Date: Thu, 02 Mar 95 09:25:55 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V6#023

Computer Privacy Digest Thu, 02 Mar 95              Volume 6 : Issue: 023

Today's Topics:                         Moderator: Leonard P. Levine

    Re: Cordless Phone Privacy
    Re: Cordless Phone Privacy
    Re: Cordless Phone Privacy
    Re: Question Regarding Wiretapping
    A True Story
    Re: Use of Mailboxes
    Question on Clipper Status
    Re: Compuserve Sued for Delivering "Junk E-Mail"
    The IRS and The INS
    Re: The National Computer Security Organization
    Can You Buy Boxes to Fool CallerID/ANID?
    EPIC Legislative Update 2.2
    Info on CPD [unchanged since 12/29/94]

----------------------------------------------------------------------

From: eck@panix.com (Mark Eckenwiler)
Date: 28 Feb 1995 00:01:15 -0500
Subject: Re: Cordless Phone Privacy
Organization: Saltieri, Poore, Nash, deBrutus & Short, Attorneys at Law

rthomas007@aol.com sez:

    I am not in the know about the bill you just spoke of. However, up until a year or so ago, the U.S. Supreme Court ruled that there is no expectation of privacy on a cordless telephone. There is on a cellular.

Cite, please. And even if such a case existed, the 1994 Digital Telephony Act's amendments to Title III have now *created* a legal expectation of privacy for cordless calls.

BRENDZA@gould-tm.mhs.compuserve.com sez:

    Does this mean that cordless phone signals that are broadcast between the handset and the base are not encrypted (and then de-encrypted for the phone line) because of some federal legislation against it? If so, is this so that law enforcement agencies can monitor the broadcast, like a wire-tap without a warrant (a wireless tap?).

The effect of the 1994 amendment to Title III -- bringing cordless phone transmissions within the protection of federal wiretap law -- is to prohibit warrantless taps by law enforcement.

------------------------------

From: Christopher Zguris <0004854540@mcimail.com>
Date: 28 Feb 95 08:48 EST
Subject: Re: Cordless Phone Privacy

writes:

    Does this mean that cordless phone signals that are broadcast between the handset and the base are not encrypted (and then de-encrypted for the phone line) because of some federal legislation against it? If so, is this so that law enforcement agencies can monitor the broadcast, like a wire-tap without a warrant (a wireless tap?). I always wondered why AT&T or some other phone manufacturer never manufactured a "scrambled signal" phone unit. I guess I never really thought about why no one did. Is this why? Does that mean it's illegal to install your own encrypted broadcast scheme if you were inclined to?

Last I heard, Radio Shack sells a "scrambled" phone. Of course, it's not digital descrambling, so -- as I understand it -- it's fairly easy to unscramble. I'm thinking there's another manufacturer, but the name escapes me.

I don't think it's because of legislation or a conspiracy, I think it's simple economics. I don't think people would have paid the extra money for a scrambled phone, we're talking more than your average cordless phone. Besides that, I also don't think the people selling the phones want to publicize the fact either way. Bringing up scrambling means acknowledging someone might/is listening, and that's a bad thing for sales :-) .

--
Chris    czguris@mcimail.com    (just another happy MCI customer)

------------------------------

From: knauer@ibeam.jf.intel.com (Rob Knauerhase)
Date: 01 Mar 95 07:03:20 GMT
Subject: Re: Cordless Phone Privacy
Organization: Intel Corporation

writes:

    Does this mean that cordless phone signals that are broadcast between the handset and the base are not encrypted (and then de-encrypted for the phone line) because of some federal legislation against it? If [...] why no one did. Is this why?
    Does that mean it's illegal to install your own encrypted broadcast scheme if you were inclined to?

It almost certainly isn't illegal to encrypt the transmission between a cordless handset and base; as an example, the Motorola model 550 cordless phone boasts what they call "secure clear technology" for just such a purpose. The unit includes a "demo mode" so you can hear what someone with a 46/49MHz scanner would hear.

(Some may claim that analog voice inversion isn't "encryption"; I'm not sure if there are subtleties to the definition or not.)

