Date: Thu, 04 Aug 94 15:44:05 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V5#017

Computer Privacy Digest        Thu, 04 Aug 94        Volume 5 : Issue: 017

Today's Topics:                            Moderator: Leonard P. Levine

                       What Is Proprietary Information?
                       Privacy Book Project
                       Fingerprinting Rules
                       Set Top Boxes
                       The Best of Full Disclosure Magazine
                       Re: SSN Required by Sprint in U.S.
                       Re: SSN Required by Sprint in U.S.
                       Re: Many Phone Taps are now Legal
                       Re: Questions about using "discussion list" membership lists

---------------------------------------------------------------------
Housekeeping information is located at the end of this Digest.
----------------------------------------------------------------------

From: dave@lydian.scranton.com (Dave D. Cawley)
Date: 04 Aug 1994 00:21:59 GMT
Subject: What Is Proprietary Information?
Organization: Internet Cafe, 426 Spruce Street, Scranton PA

I'm one of the owners of The Internet Cafe in Scranton, PA, and we were
recently hacked into by one if not two people; the hacks were from two
different sites, but maybe the same person.

One person from a local educational institution ftped into us and ftped
a password file that had nothing in it.  I talked to the sys manager
about this and he has the name of the person who did it, but is waiting
to find out what kind of information he can give us or what channels we
need to go thru to get the info on the guy.

Then a day later someone called and asked if we had a guest account.
Our sys manager told him no, but we could set up an account for him and
if he liked it he could pay on August 1st (three days away).  He spent
his time on trying to unmount our disks, get into root and generally
trying to trash our system.  He also ftped our password file to a local
BBS/Internet provider/competitor.
Then, from an administrative account on that system, most of our users
were spammed with unsolicited mail telling them that accounts had been
set up and they had a full year of free access if they switched from our
service.  The accounts *were* in fact set up on that system; we had
someone use their account on that system.

We called the people at that system and they said they knew nothing of
what happened, that the account that the spam was mailed from doesn't
exist, and that an account in their name can't be created.  We asked how
what happened happened, and their answer was that it was some hacker
that broke into our system, but they kept saying that nobody could have
done it from their system.  Meanwhile, we have that person in our ftp
log, ftped in from 3 of their machines and from a Sprint Network machine
(they are part of SprintNet).

Now that you know my story... my questions are:

1. What is considered proprietary property?
2. Can this be considered wire fraud in any way?
3. What legal recourse do we have?
4. What do we need to prove they were in the know?

And anything else you might think of... Thanks!

--
******************************************************************************
Dave D. Cawley           | Listen, strange women lyin' in ponds distributing
Maitre d'                | swords is no basis for a system of government.
The Internet Cafe        | Supreme executive power derives from a mandate
Scranton, Pennsylvania   | from the masses, not from some farcical aquatic
dave@lydian.scranton.com | ceremony.                                -Dennis
******************************************************************************

------------------------------

From: g.scott3@genie.geis.com
Date: 04 Aug 94 06:36:00 UTC
Subject: Privacy Book Project

PRIVACY BOOK PROJECT: REVIEWERS, QUOTES WANTED

I wanted to let all know that I have a book on privacy: THE BATTLE FOR
PERSONAL PRIVACY, which will be published next year by Insight and
Plenum Books in New York, scheduled for the Spring.
It is designed to provide a broad overview of the subject for the
general reader, and covers a wide range of topics, including search and
seizure, press and publicity, government records, employment issues
including drug testing and monitoring, high tech privacy topics
including BBs, E-mail, and encryption, financial privacy, medical
records, privacy in litigation, etc.  It includes some history of
privacy from the 1800s to the present, and focuses on the results of
battles over privacy that have ended up in court in 1992 and 1993, and
recent developments since then.

The book has just gone to the typesetter for the first galleys.  My
publisher has asked me to contact people in the field who might be
interested in reviewing the book, and if they like it, providing
comments that can be used in the book or in information about it.
Besides the people I already plan to contact, this is to let others know
about it.

If you're interested, please contact me by E-mail, and please include an
address where my publisher can send the galleys.  You can reach me on
E-mail through AOL at GiniS, Genie at G.SCOTT3, and on Prodigy at
MBMV32A.  Also, please feel free to repost this message on other BBs and
newsletters.

--
Gini Graham Scott

------------------------------

From: "Prof. L. P. Levine"
Date: 04 Aug 1994 06:00:36 -0500 (CDT)
Subject: Fingerprinting Rules
Organization: University of Wisconsin-Milwaukee

The following was posted anonymously in alt.privacy.  Since alt.privacy
is an unmoderated forum and since the user had posted through an
anonymous posting site, no permission was requested.  Does anyone
reading this group know about this sort of job requirement?

