Date: Thu, 26 May 94 14:07:00 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@uwm.edu Subject: Computer Privacy Digest V4#072 Computer Privacy Digest Thu, 26 May 94 Volume 4 : Issue: 072 Today's Topics: Moderator: Leonard P. Levine Encryption in The Netherlands Re: SSN & Auto registration Re: the Homolka trial (very long) Privacy of employee email at private businesses The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. Back issues are available via anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The archives are in the directory "pub/comp-privacy". Archives are also held at ftp.pica.army.mil [129.139.160.133]. ---------------------------------------------------------------------- From: rcsacw@urc.tue.nl (Christ van Willegen) Date: 26 May 1994 09:36:15 +0200 Subject: Encryption in The Netherlands Organization: Eindhoven University of Technology, The Netherlands Hello I'm new to this newsgroup (have been reading it for a whopping 2 days), but I think I have an important issue here: THe government in The Netherlands is thinking about a law to make all encryption of messages and/or files in The Netherlands a criminal offence. They want to do this because of the encryption used by criminals (so the police etc. won't read their files). As far as I can tell, this law forbids the following: - Encryption of messages across any computer network in The Netherlands - Usage of code text (?) in a phone call (your phone gets locked if you do) - Password-scrambling of files. Also, it is forbidden to import/use ANY program (with exceptions) that can use encryption/scrambling. Lemme get this straight, I thought: - ARJ is out of the question, since it can garble - WP is easy to crack (and legit) - PGP is out of the question etc. name some encrypting program and I can't use it. My favourite Terminal Emulator (TERMINATE) CAN encrypt its phonebook at the end of the program, so noone can read where you call to and how often etc. So if this law is used, I cannot continue to use TERMINATE?! Like someone said, it's like putting all your mail on a postcard instead of an envelope, so everyone can read it Then, there was a letter to a newspaper consisting of 2 paragraphs. The first was (it seemed) a random collection of characters, the second said: "Now, let THEM try to prove if the above is garbage or an encrypted message (note that that's impossible to prove). Anyone have anything to say on this subject? Christ van Willegen (account valid 'till october 1st 1994) ------------------------------ From: peterson@CS.ColoState.EDU (james peterson) Date: 26 May 1994 15:20:23 GMT Subject: Re: SSN & Auto registration Organization: Colorado State University -- Computer Science Department The words you quoted above seem to be in partial compliance with the requirements of the Privacy Act of 1974. The Privacy Act of 1974 (Pub. L. 93-579) requires that any federal, state, or local government agency that requests your Social Security Number has to tell you four things: 1: Whether disclosure of your Social Security Number is required or optional, 2: What statute or other authority they have for asking for your number, 3: How your Social Security Number will be used if you give it to them, and 4: The consequences of failure to provide an SSN. With regard to this last bit, I have recently seen two federal Privacy Act Statements on two unrelated federal forms (one from a grant agency, the other a federal worker form). Both contained words to the effect that "disclosure of the social security number is optional, but it may be impossible to process the form without it." In other words, it's "optional" in the sense that eating is "optional." Anyone want to comment on this way of dodging the Privacy Act? -- james lee peterson peterson@CS.ColoState.edu dept. of computer science colorado state university "Some ignorance is invincible." ft. collins, colorado (voice:303/491-7137; fax:303/491-2466) ------------------------------ From: eye WEEKLY Date: 26 May 1994 11:53:56 -0400 (EDT) Subject: Re: the Homolka trial (very long) The moderator wrote: I am the moderator of the Computer Privacy Digest, an electronic forum that deals with privacy and I have been given the following that is reported to be from your paper: As reported in Toronto's EYE Newspaper [eye@io.org] (similar to New York's Village Voice) dated 19 May 1994: [ summary of article deleted ] Hmmm... not sure I understand, someone gave you that article summary, saying it was from our paper? This is NOT the story printed in eye -- though it's a great summary! The actual story has also been circulated about Usenet -- we upload our articles every week -- and is also stored in the eye gopher at gopher.io.org . eye expressly lets people freely retransmit eye article around cyberspace (as the