--
Rob Knauerhase [knauer@ibeam.jf.intel.com]    Intel Mobile Technology Lab
"It would be quite possible to control a distant computer by means of a telephone line." -- Alan Turing, 1947

------------------------------

From: Mike Rollins
Date: 27 Feb 1995 06:50:37 -0500 (EST)
Subject: Re: Question Regarding Wiretapping
Organization: IDS World Network Internet Access Service, (800)IDS-1680

Michael Benedek wrote:

    Pardon me if this is not an appropriate usergroup on which to post this question: If the government is tapping your phone line, is there any way, theoretically to make an untraceable phonecall or send an untraceable computer transmission?

The best way to place a telephone call with minimal risk of having it traced or intercepted, is to use an encryption scheme such as PGP, while placing the call from a pay phone which is located at a distance from the location of the residence or business that you believe to be under surveillance. In other words, make a point of driving past a few pay phones to one which is chosen at random.

Please note that this will not protect you from the risk of a tap being placed on the receiving end of your call. In order to try doing that, you would need to have the recipient of your call waiting at a second randomly chosen pay phone.

Unless the desired privacy is related to an issue of extreme importance, this is really not worth the effort.
Even then, be warned that people are likely to get careless.

--
Mike Rollins    mjr@conan.ids.net    Speaking only for myself.

------------------------------

From: pbrennan@world.std.com (Patrick M Brennan)
Date: 01 Mar 1995 23:12:22 GMT
Subject: A True Story
Organization: The World Public Access UNIX, Brookline, MA

I went to the local Sears to buy a new clock radio this afternoon over my lunch break. I needed some help on getting a price from the salesman on the floor, and I eventually selected a model and we went over to a register to complete the purchase.

The salesman, a regular white guy in his late 30s or early 40s, logged in to the register, and after a short sparring session during which he tried really hard to sell me the extended warranty (I said no three times!), he began to key in the purchase. I swear I am not making this conversation up (but I am recalling it from a 3-hour old memory):

====================================================

SALESMAN : Cash, check or charge?
ME : Cash.
SALESMAN : Can I get your phone number, please?
ME : xxx-xxxx.
SALESMAN : (keys it in) Where's that?
ME : Brighton.
SALESMAN : Hm. Name?
ME : Brennan.
SALESMAN : (keys it in) Address?
ME : I don't think you need that.
SALESMAN : Yes, I do.
ME : Why?
SALESMAN : Because that's what the computer wants.
ME : Well, I don't really think it's necessary.

(At this point the SALESMAN voids the transaction, and starts it again to get to the menu choice which allows him to bypass the address screen. His face displays his displeasure.)

ME : I'm sorry, I don't mean to make your life rough.
SALESMAN : I don't see what's wrong with it.
ME : Everywhere I go lately, these companies want me to give them my address. I don't see why it's necessary and I don't want your company's computers keeping tabs on me.
SALESMAN : It's necessary in order to prevent fraud.
ME : This is a cash transaction we're doing here. I think it's unlikely that I can defraud your company.
SALESMAN : Well you know, somebody else could just bring it back and return it for money.
ME : m-Hm.
SALESMAN : The company's just looking to protect its ass. You know, Sears has a big credit card division. Without their credit card business, the company couldn't stay in business. We can't even check people's credit ratings, and that's just stupid.
ME : Well, I think people have a legitimate right to protect their privacy.
SALESMAN : Ahhh, you've been listening to too many liberal college professors. Privacy, Shmivacy. If you're not doing anything wrong, you have nothing to worry about.
ME : Yeah, right -- until they change the definition of what's "wrong".
SALESMAN : Well, I've got nothing to worry about.

====================================================

Is this poor schmuck as dumb as he sounds? I have to admit I am baffled by the zeal displayed by this hourly wage-drone. Above and beyond the call of $6 per hour, which leads me to the conclusion that this guy is exactly the dittohead type that voted in the fascists this past fall. I imagine that Sears's nose has already had the full tour of every orifice of this guy's life (they don't trust just *anybody* to run their registers!). Not only does he have no concept of the enormous power of large corporate databases to corrupt and degrade individual privacy, he doesn't care!

