Date: Wed, 09 Nov 94 07:20:04 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V5#060

Computer Privacy Digest Wed, 09 Nov 94              Volume 5 : Issue: 060

Today's Topics:                         Moderator: Leonard P. Levine

    Re: Must I Always Carry I.D?
    Re: Must I Always Carry I.D?
    Re: Must I Always Carry I.D?
    First Amendment Rights vs Regulation of the Net
    Re: Planting "Mistakes" to Guard Copyright
    Re: Other People's E-mail
    Re: E-mail Privacy Alert
    Re: E-mail Privacy Alert
    Snail-mail forwarding
    Re: Digitized Signatures
    Re: Digitized Signatures
    Re: Mother's Maiden Name
    Re: Mother's Maiden Name
    Re: Mother's Maiden Name
    Forged Mailings
    Re: Need help on making a computer/PC usage policy
    Re: Logging Entry and Exit.
    Re: Intrusive Supermarket Card
    Re: Book recommendation

----------------------------------------------------------------------

From: kadokev@rci.ripco.com (Kevin Kadow)
Date: 08 Nov 1994 02:09:02 -0600 (CST)
Subject: Re: Must I Always Carry I.D?

A friend recently told me that he thought you HAVE to carry I.D. of some kind with you at all times. I don't think you need "your papers

Not in the USA, but true in many other countries.

You CAN be hassled by the police if you don't have identification, and of course you need a driver's license to drive (and the driver's license functions as a de facto national ID card).

The one time I was hassled by the police for walking around my neighborhood at 3am (looking for a lost cat, which came back on her own the next day), they asked for my Social Security # and in a minute or so got back much information, some of it incorrect (the computer said I had a driver's license).

This is one reason so many people are opposed to the proposed 'Government services card' that Clinton mentioned a few months back, and to National healthcare and the associated ID card.

In America they cannot demand "Show me your papers, Comrade", so far...
--
kadokev@ripco.com                                    Kevin Kadow
FREE Usenet/Mail, inexpensive Internet - Ripco... Wearing white hats since 1983
Dialup:(312) 665-0065|Gopher:gopher.ripco.com|Telnet:foley.ripco.com ('info')

------------------------------

From: fd@wwa.com (Glen L. Roberts)
Date: 08 Nov 1994 16:26:57 GMT
Subject: Re: Must I Always Carry I.D?
Organization: WorldWide Access - Chicago Area Internet Services 312-282-8605 708-367-1871

A friend recently told me that he thought you HAVE to carry I.D. of some kind with you at all times. I don't think you need "your papers

By Frank Turano

(This originally appeared in Full Disclosure Magazine -- in the Police Encounter Forum)

QUESTION: You have said in your previous articles and your book on police encounters that a person is not required to identify himself or give other information to police officers. My cousin who is a law school student, told me that in the case you relied upon, Brown v. Texas, the police made an unlawful stop of Brown because there was no reasonable suspicion to believe that Brown was involved in any criminal activity and that was why Brown was not required to identify himself. He said that if an individual is lawfully stopped and the police have reasonable suspicion, that individual would be required to identify himself. What is your opinion on this?

ANSWER: I'm afraid that the courts have continually ruled the opposite of your cousin's conclusion. When the Supreme Court reversed Brown's conviction, a portion of that ruling might possibly be construed by the reader to mean that the police could not require Brown to identify himself because they lacked reasonable suspicion to believe that Brown was involved in criminal activity. But considering the past and more recent cases involving police stops, it is evident that reasonable suspicion is needed before the police may lawfully detain an individual, but an individual cannot be required to identify himself... even if there is probable cause to arrest.

In oral arguments before the Supreme Court, the state of Texas, being represented by Mr. Patton, claimed that when a person refuses to identify himself to a police officer "it tends to disrupt the goal of society over its citizens to make sure they are secure in their gains and their homes." The court responded to Patton... "How does that secure anybody by forcing them, under penalty of being prosecuted, to giving their name and addresses, even though they are lawfully stopped?" The Court went on to indicate that the state had no valid interest in putting a man in jail because he refused to identify himself.