little closing .sig states). I will follow this post up with the eye cover story on the police fumblings regarding privacy and Homolka and the Internet. Please don't attribute the summary to us, because it has a couple of errors... such as the opening line -- The London Ontario detachment of the Ontario Provincial Police have The LPD is not a detachment of the OPP, it's a regional force, whereas the OPP would be more like state troopers. And... warrant, and also involved the questioning of the student at the local police station. The student was questioned at the university, in the comp security office. I would like to post this and, if there is additional privacy information available, to post that too. You might find it interesting to be able to report that you made the electronic board Computer Risks (a prestigious electronic magazine) as well as my poorer efforts. Sure. :) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ eye WEEKLY May 19 1994 Toronto's arts newspaper ...free every Thursday ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ COVER STORY COVER STORY POLICING THE NEW MEDIA -- INTERNET USERS HAVE THEIR LIBERTY THREATENED AS LAW ENFORCEMENT AGENCIES BLUNDER ABOUT TRYING (AND FAILING) TO ENFORCE THE HOMOLKA PRESS BAN by K.K. CAMPBELL Karla Homolka was sentenced to 12 years for manslaughter in the deaths of two teenage girls. The ban on publishing details of her trial was imposed to insure husband Paul Teale a fair trial. But Teale's lawyer opposes the ban. Homolka's trial has stopped being the story -- the story has become the ban itself. There's been nothing new to report about the trial for months, but the story keeps coming back because _the ban_ keeps making headlines. Every time the ban causes a magazine to be dramatically pulled from store shelves, every time the ban causes cops to barge into a student's life with unfounded allegations, every time a university censors or snoops out private information, the Homolka case is dragged back into the headlines. Once there, details are rehashed and new ban-breaking potential results. It's a vicious circle from which the attorney-general's office is desperately trying to extricate itself. It's no coincidence Teale's trial was suddenly moved forward. Indeed, the attorney-general seems ready to let police operate with a free hand against Ontarians -- as one university student found out the hard way. 'ABDUL' SCREWS UP It began with one of the all-time great gaffes in Internet history. Late last Jan. 31, 21-year-old Toronto student "Abdul" (not his real name) arrived home to his basement apartment from night classes. After a quick bite, he checked his Internet account for e-mail. To his delight, he found a copy of the revised Karla Homolka computer file in his mailbox -- hot-off-the-CPU from a London, Ont., university student. The file was due to be released the next day to the infamous Internet newsgroup alt.fan.karla-homolka. Abdul, the uncrowned prince of the Homolka-Internet underground, got an advance copy. The file contains a whack of rumors and grisly details about Homolka's secrecy-shrouded quickie-trial last July. Internet convention calls the computer file an "FAQ" -- a collection of answers to "Frequently Asked Questions" about a topic. This topic just happens to be the oh-so-controversial Homolka murder trial and the ban surrounding it. The Homolka FAQ is found wherever computers and Canadians interact. It has undoubtedly been read by tens of thousands of citizens to date. But none of those readers know the identities of the authors, underground computer activists -- only their mysterious aliases: "Abdul, the Electronic Gordon Domm" (abdul@io.com), "Lt Starbuck" (an54835@anon.penet.fi), and "Neal the Trial Ban-Breaker" (an52708@anon.penet.fi). By 2 a.m., after four hours online, Abdul is ready for sleep. But not before he sends the new FAQ to Toronto's major news outlets -- three daily papers and three TV stations. He has e-mail addresses for each. "I was trying to send the FAQ through an e-mail system in Finland that lets the sender remain completely anonymous," Abdul now recalls. "But it kept bouncing back to me unreceived." Eyes red, Abdul finally decided to send the FAQ through a local fax service. "I sent it, and went to bed. I didn't think anything of it." Major mistake: Abdul, perhaps overtired, instructed the fax service to send a copy to the six media outlets -- as well as a copy to Premier Bob Rae and another to Attorney-General Marion Boyd. Fatal mistake: Abdul left the real names of Lt Starbuck and himself on the document. Next morn, sleepy-eyed civil servants found the hefty document awaiting them. The attorney-general's office refuses to comment on its reaction, but suffice to say the shit began shunting through government