Len Levine, CPD moderator

From: an64344@anon.penet.fi
Date: 02 Aug 1994 22:43:20 UTC
Subject: Need info about (Non)voluntary Fingerprinting for employment in USA

Hello.  I recently got a job with a commercial bank in New York City
(which will remain unnamed.)
I went in and filled out all the forms they needed: tax, insurance,
medical stuff, job and education history, copy of my birth certificate,
etc.  Then I got to a form that was titled Fingerprint Authorization.
It read similar to the following, but this is from memory:

   "I voluntarily give authorization to be fingerprinted, and give
   permission for my fingerprints to be used in a manner deemed
   necessary by ."

   "I understand that I do not have to have my fingerprints taken and
   this will not affect any current or future employment with ."

Seeing the second sentence, and feeling uneasy about giving my
fingerprints, I decided that I didn't want to sign this form or be
fingerprinted.  I turned in all the forms and the secretary said that I
needed to sign this fingerprint form.  I said I didn't want to be
fingerprinted.  She looked confused for a second and said that they
needed to keep my fingerprints on record and send a copy of them to
Washington.  I said that since I didn't *have* to give my fingerprints,
I wasn't going to.  I was trying to remain calm and be nice, but she
kept pushing.  She said that I *had* to sign it.  Then I said "But it
says right here that I don't have to give my fingerprints."

She didn't know what to do, so I asked to speak to someone who might
know.  She goes back and a few seconds later she comes back with some
guy who I guess was a little higher up in the organization.  He said
that I had to sign the form, everybody signs the form, there is no
alternative.  I asked why this sentence about not having to sign and
give fingerprints was on the form, if I *have* to be fingerprinted.  He
said "the FDIC makes us put that on there" and that they had no
intention of following it and that I had to sign the form.

Finally, because I wanted this job, and they had no alternative to offer
me, I broke down and signed the form and got fingerprinted.

I called the FDIC here in NYC, but got transferred to a few departments
and no one seemed to know what I was talking about.
Does anyone out there know if the FDIC has any rules on this?  The guy
said that "the FDIC makes them" put that on there, or did I mishear him?
Is the FDIC in charge of this kind of thing?  Do they have any rules on
this?  Does some other agency control banks and fingerprints?  Do I have
any recourse?  Is there anybody I might call?

I don't feel comfortable with this situation.  I don't really like to
have my personal stuff floating around.  The drug piss-test upset me
more than enough; I didn't need this too.

Thanks for any information.

------------------------------

From: Jeremy D. Allaire
Date: 04 Aug 1994 12:27:16 -0500 (CDT)
Subject: Set Top Boxes

(the author permits full re-distribution of the post.)

Commentary on the advantages and disadvantages of a "filter" or
"preference" based news service prompted me to recall the events from a
conference I recently attended.  It may shed some light on how the major
Cable/Telco folks are thinking about bringing this into your home.

Essentially, the conference was about how to leverage new interactive
technologies for marketing and advertising.  Folks from Time-Warner,
TCI, US West, Prodigy, and others were there.  The basic thrust was that
interactive forms of information posed the threat of breaking the
reader/viewer away from the advertisement, because the cold stark fact
was that the majority of people prefer the entertainment/information
over the advertisements.  And, in a world where more control is offered
to the user, that could cause some problems.

Besides the frequently referenced and revolting notion of turning
advertisements into interactive game shows where you win what are
essentially coupons, there were several points made about new strategies
for controlling the reader/viewer in the interactive age.  The upshot
was this -- while computers (e.g. set tops or PCs) do allow for refined
choices by the consumer, they also allow for refined choices by the
advertisers.
Major Telco/Cable folks are dying to make deals with credit card
companies and banks to get purchasing behavior data with which they may
"program" (oh my Orwell) your set-top box or PC data flow.

So, one example was this.  You go to the store and buy toothpaste, it
gets registered in a database, it gets referenced by another database
(here, the Cable/Telco company) which performs an operation (e.g. the
average time to use a roll of toothpaste equals 2 months) and then
programs your set-top to give you a toothpaste ad 2 months down the
line.  The idea is to refine and control the incoming data to meet the
advertisers' needs.  Sound like freedom?

IMHO, the bottom line is that all of this technology will continue to be
advertiser driven, and, hence, the advertiser will shape the contents of
your box more than you shape the contents of your box.  We're obviously
talking about a different phenomenon than today's PC/Online Newspaper
service, but that is what is being built by the Bells and Cable folks,
and they are working with their traditional sponsors.

--
Jeremy Allaire

------------------------------

From: "Prof. L. P. Levine"
Date: 04 Aug 1994 01:00:23 GMT
Subject: The Best of Full Disclosure Magazine

A rather full description of the book "The Best of Full Disclosure --
Volume One" is now available.  According to the material sent to CPD,
over 160 pages of interesting and informative articles from Full
Disclosure Magazine are contained in it.  It's just $24.95 postpaid from
the Superior Broadcasting Company, Box 734, Antioch, IL 60002 (Ill res
add 6.5% sales tax).

