Date: Wed, 08 Feb 95 15:41:27 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V6#016

Computer Privacy Digest Wed, 08 Feb 95              Volume 6 : Issue: 016

Today's Topics:                         Moderator: Leonard P. Levine

    Re: Wastebaskets
    Re: Wastebaskets
    Research Help on Database Administrators' Liability
    Inaccurate Personal Information
    Re: Who is Looking at Your Files?
    Re: Who is Looking at Your Files?
    Re: Phone Users Slam Dunked
    Re: Privacy in Telecommunications
    Re: Requests for Home Phone Numbers
    Internet Access Policy
    The Cybercop Impetus
    Info on CPD [unchanged since 12/29/94]

----------------------------------------------------------------------

From: wb8foz@netcom.com (David Lesher)
Date: 06 Feb 1995 20:49:28 GMT
Subject: Re: Wastebaskets
Organization: NRK Clinic for habitual NetNews Abusers - Beltway Annex

"Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com> writes:

    For high-security requirements, you can use "cross-cut" shredders
    which use offset knives to slice paper into small diamond-shaped
    fragments instead of long parallel ribbons.

Such crosscut shredders (typically the Intimus 007) have been required
by USG for any classified for 15 years. They learned this in Tehran.

The alternative is a SEM, Inc. disintegrator. This is a 10-20 hp. motor
with three rotating knives, sort of like a reel-type lawn mower. Unlike
a 007, it will eat anything short of a handgun....

------------------------------

From: sasdvp@unx.sas.com (David Phillips)
Date: 07 Feb 1995 13:58:52 GMT
Subject: Re: Wastebaskets
Organization: SAS Institute Inc.

G Martin writes:

    How careful are you about what you put in your wastebasket at work,
    or your trash at home?

[chomp]

    Which leads me to a question I'd like to ask all of you. How do you
    dispose of documents, diskettes or backup tapes that have sensitive
    info on them? I think shredders are next to worthless because it's
    so easy to reassemble the document.

It really depends upon the shredder. While in the Navy, one of my
responsibilities was the destruction of our communications security
materials (ie, code cards, etc.) We ran this through a shredder that
left pieces that were 1/16" by 3/16" (I know, cause I had to measure a
sample of them periodically to ensure destruction met specifications) I
doubt that it would be easy, or even possible, to reassemble such a
document.

--
David Phillips    sasdvp@unx.sas.com    SAS Institute, Inc., Cary, NC
If you're not living on the edge, you're taking up too much room.
Don't Tread on Me    DVC

------------------------------

From: "James E. Kelley"
Date: 06 Feb 1995 14:05:20 -0600 (CST)
Subject: Research Help on Database Administrators' Liability

I have been monitoring the group for the last couple of weeks in the
hope of running across some information or discussion that would be of
help to me in my research. I am a graduating law student who wishes to
inquire into the potential liability of database administrators who
fail to adequately protect information contained within the database.
I feel that this is primarily a privacy concern that will stem from
tort law. However, I have not failed to see the potential of liability
for the dissemination of corrupted (changed) data.

I ask for any and all suggestions that would give me avenues to
research. To date, I have read numerous articles and papers.
Unfortunately, I have not found much information directly on point. I
hope that this is something that either has been discussed before or is
a new topic you would be willing to explore with me. I hope we can be
of help to one another. I have appreciated the fact that most of what I
have read in this group is both well thought out and well spoken. Hope
to hear from you.

--
James E. Kelley
Creighton University School of Law
Omaha, NE

------------------------------

From: "Richard Schroeppel"
Date: 06 Feb 1995 18:13:42 MST
Subject: Inaccurate Personal Information

A couple of people have suggested that, whenever a credit bureau mails
out a report, they should cc the reportee; the requester pays for the
extra copy.

This seems fair, and it may be a good idea. There are two downsides to
be aware of. I don't know how they balance out.

(1) If I'm snooping through your mailbox, I might find a credit report.
You'll never know it's missing, since you were unaware that XYZ corp.
was thinking of sending you an unsolicited credit card. I swipe the
credit report and use the information therein to cause you misery.