plumbing -- only to emerge three weeks later directly on the head of Lt Starbuck at London's University of Western Ontario. BATTLE STARBUCK On Feb. 22, Starbuck, 25, came home from school to find a message waiting: Western's computer and network security officer Reg Quinton wanted him to call. Starbuck did. He was told his Internet account was frozen. He was to meet with London police the next day. Police?! Mind racing, Starbuck hurried to his home computer. He not only deleted anything remotely related to Homolka from his hard drive but "shredded" it via Norton computer utilities. It was an operation to make any politician proud. (Though Starbuck is known to the university and OPP, he requests eye not use his real name, but rather his alias "Lt. Starbuck" -- his favorite character from the TV show Battlestar Galactica.) It seems the attorney-general had notified the OPP, who had passed a copy of the FAQ with Starbuck's real name on it to Detective Sergeant Sandy Wright of the London police. Wright approached Quinton. "I asked what the police wanted done," Quinton (reggers@julian.uwo.ca) told eye. "They wanted the student's account shut down and to meet with him in person. Fine." Quinton called in colleague Dave Martin, who administrates Starbuck's account. No warrant, no subpoena, no problem. The next afternoon, Starbuck death-marched himself over to Quinton's office in the Natural Science Centre. Quinton, Martin and Wright awaited with grim faces. "During the two-hour interrogation, the police showed me the document Abdul sent the attorney-general," Starbuck recalls. "I stared at it in disbelief, whispering to myself, 'Oh shit.' " It was Game Over. Worse still, the police seemed to think Starbuck himself had sent it because of the way e-mail readers save mail. Not understanding what they were looking at, authorities figured Starbuck had faxed it to them, with his real name, in some moment of stratospheric chutzpah. Cornered and terrified, Starbuck vowed to tell everything -- including the real name of Abdul. Wright asked Starbuck to open his Internet account. He complied -- nothing "incriminating" there anyway, his strict policy was to keep no Homolka files in school accounts. Wright said he'd have to inspect Starbuck's home computer. Starbuck explained everything was gone, shredded, but Wright insisted he had to see for himself. (Inexplicably, he set that appointment for the next day -- he found nothing.) WHY ME? Wright informed Starbuck criminal charges still hung over his head. But as long as he stayed clear of Homolka-mongering and remained cooperative, charges would probably not be laid. On Feb. 28, Starbuck had his university account restored. For the next three weeks, he forwarded incoming private e-mail from Abdul to Quinton -- including a list of about 50 people who received updates of the FAQ. There were five more Western Internet addresses. One was Wayne Smith (wlsmith@valve.heart.rri.uwo.ca). Smith would publicly complain on Usenet about the whole Western-LPD investigation: "What they are calling co-operation here is intimidation. It's like the old police state mentality: if you have nothing to hide, why won't you take this lie detector test when we ask?" Starbuck says intimidation was a factor. "I cooperated with Quinton for weeks after the event for the sole reason that I was very afraid I'd get charged if I didn't." Back in Toronto, Abdul was blissfully ignorant of the events in motion in London. He noticed Starbuck didn't seem to answer his e-mail any more. Ironically, it was Wayne Smith's public post just quoted above that alerted him to the momumental gaffe he'd made. He quickly prepared for the police. After all, he was far, far more active than Starbuck had ever been on his best day. But the knock never came on Abdul's door. Which still bewilders Starbuck. "There's no rhyme nor reason to it at all. If they're cracking down, why aren't they cracking down anywhere else? Why me? I just edited a computer file. I got sucked into this whole stupid affair and really feel bruised and battered by it." Abdul believes Starbuck was targeted because Western computer administrators were spineless: "When the police knocked on Quinton's door, it's clear Quinton said, 'Come on in, guys!' " Another source close to the case put it this way: "The LPD asked Starbuck to bend over -- and Quinton applied the vaseline." The police would definitely need a warrant to peek at Abdul's home computer. And then the issue would erupt into the headlines again. CHARGED WITH POSSESSION On March 28, Quinton wrote an "open letter" to the Internet community -- which he says was on the "recommendation of the local police." This letter, apparently carrying police sanction, claims mere possession of the FAQ is a crime. "My