Date: Sun, 24 Apr 94 08:20:40 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@uwm.edu Subject: Computer Privacy Digest V4#057 Computer Privacy Digest Sun, 24 Apr 94 Volume 4 : Issue: 057 Today's Topics: Moderator: Leonard P. Levine HR 1900 Solicitation via the Internet Helpful Police face Lawsuit Re: Long Distance Companies Re: Long Distance Companies Lord Have Mercy On Us All :-( Re: Lord Have Mercy On Us All :-( Re: Lord Have Mercy On Us All :-( The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. Back issues are available via anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The archives are in the directory "pub/comp-privacy". Archives are also held at ftp.pica.army.mil [129.139.160.133]. ---------------------------------------------------------------------- From: jonescpp@aol.com Date: 22 Apr 94 12:30:39 EDT Subject: HR 1900 Professor Levine, Attached is the article which was published in the March issue of Security Concepts. I hope it is helpful to you and others in the newsgroup. H.R. 1900, A Bill To Prevent Abuses of Electronic Monitoring In The Work Place Privacy vs. Security by Patrick Jones, CPP copyright 1994 Permission given to reproduce and/or publish article. Entire article must be printed. If article is published, please send copy to: Patrick Jones, CPP 1807 S. Washington Suite 106 Naperville, Illinois 60565 Scenario #1 An airplane crashes. There was no communication with the aircraft or crew prior to the crash. The investigation of the crash will be severely hampered because there is no "Black Box". House Resolution 1900, if passed, will require each crew member to be notified in writing as to electronic monitoring of their performance. This will include the type of monitoring device used, the data to be collected and the hour and day of the week of the monitoring. Scenario #2 A company doing very sensitive research and development of electronics parts is missing valuable information. The information was taken between Saturday morning 9:00 a.m. and Sunday afternoon 3:00 p.m. There is no way to determine who entered the research labs. The access control system does not record this information. House Resolution 1900, if passed, will severely limit the use of the audit control function on the access control system. Scenario #3 A large sum of money is discovered to be missing from a financial institution. Money was transferred by means of a computer to a foreign account. House Resolution 1900, if passed, could limit the use of software that would record these transactions and identify the offender. Why was not an appropriate electronic safeguard in place to either prevent or apprehend the perpetrator? If H.R. 1900 reintroduced by Representative Pat Williams (D-MT), is successfully adopted, these safeguards will be extremely difficult to use to protect lives, property and prevent loss. The bill does not prohibit most uses of CCTV, Access Control Systems, or other electronic security measures. It does, however require a complicated and detailed notification process, adding costs and placing restrictions on already burdened security. Record keeping alone, in a very large company may even require the addition of a new department. Surgical procedures recorded by CCTV for training and research may no longer be used because of the extensive notification and record keeping required by H.R. 1900. The information recorded could be used to evaluate an employee's performance. Access control systems that provide identification of entry and exit times and dates would also be included because they provide data by which an employee's performance could be judged. Computer software identifying an individual and his log on and log off time and date would be unusable for the same reasons. This bill appears to define electronic monitoring to include: audit control software in access control systems, guard watch clocks, CCTV and alarm systems that provide opening and closing information by individual. In a very broad interpretation, employee time clocks would be included as an electronic monitoring item and would require notification and the keeping of records. Only 100% mechanical time clocks would be excluded. The litany of electronic security system devices goes on and on. The intent of H.R. 1900, "A Bill To Prevent Potential Abuses of Electronic Monitoring in the Workplace," is to limit the use of electronic monitoring devices in the workplace, used to evaluate an employee's performance. Regardless of its intent, the Bill, in its present form eliminates or greatly restricts the use of a wide variety of electronic monitoring devices currently in use today. It is important to understand several definitions as they relate to the bill. The legislation defines electronic monitoring as "the collection, storage, analysis, and reporting of any information concerning an employee's activities by means of a computer, electronic observation and supervision, remote telephone surveillance, telephone call accounting, or other form of visual, auditory, or computer based surveillance conducted by any transfer of signs, signals, writing, images, sounds, data or intelligence of any nature transmitted in whole or in part by a wire,radio, electromagnetic, photo-electronic, or photo optical system." Personal data is defined in the bill as "any