(2) There's a more general problem about privacy here: The typical
complaint begins "the XYZ corp. refused my loan and won't say why", and
evolves to "XYZ corp. used wrong information from ABC credit". The
victim decides that he at least wants the damned data to be accurate.
But this ignores another problem: The data often shouldn't have been
collected in the first place. If there are procedures in place for
correcting externally held personal information, and they aren't too
onerous, we will drift into the situation that the subject of the
information is *responsible* for correcting the information. The credit
scum mails you a report and says "Is this correct? Use the attached
postcard to mail corrections." and then it's up to *you* to fix it, and
if you don't you've (a) accepted any resulting credit denial, and (b)
acquiesced in a felony if the report seriously overstates your income
or omits that phone bill you skipped out on in college.

Is it worse to have the credit scum collecting personal information
that's full of errors, or to have the same scum, with the same
information, but also the assurance that the information is correct?

The IRS has announced a goal of collecting enough information about us
to form a "personal profile", to see if we're living too high for the
income we report. They aren't planning to let the public see the files,
so they don't plan procedures for correcting them. But suppose they
sent you the file, and demanded by law that you correct it?

It's one thing to be in Who's Who when you want to, but quite another
to be required to report the information and swear to it.

--
Rich Schroeppel    rcs@cs.arizona.edu

------------------------------

From: otto@vaxb.acs.unt.edu (M. Otto)
Date: 07 Feb 1995 16:18:32 GMT
Subject: Re: Who is Looking at Your Files?
Organization: Zetetic Institute

This post may be included, in whole or in part, in followups or private
email. It may also be included in any archive site which archives all
posts to a group. Proper attribution must be maintained. It may not be
included in any edited compilation, distributed electronically or
otherwise, for profit or not, without the permission of the author.

rj.mills@pti-us.com (Dick Mills) wrote:

    That leads me to wonder if we couldn't form privacy rights
    legislation on the same principle. Instead of attempting to stop
    digitized signatures, sales records, video rental info, and the
    thousands of other data gathering activities, we could require that
    the individual be cc'd whenever this information was transmitted to
    third parties.

I like this idea too. It's much too sensible, so of course the U.S.
Government will hate it. :)

Seriously, though, I think there would be at least one really big
obstacle to overcome in getting this bill passed: The junkmailer's
lobby. The junkmailers will be among the ones expected to pay for all
of these notifications, and they won't like this one bit. Expect
resistance. Expect resistance from people with deep pockets.

--
M. Otto    otto@vaxb.acs.unt.edu
"A virtual prisoner of UNT's VAX"

------------------------------

From: BSD Now!
Date: 08 Feb 1995 07:26:10 +0000 (GMT)
Subject: Re: Who is Looking at Your Files?
Organization: home.for.retired.hackers

    d) Police Abuse of Personal Records [comp.society.privacy V6#004]:
    If the citizens were getting copies when police request information
    on them from a national center, then abuse would be harder to spot.
    More important, knowledge that they could not do it secretly would
    deter police from abusing the data in the first place.

    Why isn't there more enthusiasm from comp.society.privacy readers?
    Is it not explained well?

OK, I'll bite on your question as to why no enthusiasm... as you point
out, there are hundreds of supposedly legitimate credit reporting
groups --I know some that are one man bands that specialize in more
detailed searches.

banks are interested in 'clear' assets they can lien; car dealers are
interested in how you made your car payments; if you have good car
payment records and your baseline is not too bad, you'll get the paper,
maybe not at the rate you would like, but you'll get the paper.

third mortgage lenders are total bandits --they are often looking to
make loans to people with sufficient equity who probably will _not_ be
able to meet the loan payback - they _want_ to foreclose.

the real problem will be enforcement --the big 3: trw, equifax, and ???
will comply; major regionals will comply. some locals will comply --but
I'd take any amount in bets on the rest.

for instance, --just check the boxes on 50 categories: real estate,
litigation, criminal, driving, marital, you name it --specify the
geographic areas for a head start (or just start with a name and
address or an SSN). give me $200 plus $50 a check box --you're about to
get in bed with this dude you think you know for $10 million --is it
worth tossing me $1,000, or even $10,000 to get _everything_ that
exists on this guy --it is, and computers make it impossible to
regulate this; too much is public record; the rest is obtained by
someone, and is available.

if you want to make the concept of credit access disclosure stick (and
I am all in favour), it will be necessary to make it at least a
misdemeanor to _RECEIVE_ the subrosa information, or information which
has not been 'vetted' by the "victim."

Now, enforcing this in the computer age is going to be more of a
nightmare than prosecuting the prostitute's johns.

