Date: Tue, 22 Nov 94 08:59:42 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V5#065

Computer Privacy Digest       Tue, 22 Nov 94       Volume 5 : Issue: 065

Today's Topics:                               Moderator: Leonard P. Levine

                 Re: Datamation Writes on the Wiretap Act
                          Re: Mother's Maiden Name
                          Re: Mother's Maiden Name
                                  Debit Cards
      Vancouver Sun reports E-mail interception within BC Government
                         Re: Must I Always Carry I.D?
                      Conferences that may be of interest
                            Forged Internet Email
               Re: Corporate Electronic Communications Policy
            Info on CPD, Contributions, Subscriptions, FTP, etc.

----------------------------------------------------------------------

From: hedlund@halcyon.halcyon.com (M. Hedlund)
Date: 19 Nov 1994 21:34:04 GMT
Subject: Re: Datamation Writes on the Wiretap Act
Organization: NWNEXUS, Inc. - Making Internet Easy

Doug Sewell wrote:

    [from November 15, 1994 issue of Datamation, in Press Watch on p.99:]

    Despite a last minute push by privacy geeks like the American Civil
    Liberties Union to block its passage, Congress has approved
    President Clinton's new data-wiretapping legislation. [...]

    This shows what "professional DP people" think of both privacy and
    "us geeks".

You think?  I read that as a sarcastic take on _Congress's_ view of the
bill -- that it was something only privacy geeks cared about.  But then,
I know nothing about Datamation or its biases....

------------------------------

From: sean@sdg.dra.com (Sean Donelan)
Date: 19 Nov 94 17:12:45 CDT
Subject: Re: Mother's Maiden Name
Organization: Data Research Associates, St. Louis MO

Panopticon@oubliette.COM writes:

    and a wife without support.  After all, our government, local and
    national, has not yet really shown significant enforcement of child
    support laws.  I know that many of you will mention that we must
    preserve the privacy of every man in that we may secure privacy for
    all, and on the face of it I agree with this.
    But isn't it time we made an exception in the case of child support?
    Given that the assets of the man belong, legally in part, to his
    children.

The exception has already been made.  The US federal government is
requiring all the states to set up a fully automated means of tracking
down people who don't pay child support.  I believe that Minnesota is
the first state to bring their system on-line.

--
Sean Donelan, Data Research Associates, Inc, St. Louis, MO
  Domain: sean@dra.com, Voice: (Work) +1 314-432-1100

------------------------------

From: Robert Ellis Smith <0005101719@mcimail.com>
Date: 21 Nov 94 16:00 EST
Subject: Re: Mother's Maiden Name

Jim Green (Nov. 15) and others imply that because we're free to select
any "mother's maiden name" we should feel secure about our bank records
and other personal information.  As I tried to point out earlier, when
you supply a mother's maiden name (or functional equivalent), the bank
is free to pass that on to a credit bureau.  The credit bureau, in turn,
is free to disclose that to ANYBODY for a fee, including private
snoopers.  CREDIT information may be disclosed only to users with a
permissible purpose under the law, but mother's maiden name can be
disclosed to anyone.

What good is a personal password that can be bought and sold in the
marketplace by strangers?  And isn't it a deception for banks and others
to imply that a mother's maiden name is some kind of secure password?

--
Robert Ellis Smith
Publisher
Privacy Journal

------------------------------

From: robert.heuman@rose.com (robert heuman)
Date: 20 Nov 1994 20:25:40 -0500
Subject: Debit Cards
Organization: Rose Media Inc, Toronto, Ontario.

The use of debit cards has been discussed, without a clear understanding
of their purpose.  Their purpose, from a bank's viewpoint, is to get rid
of the float and credit card frauds.
From the merchant's viewpoint, he is assured payment, because the funds
are transferred from your account to his at the time the card is run
through the equipment.

There is NO advantage to you - you do lose the float (if your bank
really gave you one) and there is no credit attached to the card, so an
overdraft is a loan, if the bank has given you those privileges.

Do not, for one moment, believe that the debit card is to your
advantage.  When compared to a credit card, unless you have problems
handling your money, there is NO benefit to you.  The card is for the
Bank's purposes.  Eventually the banks would like to see the end of
credit cards and the exclusive use of debit cards - no float - loans
carrying high interest if you overdraw, and eliminate credit card fraud.

Just be sure you can:

1. select your own PIN
2. change your PIN at any time, day or night, on YOUR demand

Else refuse to use the damn things - if enough users REFUSE to use them
the bank has a marketing choice - alienate customers or continue to
provide credit cards.  Credit cards will be around for a number of
years, but expect them to disappear within 10-20 years unless consumers
start protesting debit cards, en masse, NOW.

---
 * RoseReader 2.52  P001886 Entered at [ROSE]
 * RoseMail 2.60 : RoseNet<=>Usenet Gateway : Rose Media 416-733-2285

------------------------------

From: ua602@freenet.Victoria.BC.CA (Kelly Bert Manning)
Date: 20 Nov 1994 23:01:37 -0800
Subject: Vancouver Sun reports E-mail interception within BC Government

The Vancouver Sun published a report about this on page B1 of the
94/Oct/12 issue.  The headline was "Ministry admits to e-mail tapping:
MESSAGES: Corrections official sounded alarm on tapping".  Byline:
Harold Munro.

The individual whose E-mail was being monitored found out after someone
sent him a note and got an acknowledgement from a second ID that he
hadn't CCed.

I'll quote remarks attributed to Steve Howell, described as a "program
analyst with the corrections branch in Victoria."

"McKinnon was sent the e-mail of Hogg, Barr and a handful of other civil
servants on certain dates from July through September 1993".

"If current messages were monitored in May, Howell said, it might be
because computer systems officials are not accustomed to retrieving
e-mail.  This might be the first time that they had ever had such a
request."

"But he added, the ministry does operate on the basis of a legal opinion
that e-mail is the property of the government, not the employee, as soon
as it is sent.  Therefore the government believes it can read employee
e-mail at any time."

------------------------------

From: VSLARRY@weizmann.weizmann.ac.il (Larry Israel)
Date: 20 Nov 1994 19:19:15 GMT
Subject: Re: Must I Always Carry I.D?
Organization: Weizmann Institute of Science

In Israel a driver must always have his license, vehicle registration,
and compulsory insurance certificate.  It used to be that if you did not
have them, you had twenty-four hours to get to the local police station
and show them (I don't know if this was the law, or what the police
allowed you out of the goodness of their hearts).  A few years ago the
law (or perhaps practice) was changed, and you will be fined if caught
without them in your possession.  Of course, a small fine compared to
the one levied if you really don't have a license, a registered vehicle,
or compulsory insurance.

------------------------------

From: "Prof. L. P. Levine"
Date: 21 Nov 1994 08:41:17 -0600 (CST)
Subject: Conferences that may be of interest
Organization: University of Wisconsin-Milwaukee

The CPSR sent this to its Members and Friends.  Some of them were issues
that related to privacy.  What follows is a portion of their list:

CONFERENCE /EVENT SCHEDULE

Free Speech and Privacy in the Information Age.  Waterloo, Ontario.
Nov. 26, 1994, Sponsored by University of Waterloo.
Contact: sfsp@graceland.uwaterloo.ca.

The Technology for Information Security Conference '94 (TISC '94),
Galveston, TX, Dec. 5-8.
Contact: John D'Agostino dagostin@killerbee.jsc.nasa.gov

"Information Espionage," Cincinnati, OH, Dec. 6.
Contact: thornbge@cyxsmtp.wpafb.af.mil

1995 Data Security Conference.  Jan 9-11, 1995.  Redwood City, CA.
Sponsored by RSA Data Security.  Contact: kurt@rsa.com

Towards an Electronic Patient Record '95.  Orlando, FL.  Mar. 14-19,
1995.  Sponsored by Medical Records Institute.
Contact: 617-964-3926 (fax).

Access, Privacy, and Commercialism: When States Gather Personal
Information, College of William and Mary, Williamsburg, VA, March 17.
Contact: Trotter Hardy 804 221-3826

Computers, Freedom and Privacy CFP'95, Burlingame CA, Mar 28-31
Contact:

1995 IEEE Symposium on Security and Privacy, Oakland, CA, May 8-10.
Contact: sp95@itd.nrl.navy.mil

Tenth Annual Conference on Computing and Philosophy (CAP), Pittsburgh,
PA, Aug. 10-12.  Contact: Robert Cavalier rc2z@andrew.cmu.edu
412 268-7643

Computers in Context: Joining Forces in Design, Aarhus, DENMARK,
Aug. 14-18.  Contributions for papers, proposals for panels, workshops,
and tutorials (in 6 copies - not by facsimile or e-mail): Deadline for
receipt Jan 5.  Contact: Computers in Context, Aarhus University,
Dept. of Computer Science, Bldg. 540, Ny Munkegade 116, DK-8000
Aarhus C, DENMARK.

--- CPSR ANNOUNCE LIST END ---

To alter or end your subscription to this mailing list, write to
listserv@cpsr.org.  For general information send the message: HELP
To unsubscribe, send the message: UNSUBSCRIBE CPSR-ANNOUNCE
You need to do this from the same machine you subscribed from.  In both
cases, leave the subject blank, or at least not resembling an error
message.

------------------------------

From: mr.rogers@the_place_to_be_.nut
Date: 19 Nov 94 20:24:47 PST
Subject: Forged Internet Email

This is another example of how simple it is to forge messages.  What I
really found as shocking was how just about anyone on any kind of
computer can pull it off.
--
Xxxxx Xxxxx
xxxxx@xxxxxxx.xxx

[extensive moderator comment:  The author of the above did actually
sign with a name and a reasonable looking email address.  I have removed
them since what I say below could easily be considered offensive and
there is no reason to put him or her to embarrassment if, in fact, the
name is not that of the actual forger.  I responded to this message with
my usual acknowledgement and got the message below.

Truly shocking and alarming; a user had found a way to forge Internet
email.  Earlier today I noted that a paper envelope on my desk had a
return address of "God in Heaven".  Incredible, a user had managed to
evade the power of the mighty Post Office and forge a return address on
this too.  A month ago I received a phone call from someone claiming to
be Newt Gingrich.  Some investigation traced that call to a pay phone on
the street.  Even the power of the Phone Company quakes before these
technical geniuses.  Credit cards have been forged, copied, spoofed.
Alarm!  Alarm!!

The ultimate authority of a claim to my identity is me and my
credibility.  If I claim that a message in _any_ media is not mine then
the onus falls on the claimant to establish that the claim is valid.
Can I be seriously inconvenienced, even to the point of being arrested?
Yes.  The problem, however, is not electronic, it is just old fashioned
criminal action.  It can and should be watched and controlled, it can
never be fixed, except at horrible cost to our life style; a cost
greater than I choose to pay.

So, bring on your forged email, you got me again.  After all the 'D' key
is right here under ... my middle finger.
Actual copy of bounce from forged email message:

    Date: 20 Nov 1994 08:34:27 -0600
    From: Mail Delivery Subsystem
    Subject: Returned mail: Host unknown (Name server:
             the_place_to_be_.nut: host not found)
    To: levine

    The original message was received at Sun, 20 Nov 1994 08:34:26 -0600
    from levine@localhost

       ----- The following addresses had delivery problems -----
    mr.rogers@the_place_to_be_.nut  (unrecoverable error)

---------------------------------+-----------------------------------------
Leonard P. Levine                | Moderator of:     Computer Privacy Digest
Professor of Computer Science    |                  and comp.society.privacy
University of Wisconsin-Milwaukee| Post:            comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201      | Information:     comp-privacy-request@uwm.edu
                                 | Gopher:          gopher.cs.uwm.edu
levine@cs.uwm.edu                | Mosaic:          gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------]

------------------------------

From: bernie@fantasyfarm.com (Bernie Cosell)
Date: 20 Nov 1994 15:15:39 GMT
Subject: Re: Corporate Electronic Communications Policy
Organization: Fantasy Farm, Pearisburg, VA

Dick Mills writes:

    Bernie Cosell [bernie@fantasyfarm.com
    Computer-Privacy-Digest:V5,062,12] apparently does not share my
    paranoia about the proposed policy.

I guess not...

    In the original posting I didn't cite my actual fears so as not to
    contaminate the comments.  I'll state them now.

I have to confess that I still find your position on this unclear.
First, you mix together policy with how the policy might be implemented.
To my view those are *separate* matters and should be discussed
separately (and, indeed, specified by the company separately!).  We can
chat about the _policy_ and whether it is appropriate, makes sense, etc.
Apart from that we can chat about whether the particular way a company
happens to be implementing the policy is appropriate, makes sense, etc.
The company can change how it implements a policy without changing the
policy [in fact, this would almost always be the case, as changing
conditions and feedback both from the employees and the operational
groups (and perhaps new laws, court decisions, EEOC rules, etc) dictate
improvements and refinements in the machinery].

Second, not all of your concerns are *privacy* ones, which I would think
are the only ones really appropriate for this forum.  Questions of
employee morale, cost-effectiveness, and such, are surely better
discussed elsewhere [misc.jobs perhaps].

One question about your paranoia is whether it is with the policy, per
se, or over speculations about how the policy _might_ be implemented.
On the last, I'm not sure I can envision a policy on just about anything
that is so benign and airtight that it could not possibly be badly
misimplemented.

    The policy states:

        [Company] reserves the right to review all electronic records
        and communications, although it is not the intent to do so
        except for legitimate business reasons.

    This implies that the company may tap phones, and bug rooms, even
    though it is not their intention to do so.  I fear this will cause
    unnecessary fear and suspicion among employees.  Suppose an employee
    sent a letter to his employer stating, "I reserve the right to
    criticize company management publicly in the press, although it is
    not my intention to do so."  What is the gain to offset the
    suspicion caused by such a letter?

I agree... this was a foolish thing to put in the policy.  The sentence
should have ended just after "communications".

As for your fear, since you offered not even a hint as to why you
believe that, it is difficult to say much.  I've worked at high-security
sites, where every square inch of the workplace is covered by
surveillance cameras, where every phone is recorded.  Employees aren't
told when they're being watched/listened to or what happens with the
tapes.
Your 'fear' certainly wasn't rampant there, so it is at least not
totally necessary that a policy mandating tight security controls
necessarily causes problems.  Now, I agree that that workplace certainly
didn't have the feel of a college lunchroom, and it surely wasn't going
to be everyone's cup of tea, but overall the security policy just wasn't
a problem.

I grant you that there is a spectrum here, and a company might well
foolishly choose a level of oversight that is inconsistent with the
'social climate' of their workplace.  But on the other hand, that might
mean that the social climate, rather than the security policy, is what
needs tuning.  I've argued in the past that I think that most workplaces
I've encountered would be _improved_ by more company watchfulness and
controls.  Most places I see are amazingly unprofessional about keeping
their work-business disentangled from their personal-business.  [for
example, look at all of the postings to rec.pets from company machines
with timestamps clearly marked as being during business hours].

    The policy states:

        The message originator's department manager and corporate
        officers are the only individuals authorized to review...

    Bernie Cosell comments:

        I wouldn't even have been inclined to put in all the
        disclaimers --- I'd have ended the paragraph after the first
        sentence.

    Without the disclaimers all employees, as agents of the company,
    would be authorized to review any communications of anyone else in
    the company.  Limitations of authorization must be explicitly
    stated.

Well, this isn't a privacy issue, but are you making that statement as a
lawyer?  As far as I know [from every company I've worked for or
consulted for], the employees aren't free to act as "agents of the
company" and cannot on their own just do whatever "company" actions they
please in the company's name[*].
Rather, I think it is all only by explicit authorization: you can't
purchase things in the company's name unless something authorizes you to
do so; as opposed to its being OK for you to do so unless there is an
explicit rule preventing it.

[*] In fact, I would go farther: as I understand it, only a VERY few
folk actually have the legal authority to act as agents of the company,
period.  As a rule, you generally have to be a corporate officer.  You
can _pretend_ to be an agent of the company, but they can take criminal
action against you if you do so without authorization.

    The policy states:

        Improper use of [company] electronic communications may result
        in disciplinary action up to and including discharge from
        employment.

    Email, more so than nearly any other kind of communication, is
    subject to forgery.  There has been lots of discussion in
    computer-privacy about the vulnerabilities.  It would be too easy
    for another employee, or even an outsider, to sabotage someone's
    employment by sending forged email.

How can you say "it would be too easy"?  As far as I recall, the policy
you presented [quite properly IMO!] said nothing about its
evidence-gathering procedures, its review and hearing procedures, appeal
procedures.  Again, I think the policy is exactly right as stated, and
it is correct to leave out the *procedure* by which such "improper use"
is determined.  Whether that procedure is fair or not, whether it
includes review/appeal/hearing provisions and a dozen other *procedural*
questions all should be dealt with someplace else, but that is a
_separate_ set of issues and ones that could actually be dealt with
wholly outside of the policy statement.

    Also, non-electronic forms of communication become conspicuous by
    their absence from the policy.

Perhaps --- what was the purpose of the policy?
Surely there must be other company policies having to do with things
like use of the FAX equipment, use of the company name [e.g., writing
for info about a new litterbox for your cat using company letterhead
stationery], talking to the press, handling of private and proprietary
information, administration of nondisclosure agreements, use of the
telephones, etc, etc, etc.  Was this to be the *ONLY* company policy
addressing employee communications?  If so, then I agree 100%: they left
out a *ton* of stuff that has to be addressed.

--
Bernie Cosell                     bernie@fantasyfarm.com
Fantasy Farm Fibers, Pearisburg, VA         (703) 921-2358
    --->>> Too many people; too few sheep <<<---

------------------------------

From: "Prof. L. P. Levine"
Date: 26 Sep 1994 12:45:51 -0500 (CDT)
Subject: Info on CPD, Contributions, Subscriptions, FTP, etc.
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution.  As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute.  If you do
so, it is best to modify the "Subject:" line of your mailing.

Contributions generally are acknowledged within 24 hours of submission.
An article is printed if it is relevant to the charter of the digest.
If selected, it is printed within two or three days.  The moderator
reserves the right to delete extraneous quoted material.
He may change the subject line of an article in order to make it easier
for the reader to follow a discussion.  He will not, however, alter or
edit or append to the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite.  The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.  Mosaic users will find it at
gopher://gopher.cs.uwm.edu.

Older archives are also held at ftp.pica.army.mil [129.139.160.133].

---------------------------------+-----------------------------------------
Leonard P. Levine                | Moderator of:     Computer Privacy Digest
Professor of Computer Science    |                  and comp.society.privacy
University of Wisconsin-Milwaukee| Post:            comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201      | Information:     comp-privacy-request@uwm.edu
                                 | Gopher:          gopher.cs.uwm.edu
levine@cs.uwm.edu                | Mosaic:          gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V5 #065
******************************
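Appended after the digest, as an added example that is not part of the
original digest or of any contributor's message: the "Forged Internet
Email" item and the moderator's bounce above turn on the fact that a
From: line is whatever the sender typed, while the only trace a relay
leaves of its own accord is the Received: line it prepends as the
message passes through.  The Python below reads a raw message and
reports the cheap inconsistencies a forged From: tends to leave behind:
an envelope sender (Return-Path:) that disagrees with the header author,
and a From: domain that no relay in the chain claims to have talked to.
Both sample messages, every hostname and address in them, and the
indicator names are constructed for this example; nothing is copied from
the bounce in the digest.

```python
"""Cheap header-consistency checks on a received e-mail (added example).

A From: header is plain text chosen by the sender.  The one thing a
relay adds on its own is a Received: line, prepended as the message
passes through it, so the hop chain and the envelope sender
(Return-Path:) are the only clues a forgery has to explain away.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From: names a host that no relay in the chain
# ever spoke to, and the envelope sender is a different domain.
FORGED = """\
Return-Path: <guest@isp.example>
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby cs.uwm.edu (8.6.9/8.6.9) with SMTP id UAA12345
\tfor <comp-privacy@uwm.edu>; Sat, 19 Nov 1994 20:24:47 -0800
Received: from dialup-17.isp.example ([198.51.100.17])
\tby relay.example.net with SMTP id AA00213; Sat, 19 Nov 1994 20:24:40 -0800
From: mr.rogers@the_place_to_be_.nut
To: comp-privacy@uwm.edu
Subject: Forged Internet Email

This is another example of how simple it is to forge messages.
"""

# Constructed sample: envelope sender, last hop and From: all agree.
GENUINE = """\
Return-Path: <sender@farm.example>
Received: from farm.example (farm.example [203.0.113.5])
\tby cs.uwm.edu (8.6.9/8.6.9) with SMTP id PAA04521
\tfor <comp-privacy@uwm.edu>; Sun, 20 Nov 1994 15:15:39 GMT
From: sender@farm.example (A Contributor)
To: comp-privacy@uwm.edu
Subject: Re: Corporate Electronic Communications Policy

I have to confess that I still find your position on this unclear.
"""

# "Received: from <host> ..." -- the host the relay says it received from.
RECEIVED_FROM = re.compile(r"^\s*from\s+([^\s(\[]+)", re.IGNORECASE)


def received_hosts(raw):
    """Hosts named in each Received: line, newest hop first."""
    msg = message_from_string(raw)
    hosts = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_FROM.match(hdr)
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def domain_of(header_value):
    """Domain part of the first address in a From:/Return-Path: value."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def forgery_indicators(raw):
    """Return the names of the consistency checks the message fails."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    path_dom = domain_of(msg.get("Return-Path"))
    hops = received_hosts(raw)
    flags = []
    if not from_dom:
        flags.append("no-from-domain")
    if from_dom and path_dom and from_dom != path_dom:
        # The SMTP envelope sender and the header author disagree.
        flags.append("return-path-mismatch")
    if from_dom and not any(
        h == from_dom or h.endswith("." + from_dom) for h in hops
    ):
        # No relay in the chain claims to have talked to the From: domain.
        flags.append("from-domain-never-relayed")
    return flags


if __name__ == "__main__":
    for label, raw in (("forged", FORGED), ("genuine", GENUINE)):
        print(label, received_hosts(raw), forgery_indicators(raw))
```

Two caveats a practitioner should keep in mind.  Only the Received:
lines added by relays you trust (the topmost ones, counting down to your
own MTA's first hop) are evidence; everything below them, including
further Received: lines, was under the sender's control and can be
fabricated as freely as the From: line.  And a forger who sends from a
host they control and sets a matching envelope sender passes every check
above, which is the moderator's point: header consistency narrows a
search, it does not establish identity.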