Date: Tue, 09 Aug 94 06:50:05 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V5#021

Computer Privacy Digest      Tue, 09 Aug 94      Volume 5 : Issue: 021

Today's Topics:                           Moderator: Leonard P. Levine

   Towards Natl ID card?
   Answering Machine Features
   Health Care Privacy Alert
   Re: Are Web Servers Anonymous?
   Re: Are Web Servers Anonymous?
   Re: Bank Account Numbers
   Re: Bank Account Numbers
   Re: Internet White Pages
   Re: Internet White Pages
   Re: Set Top Boxes

---------------------------------------------------------------------
Housekeeping information is located at the end of this Digest.
----------------------------------------------------------------------

From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
Date: 08 Aug 94 08:43:38 EDT
Subject: Towards Natl ID card?

From the Washington Post newswire (94.08.04) via Compuserve's Executive News Service:

  "Targeting Illegal Workers; Immigration Panel Wants Job Applicants To Prove Identities"
  By Roberto Suro, Washington Post Staff Writer

  "An influential commission on immigration policy yesterday urged President Clinton to expand the fight against illegal workers by testing a program that would require all job applicants to prove their identities.

  "The president could launch such a program immediately under existing authority and without the need for new legislation, said former Representative Barbara Jordan (D-Tex.), chairman of the Commission on Immigration Reform, who unveiled the recommendation yesterday in congressional testimony."

Key points from Suro's article:

o Computer registry of all authorized workers.
o Employers required to verify authorization to work before hiring.
o Many groups protest what they see as an incremental approach to a national identity card.
o Pilot projects would begin in CA, NY, TX, FL and IL, where the INS estimates 80% of the estimated 4 million illegal immigrants live.
o Authentication might involve "a more secure Social Security card, a counterfeit-resistant driver's license and a telephone verification system."
o If successful, the program would be extended nationally.

M. E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn

------------------------------

From: David Redish
Date: 08 Aug 94 10:50:17 -0400
Subject: Answering Machine Features

Recently we received (as a present) an answering machine made by AT&T. On reading the manual, we discovered that not only does it have extensive remote facilities (such as changing your message, accessing messages, etc.) protected only by a limited 2-digit code (with some 2-digit pairs locked out, so << 99 possible passwords), it has a feature so that if you know the 2-digit password you can *listen to the room the phone is in*!

When we went to AT&T to try to exchange it, we discovered that they don't make phones without all of these remote features. So we went looking for answering machines (of a decent quality) that don't have remote features. It appears none exist.

Does anyone know of a quality-made answering machine that does not have these highly suspect "bugs" (they called them features, but I know better)?

------------------------------

From: Dave Banisar
Date: 08 Aug 1994 21:21:37 EST
Subject: Health Care Privacy Alert
Organization: Electronic Privacy Information Center

FYI, pls respond directly to the address below.

Date: 07 Aug 1994 12:43 EDT
From: WOODWARD@BINAH.CC.BRANDEIS.EDU (Beverly Woodward)
Subject: Health Care Privacy Alert

ALERT

The health care legislation proposed by Gephardt in the House and Mitchell in the Senate contains provisions which would establish a national health care data network and override most state medical confidentiality laws. All health care providers, whether paid by insurance or not, will be required to provide the network with data from the patient medical record after every clinical encounter.
(The data elements will not be limited to what is necessary for billing purposes.) A very weak "privacy" (or "fair information") code will regulate the redisclosure of such patient-identified information. The law will permit person-identified information to be made available in various circumstances to law enforcement officials, medical and social studies researchers, and government authorities without the knowledge or consent of the patient. These legislative provisions are being promoted as administrative simplification and cost-saving measures, but they will seriously erode patient privacy.

Unfortunately the general public has not been informed about these sections of the health care reform bills. Legislation of this kind requires intensive debate and should not be folded into a bill to extend insurance coverage and reform health care financing.

Contact your Representative and your Senators to urge that the "Administrative Simplification," "National Health Care Data Network," and so-called "Privacy" and "Fair Information Practices" sections of these bills be deleted. The general telephone number for Capitol offices is 202, 224-3121.

Watch for further updates! You may contact us at 617, 433-0114.

Coalition for Patient Rights, Massachusetts

------------------------------

From: "Dennis G Rears"
Date: 08 Aug 1994 13:54:55 GMT
Subject: Re: Are Web Servers Anonymous?
Organization: U.S Army ARDEC, Picatinny Arsenal, NJ

MLaroque wrote:

> A web question: I understand that the administrator of a web server has access to a log of connections made.

Correct. For the most part some admins just toss them without looking.

> How do the logs for the server work? As a server administrator, can one determine the
>
> [1] { } users who web to the server
> [2] { } sites of the users who web to the server
> [3] { } sites from which the most adjacent connection was made

The answer is 2. We can determine the host where the request came from.
An example of a log:

   qa.pica.army.mil [Mon Aug 8 09:16:42 1994] GET /drears/images/blueball.gif HTTP/1.0
   zircon.pica.army.mil [Mon Aug 8 09:22:42 1994] GET /sunnet.html/ HTTP/1.0

You will notice the first field is the host. The second is the date. The third/fourth field is the name of the file and the fifth field is the version.

> user on netcom webs to ucla.edu
> user chooses cs.bu.edu from a menu on ucla
>
> Under [3] above, the cs.bu.edu administrator would know that there had been a web connection from ucla, but would not know the client was on netcom.

No. The connection came from netcom. When the user chooses an item on ucla that actually resides on cs.bu.edu, the web client (on netcom) grabs it from cs.bu.edu. Ucla does not grab it for ucla from cs.bu.edu.

> Essentially, I am wondering about the anonymity of the users connecting to a server.

For the most part logs are used to produce overall usage reports or maybe to help diagnose problems with html documents. As a WWW server admin, I like to find out numbers of connections from the top level domains (e.g. mil, com, edu) but I almost never go into my log files. This was the first time in 4 months that I actually went into them. A program called getstats does all my summarizing for me. An admin has better things to do with his time than to look at who (individually) is looking at his stuff. Some pages might have a registration form for you to fill out but that is voluntary.

------------------------------

From: leppik@uxa.cso.uiuc.edu (leppik peter)
Date: 08 Aug 1994 19:55:57 GMT
Subject: Re: Are Web Servers Anonymous?
Organization: University of Illinois at Urbana

mlaroque@aol.com (MLaroque) writes:

> I understand that the administrator of a web server has access to a log of connections made.
> [.....]
> Essentially, I am wondering about the anonymity of the users connecting to a server.
The log (at least in the implementation of the httpd I use) stores for each "hit" the time of the hit, the machine which made the request, and the file requested. No information is available on the username of the person initiating the request, though sometimes this can be deduced from other information (for example, if you are using Mosaic from a personal computer, all you need to find out is who owns the computer for that IP address....similarly for accessing via SLIP, if your provider keeps logs).

If there is sufficient motivation for both the owner of the server, and the owner of the machine from which the request is made (or the owner of the net links), then a lot could probably be discovered (for example, if someone was seriously abusing someone's Web server).

No information is available on what page the requester "hit" previous to a particular hit.

In general, you're probably safe in assuming that the Web is anonymous, unless (1) you give out your name or address in a form somewhere, or, (2) you do something to really piss someone off, to the point where the operator of the server is REALLY motivated to track you down.

--
Peter Leppik-- p-leppi@uiuc.edu
I'm Not A Physicist, But I Play One On The Net
http://jean-luc.ncsa.uiuc.edu/People/PeterL/HOME.html

------------------------------

From: glr@ripco.com (Glen Roberts)
Date: 08 Aug 1994 14:47:06 GMT
Subject: Re: Bank Account Numbers
Organization: RCI, Chicago, IL

amy young-leith (alyoung@kiwi.ucs.indiana.edu) wrote:

> What I want to ask is: WHEN did I give my bank authorization to allow other people to take money out of my account? How can they allow these "deductions" with just a signature at a company (most say, "Just fill in your account number and sign below....")

The telemarketers have come up with a new trick. Many found it hard to get Visa/MC accounts, because they didn't qualify... Visa/MC ensures good customer service... if you don't like the stuff (mail/phone) it is EASY to have the charges reversed.
So, they came up with an idea to do it with checks. Rather than asking for your Credit Card number... they will ask for your bank account number off the bottom of one of your checks. They will then have a "facsimile" check made, that looks like a real check, but in the spot for the signature it says "no signature required." The telemarketer (or other business) then deposits these checks.

This works great... as long as everything is on the up and up and there are no mistakes. What happens if a credit card charge of $100 is put in as $1000? Well, you might be turned down on a transaction the next week. What happens if a check of $100 is run through as $1000... your balance is $900 less than you think, and if you write a check that bounces, you could be arrested for a felony.

It would be much worse, of course, if someone stole your checking account number and took money out. Unlike the credit cards that have an easy procedure for contesting charges... have fun at the bank!

--
--------------------------------------
Glen L. Roberts, Editor, Full Disclosure Magazine
Host Full Disclosure Live (WWCR 5,810 khz - Sundays 7pm central)
email glr@rci.ripco.com for information on The Best of Full Disclosure, four volumes to blow your mind.
Voice/Fax on demand: (708) 356-9646
--------------------------------------

------------------------------

From: makyen@netcom.com (makyen@netcom.com)
Date: 09 Aug 1994 07:11:39 GMT
Subject: Re: Bank Account Numbers
Organization: NETCOM On-line Communication Services (408 261-4700 guest)

sherry@meaddata.com (Sherry White) writes:

> I never felt that I should hide my bank account number because I felt the only thing one could do with it was deposit money into my account. Then I was told that when a company direct deposits your check into the account they have the privilege to deduct money as well. They say it's in case a mistake is made and needs correction. Could someone e-mail me and tell me what else can be done with my bank account number.
I have had money removed from my account by a previous employer. I had set up direct deposit of my paycheck into my checking account. Then one time that I received a statement of my account, I noticed that money had been withdrawn by my employer. As I recall, this has happened twice.

makyen

------------------------------

From: Lynne Gregg
Date: 08 Aug 94 09:50:00 PDT
Subject: Re: Internet White Pages

jeffrey@minerva.cis.yale.edu (Jeffrey Licht) said:

> * Do people posting on Usenet know that their e-mail addresses are being recorded? (I doubt it.)

PROBABLY NOT.

> * Does anyone have the right to publish this information about me, for personal gain, without contacting me first? This is currently done all the time with (snail) mailing lists - is it appropriate for the Internet?

YOU BET THEY HAVE THE RIGHT: THIS IS A PUBLIC - NOT PRIVATE - NETWORK.

> * And if this book calls itself a "White Pages", is there a provision to request an unlisted number? (There may be - I didn't look at it long enough to find out.)

IN THAT BOOK, YOU'LL FIND THEIR EMAIL ADDRESS TO REQUEST ADDS/DELETIONS. MY DISCOVERY WAS SIMILAR TO YOUR OWN. ONLY ONE OF MY EMAIL ADDRESSES WAS LISTED. I ASKED FOR THE OTHER TO BE INCLUDED AS WELL. I THINK THE WHITE PAGES IS A GREAT IDEA - AND OVERDUE.

------------------------------

From: "David A. Honig"
Date: 08 Aug 1994 14:13:32 -0700
Subject: Re: Internet White Pages
Organization: UC Disneyland, in the Kingdom of Bren

jgd@dixie.com (John De Armond) writes:

> jeffrey@minerva.cis.yale.edu (Jeffrey Licht) writes:
>
> > * Do people posting on Usenet know that their e-mail addresses are being recorded? (I doubt it.)
>
> If a person speaks in public to an audience of thousands, does he know that someone may have written down his name for future use? If he didn't, he should have.

I was shocked last year to find a classroom full of computer science grads who hadn't realized that everything they ever posted was stored on tape or CDROM by some TLA for use in security clearances.
John's statement should be amended to read, "if someone communicates and computers are involved, assume it's stored forever". This is just a corollary of plan for the worst.

--
David A. Honig, informivore
Prof. D. Denning: fool, fascist or Faust? Only the NSA knows for sure..
Ayatollah:Rushdie::NSA:RSA

------------------------------

From: flb@flb.optiplan.fi (F.Baube[tm])
Date: 08 Aug 94 19:51:44 EET
Subject: Re: Set Top Boxes

Surely sendmail reeled when thusly spake Marc Thibault:

> (1) If you had to pay the full cost of delivering television programming to your home, you would spend more time in theatres. A lot of people would choose to do without TV. Advertisers pick up the tab and make TV cheap for us to watch. It is appropriate that they get some compensation in the form of viewer attention.

I'm not sure this is strictly privacy-related, but ..

There's a third possibility, TV licenses. Call me silly, but I happen to *like* commercial-free TV, and I'm more than willing to pay a reasonable amount for it. (It means movies are still coherent, for one thing.)

I'm not sure how such a policy option could translate to the case of the set-top box. Perhaps those opting out of commercials would pay an extra fee that would contribute to a rebate pool for advertisers? Then *no* marketing data from *any* source could be used to target me.

--
* Fred Baube(tm)     * "Do you really want to hurt me ?
* GU/MSFS/88         *  I want your sex !
* baube@optiplan.fi  *  Because I'm bad, I'm bad Jammon, so
* #include           *  Stay just a little bit longer"
*                    *   -- Boy George Michael Jackson Browne

------------------------------

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.
Back issues are available via anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The archives are in the directory "pub/comp-privacy". People with gopher capability can access the library at gopher.cs.uwm.edu. Mosaic users will find it at gopher://gopher.cs.uwm.edu. Archives are also held at ftp.pica.army.mil [129.139.160.133].

End of Computer Privacy Digest V5 #021
******************************
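The access-log format quoted in Dennis Rears's "Are Web Servers Anonymous?" reply above (host, bracketed date, request line) can be checked directly, and doing so makes concrete what both replies in that thread say about anonymity: the record carries a host, not a person. What follows is an added example, not part of the digest and not the getstats program he mentions: a parser for that exact line format and the per-top-level-domain summary he describes wanting. The sample log is constructed for illustration; only the two pica.army.mil lines are taken from the digest, and the remaining hosts and the 192.0.2.7 address (a reserved documentation address, standing in for a client whose reverse DNS failed) are assumed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log in the format quoted in the digest: "<host> [<date>] <request line>".
# The first two lines are the ones shown in Dennis Rears's message; the rest are invented
# to give the summary something to count (192.0.2.7 is a reserved documentation address).
SAMPLE_LOG = """\
qa.pica.army.mil [Mon Aug 8 09:16:42 1994] GET /drears/images/blueball.gif HTTP/1.0
zircon.pica.army.mil [Mon Aug 8 09:22:42 1994] GET /sunnet.html/ HTTP/1.0
netcom9.netcom.com [Mon Aug 8 09:30:01 1994] GET /index.html HTTP/1.0
cs.bu.edu [Mon Aug 8 09:31:15 1994] GET /papers/ HTTP/1.0
192.0.2.7 [Mon Aug 8 09:40:00 1994] GET /index.html HTTP/1.0
"""

# One record: host, bracketed timestamp, method, path, protocol version. Nothing else is
# present in this format: no username, no referring page.
LOG_RE = re.compile(
    r"^(?P<host>\S+) \[(?P<when>[^\]]+)\] (?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)$"
)

IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not in the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The bracketed field is a ctime-style stamp, e.g. "Mon Aug 8 09:16:42 1994".
    rec["when"] = datetime.strptime(rec["when"], "%a %b %d %H:%M:%S %Y")
    return rec


def top_level_domain(host):
    """Classify a logged host by its top-level domain (mil, com, edu, ...).

    A bare IP address, which an httpd logs when reverse DNS fails, is grouped as "ip".
    """
    if IPV4_RE.fullmatch(host):
        return "ip"
    return host.rsplit(".", 1)[-1].lower()


def summarize(log_text):
    """Hit counts per top-level domain, the kind of overall report an admin asks for."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[top_level_domain(rec["host"])] += 1
    return dict(counts)


def fields_recorded(log_text):
    """Names of the fields a record in this format actually carries."""
    first = next(r for r in map(parse_line, log_text.splitlines()) if r is not None)
    return sorted(first)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))        # {'mil': 2, 'com': 1, 'edu': 1, 'ip': 1}
    print(fields_recorded(SAMPLE_LOG))  # ['host', 'method', 'path', 'proto', 'when']
```

The field list returned by fields_recorded is the whole of what this format keeps: there is a host but no username and no previously visited page, which is the point both replies make. Tying a host to a person takes information from outside the log, as Peter Leppik's reply notes (the owner of a single-user machine, or a SLIP provider's own records). Later httpd log formats record more than the one shown here: the Common Log Format adds ident and authuser fields, and the Combined format adds the Referer and User-Agent headers, so the "no information on the previous page" statement holds for this format, not for web logs in general.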