I am sure we can all agree that we would like to believe everyone would
obey a set of legislative ethic limitations --but I don't. do you?

-- Dick Mills rj

------------------------------

From: bo774@freenet.carleton.ca (Kelly Bert Manning)
Date: 08 Feb 1995 05:38:25 GMT
Subject: Re: Phone Users Slam Dunked
Organization: The National Capital FreeNet, Ottawa, Ontario, Canada

The so called "Smart Talk Network" is getting a lot of bad press here
about people being slammed over to it. STN contracted out the marketing
and are trying to lay the blame on their indirect commission
salespeople.

Hm, bribing telco staff to give lists of long distance numbers called
is a favourite tactic of private dicks trying to track down women
trying to avoid abusive former husbands/boyfriends/etc. They usually
try to find someone they think knows where the woman is hiding and
throw a scare into them so that they make a long distance call and
report "someone has been around looking for you". The phone number
tightens the net of public and utility records to search and makes
locating the target much easier.

With the feeble/nonexistent validation shown by slamming it seems that
it might not be that difficult for a private dick to set up a small
scale long distance operation for the express purpose of getting access
to people's long distance records. They could even send some sort of
obnoxious "salesman" around to give them the out that it was all a
misunderstanding.

------------------------------

From: "Ronald A. Smit"
Date: 08 Feb 1995 10:07:16 MET1DST
Subject: Re: Privacy in Telecommunications

You can find lots of information in Telecommunications Policy. E.g. in
Telecommunications Policy dated December 88 (pp 353-368) you can find
an article US Telecommunications Privacy Policy.

--
Ronald A. Smit

------------------------------

From: "Dennis G. Rears"
Date: 08 Feb 95 8:58:21 EST
Subject: Re: Requests for Home Phone Numbers

        "Dennis G. Rears" (drears@pica.army.mil) writes:
        My opinions on providing SSN to merchants have appeared to be
        disjointed in the past. This is mainly because I haven't had an
        original post in CPD in about 18 months, only followups. Here's
        my thoughts:

        1. Don't give false information. Either leave it blank or fill
        it in. Giving false information poorly reflects on one's
        integrity.

    Kelly Bert Manning writes:
    This may be a cultural difference. There is also a nuance of
    difference between alias and false name. An alias is a name that
    you choose to use for a particular purpose, as opposed to a false
    name made to disassociate yourself from something.

I have no problem with an alias. I am referring to when a person is
asked for a SSN or credit card number and that person gives a number
that is false.

        On an issue that has nothing to do with privacy, I am a firm
        believer in property rights. Part of owning property is having
        the ability to decide who you want to sell, lease, give, or
        otherwise convey services or property to. I believe a merchant
        should have the right to refuse to do business with anybody.

Let me extend this belief. On this I am referring to a person only, not
a corporation. A corporation owes its existence to the government; as
such it could be forced to sell to anybody.

    How far does that belief extend? Can a healthcare merchant
    (hospital) refuse to provide life saving care to someone who can
    pay the going rate but happens to have a skin color the hospital
    doesn't like to see?

In this case no because the hospital is typically a corporation.

    Can the owner of a busline refuse to carry blacks unless they
    consent to ride in the back and give up their seats to whites if
    the bus fills up?

A busline is typically operated by a governmental agency or
corporation.

    Can someone who owns a restaurant refuse to sell the food they own
    to people of a particular ethnic or racial background?

Absolutely. They should be able to decide who and who not they want as
customers.

    Allowing merchants to be arbitrary rather than equitable in their
    choice of clients opens up a wide range of possibilities for them
    to be discriminatory. If they are in business they should be
    prepared to treat anyone with sufficient cash to pay in the same
    manner as anyone else who can pay.

Why? In most cases market pressure will bear on the store to develop
reasonable policies.

--
dennis

------------------------------

From: jhoogerd@bacon.norcen.com (John Hoogerdijk)
Date: 08 Feb 1995 11:47:38 -0700
Subject: Internet Access Policy
Organization: Norcen

Hello folks,

I am drafting a usage policy for our company regarding access to the
Internet. I am posting to this group because privacy, security and
policy items are somewhat related.

I would like feedback on the following areas from people who have
developed similar policies for their respective corporations.

1. Do you take measures to ensure that abuses do not occur - ie: users
   spending excessive time on the WWW, reading Network News, etc.