information concerning an employee which, because of name, identifying number, mark, or description, can be readily associated with a particular individual, and such terms include information contained in printouts, forms, or written analyses or evaluations." Some requirements of the act are: Employers who engage in electronic monitoring shall post and maintain such notice in conspicuous places on his premises where notices to employees are customarily posted. Employers shall provide notification to each employee who will be electronically monitored, prior written notice describing: The forms of electronic monitoring to be used, the personal data to be collected, the use made of personal data collected, interpretation of personal data collected, existing production standards, interpretation of statistics and other records collected through electronic monitoring, and methods used for determining production standards. [ Section 3 (a)] If the public may be monitored, they also must be given notice. [Section 4 (e)] There are exceptions to notification. If an employer has a "reasonable suspicion" that an employee is engaged a criminal act or gross civil misconduct, the employer must execute a statement stating the circumstances of the suspicion, an identification of the specific economic loss or injury to the business, and shall maintain the statement for a three year period, or until judgment is rendered in an action brought by the employee. Random or periodic monitoring may not be conducted on an employee with a cumulative employment period of at least five years [Section 5 (2)]. Restrictions vary as to time of employment. The bills require notification in writing: when, where, how, and why you are monitoring or may monitor an employee's activities. This may be interpreted in the courts as prohibiting monitoring. A great number of industries will be affected if this law is passed as written: Airports, Department of Defense facilities, government facilities, warehouse operations, jails, banks, retail establishments, nuclear facilities, brokers and hospitals. If you suspect an employee of theft, and wish to monitor that employee's computer transactions or use CCTV to monitor his actions, you must inform him in writing in advance of any such surveillance. There is also a provision prohibiting the waiving of any rights granted in the bill as a condition of employment. The courts have ordered businesses, in judicial decisions, to provide a safe environment to work and conduct business. In many cases, the courts have indicated in their findings that there was not enough CCTV, electronic security systems, or that accountable access control systems were inadequate. Electronic surveillance is a necessary and cost effective tool to protect assets and personnel. It is used to prevent theft, keeping companies solvent, protecting jobs - for the honest hardworking employee. It is also used to promote and monitor safety procedures, protecting the physical well being of employees. An employee's rights should be protected. There are a number of existing laws that provide for this protection. An employee may sue civilly for damages both compensatory and punitive, in a court of law if he feels he was unjustly treated. If unjustly fired, the court may order reinstatement of his former position with back pay. Unions also act as mediators when a grievance is made known. This bill, may have good intentions but the effect of this law with it its current language, handcuffs the protection of assets, the safety and well being of employees and customers, and severely hamper the apprehension of law breakers. Copies of the House Bill can be obtained by contacting the Capital switchboard at (202) 225-3456. Legislative status of Bills can be obtained by calling (202) 225-1772. Copyright 1994 Patrick Jones, CPP E-MAIL jonescpp@aol.com Patrick Jones, CPP is a Security Consultant with the Jones Consulting Group, Inc., Naperville, Illinois (708) 983-6877 ------------------------------ From: dwn@dwn.ccd.bnl.gov (Dave Niebuhr) Date: 22 Apr 94 15:38:42 EDT Subject: Solicitation via the Internet I received a missive from that follow who is soliciting readers to obtain a copy of his book (I wish I would have kept the note). It was *exactly* verbatim of what he posted to this group. Below is my response to him. "Thank you for the information but I look quite unfavorably on people who swipe my name/address off of Usenet distribution lists and then use it for other means." By "other means" is a direct solicitation. Dave Niebuhr Internet: dwn@dwn.ccd.bnl.gov (preferred) niebuhr@bnl.gov / Bitnet: niebuhr@bnl Senior Technical Specialist, Scientific Computing Facility Brookhaven National Laboratory Upton, NY 11973 1+(516) 282-3093 FAX 1+(516) 282-7688 ------------------------------ From: "Prof. L. P. Levine" Date: 24 Apr 1994 08:00:59 -0500 (CDT) Subject: Helpful Police face Lawsuit Organization: University of Wisconsin-Milwaukee The San Francisco Examiner recently published a story entitled: San Francisco Police Department facing suit by Stalking Victim Edward Khoury was upset and needed help, so he called the San Francisco police. He got exactly what he needed from the Police Department. Trouble is, the police helped Khoury commit a felony: stalking an ex-girlfriend who had fled the