If the 1979 Brown case leaves any doubt in the reader's mind that a person is not required to identify himself to a police officer, even when the police have reasonable suspicion, it was certainly cleared up in Kolender v. Lawson, 461 U.S. 352 (1983). In that case the Supreme Court stated... "States may not authorize the arrest and criminal prosecution of an individual for failing to produce identification on demand by a police officer... police officers with reasonable suspicion that an individual has committed or is about to commit a crime may detain that individual... for the purpose of asking investigative questions... but they may not compel an answer and they must allow the person to leave after a reasonable brief period of time...."

Based on Kolender, the 9th Circuit Court of Appeals in 1987 ruled in Martinelli v. City of Beaumont, 820 F.2nd 1491, that an individual approached by police cannot be arrested for refusing to produce identification.

******************************************************************************
This text is from Full Disclosure. Editor: Glen L. Roberts, Box 734, Antioch, Il 60002. Call the Surveillance Hotline: (708) 356-9646
******************************************************************************

--
Glen L. Roberts, Editor, Full Disclosure
Host Full Disclosure Live (WWCR 5,065 khz - Sundays 7pm central)
email fd@sashimi.wwa.com for catalog on privacy & surveillance.
Does 10555-1-708-356-9646 give you an "ANI" readback?
email for uuencoded .TIF of T-Shirt Honoring the FBI
Remember, fd _IS FOR_ Full Disclosure!

------------------------------

From: centauri@crl.com (Charles Rutledge)
Date: 08 Nov 1994 20:38:46 -0800
Subject: Re: Must I Always Carry I.D?
Organization: CRL Dialup Internet Access (415) 705-6060 [Login: guest]

A friend recently told me that he thought you HAVE to carry I.D. of some kind with you at all times. I don't think you need "your papers

Not true. The Supreme Court ruled sometime back that you are not legally bound to carry identification nor identify yourself to law enforcement officials unless they have suspicion that you are doing something illegal. The case dealt with a black man walking at night through a mostly white neighborhood and stopped by people and asked to identify himself. When he couldn't (he was not carrying any identification at the time), they arrested him for basically having no ID. In the ruling, the Supreme Court said that law enforcement officials have no right to demand ID from someone just minding his own business.

Of course, law enforcement officials often have a very liberal interpretation of what minding one's own business is.

--
Charles Rutledge | Liberty is a tenuous gift. Hard to win, easy
centauri@crl.com | to give away, and no will protect it for you.

------------------------------

From: KL9636A@american.edu (Kevin Levitt)
Date: 08 Nov 94 01:03:34 EST
Subject: First Amendment Rights vs Regulation of the Net
Organization: The American University

I am a senior at American University conducting a research paper on the issue of first amendment rights vs. regulation of the net. I am looking for opinions, articles, papers, and/or references on the subject.
Also, how can the government regulate the net without breaching our first amendment rights and should the net be regulated at all?

Thanks for your help!

--
Kevin Levitt
kl9636a@american.edu

------------------------------

From: morris@grian.cps.altadena.ca.us (Mike Morris)
Date: 08 Nov 1994 05:25:33 GMT
Subject: Re: Planting "Mistakes" to Guard Copyright
Organization: College Park Software, Altadena, CA

daf1@cec.wustl.edu (Danyel A Fisher) writes: How does one tell an illegal copy from a legitimate one, when the legitimate copy contains the fictitious city?

Thomas Brothers, a company that prints street map books for a lot of major cities used to mis-spell the name of a 1-block long minor street on each page. I discovered this when I spotted it on a page, and commented about it to the order lady when I telephone ordered a few as Christmas presents.

Recently they overhauled their Los Angeles map book, and now the minor street on my page is spelled correctly, and I can't find an error of that type on the page anywhere. Maybe they changed the system???

--
Mike Morris WA6ILQ | All opinions must be my own since nobody pays
PO Box 1130        | me enough to be their mouthpiece...
Arcadia, CA. 91077 | ICBM: 34.12N, 118.02W | Reply to: morris@grian.cps.altadena.ca.us

------------------------------

From: nevin@cs.arizona.edu (Nevin Liber)
Date: 08 Nov 1994 03:11:05 -0700
Subject: Re: Other People's E-mail
Organization: University of Arizona CS Department, Tucson AZ

Prof. L. P. Levine quoted: There still seems to be a lot of confusion remaining about if and when you can properly and legally read another person's electronic mail.