2. Do you filter and accept only news groups relevant to your business?

3. Do you have any statistics of "abuses" of the Internet, where abuse
   is in the context of activities not related to business objectives
   of the company?

4. Do you audit your user activities on the Internet?

5. Have you researched and considered any liabilities a corporation may
   face as a result of Internet access? This, of course, is relevant to
   local/national law - Norcen is a Canadian company, so Canadian
   experiences would be more relevant, although others would be
   interesting.

I recognize that there is a diverse and potentially contentious set of
opinions related to these issues, and although I don't wish to enter a
discussion on the broader issues of censorship, I do wish to consider a
wide range of views on these matters.

--
John Hoogerdijk
jhoogerd@norcen.com

------------------------------

From: Kajae@aol.com
Date: 08 Feb 1995 15:35:52 -0500
Subject: The Cybercop Impetus

Hmm... When I started the thread on the cybercops it was with the
notion that those of us here who actually *care* one way or the other
about possible future censorship, privacy invasions, and personal
information abuses would do something about this situation other than
make our opinions known to others besides _just_ those of us on the
Net, whom, if they aren't like minded will at least be in a similar
situation if this comes to pass. I suppose what I didn't realize at the
time was that:

1) Anything that we did would have to be done by a large (or at least
   significant) number of us in order for it to be effective

2) Those of us who _did_ do something would have to, at some point and
   in some way agree on what to do and how to do it.

3) That I strongly suggest that everyone who wanted to actively
   participate in the thread read the January 23rd article in U.S. News
   & World Report so you'd have a decent idea of what the heck I was
   talking about.

What I ultimately hoped to accomplish is for us to formulate a series
of actions (and perhaps even a philosophy or two along the way) that
would in some way negate the rather chilling vision of the future I had
after reading that article. Let me share it with you...

The year is 2005. At least 75% of all homes in America have computers,
tied in via modem (or whatever really cool tech we'll be using by then)
to every information exchange and service we require or desire, and the
U.S.'s population of couch potatoes has been all but converted into
netsurfers. But the Net isn't what it was back in the roaring '90's.
Oh, no.
All (yes all) newsgroups and online services are monitored for content
by expert systems deployed by various "politically correct" agencies of
the Federal government to "regulate content for the purpose of insuring
domestic tranquillity". It's illegal to own and/or operate a BBS
without a Federal license, and all sysops must adhere to specific
federal guidelines.

Netsurfers aren't the only ones to enjoy the ever present influence of
our beloved government. Since the passing of the Clipper Amendment, all
forms of communication hardware from cellulars to fax machines to phone
trunks and satellite dishes have nice tidy little slots in them,
anxiously awaiting the insertion of a chip that would give anyone who
had said chip the ability to see and hear everything each of us does.
And you can't use private encryption software, since *technically*, in
the wrong hands it could be used as a weapon. But don't worry. To
offset this, we, the Federal Government (NSA), will provide free of
charge, encryption software for the public - like a nationally
sponsored health care package for communications. Is it good? Sure!
Would anyone from the government be able to break into your encrypted
communications at will? Nah, not without Clipper, and we'd _only_ use
_that_ for strictly _legal_ purposes. You can trust us, we're the
government!

On top of all that, no citizen truly owns their own identity.
Information about everything one has, has done, and is doing is in the
hands of several agencies, both commercial and federal, who are by no
means accountable to mere individuals, American citizens or not.
Consumer buying power is not what it once was, as all goods and service
providers basically offer the same thing, but just a different way -
and treat all customers with the same lack of respect for their
individual privacy.
Cyberthieves, hackers with reverse-engineered Clippers buy and sell
legitimate credit ratings, as well as any information, great or small,
to anyone with the money or power, for money or power. Or maybe even
just for fun.

In the '90's, people were prisoners in their own homes because of the
threat of crime. In the new millennium, people are prisoners of their
own technologically integrated, socially irresponsible society - unable
to act, interact, or even possibly *think* freely for fear of social,
financial, or legal reprisal. (Didn't some dude named Orwell write
something about that a while ago?)

