Date: Fri, 30 Dec 94 11:06:55 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V5#079

Computer Privacy Digest Fri, 30 Dec 94              Volume 5 : Issue: 079

Today's Topics:                         Moderator: Leonard P. Levine

    Re: Must I Always Carry I.D?
    Re: School Monitoring
    Re: School Monitoring
    Re: School Monitoring
    Re: School Monitoring
    Credit Reporting
    Re: 3 Hits and You're Out
    SSN Removal from VA Driver Lic., Possibly, Private Records
    Pointer to a Variable
    Info on CPD, [new]

----------------------------------------------------------------------

From: "David C. Frier"
Date: 27 Dec 1994 14:28:41 -0500
Subject: Re: Must I Always Carry I.D?
Organization: Express Access Online Communications, USA

On 11 Nov 1994, amy young-leith wrote:

> If you are pulled over and you HAVE a valid drivers license issued to you, but you don't have it WITH you (it's at home on the table or in your purse slung on the chair or...), is THAT a crime? Will you be charged with something? Will you have any chance to obtain your license to avoid this charge if there is one?

I have been in traffic court and seen a succession of cases dismissed by the judge after the defendants, all of whom had been charged with "driving without a license," produced the licenses that had been at home on the table or in the other pants or whatever.

-=-=-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-=-=-=-
David C. Frier, CCP   | All opinions expressed my   | duvie@digex.com
Compensation Systems  | very own, not necessarily   | 76702,1417 (CIS)
Wyatt Software        | those of my various bosses: | 75250,422 (CIS)
Washington, DC        | employer, wife, kids or God.| 410/358-3100
=-=-=-=-=-=-=-=-=-=-=-+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+-=-=-=-=-=-=-=-=-=-=-=

------------------------------

From: ranck@earn.net (Bill Ranck)
Date: 28 Dec 1994 10:23:48 GMT
Subject: Re: School Monitoring
Organization: Universite Paris-Sud, France.

Jim C (collins@nova.umd.edu) wrote:

> Recently, the logon banner at my school/internet provider has had an unsettling addition to it: "All usage of this system is monitored for security purposes, and by signing on to the system you are implicitly consenting to this monitoring." Yipes! What are the implications of this? Is this even legal? I don't....

Why not? It's their machine. They get to make the rules on how you can use it and they can certainly monitor how it's being used. Revealing your usage to others would be a problem, but for internal security reasons they have every right.

> ... expect to pick up the phone and hear "By using this service you are implicitly consenting to being monitored for security purposes", I don't...

Some businesses you call will have a recording that says something like that. They monitor their incoming calls to see how well they are handled, etc. There is usually a record that tells you this if a company is doing it. The phone company doesn't do it because they are a "common carrier" and forbidden to control content, but the party you call certainly can monitor their phones.

> ... expect to go mail a letter and see on the mailbox "By using this service you are implicitly consenting to subjecting your mail and parcels to inspection". What is this nonsense? Jim C.

Never heard of the Postal Inspectors? They certainly can inspect mail. There just isn't a notice on the mailboxes.

Welcome to the real world :-/

--
* Bill Ranck          +33.1.69.41.24.26          ranck@earn.net *
* Technical Staff, European Academic & Research Network (EARN) Orsay, France *

------------------------------

From: brunkhorst@mayo.edu
Date: 28 Dec 1994 13:57:28 GMT
Subject: Re: School Monitoring
Organization: Mayo Foundation

collins@nova.umd.edu (Jim C) writes:

> Recently, the logon banner at my school/internet provider has had an unsettling addition to it: "All usage of this system is monitored for security purposes, and by signing on to the system you are implicitly consenting to this monitoring." Yipes! What are the implications of this? Is this even legal? I don't expect to pick up the phone and hear "By using this service you are

I'm sure it is legal for a 'publicly-funded' system to be monitored for usage, as long as explicit notification and consent exists (which this message informs the potential user of).

If I have a chargeback program that tells me every time you login, logout and what programs you run (and some will log the command lines), and I use that for a security check because some security hack tells me to ("I need to know who telnetted from your box to bank.umd.edu at 3:34am yesterday"), all of a sudden my accounting log is a monitor. My guess is that is what happened, some reasonable lawyer pointed out that no one told the suspect that mere usage of software would be 'monitored' and therefore his/her privacy was impinged.

With this login banner, a sysadmin can now use any logs for 'monitoring' purposes, since the opportunity of advise and consent was offered to all users. Of course, with the vagueness of the statement, they may well be able to 'tap' sessions at the keystroke level as they see fit. That last sentence is what concerns me.