First off, what is "proper" and what is "legal" are two entirely separate things. One of the reasons that there is confusion over this issue is because people try to combine them.

Yet, the same basic rule we've always had for Postal Service mail applies to electronic mail: if the message isn't addressed to you, don't read it unless you have permission.
If in doubt, don't read other people's mail. Simple enough.

I would agree that this is the "proper" thing to do. However, I don't believe that there is any legal precedent for considering the Internet as a common carrier, such as the Post Office or a phone company.

THE ECPA EXCEPTIONS -- BUSINESSES. The ECPA does *not* protect the privacy of a business' internal e-mail.

Question: if my Internet mail passes through your business machine, are you legally allowed to read it?

There is some debate on the breadth of these exceptions. No court case has discussed how they apply to BBSs. I read these exceptions narrowly, and believe the prudent systems administrator should too.

Again, the proper thing is to read these exceptions narrowly, but I'm not at all convinced that legally they can't be taken more broadly.

What if a system administrator has specific information that a certain user might be using e-mail to discuss or even facilitate a crime? Does that justify nosing through the user's e-mail? Again, I believe only very narrow circumstances could justify it.

If we are talking about proper behavior, I agree. If we are talking about legal behavior, I'm not so sure.

A good point of reference: Remember that the same law applies to BBSs and telephone companies. Most people want to limit Ma Bell's right to monitor phone calls as much as possible. The same goes for e-mail.

Is there much case history to support this claim? The Steve Jackson case is different, since it was the government doing the intruding.

Unless there is legal precedent (case history) to support otherwise, the safest thing to do is not think of it as electronic mail but as electronic postcards, which any intervening party may photocopy (backup).
--
Nevin ":-)" Liber    nevin@cs.arizona.edu    (602) 293-2799
                                              ^^^ (520) after 3/95

------------------------------

From: stanley@skyking.OCE.ORST.EDU (John Stanley)
Date: 08 Nov 1994 20:52:56 GMT
Subject: Re: E-mail Privacy Alert
Organization: Coastal Imaging Lab, Oregon State University

wrote: In our experimentation with a freely available Internet software program, we have discovered that we can use someone else's e-mail address to mail messages and post to newsgroups. Readers of those messages can reply directly to the e-mail address.

Four things happen every fall:

1. Students advancing through the educational system move from net-less schools to net-available ones (high school -> college or jr. high to high ...).

2. Said students learn about SMTP.

3. Said students believe that they have discovered a secret that nobody else has ever noticed.

4. Some of said students get alarmed about how easy it is to use SMTP for less than honorable uses.

Welcome to the Fall.

What are your concerns and comments about this issue?

My concern is the implied assumption in this posting. That is: paper mail is different in this respect than email. A secondary concern is that a journalism class which is trying to deal with this issue is promulgating this misassumption.

In short, you have as little knowledge of the true author of any particular letter that shows up in your physical mailbox as you do of any email message. Even if you recognize the signature at the bottom of the page, you had better call the author to verify that someone else, who is also familiar with that signature, didn't forge the mail.

We are not mentioning the software program that allows this posting at this point because:

you think nobody else knows about it. What is truly sad is that your instructor is not correcting this misassumption before you made it public.

------------------------------

From: tale@uunet.uu.net (David C Lawrence)
Date: 09 Nov 1994 00:44:04 GMT
Subject: Re: E-mail Privacy Alert
Organization: UUNET Communications

Someone with a From: header of "Do not remove this tag under penalty of law " wrote in :

David Lawrence once posted an article in control that told how to forge a news message that would look like it came from the originating site without your own site's name appearing in it.

I have never posted an article instructing how to forge news articles. I particularly disavow "Better living through forgery", which is being repeatedly forged in my name.

The message was signed:

Paul Robinson - Paul@TDR.COM
Reports on Security Problems: To Subscribe write PROBLEMS-REQUEST@TDR.COM
Voted "Largest Polluter of the (IETF) list" by Randy Bush

... but who knows if that was the real author, apart from Mr. Robinson and his possible impersonator.

--
David Lawrence, moderator, news.announce.newgroups & news.lists
uunet news & archives

------------------------------

From: ratner@ficus.CS.UCLA.EDU (Dave Ratner)
Date: 08 Nov 1994 22:01:53 GMT
Subject: Snail-mail forwarding
Organization: UCLA Computer Science Dept.

