Date: Mon, 20 Feb 95 17:44:18 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V6#019

Computer Privacy Digest Mon, 20 Feb 95              Volume 6 : Issue: 019

Today's Topics:                         Moderator: Leonard P. Levine

    Re: Requests for Home Phone Numbers
    Recent break-ins and collections of credit card numbers
    Cordless Phone Privacy
    Re: Innacurate Personal Information
    Phones that dial *67 automatically
    Phones that dial *67 automatically
    Incredible Universe Privacy Concerns
    Re: How Can I Change This?
    Re: How Can I Change This?
    Privacy Laws Regarding Computer Databases, etc.
    Re: Mailing Lists & Personal Information
    Ignore This
    Privacy questions for research
    New Hires SSN put into National Database
    Swiss Federal Data Protection Commissioner on-line
    What Does City Hall Have about Me?

----------------------------------------------------------------------

From: Christopher Zguris <0004854540@mcimail.com>
Date: 16 Feb 95 10:57 EST
Subject: Re: Requests for Home Phone Numbers

mjh9@lehigh.edu wrote:

    I have a question about using an alias in the U.S. I work in our campus post office (which handles both campus and U.S. Mail), and often put mail in the mail in student's boxes. One thing that my supervisor has told me on several occasions, is that I must make sure that the name on the mail matches the name on the box that it is addressed to. In one sense this makes sense, students come and go, so boxes change from one person to another each semester. However, this makes it almost impossible to receive mail under an alias that the post office is not aware of. Is this policy used anywhere else, and is it even legal? Any input is appreciated.

I thought it was _illegal_ to put anything in someone's mailbox! Private delivery companies can't put magazines in private mailboxes because it's against the law and the post office will sue them into the stone age.
How does a campus post office get away with fiddling with private mail?

-- Christopher Zguris czguris@mcimail.com

------------------------------

From: "Vinod Narayanan"
Date: 16 Feb 95 13:56:45 -0500
Subject: Recent break-ins and collections of credit card numbers

Today's NY Times had a story about the apprehension of Mr. Mitnick for various computer related break-ins. There are various risks to be considered in this incident, including some that Mr. Mitnick did not anticipate, but one particular item caught my attention.

Mr. Mitnick had managed to hack netcom, and in the process, got hold of a file containing 20,000 credit card numbers. Even though the article did not explicitly state this, I assume that these were the credit card numbers of netcom subscribers.

Now, obviously, we all know that the service providers collect credit card numbers one at a time. But to think that this is collected in a single file, on a system accessible from the main switch, is rather disconcerting. I would have expected at least one of the following measures to be taken:

- Move the credit card numbers physically to a separate system, which cannot be accessed directly from the hosts connected to the networks, maybe on a daily basis.

- Use some strong encryption, with the key being stored on a separate system, and all decryption being done on a separate system.

Now, we may think that this is a risk associated only with online providers who collect your credit card numbers for access to accounts. However, this is not the case. As more and more merchants come on-line, it is likely that their databases are accessible directly from the network also.

I think the basic lesson is that we all need to be aware of the higher risk associated with on-line collections of sensitive data.

--
vinod@watson.ibm.com
"Keep it simple: as simple as possible, but no simpler" -- A.
Einstein

------------------------------

From: Lane Lenard
Date: 16 Feb 1995 15:54:32 -0500
Subject: Cordless Phone Privacy

I'm doing some research on cordless phone snooping and have heard that there are "monitoring enthusiast clubs" in which members share monitoring techniques. There is even supposed to be a monthly magazine called "Monitoring Times" that gives eavesdropping techniques. Does anybody know anything about these clubs and/or this magazine?

Also, what is the current legal status of cordless phone snooping? Am I correct in assuming that it is now illegal as of the passage of the recent Digital Telephony legislation?

Thanks in advance.

-- Lane Lenard

------------------------------

From: fred@sunserv.optiplan.fi (Fred Baube)
Date: 16 Feb 1995 22:58:52 +0200 (EET)
Subject: Re: Innacurate Personal Information

Surely sendmail reeled when thusly spake Kajae@aol.com:

    I agree. Perhaps an alternative in addition to this would be an idea that a previous poster had that we make credit bureaus compete for our reports, and penalize them for inaccuracies by threatening to take our report elsewhere. This of course would be predicated on the fact that 1) we as individuals would have to be legally empowered to have ultimate possession of that information and [..]

This was of course rendered academic when the Supreme Court decided some years ago that information about an individual is neither the property of, nor subject to control by, that individual.