The document can be found in the library supported by this digest.  You
can access the material via anonymous ftp on ftp.cs.uwm.edu
[129.89.9.18].  Login as "ftp" with password "yourid@yoursite".  The
document is in the directory "pub/comp-privacy/z-library".

People with gopher capability can access the library at
gopher.cs.uwm.edu.  Mosaic users will find it at
gopher://gopher.cs.uwm.edu.
---------------------------------+-----------------------------------------
Leonard P. Levine                | Moderator of:     Computer Privacy Digest
Professor of Computer Science    |                  and comp.society.privacy
University of Wisconsin-Milwaukee| Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201      | Information: comp-privacy-request@uwm.edu
                                 | Gopher:                 gopher.cs.uwm.edu
levine@cs.uwm.edu                | Mosaic:        gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

From: tenney@netcom.com (Glenn S. Tenney)
Date: 03 Aug 1994 21:17:36 -0800
Subject: Re: SSN Required by Sprint in U.S.

dunn@nlm.nih.gov (Joe Dunn) wrote:

> From what I remember though, there were provisions to give a number to
> someone who did not have a SSN.
>
> The SSN is used by the system for several reasons.  To get an adequate
> voice sample to verify your voice while at the same time not reject
> you because it doesn't recognize your voice.  To facilitate this, the
> 800 number you call to gain access to the system is determined by your
> SSN.  In that way, if it misidentifies a digit, it can decide that the
> number should not be dialing this 800 number.  You don't get billed
> for someone else's calls because of misidentified numbers.

It seems that one simple thing would be to just have the person say the
800 number that they called.  Nothing to remember, no SSN, nothing.  The
person has to have the 800 number to call it and it's the right number
of digits, plus the system knows that the number you're saying is
supposed to be that number.  Sure seems that it would work...

> Just defending a legitimate use of a SSN.

Well, since you began by noting that the system had provisions for any
other number to be used, it's clearly NOT a legitimate use of the SSN.

---
Glenn Tenney
tenney@netcom.com
Amateur radio: AA6ER
(415) 574-3420     Fax: (415) 574-0546

------------------------------

From: dwn@dwn.ccd.bnl.gov (Dave Niebuhr)
Date: 04 Aug 94 07:29:44 EDT
Subject: Re: SSN Required by Sprint in U.S.
dunn@nlm.nih.gov (Joe Dunn) writes:

> Well, I worked on this project for Sprint and feel pretty confident
> that there is no privacy issue involved in this one.  From what I
> remember though, there were provisions to give a number to someone who
> did not have a SSN.

Oh there isn't?  There are many privacy issues here: income, drivers'
licenses, credit cards held, etc.  You say "did not have a SSN."  Well,
why not just go ahead and assign one instead, for which you give reasons
below.

> The SSN is used by the system for several reasons.  To get an adequate
> voice sample to verify your voice while at the same time not reject
> you because it doesn't recognize your voice.  To facilitate this, the
> 800 number you call to gain access to the system is determined by your
> SSN.  In that way, if it misidentifies a digit, it can decide that the
> number should not be dialing this 800 number.  You don't get billed
> for someone else's calls because of misidentified numbers.

Wouldn't any 9-digit number work as well?

> The number has to be easily remembered by you.  When you receive your
> calling card from Sprint, it tells you to speak a digit plus your SSN.
> In that way you can carry around your calling card and not worry about
> losing it and it being usable by someone who finds it.  If Sprint were
> to assign you a number, rather than your SSN, you would carry around
> that card until you memorized the number or to remember the 800 number
> to dial.  Using your SSN protects you and Sprint from someone using
> your card to make calls that they can't bill you for.  The card does
> not have your SSN printed on it.

The protection would be there just the same if a random 9-digit number
were used that was familiar to the holder of the card.  Let's face it,
if someone in Sprint wanted to, and I'm not saying that they would, any
number of items about people could be found by having access to a SSN.
I give my SSN to those entities, both corporate and governmental, that
have a LEGITIMATE need for it, such as paying income taxes, paying
interest on credit card bills which has to be reported as income by the
receiver of the money, the bank that pays me what little interest it
does these days, etc.  Those are real needs that they have.

Another area that is SSN based is medical records.  Why should one more
item be available to a snoop if it doesn't have to be?

Sorry, but Sprint dropped the ball on this one.