Well, I recently moved (physical address, not email!). The US Post Office offers the ability to automatically forward all first-class mail sent to the old address to the new. Seems reasonable enough.

BUT: the "forwarding" card to be filled out requires no documentation to submit, and can even be mailed in to the postmaster of your old zip (postal) code.

So what stops random guy/stalker/person-mad-at-you from submitting a forwarding address card as you and getting all of your mail?

It would seem the Post Office should require at least a *little* documentation other than a signature which can't even be checked against anything.

Comments?

--
Please send money,      | Dave Ratner          | "Wham Bam, thank you
beer, or a signed PhD   | ratner@cs.ucla.edu   |  Van Damme!"
------------------------+----------------------+------------------------

------------------------------

From: Christopher Zguris <0004854540@mcimail.com>
Date: 08 Nov 94 09:15 EST
Subject: Re: Digitized Signatures

ruthann@mitre.org (Ruth Ann Brasie Valentine) sez: Apparently, retailers are required to keep records of all transactions for three years. I still said I didn't see why I had to sign and what were they doing with the signatures. She gave me the name of the company doing the computer work for them. It is Nabanco. She also gave me the customer service number, so I called. They were not happy to hear from me.

As a credit card merchant, I used to deal with Nabanco and speaking from experience I don't think they're happy when they hear from anyone! Nabanco -- or any credit card processor, for that matter -- isn't just "doing the computer work." Let me explain how it works for a small business (if you're Sears, the rules are a little different): a merchant pays for whatever credit card terminal the processor supports (usually an over-priced XON-something, with its companion over-priced printer), either use their terminal or go somewhere else (which is not trivial, and usually involves the same over-priced hardware). Now, once the merchant has the terminal, regular policy "updates" are sent down from VISA and MASTERCARD (the guys that issue the franchises to the banks that issue the cards). VISA and MASTERCARD are pushing for the digitized signatures because it's easier for them!

If enough people just refuse to play the game, merchants will get the message that *this approach* is not the way to combat fraud!

This line bugs me because it assigns blame to the wrong party and is an exercise in futility. The merchants have no say whatsoever (speaking as one, I know), arguing with a merchant will change nothing and send no message at all. You, Ruth Ann Brasie Valentine, called Nabanco as a retail card customer, and did they listen to you -- no.
You already said they didn't want to hear from you! So what makes you think a call from a merchant (even one of their own) voicing customer complaints would have any effect on this policy? If you want to send a message, contact the bank that issued your credit card and VISA & MASTERCARD that issued the franchise _to_ your bank and develop these procedures. No credit card processing occurs without their approval and no merchant could go ahead and do _anything_ without approval.

Make no mistake, the banks, VISA and MASTERCARD _want_ to implement digitized signatures. They are planning to implement digitization on every merchant's terminal (video store, flower shop, cleaners, etc.), if this bugs anyone then write to the people who are designing and buying the hardware (namely, the card-issuing banks, VISA and MASTERCARD). When the new terminals are cheaper, the Nabanco's and other credit card processors _will_ encourage all merchants to get them by creating dis-incentives in using the old ones.

--
Christopher Zguris
czguris@mcimail.com
(just another happy MCI customer)

------------------------------

From: fd@wwa.com (Glen L. Roberts)
Date: 08 Nov 1994 16:24:58 GMT
Subject: Re: Digitized Signatures
Organization: WorldWide Access - Chicago Area Internet Services 312-282-8605 708-367-1871

Prof. L. P. Levine (levine@blatz.cs.uwm.edu) wrote: Sears in my area has recently started asking for people to sign their credit card receipts while the receipts are on what is obviously a small digitizing pad. Sears doesn't make it obvious that this is the function of the device.

You can refuse to sign on the tablet. They'll probably have to call someone first to OK it.

There is a VERY USEFUL thing SEARS does with this information. But first, if you order something mail order, and DON'T SIGN THE SALES SLIP... the merchant is at great risk. Under their merchant agreement, upon request from the bank, they have to produce the signed sales slip.
If they can't do that, the changes can be reversed. So, complain to your bank that you didn't make a charge, if the merchant can't prove it with the signed sales slip... the merchant is out the money and the merchandise...

