them to get in and snoop around. 5. Opening all my mail and perhaps not being given some of it. 6. Going through the beeper records and calling numbers they don't recognize and asking who they are and how do they know me. These are most of the things that have been occurring that I aware of. Please bare in mind that when answering to these outrages, that I have nothing to hide. I know that you don't know that for sure, but for arguments sake. Also take at face value that I'm not conducting illegal business's or giving away secret information or anything of the nature. Just for your information, All the items that have occurred have happened behind my back, and I hav'nt said anything to them about it, and they hav'nt said anything to me. I feel that these items are crossing the line of was is legal. What do you think? Also, why do you think a place of employment would practice such a thing on someone that is just doing a normal good job and has nothing to hide, hell they would have found it with the way they have robbed me of my personal privacy. I think that this would piss anyone off to no end no matter who they are and what they do, I just want to know if it's legal or not and what can I do about it. Thanks in advance... **************************************************************************** John P. Quinn !!! MIS Director !!! XXXXX XXXXXXXXXXX XXXX !!! ---------------------------------------------------------------------------- Internet Email Address: p00737@psilink.com **************************************************************************** ------------------------------ End of Computer Privacy Digest V4 #048 ****************************** .