Bay Area to avoid him. At Khoury's request, a police officer ran an illegal computer check on the license plate of a car owned by a man dating Khoury's former girlfriend. Once he learned the owner's address, Khoury went there -- in violation of a court order -- and allegedly threatened to kill them both if they continued their relationship. Khoury's five-year pursuit and harassment of his ex-girlfriend eventually landed him in jail. He is serving a one-year sentence after pleading no contest to felony stalking charges in San Bernardino County and faces similar charges in Riverside County. In San Francisco, meanwhile, police are facing a lawsuit in which his former girlfriend accuses the department of adding to her trauma by allowing its computers to be used to help Khoury find her and her friends. It also accuses the department of failing to stop leaking information to Khoury, although Corona police say they tipped San Francisco to the leaks more than a year ago. The data leaks are illegal, and are the subject of an internal police investigation. Police Chief Tony Ribera said Monday that he planned to institute a password system within the next 60 days that would limit access to database information and make it easier to trace each user's computer footprints. Police have become more careful recently watching for such abuses, but Khoury's case stands out because he was able to manipulate police, courts, credit agencies and phone companies, as well as many unwitting individuals, into helping him obtain information on every aspect of his ex girlfriend's life -- and keep her living in fear. "This guy is very slick," said Corona Detective Ron Anderson, who has spent nearly two years investigating Khoury. "He was able to find out all sorts of secure, unlisted numbers -- the phone company doesn't even know how. He used other people's phone card numbers and phones to call her. He had other people spread rumors about her. He would conceal his identity and find out all her secrets." The two people had had a romantic relationship which terminated finally when the girlfriend filed the first of what was to become hundreds of reports with Corona police in September 1991. Initially, she did not want to file criminal charges against Khoury, said Detective Anderson -- she just wanted to be left alone. But from then until his arrest last November, Khoury made life miserable for her. And he did it with the help of at least one person within the San Francisco Police Department who helped Khoury obtain addresses from a statewide Department of Motor Vehicles database only legally accessible by law enforcement officials. While all California police officers have access to DMV records via computers, it is illegal to access those records for nonpolice business or to provide confidential information to the public. Because the department's computers lack a personalized password system, investigators do not know who made the DMV inquiries, only the dates they were made and the locations they were made from. The 10 searches were conducted from four different police stations. "It could have been a single officer on six different occasions or six officers on six different occasions," Ribera said. "It could have been a civilian employee. We just don't know. It appears that Mr. Khoury had a friendly relationship with a number of officers." Digested by L. P. Levine, all typos are mine. ------------------------------ From: swd_lrr@afds.cca.rockwell.com () Date: 22 Apr 94 15:26:07 GMT Subject: Re: Long Distance Companies Organization: Rockwell International Rob Goldberg writes: I recently ordered a second phone line to my home and the operator asked if I wanted my social security number to be released to whatever long distance company I happened to use. I told her to forget it. I was wondering: what possible reason would these long distance companies need this information for? More importantly, how did the operator get it? ------------------------------ From: dom@hermes.dna.mci.com (Eric Kessner) Date: 22 Apr 1994 16:20:14 -0600 Subject: Re: Long Distance Companies Organization: MCI Telecommunications Rob Goldberg writes: I recently ordered a second phone line to my home and the operator asked if I wanted my social security number to be released to whatever long distance company I happened to use. I told her to forget it. I was wondering: what possible reason would these long distance companies need this information for? The long distance companies use the SSN in the same way almost every other business uses it, as a "unique" identifier for a customer. I'm strongly against using SSNs for privacy reasons and have convinced the team I work with not to expect that people will necessarily give it to them when asked, or even worse, might just make one up. So, for at least the projects I'm working on here at MCI, no one will tell you that you must give them your SSN because the "computer needs it" :) -- Eric Kessner, MCI Telecommunications | This message does not ekessner@mcimail.com | necessarily reflect MCI dom@hermes.dna.mci.com | policy and opinions. ------------------------------ From: "Arthur R. McGee" Date: 22 Apr 1994 15:08:25 -0700 (PDT) Subject: Lord Have Mercy On Us All :-( If this doesn't scare you, nothing will. :-( ---------- Forwarded message ---------- THE