As a sysadmin, I have no problem using the normal accounting files to trace computer usage, which can provide some level of session monitoring (and some level of invasion of privacy, if not explicitly explained to all computer users), as this is akin to tracking credit card transactions, but I have a harder time of keystroke monitoring. My guess is that by providing that generic banner, they have covered the lion's share of invasion of privacy issues by stating, "if you prefer a higher level of privacy, then don't use our system." They don't say they DO keystroke monitor every session, but they infer they have the right to, once you log on and 'give up' your right to privacy.

Why don't you expect to see those sorts of warnings on telephone and postal boxes? I have a feeling the only difference is the level of judicial 'probable cause' needed to humanly examine the records. Your telephone usage is being monitored, if for nothing else billing purposes. I wrote a program once when I worked for a telco to monitor 'unusual' aberrations of calling card use, to identify possible fraud. Credit Card companies advertise they do the same thing. My guess is Fed Ex could do the same. Is this 'monitoring' for 'security purposes?' Could be.

I guess I wouldn't get all bent out of shape by this statement up front. Go ask the sysadmin what sort of monitoring they are doing. If you feel by this explanation that a) your privacy is being intruded beyond normal levels, and b) this will impact the level of education or research you are expecting to receive at UMD, then bring it up with the Academic Dean (I would hate to have operators 'borrowing' term papers from classmates in the name of 'security!').

--
=========================================================================
Geoffrey Brunkhorst                          Brunkhorst.Geoffrey@Mayo.edu
Research Computing Facility, Guggenheim 10   (507) 284-1805
Mayo Foundation, Rochester MN, 55905 USA     Fax (507) 284-5231

------------------------------

From: travis@netrix.com (Travis Low)
Date: 29 Dec 1994 17:21:06 GMT
Subject: Re: School Monitoring
Organization: Netrix Corporation

collins@nova.umd.edu (Jim C) writes:

> [new login banner as follows:]
> "All usage of this system is monitored for security purposes, and by signing on to the system you are implicitly consenting to this monitoring." Yipes! What are the implications of this?

If someone hacks their way into the system, the system administrators may wish to monitor the hacker's activity.

> Is this even legal?

Probably (but I am not a lawyer). You could probably get a more complete explanation on comp.security.misc, but I believe the strong wording covers their asses. If the word "welcome" appeared, hackers (or hackers' lawyers) would argue that the hackers were invited in. Or suppose the hacker who just deleted your Ph.D. thesis was discovered via keystroke monitoring. Without the nasty login message, the surveillance might be of dubious legality ("But they didn't *tell* me they would monitor my keystrokes!").

> I don't expect to pick up the phone and hear "By using this service you are implicitly consenting to being monitored for security purposes",

It is not necessary with telephones. You can't do the same kind of damage with a phone, or wiretaps would probably be legal.

> I don't expect to go mail a letter and see on the mailbox "By using this service you are implicitly consenting to subjecting your mail and parcels to inspection".

Yet another story. I believe the post office can inspect packages without your prior consent. Or without ever warning you. But again, I am not a lawyer, and you might want to check.

--
travis@netrix.com

------------------------------

From: "balkx003"
Date: 30 Dec 1994 16:55:41 GMT
Subject: Re: School Monitoring
Organization: University of Minnesota, Twin Cities

> "All usage of this system is monitored for security purposes, and by signing on to the system you are implicitly consenting to this monitoring." Yipes! What are the implications of this? Is this even legal? I don't expect to pick up the phone and hear "By using this service you are implicitly consenting to being monitored for security purposes", I don't expect to go mail a letter and see on the mailbox "By using this service you are implicitly consenting to subjecting your mail and parcels to inspection". What is this nonsense? Jim C.

Well, it's perfectly legal for them to do that because they own that system, you don't, and the main reason they do that is because they don't want you to cause any trouble from their system - your actions could bring lawsuits upon them.. even though I disagree with people doing that, they have somewhat of a reason for it, huh?

--
balkx003@gold.tc.umn.edu

------------------------------

From: Robert Ellis Smith <0005101719@mcimail.com>
Date: 27 Dec 94 19:16 EST
Subject: Credit Reporting

Just before the holiday there were some inquiries about credit reports. Here are some answers:

The practice of doing a credit check of everybody on a list before sending a mailing is legal so long as everybody who makes the cut gets a bona fide extension of credit. It's called prescreening. If you object to it - because it is recorded as an "inquiry" on your credit report and because the name of inquiring company may mean nothing to you - write a letter to Rep. James Leech, new chair of the House Banking Committee, and urge him to reform the Fair Credit Reporting Act accordingly. And write to your own Member of Congress.