Now aside from the fact that I need to lay off the peanut
butter/tuna/cream cheese sandwiches before I go to bed, I also need to
point out that _I_ don't endorse complete lawlessness on the Net, in
cyberspace in general, or anywhere else. In fact, several law
enforcement agencies have *already* used the Net to break child
pornography rings, credit card scams, and a host of other socially
productive things (read the aforementioned article). What I oppose is
the notion that said agencies have in that they believe that they
should have the potential to constantly (and I do mean constantly)
invade my privacy at will, in any and every way, especially when I as a
private citizen have not given them any legal (or any other) cause to
do so - using law enforcement as an excuse when they don't consistently
enforce existing laws that would help them accomplish their goals just
as well. Circumstances are already close enough to that as it is.

Do each of us as individuals have the right to make choices about where
and how we spend our money? Yes (for now). Do we have an obligation to
spend it in such a way that it is a help to others who may not have the
same choices? Yes, but by definition it's not a binding one, since
that's a *free choice* that we all make, and it isn't always clear cut.

Forget Radio Shack. How many of you use AT&T?
Do you know that AT&T is already in the process of integrating Clipper
into their hardware? How many of you are ready and willing to switch to
MCI or Sprint based solely on that fact? What about the time when MCI
and Sprint will be forced by federal law to integrate Clipper into
their services? Who will you switch to then? What about the AT&T
customers who oppose Clipper, but AT&T provides them with the best
and/or most affordable service? Do we just leave them to hang, when a
united front from a majority of AT&T customers could change their
policy? And maybe even that of Congress? Does anyone besides me see
where this is going?

Should we ban police from the Net? Problematic, since you can't tell
who on the Net is a cop just by looking - you can't see a badge in
cyberspace. And there is the rather significant point that they do
accomplish *some* good here, which is why we have them in the first
place.

If the law enforcement agencies of the US and the world want to stake a
better claim to the Net, let them have Usenet groups and online
services where the average person can *interact* with them, like a
police station on-line. Let them develop their own services,
applications, and encryption breakers, but do it in such a way that it
wouldn't be cost effective to have every individual either world- or
nationwide under some form of constant surveillance. The government and
military already have their own domains, let them expand on those.

So long as humans have imagination and ingenuity, all technology will
be either compromised or obsolete the day it's created. This applies to
Clipper just as much as it does typewriters. And no technology remains
intrinsically unique forever. Just ask IBM.

The NSA is *NOT* God almighty with a supremely omnipotent ability to
touch and not be touched, no matter what they would have us and their
trainees think. As a wing of a democratic government, they should be
made responsive to the will of the people, not the other way around.
Legislation reflecting this philosophy should definitely be put into
place that would apply to private sector agencies as well.

What's more dangerous than a person with a loaded gun? A person with a
loaded gun who has no real idea of how to properly use it. What's more
dangerous than a government with power? A government with power and no
understanding of why it was given that power in the first place - for
consideration and welfare of the people in its sovereignty. Same
principle, different scope.

Think about it. I have. Now it's your turn.

--
Karl Jackson
Kajae@aol.com

------------------------------

From: "Prof. L. P. Levine"
Date: 29 Dec 1994 10:50:22 -0600 (CST)
Subject: Info on CPD [unchanged since 12/29/94]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail.
Those who understand the technology also understand the ease of forgery
in this very free medium. Statements, therefore, should be taken with a
grain of salt and it should be clear that the actual contributor might
not be the person whose email address is posted at the top. Any user
who openly wishes to post anonymously should inform the moderator at
the beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution. As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute.
If you do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored. They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious. Diversity is welcome, but not personal attacks. Do not
include entire previous messages in responses to them. Include your
name & legitimate Internet FROM: address, especially from .UUCP and
.BITNET folks. Anonymized mail is not accepted. All contributions
considered as personal comments; usual disclaimers apply. All reuses of
CPD material should respect stated copyright notices, and should cite
the sources explicitly; as a courtesy; publications using CPD material
should obtain permission from the contributors.

Contributions generally are acknowledged within 24 hours of submission.
If selected, they are printed within two or three days. The moderator
reserves the right to delete extraneous quoted material. He may change
the SUBJECT: line of an article in order to make it easier for the
reader to follow a discussion. He will not, however, alter or edit or
append to the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite. The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.

Mosaic users will find it at gopher://gopher.cs.uwm.edu.

Older archives are also held at ftp.pica.army.mil [129.139.160.133].

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of:     Computer Privacy Digest
Professor of Computer Science     |                  and comp.society.privacy
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher:                 gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Mosaic:        gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V6 #016
******************************