WHITE HOUSE Office of the Vice President ____________________________________________________________ For Immediate Release April 20, 1994 GORE JOINS BENTSEN, RENO IN CRIME TECHNOLOGY DEMONSTRATION Vice President Announces Inter-Agency Agreements WASHINGTON -- To illustrate how the use of technology can help fight rising crime, Vice President Al Gore today (4/20) joined Administration officials in a demonstration of wireless and dual-use technologies that can be used for law enforcement purposes. He also announced two inter-agency agreements that will increase cooperation between the Departments of Justice, Treasury, and Defense in using technology to help combat crime. "The technologies demonstrated today provide powerful new weapons in the war against crime," the Vice President said. "Technological advances make it possible to fight crime safer and smarter than ever before. They increase safety, enhance productivity for our law enforcement officials, and save taxpayer dollars." The Vice President joined Treasury Secretary Lloyd Bensten, Attorney General Janet Reno, Deputy Secretary of Defense John Deutch, and Office of National Drug Control Policy Director Lee Brown in the demonstration, which included a wide variety of technologies that will help fight crime or support law enforcement. In addition, the Vice President announced two inter- agency Memorandums of Understandings. The first MOU, between the Departments of Justice and Treasury, establishes an agreement to develop a wireless telecommunications network for use by federal, state, and local law enforcement officials. This agreement implements one of the recommendations of Vice President Gore's National Performance Review to make the federal government work better and cost less. The second MOU, between the Departments of Defense and Justice, is a five-year agreement to jointly develop and share technologies that are necessary for both law enforcement and military operations other than war. Secretary Bentsen said, "We want to invest in crime- fighting technology, we want to do it so local and state police benefit, and we want to do it so costs don't go through the roof. That's why I'm so eager to sign up Treasury in a partnership with Justice to develop cost- effective and efficient technology." "New technologies increase the effectiveness of law enforcement, offer police officers greater options for apprehension, and improve the safety of the public," said Attorney General Reno. "Today's agreements will unite the efforts of the Justice Department with those of Defense and Treasury to help make these technologies available to our nation's law enforcement community." Deputy Secretary Deutch said, "Today's Memorandum of Understanding formalizes our ongoing relationship with the Department of Justice. It comes at a time when budgets are decreasing and yet we need different capabilities and equipment to accomplish our peacekeeping and humanitarian missions. We are finding that these requirements are similar in many cases to the needs of law enforcement agencies, and we look forward to cooperating in this area." The demonstrations included an automated booking system to electronically record fingerprints and mug shots, laser- assisted computer imaging equipment for examining ballistics, and a portable/hand-held/single-step device to retrieve more readable fingerprints at crime scenes. They also viewed technology that provides police cars with mainframe database information such as criminal records and traffic violations, and allows them to file reports from their cars. Several non-lethal weapons for use in pursuit of a suspect or while a suspect is in custody also were displayed. ## ------------------------------ From: tim werner Date: 23 Apr 1994 11:56:23 -0400 Subject: Re: Lord Have Mercy On Us All :-( "Arthur R. McGee" states: if this doesn't scare you, nothing will. :-( ---------- Forwarded message ---------- THE WHITE HOUSE Office of the Vice President ____________________________________________________________ For Immediate Release April 20, 1994 GORE JOINS BENTSEN, RENO IN CRIME TECHNOLOGY DEMONSTRATION Vice President Announces Inter-Agency Agreements ------end Forwarded message ---------- Why is this scary? It was just about police getting better methods of communicating with each other, as far as I could tell. I am not against the idea of police in general, just abuses of government power. How is the concept of police being better able to get fingerprints at the crime scene scary? If you break into my house, I'd like the police to be able to get your fingerprints. The police are a Good Thing when they are protecting me from fraud, theft, and physical attack. ------------------------------ From: Black Unicorn Date: 23 Apr 1994 15:53:28 -0400 Subject: Re: Lord Have Mercy On Us All :-( tim werner said: The police are a Good Thing when they are protecting me from fraud, theft, and physical attack. The most efficent police are those under a dictator. They will protect you from fraud, theft and physical attack too. Are they a good thing? The communications network doesn't really bother me, The formation of a group dedicated to empowering law enforcement with high technology does. ------------------------------ End of Computer Privacy Digest V4 #057 ****************************** .