--
Dave Niebuhr      Internet: dwn@dwn.ccd.bnl.gov (preferred)
                            niebuhr@bnl.gov / Bitnet: niebuhr@bnl
Senior Technical Specialist, Scientific Computing Facility
Brookhaven National Laboratory  Upton, NY 11973
1+(516) 282-3093  FAX 1+(516) 282-7688

------------------------------

From: "Harry P. Haas"
Date: 04 Aug 1994 14:07:07 GMT
Subject: Re: Many Phone Taps are now Legal
Organization: Ga Tech Research Inst/Sensors & EM Applications Lab (GTRI/SEAL)

Johan Strandberg wrote:

> Chuck Weckesser writes:
>
>> [A cordless phone] available from the Sharper Image (A Uniden model)
>> operates on the 900 MHz range, making "accidental" interception
>> impossible.
>
> Ha!  My cordless headphones operate in the 900 MHz range too and every
> time they are slightly de-tuned I get treated to numerous phone calls.
> And I don't even try...

I am quite curious about this.  I thought that most (all?) 900MHz phones
used digital transmission techniques.  Is that not so?  If it is, what
are you picking up if not a cordless phone?  (or is this another
marketing ploy, i.e. "digital" in that the channel id is "digital")

--
Harry Haas  GTRI/SEAL         | Georgia Tech Research Institute
Research Engineer II          | 225 North Ave.
harry.haas@gtri.gatech.edu    | Atlanta Georgia, 30332
"I know engineers . . . . they *love* to change things" - Bones

------------------------------

From: "Prof. L. P. Levine"
Date: 04 Aug 1994 12:32:55 -0500 (CDT)
Subject: Re: Questions about using "discussion list" membership lists
Organization: University of Wisconsin-Milwaukee

John Palkovic stated:

> It seems worth mentioning that if the computer serving the email list
> is on the internet running sendmail, it is usually possible to query
> the sendmail daemon remotely via telnet and have it print out all the
> email addresses on the list.

Mr. Palkovic is right; the sendmail process has its problems.  Any
person who knows the true name of the file that a group is using as its
mailing list can use sendmail to either mail to that group or get the
eMail addresses of the people on that list.  However, that person has to
know the true name of the file, and that name can be made as cryptic as
any other password.  He also has to find that file when it actually has
data in it.  That window can be minimized by careful system design.  He
also has to know how to probe without being detected if he expects to be
successful.

There are other problems with the privacy issues of electronic mail.
One issue, for example, involves the way that MCI handles its mailing
lists.  Any mailing to a list of users in that system automatically
sends, to each user on that MCI list, the names of all other people on
that list.  It seems that MCI views mailing lists as discussion groups
of individuals who should know who they are talking with.  That is not
an error on the part of MCI; it is a difference of opinion as to how
groups should interact.  Computer Privacy Digest is mailed to a list in
MCI in such a way that this problem is avoided.

There are exploder, or remailer, files that are used by some systems to
allow a single posting to be made to a system and then automatically
remail that posting to an internal list which is held private from
external viewing.  This can be done for efficiency or for privacy
reasons.  Those exploder lists also can be probed for the names
contained in them.
Computer Privacy Digest cannot protect the content of those files.  We
do not release the names of those files to the public however.  People
who wish to violate the privacy of others know about these leaks and
people who feel otherwise know how to use the system so as to afford
adequate privacy wherever that is possible.

However, DAVID@SIMSC.SI.EDU (David Bridge), the originator of this
thread, questioned the ethics of such an action.  He said:

> We are gathering information from two sources: personal contributions,
> and organization representatives (i.e. e-mail administrators).  Since
> these people are providing the information for the Directory they are
> "agreeing" to having it included and published.  [...]  Does using the
> names of a public list, WITHOUT permission constitute an invasion of
> privacy?  If we include the names without permission, is it:
> completely legal, "bad form", poor netiquette, or illegal?  and What
> is the "official view" on this subject from different countries, not
> just the United States?

There are those who say that the limits on ethics are the same as the
limits on law; if it is legal it is ok.  I must feel that the ethical
stance is higher than that.  Collection of my name and personal data by
any means and using that data for other than its intended purpose is
outside of my ethics.  That includes data collected by banks, newspapers
and grocery stores as well as eMail.

--
Leonard P. Levine                  e-mail levine@cs.uwm.edu
Professor, Computer Science        Office 1-414-229-5170
University of Wisconsin-Milwaukee  Fax    1-414-229-6958
Box 784, Milwaukee, WI 53201

------------------------------

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.
Back issues are available via anonymous ftp on ftp.cs.uwm.edu
[129.89.9.18].  Login as "ftp" with password "yourid@yoursite".  The
archives are in the directory "pub/comp-privacy".

People with gopher capability can access the library at
gopher.cs.uwm.edu.  Mosaic users will find it at
gopher://gopher.cs.uwm.edu.

Archives are also held at ftp.pica.army.mil [129.139.160.133].

End of Computer Privacy Digest V5 #017
******************************