That means, the merchant has to manually search for the sales slip every time they get a search... now, Sears (and the other stores)... can just have the computer print one out...

--
Glen L. Roberts, Editor, Full Disclosure

------------------------------

From: thwong@cs.cornell.edu (Ted Wong)
Date: 08 Nov 1994 17:07:13 GMT
Subject: Re: Mother's Maiden Name
Organization: Cornell Univ. CS Dept, Ithaca NY 14853

Glen L. Roberts (fd) wrote: These little "secrets" to protect us... are only as effective as we believe that they are secret... Even more than protecting us, they make it EASY for a knowledgeable person to commit fraud, unhindered.

The point is that they prevent casual fraud by someone who happened to lift your wallet. Besides, if you wanted to get really fancy, all you would have to do is use some made-up name instead of the maiden name. It would take a more determined thief to crack your password.

--
-------------------------------------------------------------------------------
Ted Wong                                 Computer Science, Cornell University
-------------------------------------------------------------------------------

------------------------------

From: tale@uunet.uu.net (David C Lawrence)
Date: 09 Nov 1994 00:32:43 GMT
Subject: Re: Mother's Maiden Name
Organization: UUNET Communications

Barry Margolin writes: If someone steals your wallet they'll get your Social Security card [...]

Why are you even carrying your Social Security card?

------------------------------

From: poivre@netcom.com (Serrano)
Date: 09 Nov 1994 05:05:23 GMT
Subject: Re: Mother's Maiden Name
Organization: NETCOM On-line Communication Services (408 261-4700 guest)

Glen L. Roberts (fd@wwa.com) wrote: These little "secrets" to protect us... are only as effective as we believe that they are secret... Even more than protecting us, they make it EASY for a knowledgeable person to commit fraud, unhindered.

And don't forget that dishonest family members who obviously know one's mother's maiden name can defraud one real easy, not to mention also snooping on spouse and children to see their spendings.

--
poivre@netcom.com : #include

------------------------------

From: Maryjo Bruce
Date: 08 Nov 1994 09:26:27 -0800 (PST)
Subject: Forged Mailings

Someone used one of my accounts to post vulgar messages to newsgroups. I knew nothing about it until the messages were returned to me with demands that I cease and desist or they would...... It was at that point that things got interesting.

I am 1) a librarian 2) a minister 3) a paralegal. The groups to which these messages had been posted were ones I would never read. I replied, saying I was not familiar with that type of group and had not sent the messages. I expected help in finding the person who really sent them. No.

First, I was not believed. The administrator who returned the messages to me took the position that if the posts had my email address on them, they WERE from me or.....I was responsible for them no matter who sent them.

I next went to support. I forwarded the messages to them. Again, I expected help. The first reply I got focused entirely on my responsibility....I had not created a secure password, and therefore, I had, in effect, allowed someone to get into my account.

I was really amazed at their victim blaming. I did not know if the person sending the messages was still doing it. I needed help, and I wasn't getting it. I told them that they could take over the task of choosing my password. Furthermore, they knew mail could be sent with my address easily, without my password being discovered.

I phoned the company. Once I got to the right person in the organization, things were handled professionally.

------------------------------

From: stark@gwis2.circ.gwu.edu (Michael Ross Starkenburg)
Date: 08 Nov 1994 22:50:12 GMT
Subject: Re: Need help on making a computer/PC usage policy
Organization: The George Washington University, Washington DC

The Electronic Messaging Association in Rosslyn, VA has a packet on creating corporate policy. It is about 40 pages and costs about $45.00. They will fax you a summary for free. I don't know the number but they are in the 703 area code.

In addition, I am currently writing a paper on this subject. Copies will be available by emailing stark@gwis2.circ.gwu.edu

------------------------------

From: genghis@ilces.ag.uiuc.edu (Scott Coleman)
Date: 08 Nov 94 22:08:50 GMT
Subject: Re: Logging Entry and Exit.
Organization: University of Illinois at Urbana

ttw@beta.lanl.gov (Tony Warnock) writes: There is a legitimate use for logging legal comings and goings. If an intruder can bypass the usual logging stuff, then the uncertainty in the time of a break-in may be narrowed. This is the same idea as having a night watchman log his rounds. The applicability of such a log depends on circumstances (as though other things didn't). Your own home - not useful. Office - not very useful. Jewel vault - useful. Level 4 virus containment - very useful. Office building during working hours - not useful. Office building during off-hours - useful. Etc. There is a trade-off between privacy and the necessity of logging times.