Perhaps an explicit privacy provision in the Bill of Rights would have changed that interpretation. The Supreme Court is not bound by precedent, but then again, who expects anything pro-privacy from *this* bunch ?

--
F.Baube(tm)              * "Government had broken down.
G'town Univ MSFS '88     *  I found the experience invigorating."
baube@optiplan.fi        *   -- Maurice Grimaud, Paris prefect
#include                 *      of police in May 1968

------------------------------

From: G Martin
Date: 17 Feb 1995 00:33:27 -0500 (EST)
Subject: Phones that dial *67 automatically

Jeff Nye wrote:

    My phone line has caller ID and I would prefer not to pay a monthly fee to have it blocked. I'd like to block caller ID by default on all outgoing calls, which in my area, means dialing "*67" before each outgoing call. My computer's telecommunications software allows a "dial-prefix" to be prepended to all outgoing calls. Does anyone know of any telephones which do this?

I'm not aware of any phones that do this, but I have seen phones that have 1-3 buttons on them for dialing police, fire or an ambulance. Since most people would use 911 anyway, these buttons are often not used. Seems like you could program them to dial *67 if you wanted to.

-- Gary Martin gmartin@FREENET.COLUMBUS.OH.US

------------------------------

From: "Jongsma, Ken"
Date: 16 Feb 95 14:32:00 PST
Subject: Phones that dial *67 automatically

Jeff Nye wrote:

    My phone line has caller ID and I would prefer not to pay a monthly fee to have it blocked. I'd like to block caller ID by default on all outgoing calls, which in my area, means dialing "*67" before each outgoing call. My computer's telecommunications software allows a "dial-prefix" to be prepended to all outgoing calls. Does anyone know of any telephones which do this?

Zoom Telephonics (Boston, MA) makes a box called the Hot Shot that plugs into any phone outlet. It can be programmed to prepend *67 to any call from any phone on the same line. Graybar sells it for about $50.

------------------------------

From: G Martin
Date: 17 Feb 1995 00:38:18 -0500 (EST)
Subject: Incredible Universe Privacy Concerns

Matt Sargent [ m.sargent@genie.geis.com ] said:

    Obviously, no one shops at The Incredible Universe against their will. But how many of the people who do shop there even realize what data they may unwittingly be providing.
Thanks for sharing this info. I heard rumors about Incredible Universe doing something like this, but until now I hadn't realized how extensive their invasions of privacy really are. I have avoided shopping there for this very reason and will continue to do so as long as they refuse people the right to make anonymous cash purchases.

-- Gary Martin gmartin@FREENT.COLUMBUS.OH.US

------------------------------

From: bandy@aplcomm.jhuapl.edu (Mike Bandy)
Date: 16 Feb 1995 09:34:56 -0500
Subject: Re: How Can I Change This?
Organization: Johns Hopkins University Applied Physics Lab, Columbia, MD, USA

lauras@holly.ColoState.EDU (Laura Sizemore) writes:

    Is there anyone out there who knows how to change your name on the system when someone types, "finger (your login name)"

mcinnis@austin.ibm.com (Mickey McInnis) writes:

    There might be a way to do this without going to the sysadmin, but try asking the system administrator to change the name entry for your id. This is usually stored in the /etc/passwd file.

On my SunOS 4.1.3 system the command is 'passwd -f'. On your system do a 'man passwd' and see what the switches are. On HPUX 9.05 the sys admin must get involved, as our long winded IBM friend describes below.

-- Mike Bandy bandy@aplcomm.jhuapl.edu Johns Hopkins University / Applied Physics Laboratory

------------------------------

From: G Martin
Date: 17 Feb 1995 00:49:24 -0500 (EST)
Subject: Re: How Can I Change This?

lauras@holly.ColoState.EDU (Laura Sizemore) writes:

    Is there anyone out there who knows how to change your name on the system when someone types, "finger (your login name)"

Mickey McInnis - mcinnis@austin.ibm.com

    There might be a way to do this without going to the sysadmin, but try asking the system administrator to change the name entry for your id. This is usually stored in the /etc/passwd file. If they are reluctant to remove your name entirely, you could try changing the first name to initials, or "Laurance" or some such.
    You could also ask them to change it to "account 3249" or some such. If they are still unwilling to remove or disguise your name, try working your way through the bureaucracy, or even getting one of the local or college newsrags or TV stations interested in this "scandal". i.e. "Local School Refuses to Protect Identity of Female Students, etc." Try the local bureaucrats first, you might find a sympathetic ear. If necessary point out the danger of stalkers, etc. and the potential for liability or embarrassment to the University if something happens.