understanding is the LPD (and OPP and others) are of the opinion that... to be in possession of such material is to be in violation of the publication ban," Quinton wrote. And such a breach could result in police getting a warrant and seizing entire computer systems. When eye called the LPD's Wright, he repeated this official line, though without the same righteous passion Quinton seems imbued with. Wright said the OPP told him possession of the file constituted a breach of the ban. But OPP Detective Inspector Frank Ryder told eye he doesn't know for certain. He only passes information about possible breaches of the trial ban along to local police departments. "It's their investigation, there is no central OPP investigation," Ryder said. So eye called the attorney-general. Spokeswoman Barbara Krever said she couldn't comment on whether possession of the FAQ was a breach of the ban. In fact, the attorney-general has consistently refused to help Ontarians understand exactly where the Internet fits within the ban. People are left to operate in uncharted territory and law enforcement authorities blunder about, unsure themselves. Meanwhile university students have academic careers, if not their very liberty, threatened. Criminal lawyer Eddie Greenspan has gone on record saying he does not believe the Internet's Homolka-infotrade breaches the ban. He said accessing Internet files defeats the purpose of the ban but doesn't break the ban. "I don't see anything criminally wrong here," he told eye. Greenspan notes the confusion stems from people thinking the ban applies to details of the trial. The ban concerns publishing that information. Simply cruising out on the Internet and grabbing a copy of the Homolka FAQ is not a breach of the ban; nor is holding it in a university computer account. "If it comes between Greenspan and Boyd, Ontario's first non-lawyer attorney-general, I'll take Eddie's opinion every time," Abdul says. Abdul believes courts in the future are going to have to specifically mention the Internet -- "or, if they clue in, they will realize bans are obsolete, it's time to change the system to reflect technology." But how many judges have ever confronted a login? Do they understand the raw power of it? Do they understand how it circumvents all censorious power structures? Former Supreme Court judge William Estey said something similar in an April 21 speech: bans in high-profile cases should cease because they just don't work any more. Estey blamed the proximity of the U.S. news media. The Internet compounds the problem exponentially. He said jurors must be trusted to do their jobs -- that is, be exposed to various information and not let it affect their legal judgment. "The courts can't clamp information any more," Abdul says. "Judge Kovacs stopped the mainstream press, but we aren't the mainstream press -- we are the new media." ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ COVER STORY -- SIDEBAR 1 SIDEBAR 1 -- COVER STORY UNIVERSITIES AND POLICE by K.K. CAMPBELL University of Western Ontario's computer security officer Reg Quinton told eye he isn't interested in discussing whether the Homolka FAQ is legal or not -- if the police say it's illegal, that's good enough for him. But Ontario authorities, from the attorney-general on down, are painfully confused about how Karla, the ban and the Internet relate. Yet here we have Western's security officer saying quite bluntly he doesn't care. He will cooperate with police for fear his computers will be confiscated if he doesn't. Quinton's open letter of March 28 addresses Western students: "If you think the University is going to protect your 'right' to break the law, you are sadly mistaken. The law applies here just as much as elsewhere. You don't have a right to violate the publication ban -- don't expect any sympathy or support if you do." Since no one knows how the law applies, Quinton's actually saying: "If you think the University is going to protect you against the police, regardless if they are right or wrong, you are sadly mistaken." Carl M. Kadie (kadie@hal.cs.uiuc.edu), founder of the Internet's Computers and Academic Freedom newsletter, thinks Quinton's position is dangerous -- though he understands university computer staff confusion. Computer administrators have no history of standing up to the police or the state. Librarians, on the other hand, have decades of precedent in demanding subpoenas and warrants when authority comes calling. Computer administrators lack this training and tradition. Karen Adams, executive director of the Canadian Library Association, told eye a librarian would probably have demanded a warrant before revealing if Lt. Starbuck even had an account at a library. Kadie says that computer administrators desperately need to develop similar ethics. "Just as a professional librarian would have been less likely than the computer system administrators to turn over personal information to the police, so professional reporters are less likely than students under the gun to disclose sources to the authorities," Kadie told eye. "The promise of the information superhighway is that we all become librarians and reporters. The danger right now is most people don't understand the responsibilities that come with their new roles." ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ COVER STORY -- SIDEBAR 2 SIDEBAR 2 -- COVER STORY KARLA AND THE BOYS by K.K. CAMPBELL Lt. Starbuck remains extremely reluctant about dealing with media. When contacted by eye, after his opening shock at having been called at home, his reaction was to refuse an interview. But he decided to talk only so the story isn't told exclusively by "others." "When I got caught with my pants down, my first worry was criminal charges," he told eye. "My second worry was media coverage, with myself being hailed as some sort of Martyr for Free Speech. What was done to me may indeed be wrong and illegal, but I have no interest in becoming a Gord Domm on the Internet -- besides, Abdul already is and he's still very very active." Starbuck and Abdul have never spoke directly, only through e-mail. Abdul sighs at Starbuck's unbridled hatred for him now. "He has a point. And I've apologized many times. Every time I write a public letter, I apologize again. I know I screwed up and he's suffered." "Abdul says it was an accident," Starbuck says. "I believe him. I also believe he is an idiot." Abdul is not Arabic, by the way -- he's Irish. He picked the alias Abdul in honor of an underground comedy tape by a Hamilton individual who used the named "Abdul" in making a series of crank calls to unsuspecting people. "I was searching for an alias when it struck me the Homolka FAQ is like the Abdul tape -- passed around from person to person, with absolutely no official distribution." Abdul says his activism issues from more than prurient interest. "At some point, someone has to test how Internet will operate in Canada. If we force the issue onto the public agenda now, the less chance do we have of the Internet being censored and regulated out of existence." His net address is abdul@io.com -- not to be confused with io.org, which is Toronto's Internex Online. Io.com is Illuminati Online, in Austin, Texas. It's a game company that was raided by the U.S. Secret Service in its over-zealous war with "hackers," so the company is very aware of the damage computer-illiterate cops may cause in its computer bungling. Abdul was given an operational base in Texas. Many people believe he's a Texan. But he lives in Toronto and only works on a Texas computer. Let's just wait for the legal system to grapple with that -- the concept of where one "is" when in cyberspace. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Retransmit freely in cyberspace Author holds standard copyright Full issue of eye available in archive at gopher.io.org or ftp.io.org eye@io.org "Break the Gutenberg Lock..." 416-971-8421 ------------------------------ From: bernie@fantasyfarm.com Date: 26 May 1994 03:42:44 GMT Subject: Privacy of employee email at private businesses Organization: Fantasy Farm Fibers Many of us have long been pointing out/arguing that employees should expect *NO* privacy when using company computer resources [unless given assurances of such privacy]. There was a recent decision, which I don't have but only the Clarinet report on: =-=-=-=-=-=-=-=-=-=-=-=-=-= Subject: Manager Loses Suit over ``E-Mail'' Firing Copyright: 1994 by Reuters, R [ ... ] Ann Miller, a former human resources manager at insurance firm USF&G Corp, had claimed she was illegally fired after another employee, Allan Lucas, was caught using the electronic mail system to communicate with her. [ ...] U.S. District Judge John Hargrove said there was no evidence Miller was fired because of her sex. ... [ ... ] USF&G spokeswoman Sue Lovell said the company had implemented internal controls and procedures to prevent abuse of electronic mail. =-=-=-=-=-=-=-=-=-=-=-=-=-= I point out that it appears that the plaintiff didn't even *TRY* to make an invasion of privacy argument, nor did the judge mention anything of the kind. So I think this certainly confirms what several of us have been saying all along: if you want private email, go get yourself a private account, but DONT expect personal use of an employer's equipment to be tolerated [much less protected]. /Bernie\ -- Bernie Cosell bernie@fantasyfarm.com Fantasy Farm Fibers, Pearisburg, VA (703) 921-2358 ------------------------------ End of Computer Privacy Digest V4 #072 ****************************** .