Date: Sat, 03 Sep 94 08:30:15 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V5#030

Computer Privacy Digest   Sat, 03 Sep 94   Volume 5 : Issue: 030

Today's Topics:                          Moderator: Leonard P. Levine

    Re: Online Stalking
    Re: Online Stalking
    Cordless Phone Privacy
    Big Brother (not just) on the Autobahn
    Re: Post Office Boxes
    INS Signs Deal to Help Catch Illegals
    Re: Bank Account Numbers
    Re: Bank Account Numbers
    Re: Internet White Pages
    Re: Internet White Pages
    Databases, was DM News Article
    Re: Electronic Cash
    Re: WA State DOT "Congestion Pricing" Project
    Re: Fingerprinting/Identifying Children

---------------------------------------------------------------------
Housekeeping information is located at the end of this Digest.
----------------------------------------------------------------------

From: beuchaw@ocdis01.tinker.af.mil (Brian Beuchaw)
Date: 01 Sep 94 10:15:01 -0500
Subject: Re: Online Stalking

"BETH GIVENS" writes:

> Regarding "What can one do with an e-mail address...Try to stalk me?
> Haha."
>
> We got a call on the Privacy Rights Clearinghouse hotline last year
> from a woman who was being stalked via e-mail at her job.  The stalker
> worked on the same campus and also made his presence known in the
> building in which she worked.  Because of the persistence of the
> messages and the threats they contained, she left her job and moved to
> another city.  -- Beth Givens, PRC

David A. Honig writes:

> How could the stalker send email and not incriminate herself?  The
> stalker would need to be root to go around the mailers and systems can
> be set up to log who becomes root, unless the stalker is cleverer than
> the rest of the sysops.

The stalker could remain unincriminated very easily.  There are quite a
few anonymous remailers (and a World Wide Web server) that a person could
use.
The remailers generally strip off the userid, but leave the site that the
original email came from in the header (although I understand that some
strip all the headers).

Brian Beuchaw
beuchaw@ocdis01.tinker.af.mil

------------------------------

From: jya@pipeline.com (John Young)
Date: 01 Sep 1994 17:29:24 -0400
Subject: Re: Online Stalking
Organization: The Pipeline

"BETH GIVENS" writes:

> Regarding "What can one do with an e-mail address...Try to stalk me?
> Haha."
>
> We got a call on the Privacy Rights Clearinghouse hotline last year
> from a woman who was being stalked via e-mail at her job.

A federal bill has been introduced to prohibit electronic harassment:

From: "EUGENE VOLOKH"
To: Multiple recipients of list
Subject: A bill amending the telephone harassment statute to cover e-mail

FULL TEXT OF BILLS
103RD CONGRESS; 2ND SESSION
IN THE HOUSE OF REPRESENTATIVES
AS INTRODUCED IN THE HOUSE

H. R. 5015
1994 H.R. 5015; 103 H.R. 5015

SYNOPSIS:
A BILL To amend section 223 of the Communications Act of 1934 to prevent
the harassment by computer modem or other electronic device.

DATE OF INTRODUCTION: AUGUST 21, 1994
DATE OF VERSION: AUGUST 24, 1994 -- VERSION: 2

SPONSOR(S):
Mr. MFUME introduced the following bill; which was referred to the
Committee on Energy and Commerce

TEXT:
A BILL To amend section 223 of the Communications Act of 1934 to prevent
the harassment by computer modem or other electronic device.

* Be it enacted by the Senate and House of Representatives of the United
States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the "Electronic Anti-Stalking Act of 1994".

SEC. 2. AMENDMENT.

Section 223(a) of the Communications Act of 1934 (47 U.S.C. 223(a)) is
amended by adding at the end thereof the following new sentence: "For
purposes of subparagraphs (B), (C), and (D), the terms 'telephone' and
'telephone call' include communications by means of computer modem or any
other two-way wire or radio telecommunications device.".
FYI, I also attach the text of 47 USC 223(a):

| 223. Obscene or harassing telephone calls in the District of Columbia
|      or in interstate or foreign communications
|
| (a) Whoever--
|   (1) in the District of Columbia or in interstate or foreign
|   communication by means of telephone--
|     (A) makes any comment, request, suggestion or proposal which is
|     obscene, lewd, lascivious, filthy, or indecent;
|     (B) makes a telephone call, whether or not conversation ensues,
|     without disclosing his identity and with intent to annoy, abuse,
|     threaten, or harass any person at the called number;
|     (C) makes or causes the telephone of another repeatedly or
|     continuously to ring, with intent to harass any person at the
|     called number; or
|     (D) makes repeated telephone calls, during which conversation
|     ensues, solely to harass any person at the called number; or
|   (2) knowingly permits any telephone facility under his control to be
|   used for any purpose prohibited by this section,
| shall be fined not more than $ 50,000 or imprisoned not more than six
| months, or both.

--
Eugene Volokh, Acting Professor, UCLA Law School

------------------------------

From: Shawn Leard <71370.2551@compuserve.com>
Date: 02 Sep 94 23:24:16 EDT
Subject: Cordless Phone Privacy

I am in the process of pondering over purchasing one of these 900 MHz
cordless phones and was wondering if anyone has any recommendation?  What
I am mainly looking for, besides good reception, is a very solid & secure
Tx between the handset and the base.  This is unlike the normal cordless
phones that Tx in the 400 MHz band and offer so-called secure Tx that can
still be picked up and understood with a normal scanner.

Thanks,
Shawn Leard

------------------------------

From: anonymous posting
Date: 03 Sep 1994 12:00:00 -0500 (CDT)
Subject: Big Brother (not just) on the Autobahn

Dear Moderator:  Please remove my return address from this message.
The following excerpt is from the newsgroup sci.military:

Subject: AF News Svc 30 Aug 94
Sender: military@ranger.daytonoh.ncr.com (Sci.military Login)
Organization: Hq Air Force News Agency/SCX
Date: 31 Aug 1994 16:19:13 GMT

616.  Rome to aid highway managers

GRIFFISS AFB, N.Y. (AFNS) --- America's highways should become less
congested as the result of signal processing and computer technologies
developed at the Air Force Material Command's Rome Laboratory here.

Rome Laboratory entered into an agreement in July with federal and New
York transportation agencies to pioneer development of an automated
traffic monitoring system.  The system will assist traffic managers in
planning for --- and relieving --- congestion on major U.S. highways.

The system will make use of advanced signal processing, neural network
and distributed systems technology, all of which are major technology
areas to Rome Laboratory.

By employing video sensors, processors, communications services, and a
closed-loop feedback system to monitor expressway traffic, engineers will
be able to gain insight into congestion build-up, officials say.  This
will permit early action --- such as electronic messages to motorists or
altering traffic signals --- to reduce or eliminate problems caused by
accidents, poor weather conditions or peak driving periods.

Rome Laboratory will serve as the executive agent and will have the
primary responsibility for managing the program.  The Federal Highway
Administration will provide funding, while the New York transportation
department will provide housings for the monitoring sensors, technical
services and expertise to assist with the operational aspects of
installing and testing the system.

[Obviously the USAF is putting a "government is your friend" spin on this
story, but this program is just a small step from more draconian forms of
surveillance.]
------------------------------

From: "Dennis G Rears (FSS"
Date: 01 Sep 1994 14:53:53 GMT
Subject: Re: Post Office Boxes
Organization: U.S Army ARDEC, Picatinny Arsenal, NJ

Re: the article about PO boxes.  There are actually two issues here:

  1. The Post Office releasing your address
  2. Somebody finding out your address

Issue #1:  USPS regulations state that to have a PO box the USPS must
have your current "real address".  To get the Box you must give them your
address and they then send you a card at the address which you bring in
for your Box.  One way around this is to have the card go to your work
address or your friend's house.  In my case I have moved six times since
I originally got my PO Box.  I have never given USPS an updated address.

Issue #2:  Ok, you have gone to USPS and they don't have my correct
address.  You then try through the phone company (one of my numbers is
listed); the address is most likely in the phone book.  That doesn't
work.  You do social engineering through the electric or gas company.  If
the person owns property you check various tax records in communities
around the PO box town.  That doesn't work.  You then wait until the
person picks up the mail and follow them.

dennis

------------------------------

From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
Date: 01 Sep 94 13:22:42 EDT
Subject: INS Signs Deal to Help Catch Illegals

The major newswires (AP, UPI, Reuter) all carried stories on 94.08.30
concerning the largest contract in the history of the U.S. Immigration
and Naturalisation Service (INS).  The $300 million, five-year contract
with Electronic Data Systems Corp (EDS) will speed up border agents' work
by eliminating paperwork and manual data re-entry.  The new systems will
also link INS computers with those of other agencies; e.g., the FBI.
Database linkages will help identify criminals and reduce fraud, said the
press reports.
[MK comment: it will be interesting and important to monitor this project
to protect highly confidential and critical data and to prevent
unauthorized tampering with the files.]

M.E.Kabay,Ph.D./DirEd/Natl Computer Security Assn (Carlisle, PA)

P.S.  COMPUTER PRIVACY participants who have access to CompuServe's
NCSAFORUM will find interesting discussions in our Ethics/Privacy
section.

------------------------------

From: day11@aol.com (DAY11)
Date: 01 Sep 1994 16:18:06 -0400
Subject: Re: Bank Account Numbers
Organization: America Online, Inc. (1-800-827-6364)

Bank One informed me that if you ARE going to let a company withdraw
funds from your account through ETF, it is VERY IMPORTANT that you
include an EXACT AMOUNT on your agreement with the company.  Banks can
only stop an ETF by an amount number, so if your payment amount is 150.00
and you decide to stop the draw, a company CAN withdraw $149.99, and it
will go through (unless your agreement says $150.00).

------------------------------

From: glr@ripco.com (Glen Roberts)
Date: 01 Sep 1994 23:27:55 GMT
Subject: Re: Bank Account Numbers
Organization: Ripco Internet BBS, Chicago (312) 665-0065

Albert Zhou (skypatrl@crl.com) wrote:

> If the bank decides not to give you money back, then you have to try to
> collect it, possibly taking them to court.  If it's a small amount, you
> probably don't want to spend a lot of legal fees to pursue it.  So you
> lose money.  If it's a charge on the credit card, you can simply refuse
> to pay.  To get money from you, the credit card company has to initiate
> legal actions against you.  If it's a small amount, or if they don't
> think they can win, they'll just forget about it.  So you DON'T lose
> money.  See the difference?

I am not sure it is an EFT transfer either.  What the telemarketers do is
collect the account number and bank number information (from the bottom
of the check) and send that information, along with the amount, to a
service bureau that prints a facsimile check.
It looks like the real thing, has encoded numbers at the bottom like the
real thing.  A deposit slip is written up by the merchant and the back is
endorsed like the real thing.  Just, it wasn't written nor signed by the
issuer.

--
Glen L. Roberts, Editor, Full Disclosure Magazine
Host Full Disclosure Live (WWCR 5,810 kHz - Sundays 7pm central)
email glr@rci.ripco.com for information on The Best of Full Disclosure,
four volumes to blow your mind.  Voice/Fax on demand: (708) 356-9646
email for uuencoded .TIF of T-Shirt Honoring the FBI

------------------------------

From: hedlund@teleport.com (M. Hedlund)
Date: 01 Sep 1994 14:55:29 -0700
Subject: Re: Internet White Pages
Organization: Teleport - Portland's Public Access (503) 220-1016

Shawn Leard <71370.2551@compuserve.com> wrote:

> Could someone please post the e-mail address to be taken off the
> Internet White Pages?

To remove yourself:   delete@whitepages.com
  *Be sure to send a message from each account you use!*
To add yourself:      add@whitepages.com
To speak your mind:   comments@whitepages.com

Obviously, changes will only take effect if and when a second edition is
published.  I know of no deadline to pull yourself from the second
edition; yet another reason why I wish these people would post a monthly
announcement to news.announce.important.  (They never responded to my
request that they do so.)

------------------------------

From: Paul Robinson
Date: 02 Sep 1994 12:53:05 -0500 (EST)
Subject: Re: Internet White Pages
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA

John Medeiros <71604.710@compuserve.com> writes:

> skypatrl@crl.com (Albert Zhou) writes:
>
> > What can one do with an e-mail address?  Sending junk mails?  They
> > are much easier to dispose of than paper junk mails.  Try to stalk
> > me?  Haha..

Tempt not fate, lest those with less regard for you fill (as in several
thousand messages) your electronic mailbox with material that an old
sailor would find objectionable.
Then again, if you don't mind sifting through to find your mail, I guess
it's okay.  Personally, I'd be mad.

In alt.sex.stories is an article entitled "The Engineer: Scorched Earth"
which, if it hopefully has expired by now, is the kind of thing that
gives a bad name to Internet.  I have a copy of the article as well as my
own replies to it, and I'll send it on to anyone that wants to read it.
Let me warn you, if you have any decency at all the story will sicken
you.  The damn thing fascinated me the way a mongoose fascinates a
rattlesnake, however.  If I wanted to list the worst, most vile and
degrading things that could be done to someone, I couldn't have thought
up even 1/2 of the things that appear in that article.

"Stalk you", laugh not, remember, he who laughs last, laughs best.  Some
of the crackers around us are quite capable of doing just that.
Everything that someone can do to you in the "real world" can be done to
you here.  Well, almost everything.  After reading "The Engineer:
Scorched Earth" I realized that there are some people infesting the 'Net
who have the kind of perverse ideas that make Marquis DeSade look like a
Trappist Monk.

---
Paul Robinson - Paul@TDR.COM
Voted "Largest Polluter of the (IETF) list" by Randy Bush

------------------------------

From: glr@ripco.com (Glen Roberts)
Date: 01 Sep 1994 23:34:36 GMT
Subject: Databases, was DM News Article
Organization: Ripco Internet BBS, Chicago (312) 665-0065

Prof. L. P. Levine (levine@blatz.cs.uwm.edu) wrote:

> DM News is a weekly trade newspaper that calls itself "the weekly
> newspaper of record for direct marketers."  A commentary by Ray Schultz
> in the August 15th issue discusses the opinions of direct marketeers
> and of privacy advocates with respect to the privacy of the databases
> they use.
> In this review of his commentary I have quoted the italicized portions
> of his remarks, and paraphrased the rest:
>
> Discussing a cooperative arrangement of two corporations to combine
> databases to enhance and model data:
>
> He ends with a tongue in cheek comment about how crazy these privacy
> advocates are.  I believe his intent is to warn his industry about
> improper practice.  Even the list buyers are beginning to know that
> they are going very far and are risking legislation to control them.

Well (as I have posted in other areas), a collection agency, Check-Rite,
has decided that I am a Lawrence XXX because somewhere they got my home
telephone associated with Lawrence.  They are SO SURE of themselves that
they have disclosed all the details of Lawrence's alleged financial
difficulties to me.  They have even persisted after I filed a complaint
with the State of Illinois (with whom they have a license); a copy of the
first complaint was faxed to Check-Rite.  The second complaint was filed
today.

Remember, the COMPUTER IS ALWAYS RIGHT!

p.s.  I spoke with the business that hired Check-Rite and they assured me
that they would look into it and get back to me today... no call back.
But.. I did spend about 2-1/2 minutes of my time, and located the real
Lawrence....

Obviously, Ray Schultz needs his privacy raped!

--
Glen L. Roberts, Editor, Full Disclosure Magazine
Host Full Disclosure Live (WWCR 5,810 kHz - Sundays 7pm central)
email glr@rci.ripco.com for information on The Best of Full Disclosure,
four volumes to blow your mind.  Voice/Fax on demand: (708) 356-9646
email for uuencoded .TIF of T-Shirt Honoring the FBI

------------------------------

From: Paul Robinson
Date: 02 Sep 1994 13:05:02 -0500 (EST)
Subject: Re: Electronic Cash
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA

Nevin Liber writes:

> Paul McKeever wrote:
>
> > Anonymity is not a problem with digital cash.  For example, I hold a
> > card for a photocopier....
> The technology you describe is no different than paper cash is today.
> There isn't much value added by this approach over paper cash ...  I'd
> suspect that it is fairly easy to forge.

Often too easy.  The saving grace is that unless you work for a
department that owns equipment to make magnetized tokens (a 'token'
meaning an access device similar to the one indicated, e.g. the
photocopier card), it's too expensive for casual use EXCEPT and unless
the person is SELLING bogus cards.  They caught some people doing this
with the magnetic cardboard cards issued for train fare by the Washington
Metropolitan Transit Authority a few months ago, and I think a few other
cities have had this problem every so often.

> People want to be able to use digital cash for things like paying for
> goods and services over the Internet.  What this does is free me from
> being physically present when I want to do an anonymous transaction.
> The scheme above is inadequate for this.

I have an idea on what can be done.  This solves a number of problems
that we currently have on the Internet with respect to the transfer of
very tiny charges, e.g. charging someone 2-4c per megabyte for FTP
transfers.

What we need is some specification for a "funds transfer system" or FTS
(so as not to be confused with FTP) protocol that allows me to give to a
site an FTS transaction authorization, which would be the following:

(1) my authentication (so it knows what account to debit).  Note that I
    can open an FTS account either by mailing money to the operator of
    the service and specifying my own passcode, or by charging it to a
    credit card or wiring him the funds via Western Union or American
    Express, depending on what he wants to offer, or even by paying the
    owner of a current authorization to transfer funds to create an
    authentication.  I can either ask for an account anonymously by
    specifying an identifier, or by requesting one directly.
    I can add money to the account at any time either via direct payment
    or via someone else sending an FTS transaction to it.  I can withdraw
    money from the account at any time (subject to hold/clearance on
    escrow transfers) and will receive either a check, travelers' checks
    or money orders depending on what the request is for.  I would be
    charged a service charge to withdraw money according to the cost of
    delivery.

(2) my passcode (so it knows I am the one who authorized it).  This
    ensures that I am the one who issued the transaction.

(3) a possible "magic cookie" (either the result of my last FTS
    transaction or the next sequence number in a private list).  This
    prevents "replay" transactions since the sequence number, for
    maximum protection, should be "one shot" and once used, it can't be
    reused.

(4) the amount of the transaction or a limit maximum.  Using a "credit
    limit" allows me to do a set of transactions without having to get a
    fresh one each time I need to do something.  Once the transaction is
    completed, then the total amount can be charged.  This could be
    useful for doing a series of ongoing transactions at one time.

The FTS recipient would use the FTS transaction identifier to query the
FTS server for authorization to begin the transaction.  The FTS recipient
would either be given permission for the transaction or denied for any of
various reasons (duplicate cookie, bad cookie, amount requested exceeds
value of cookie, amount requested exceeds funds in account, cookie
accepted, credit cookie accepted for up to $nn.nnn).  The FTS server
would charge a small fee, let's say 2c per transaction, in order to
recoup costs.

Anyone can open an account with any amount of at least, say, $3.  There
would be a transaction charge to open an account, say $1 to cover
postage.  Anyone who has an account can use it to either make payments or
to receive them.
If I want to order something from someone I can give him a cookie for the
amount of the order; I don't have to mail him a check or anything else.
Further, let's tie the transaction identifier into the recipient's own
FTS account number; this would then prevent someone intercepting the
transaction since they could only use it to credit the destination
recipient.

What would it take to make this possible?

1. Availability of a standard protocol for making requests for funds
   transfers.  Not difficult.  The request and reply should use
   authentication to prevent spoofing.  This could be tied into Kerberos
   services in a similar manner.

2. Availability of a standard site or sites to handle transactions.
   Mainly it's the cost of setting this up that's a problem.

3. Legal issues.  Doing this may constitute the legal equivalent of
   running a bank, but since casinos and pawnbrokers routinely handle
   money transfers, as does Western Union and American Express.  Beyond
   which, the only thing that is being transferred is authorizations; no
   real money changes hands until someone actually requests that they be
   sent cash.

4. Soundness of the authenticator.  Does the operator have enough
   resources to cover the cost of operating the network connections and
   computers, and will they make enough to cover their costs plus profit,
   and to pay out transactions?

5. Security of the authenticator.  Does the authenticator's software have
   sufficient protections against overdrafts, transaction spoofing, and
   pre-release of escrowed funds?  How fast can he make payment without
   allowing for scams, where someone sends him a credit card payment,
   then uses his account to make a transaction to a third party, who then
   closes their account, gets a refund, and then the original charge is
   disputed as a charge on a stolen card?

6. Integrity of the authenticator.  Does the operator have
   insurance/bonding against errors and omissions, or embezzlement?
   Where does he put customers' funds while waiting for actual requests
   for payment?  In a checking account or in T-Bills, and how fast can he
   redeem funds in the event of a large withdrawal?

One example would be if wuarchive.wustl.edu was to start charging, say 2c
per megabyte for downloaded files.  (The administrator once posted that
this was what it would cost them including all overhead, based on the 30
billion bytes of file transfers during one month last year, e.g. about
$7500 a month.)  With that, the first 1 meg would be 4c to cover the
authenticator's service.  So a download of a file like the shareware game
DOOM, which is about 3 1/2 meg uncompressed, would cost 10c in transfer
costs.  Not a tremendous amount of money, but enough that a place could
afford the cost of "all those leeches" that are sucking down huge amounts
of bandwidth using FTPs.

At the end of the month, for example, perhaps 40,000 accounts had been
debited an average of 19c each for the FTP downloads they made.  The
service would get the $7500 that this is costing them for the T1 service,
the disk space, and the electricity and partial salaries of the service
people.  The processor would receive $1500 in transaction charges based
on possibly 30,000 connections at 2c each.  Each of these people would
see their Internet cash accounts reduced by the average 19c or whatever
they used.

A transactional system such as this can be a win-win situation for
everyone; people can make lots of small-cost transactions without the
huge overhead usually involved (it would be cheaper for me to pay the
processor for a transaction [perhaps 10c for small transaction volume
users] and include a transaction ID in an E-Mail message for something I
want to order, than it would be for me to go buy a money order and mail
it [75c for the money order plus 30c for the stamp]).

There are two basic problems with this scenario.
The first is that a lot of people wail and whine about not wanting to pay
for resources that are now free, and the second question is whether there
is enough interest in automated funds transfers to support this sort of
activity.

In answer to the first question, the heavy loads and long delays to get
access to most of the popular FTP sites show what happens when there is
no way to get others to pay for usage of resources where someone else is
consuming them.  As it is, with FTS transaction capability, all those
connections translate into *money* which pays for itself.  So you're
getting 5,000 people each hour trying to log on.  The amount of traffic
they generate pays for the amount of traffic they generate.  If it keeps
up on a regular basis, you use the funds they generate to purchase more
equipment, and so on.

Anyone care to try a simulated experiment?

---
Paul Robinson - Paul@TDR.COM
Voted "Largest Polluter of the (IETF) list" by Randy Bush

------------------------------

From: weh@SEI.CMU.EDU (Bill Hefley)
Date: 02 Sep 1994 14:49:20 EDT
Subject: Re: WA State DOT "Congestion Pricing" Project
Organization: The Software Engineering Institute

Peter Marshall writes:

> Proposal for the "Puget Sound Congestion Pricing" project was initiated
> by United Infrastructure Washington, Inc., and describes "a phased
> approach to introducing the concept of congestion pricing in the urban
> growth areas of Puget Sound," involving use of "peak period fees."

A recent Scientific American (the same one that had the big article on
software, if I recall) also had an article about the theories behind
"congestion pricing".  Interesting reading, even if you don't agree with
their conclusions.

--
Bill Hefley
Software Engineering Institute, Carnegie Mellon University
Pittsburgh, PA 15213 U.S.A.
Office: +1-412-268-7793, Fax: +1-412-268-5758, internet: weh@sei.cmu.edu

------------------------------

From: Paul Robinson
Date: 02 Sep 1994 11:58:07 -0500 (EST)
Subject: Re: Fingerprinting/Identifying Children
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA

> You have reason to doubt me when I tell you that this child is mine,
> you might even suspect that the child is kidnapped...so you run the
> kid's prints and discover that your intuition was correct.  I might
> have pretty convincing stories about the fire that destroyed our only
> copy of the birth certificate, the tragic death of all the relatives
> who could have vouched for my being his father...but if those prints
> match the prints of a child listed as missing, no amount of tapdancing
> will get me off the hook.

Are you referring to the fire that destroyed the county courthouse where
the original birth certificate is stored and is available for less than
$10, and can often be ordered by mail in a week, or the alleged copy you
supposedly had?  Unless the courthouse burns down there is always a copy
of the BC available, which can be certified.

---
Paul Robinson - Paul@TDR.COM
Voted "Largest Polluter of the (IETF) list" by Randy Bush

------------------------------

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.

Back issues are available via anonymous ftp on ftp.cs.uwm.edu
[129.89.9.18].  Login as "ftp" with password "yourid@yoursite".  The
archives are in the directory "pub/comp-privacy".  People with gopher
capability can access the library at gopher.cs.uwm.edu.  Mosaic users
will find it at gopher://gopher.cs.uwm.edu.  Archives are also held at
ftp.pica.army.mil [129.139.160.133].
End of Computer Privacy Digest V5 #030
******************************
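Editor's added illustration of the FTS authorization exchange that Paul Robinson sketches in his "Re: Electronic Cash" message above: the four-part authorization (account, passcode, one-shot "magic cookie", exact amount or credit limit), the recipient's query to the FTS server, the server's accept/deny outcomes as he lists them, and his later suggestion of tying the transaction to the recipient's own account so an intercepted authorization can credit nobody else. This is Python written for this digest page, not code from the digest, from Paul Robinson, or from any real payment system. One substitution is made here that is not in the proposal: instead of handing the recipient the passcode itself (which every recipient would then learn), the payer's authorization carries an HMAC computed with a key derived from the passcode, so neither the recipient nor anyone copying the message in transit obtains a reusable secret. The account names, passcodes, salts, the `FTSServer` and `Authorization` names, and the sample amounts are all constructed for the example; the 2c fee, $3 minimum and $1 opening charge are the figures the message itself gives.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

FEE = Decimal("0.02")        # the proposal's 2c server charge per transaction
MIN_OPEN = Decimal("3.00")   # the proposal's smallest opening deposit
OPEN_FEE = Decimal("1.00")   # the proposal's one-time account-opening charge


def derive_key(passcode: str, salt: bytes) -> bytes:
    """Payer and server derive the same MAC key; the passcode itself never travels."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)


def mac_for(key: bytes, *fields) -> str:
    """HMAC-SHA256 over the transaction fields in a fixed order."""
    return hmac.new(key, "|".join(map(str, fields)).encode(), "sha256").hexdigest()


@dataclass(frozen=True)
class Authorization:
    account: str               # (1) whose account to debit
    cookie: int                # (3) one-shot sequence number, or id of a credit cookie
    recipient: str             # the only account this authorization may credit
    amount: Optional[Decimal]  # (4) exact amount ...
    limit: Optional[Decimal]   # ... or a credit limit for a series of charges
    mac: str                   # (2) proof that the passcode holder issued it


def make_authorization(account, passcode, salt, cookie, recipient,
                       amount=None, limit=None) -> Authorization:
    """Payer side: sign the fields with the passcode-derived key."""
    mac = mac_for(derive_key(passcode, salt), account, cookie, recipient, amount, limit)
    return Authorization(account, cookie, recipient, amount, limit, mac)


class FTSServer:
    def __init__(self):
        self.acct = {}       # account -> {"key": bytes, "balance": Decimal}
        self._used = set()   # (account, cookie) one-shot cookies already spent
        self._credit = {}    # (account, cookie) -> credit left on a limit cookie

    def open_account(self, account, passcode, deposit) -> Optional[bytes]:
        """Returns the salt the payer needs for derive_key(), or None if refused."""
        if account in self.acct or deposit < MIN_OPEN:
            return None
        salt = secrets.token_bytes(16)
        self.acct[account] = {"key": derive_key(passcode, salt), "balance": deposit - OPEN_FEE}
        return salt

    def authorize(self, auth: Authorization, recipient: str, requested: Decimal) -> str:
        """Recipient side: may `requested` be charged against `auth`?  Replies use the proposal's outcomes."""
        payer = self.acct.get(auth.account)
        if payer is None or recipient not in self.acct:
            return "denied: unknown account"
        expected = mac_for(payer["key"], auth.account, auth.cookie, auth.recipient, auth.amount, auth.limit)
        if not hmac.compare_digest(expected, auth.mac):
            return "denied: bad cookie"                  # forged or altered fields
        if auth.recipient != recipient:
            return "denied: bound to another recipient"  # copied and redirected
        key = (auth.account, auth.cookie)
        if auth.limit is None:                           # one-shot, exact amount
            if key in self._used:
                return "denied: duplicate cookie"        # replay of a spent cookie
            if requested > auth.amount:
                return "denied: amount requested exceeds value of cookie"
        elif requested > self._credit.get(key, auth.limit):  # reusable up to the limit
            return "denied: amount requested exceeds value of cookie"
        if requested + FEE > payer["balance"]:
            return "denied: amount requested exceeds funds in account"
        payer["balance"] -= requested + FEE              # debit payer (plus the fee)
        self.acct[recipient]["balance"] += requested     # credit the bound recipient
        if auth.limit is None:
            self._used.add(key)
            return "cookie accepted"
        self._credit[key] = self._credit.get(key, auth.limit) - requested
        return f"credit cookie accepted for up to ${self._credit[key]}"


def demo() -> dict:
    """Constructed walk-through; every account, passcode and amount is made up."""
    srv = FTSServer()
    a_salt = srv.open_account("alice", "correct horse", Decimal("10.00"))  # 9.00 left
    srv.open_account("bob", "hunter2", Decimal("5.00"))                     # 4.00 left
    m_salt = srv.open_account("mallory", "swordfish", Decimal("3.00"))      # 2.00 left
    pay = make_authorization("alice", "correct horse", a_salt, 1, "bob", amount=Decimal("0.50"))
    out = {"redirect": srv.authorize(pay, "mallory", Decimal("0.50"))}  # copy pointed elsewhere
    out["pay"] = srv.authorize(pay, "bob", Decimal("0.50"))
    out["replay"] = srv.authorize(pay, "bob", Decimal("0.50"))        # same cookie twice
    forged = Authorization("alice", 9, "mallory", Decimal("5.00"), None, pay.mac)
    out["forged"] = srv.authorize(forged, "mallory", Decimal("5.00"))
    ftp = make_authorization("alice", "correct horse", a_salt, 2, "bob", limit=Decimal("1.00"))
    out["ftp1"] = srv.authorize(ftp, "bob", Decimal("0.07"))   # 3.5 MB at 2c/MB
    out["ftp2"] = srv.authorize(ftp, "bob", Decimal("0.95"))   # more than is left
    broke = make_authorization("mallory", "swordfish", m_salt, 1, "bob", amount=Decimal("5.00"))
    out["broke"] = srv.authorize(broke, "bob", Decimal("5.00"))
    out["alice"], out["bob"] = srv.acct["alice"]["balance"], srv.acct["bob"]["balance"]
    return out


if __name__ == "__main__":
    print(demo())
```

Run it as a script, or call `demo()`, to see each outcome. The example goes a little beyond the message's prose in that it models both cookie kinds in one server (an exact-amount cookie is consumed on first use; a credit cookie is drawn down until its limit is reached) and exercises the two failures the message says the cookie and the recipient binding are meant to stop: the same authorization presented twice is refused as a duplicate cookie, and a copy presented by a different recipient is refused before any funds move. The "bad cookie" case shows why the authorization must be MACed over all of its fields, including the recipient and amount, and not just over the cookie number.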