When our Columbus Freenet first got started, they originally had intended to make everyone use their full first and last name in their userid, and in the output from the Finger command. I tried bucking the system when I first applied, and asked them to only use my first initial in my first name. Even though the application clearly stated that I couldn't do this, I wrote it on the application anyway that I wanted to. I also enclosed a letter stating that the reason was because I wanted to protect my privacy.

About a week or two after I mailed my application, I got a phone call from a man who worked with our Freenet. He was rather militant in the sound of his voice, and he insisted that I would have to use my full name or I could not get an account. I wanted the account bad enough that I reluctantly agreed. Then much to my surprise, when I got the paperwork in the mail to set me up, they had used only my initial after all. I can only guess as to why they did this. I suspect that because many others probably expressed concerns about their privacy that they realized I wasn't just some paranoid nut.

Additionally, several months later, they had an announcement that they were going to limit the amount of information available on Internet via the "Finger" command to just our userid ("gmartin" in my case) and our full Internet address. And in my case, they seem to have even taken it one step further.
When I try to use the internal Freenet option (not the Finger command; a Gopher menu option) to list info about users, I don't even show up as belonging to Columbus Freenet. I don't know how they pulled that off, but I like it.

Laura, even if you can find a command to change it yourself, I think it's important for you and others who have similar concerns to speak up. If they get enough complaints, they just might take action like our Freenet apparently did.

-- Gary Martin gmartin@FREENET.COLUMBUS.OH.US

------------------------------

From: kellys@cs.stanford.edu (Kelly Schwarzhoff)
Date: 17 Feb 1995 06:54:25 GMT
Subject: Privacy Laws Regarding Computer Databases, etc.
Organization: Stanford University

Does anyone know of a good book/article that describes the main laws that attempt to protect one's privacy regarding various computer databases (i.e. credit records, medical information, criminal records, etc.), such as the Fair Credit Reporting Act, etc.? I know of "The Right of Privacy in the Computer Age" by Freedman, but unfortunately it was published in 1987 and I'm under the impression that a number of significant laws have been published in the last eight years. Suggestions?

-- Kelly Schwarzhoff kellys@cs.stanford.edu MIME Mail is welcome

------------------------------

From: gmcgath@condes.MV.COM (Gary McGath)
Date: 17 Feb 1995 11:58:31 GMT
Subject: Re: Mailing Lists & Personal Information
Organization: Conceptual Design

Sarah Holland <70620.1425@compuserve.com> wrote:

    I think the issue is that when one subscribes to a mailing list, one doesn't expect that one's email address will be sent out to other people without having first posted! It's not a big problem, of course...

On my recently started book review mailing list, I send the mailings to myself, and BCC everyone else on the list. Everyone's privacy is thus guaranteed. Just something which other people who have mailing lists might consider doing in order to avoid the problem mentioned.
-- Gary McGath gmcgath@condes.mv.com PGP Signature: 3E B3 62 C8 F8 9E E9 3A 67 E7 71 99 71 BD FA 29

------------------------------

From: Bruce Steinberg
Date: 18 Feb 1995 22:41:31 -0800 (PST)
Subject: Ignore This

    Newsgroups: comp.society.privacy
    From: anonymous@whocares.net
    Subject: IGNORE THIS
    X-Nntp-Posting-Host: cisco-slip114.acc.virginia.edu
    Message-ID:
    Sender: usenet@murdoch.acc.Virginia.EDU
    Organization: University of Virginia
    Date: 15 Feb 1995 17:36:55 GMT
    Approved: I wish it was...
    Lines: 2

    testing again.
    2121281873

This is both scary and just a little poetic, especially appearing on comp.society.privacy, and the day after the Mitnick bust.

Could I have responded back and posted as directly to the newsgroup as the initial anonymous poster here (should I have chosen to add to the clutter), effectively bypassing the moderator? Are there any safeguards against this, or are we looking at the future here?

[moderator: I wrote to the postmaster at the mailing address and wondered if this was the norm at their institution or if they were the victim also of this trash. The postmaster indicated that they knew who the perp was and that he had been talked to and would not do it again. Learning is a part of the Internet game. This was mild and will not be repeated.]