OK - so just log the TIMES of legitimate accesses, and not the NAMES of the people making the access. I can't see any significant privacy problem there, and yet whatever advantages logging may create are still retained.

--
Scott Coleman, President ASRE (American Society of Reverse Engineers)
asre@uiuc.edu
Life is temporally limited - drive velocitously!!

------------------------------

From: ddg@cci.com (D. Dale Gulledge)
Date: 08 Nov 1994 22:08:26 GMT
Subject: Re: Intrusive Supermarket Card
Organization: Northern Telecom Inc., NAS

Winn Bill writes: There is a supermarket chain in Indiana, Marsh Supermarkets, that has a discount card program called "Fresh IDEA" (Instant Discounts Electronically Applied). The idea behind the program is one completes an application and gets a discount card in return. When making purchases at Marsh, holders of this card are given unpublished discounts. The application has some very interesting, and intrusive, questions. Many of the questions, sans the multiple choice answers, follow. Remember, this is a discount card program for a supermarket (analogous to using coupons), not a security clearance application.

[...incredible list of questions erased but not forgotten...]

Many of these questions are perfectly legitimate marketing questions. However, they should not be tied to personal information. If a store selling beer asks me how much beer and what brands I buy and is willing to treat the information confidentially, I will provide it. If they want my name, address, income, marital status, medical history, sexual preference, IQ, high school transcript, and so forth, I will refuse.

What surprised me about the list of invasive questions they are asking is that they did not ask for your Social Security Number. Did you forget to put it on the list, or did they?

My personal suggestion would be for you to provide precisely the information that you are willing to provide. Don't give them any information other than that which would be necessary for them to contact you if they recover a lost card for you. Name and address is okay. Then do not use that card when you purchase alcohol, condoms, birthday cards, magazines, non-prescription drugs, tobacco, flowers, etc. Use it when you buy bread, milk, veggies, etc. I have no problem with the world knowing how many green peppers I buy.

I would further suggest that these invasive twits should be tried in the court of public opinion. Keep a record of your correspondence with them. Specifically challenge their need to know some of the information, such as birthdates, in writing. Challenge the legitimacy of linking your name and address with information about your financial status in a database that they are not keeping secure. If they claim that it is secure, ask if they will guarantee that and whether they intend to sell the information. Feed their wrong answers to these questions to your favorite newspaper.

--
My employer's opinions are published   | Lernu paroli Esperanton!
elsewhere. These opinions are strictly | Helpu dispremi unulingvismon!
my own.                                |
ddg@cci.com, D. Dale Gulledge, Software Engineer, Northern Telecom,
Directory & Operator Services, 97 Humboldt St., Rochester, NY 14609

------------------------------

From: Bob Bales <74774.1326@CompuServe.COM>
Date: 09 Nov 1994 02:31:23 GMT
Subject: Re: Book recommendation
Organization: National Computer Security Association

Protect Your Privacy: The PGP User's Guide, by William Stallings, is scheduled for release on November 18th. It is available from the NCSA InfoSecurity Resource Center. For information about this book (IS149) send me an EMail and I will respond with detailed description and ordering information.

Excerpted from the foreword, written by Phil Zimmermann:

I've admired Bill Stallings's writings in computer science for some years before PGP, and here he is writing a book about my program. How can I talk about how great his book is, without, by implication, talking about how great PGP is? It's hard to write a foreword for his book about PGP without sliding into some measure of self-indulgence.

Go ahead, Phil; indulge yourself!! You deserve it; it's a great program! And a great book.

--
Bob Bales                        | CompuServe InfoSec Forum: GO NCSA
Natl Computer Security Assoc     | Phone: 717-258-1816
10 South Courthouse Avenue       | Fax: 717-243-8642
Carlisle, PA 17013               | Email: 74774.1326@compuserve.com

------------------------------

End of Computer Privacy Digest V5 #060
******************************