When you exercise your rights under the act to see your own credit report, that is not recorded as a "credit inquiry."

--
Robert Ellis Smith, Publisher, Privacy Journal

------------------------------

From: david@c-cat.PG.MD.US (Dave)
Date: 28 Dec 94 12:55:42 EST
Subject: Re: 3 Hits and You're Out
Organization: China Cat BBS (301)604-5976

Robert Ellis Smith wrote:

> On Dec. 5, 1994, Geoffrey Knauth asked whether the mere fact that someone inquires into your credit-bureau file may have negative consequences for you. The answer is yes. Credit grantors regard an inquiry from a company into your credit file without any evidence in your credit file that the company subsequently granted you credit as evidence that the company rejected you. To many credit grantors, three inquiries in a short period of time without any granting of credit indicates that your credit applications have been rejected three times. That's enough for other companies to reject you.

mikus@bga.com (Mikus Grinbergs) writes:

> What I personally find objectionable is to receive unsolicited letters saying: "You have been PRE-APPROVED for our credit card (or vacation rental, or whatever). Just sign here." I make it a point not to respond. Now you tell me that these hucksters (who've run credit checks on me that I haven't authorized) make footprints that look like "credit-denied", unless I accept their offer? Mind-boggling!

My concern with this issue is this: I am planning to buy a house within the next year or two, I was pre approved and received a free card (21%) from a local dept. store, all I had to do was use it show my id and it would be activated, (really, get a fake id, and use it anyway) I was pre approved for something like $2500 I am concerned when the mortgage lender checks my credit, they will count the $2500 and "debt available" when I tore up and threw out the card. Is this correct to assume?

--
David R. Ristau
========================
david@c-cat.pg.md.us
uunet!anagld!c-cat!david

------------------------------

From: "SAMARAWEERA Law Offices, Wash., D.C."
Date: 29 Dec 1994 18:47:34 -0500
Subject: SSN Removal from VA Driver Lic., Possibly, Private Records
Organization: Express Access Online Communications, USA

Original Subject: Social Security Number Removal from Virginia Driver's License and, Possibly, from Private Records Maintained in VA

The Virginia General Assembly is about to start its 2 month 1995 session during the first week of January. During the 1994 General Assembly session, Delegate Karen Darner introduced a bill that would have required the removal of social security numbers from Virginia driver's licenses. The bill was "carried" to 1995 which means that it did not make it out of the Roads and Navigation Committee, but that the Committee indicated that it would consider it again during the 1995 session.

Those of us who are concerned about the use of the social security number for identification purposes in government records, and in private records; e.g. utility companies, etc.; should write to Delegate Darner and the VA General Assembly to urge passage of this legislation during the 1995 session. I shall attempt to follow the bill, if it is re-introduced, and provide an update posting.

Meanwhile, if you want to phone Delegate Darner, in Richmond, her office voice phone number is (804) 786-7206. The fax number, which is for the entire General Assembly, is (804) 786-6310. Virginia is still studying whether to provide internet access to government agencies, etc., so I do not know if they have e-mail addresses for the General Assembly.

If others want to follow this item and try and persuade their Virginia state Delegates or Senators to pass this legislation, please do so. Postings of examples of specific statutes from other states would be helpful. Full text would be the best, but if that is not available, a citation or short general description would also do.

\\\\\\\\\\\\\\\\\\\\\ Rohan J. Samaraweera \\\\\\\\\\\\\\\\\\\\\\\\
SAMARAWEERA Law Offices
Suite 900, 1150 Connecticut Avenue, N.W., Washington, D.C. 20036
Voice Telephone: (202) 785-1985   Facsimile: (202) 785-1912
\\\ E-Mail and Internet Address: samarlaw@access.digex.net \\\\\\\\\\

------------------------------

From: pmf@world.std.com (Paul M Foglia)
Date: 30 Dec 1994 14:31:02 GMT
Subject: Pointer to a Variable
Organization: The World Public Access UNIX, Brookline, MA

I saw a couple of weeks ago that someone gave a way to set a pointer (or a reference) to a control. I have searched for the article but can't find it. Does anyone remember this, or know how to do it?

--
Paul Foglia
pmf@world.std.com

------------------------------

From: "Prof. L. P. Levine"
Date: 29 Dec 1994 10:50:22 -0600 (CST)
Subject: Info on CPD, [new]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors.

Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the SUBJECT: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit or append to the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy". People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Mosaic users will find it at gopher://gopher.cs.uwm.edu. Older archives are also held at ftp.pica.army.mil [129.139.160.133].

---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     |    and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Mosaic: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V5 #079
******************************