------------------------------

From: Loren.Mikola@asu.edu
Date: 18 Feb 1995 04:07:17 +0000 (GMT)
Subject: Privacy questions for research
Organization: Arizona State University

Hello All,

My name is Loren Mikola. I am a computer science student at Arizona State University. I am doing a research project that discusses privacy; specifically, how far government should be allowed to delve into people's privacy as far as computer technology is concerned. A large part of the paper will be on laws pertaining to privacy; as well as a substantial section on the Clipper chip. There will also be a section on striking a balance between government interference as opposed to national and domestic security.
I would appreciate it if anyone with any information on these or related subjects would E-Mail me and tell me what they know. For instance, FTP or telnet sites where I can obtain documents and other related material, the names of newspapers, magazines and other periodicals that deal with this subject would also be greatly appreciated. If you are a professional in a related field, your opinions would also be valued.

My E-Mail address is: loren.mikola@asu.edu

Thanks very much in advance. I hope I don't sound like I'm picking your brain. But hey, that's what the Net's for.

Sincerely,
Loren Mikola
loren.mikola@asu.edu

------------------------------

From: jwarren@well.sf.ca.us (Jim Warren)
Date: 19 Feb 1995 17:01:56 +0800
Subject: New Hires SSN put into National Database

And they call this Social "Security"??

Sen. Bill Bradley (D-NJ) said about S.456 which was introduced on Thursday (16-Feb-1995): "This bill requires information on every new hire to be filed in a national database, which States can regularly search for the names or Social Security numbers of parents who owe support to children in their States."

Daniel A. Norton danorton@chsw.win.net said:

The bill is "The Interstate Child Support Responsibility Act" and the purpose of the database is to track parents who are purposefully evading child-support obligations. Of course, no one should expect that a database that tracks every employee in the U.S. with 30-day accuracy would be of any interest to anyone else.

This child-support pursuit was the same rationale used by California's then-state Senator Becky Morgan in mandating that SS numbers must be on drivers' licenses.

Who was it that first said something about no person's liberty being safe while the legislature is in session?

--jim
Jim Warren, GovAccess moderator; columnist, MicroTimes/Govt.Tech/BoardWatch
[puffery: James Madison Freedom-of-Information Award, Soc.
of Professional Journalists - Nor.Calif.(1994); Hugh Hefner First-Amendment Award, Playboy Foundation (1994); Pioneer Award, Electronic Frontier Foundation (its first year, 1992); founded Computers, Freedom & Privacy confs, InfoWorld, etc.]

------------------------------

From: Ralf Hauser
Date: 20 Feb 1995 17:55:30 +0100
From: hauser@ifi.unizh.ch (Ralf Hauser)
Subject: Swiss Federal Data Protection Commissioner on-line
Organization: University of Zurich, Department of Computer Science

We are happy to announce the experimental server of the

    |                                                 |
    |  Swiss Federal Data Protection Commissioner     |
    |  Eidgenoessischer Datenschutzbeauftragter       |
    |  Prepose federal a la protection des donnees    |
    |  Incaricato federale della protezione dei dati  |
    |  Incombensa federal per la protecziun da datas  |

It currently contains (in HTML and RTF format):

- The commissioner's recommendations for concerned individuals how to execute their rights granted by the Swiss data protection law.
- Guidelines for the owners of collections of personal data.
- Guidelines for the treatment of personal data in the Swiss Federal Administration.

The documents are in French and German. Italian paper versions can be requested and their electronic versions are in preparation.

It is furthermore planned to add the yearly reports of the Officer, the full text of the law, as well as various further information.

You can reach the server under URL: http://www.edsb.ch/edsb

Ralf Hauser
http://www.policom.ch/Customers/POLICOM/
By Courtesy of http://www.eunet.ch

-- For more information: finger hauser@claude.ifi.unizh.ch or +41 1 724-8426

------------------------------

From: donath@hweng.syr.ge.com
Date: 20 Feb 95 12:59:05 EST
Subject: What Does City Hall Have about Me?
Organization: Martin Marietta Aerospace, Valley Forge, PA

What does my local city government have on file about me? Any tips on where to find it? Is there a FAQ that would cover some of this information?
-- Kurt Donath donath@hweng.syr.ge.com

------------------------------

From: "Prof. L. P. Levine"
Date: 29 Dec 1994 10:50:22 -0600 (CST)
Subject: Info on CPD [unchanged since 12/29/94]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted.
All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors.

Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the SUBJECT: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit or append to the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at gopher.cs.uwm.edu.

Mosaic users will find it at gopher://gopher.cs.uwm.edu.

Older archives are also held at ftp.pica.army.mil [129.139.160.133].

---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     |    and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Mosaic: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V6 #019
******************************