And most perplexingly : he actually defended the company's prerogative to gather information, and the computer's demand to have the information, OVER a PERSON's right to keep the information. Hey, if I haven't done anything wrong, I have nothing to worry about. Companies come before people, anyway.

He might as well have come from Mars : I cannot relate to this guy at all. And it scares me that his may represent a substantial segment of the popular opinion. If that is so, then I am glad I've listened to too many liberal college professors.

--
Patrick Brennan

------------------------------

From: mjh9@lehigh.edu
Date: 01 Mar 1995 19:27:17 -0500
Subject: Re: Use of Mailboxes

wicklund@Intellistor.COM (Tom Wicklund) writes:

    Christopher Zguris <0004854540@mcimail.com> writes:

        I thought it was _illegal_ to put anything in someone's mailbox! Private delivery companies can't put magazines in private mailboxes because it's against the law and the post office will sue them into the stone age. How does a campus post office get away with fiddling with private mail?

    This also means that your campus mailbox isn't technically a mailbox under postal regulations, which may have other implications.

I posted the post to which Christopher Zguris responded, and I think I can add a little to the explanation. Our campus wide post office is a Contract Postal station. The university pays the U.S. Postal service to have the privilege of operating a post office. This allows the university to have full Post Office Services on campus (postal money orders, express mail, etc) while also using the boxes for their own campus mail. All U.S. mail is addressed to the building and also has a box number on it.

The contract Post Office arrangement saves the Postal Service money (they don't need to pay as many workers), is more convenient for the University, and is better for the students (their other option would be to rent a box at the local town Post Office). I think the Post Office may also pay the University something for the service.

Finally, the post office must abide by all postal regulations (eg, they cannot accept personal checks, they cannot just trash first class mail with a bad address, they must forward mail, etc.).

Hope this clears it all up.

--
Mario Hendricks    mjh9@lehigh.edu

------------------------------

From: bill griffith <72613.2133@CompuServe.COM>
Date: 28 Feb 1995 16:22:58 GMT
Subject: Question on Clipper Status
Organization: Pennex Aluminum Co.

Hi all, I am new to the group so please accept my apologies if this is a repeat.

Could someone please tell me the status of the Clipper Chip?

Please post here if appropriate or email me at 72613.2133@compuserve.com

------------------------------

From: gmcgath@condes.MV.COM (Gary McGath)
Date: 28 Feb 1995 20:16:06 GMT
Subject: Re: Compuserve Sued for Delivering "Junk E-Mail"
Organization: Conceptual Design

Privacy Rights Clearinghouse wrote:

    Robert Arkow, a Compuserve subscriber, is suing the service for delivering two unsolicited advertising e-mail messages to his mailbox on December 21, 1994. The suit, believed to be the first of its kind, challenges the right of advertisers to deliver so-called "Junk E-Mail" under the Telephone Consumer Privacy Protection Act of 1991 (TCPA). Arkow argues that the TCPA prohibits the automated calling of "any service for which the calling party is charged for the call." Also named in the suit is Compuserve Visa, the business responsible for the ads.

The implications of this are as frightening (assuming equal probability of success) as those of S. 314. If service providers become responsible for conveying "junk mail," and can be legally held reliable for it, then providers will have to scan all messages and somehow decide which ones are "junk mail." Worse yet, the criteria used -- that sending mail to a list constitutes "automated calling" -- could outlaw all automated mailing lists, and perhaps all mail programs which batch mail, if they became legal doctrine.

Thanks for calling this to our attention.

--
Gary McGath    gmcgath@condes.mv.com
PGP Fingerprint: 3E B3 62 C8 F8 9E E9 3A 67 E7 71 99 71 BD FA 29

------------------------------

From: Jannick Johnsson
Date: 28 Feb 1995 21:51:52 GMT
Subject: The IRS and The INS
Organization: NeoSoft Internet Services +1 713 968 5800

Does anybody know if somebody has a disagreement with IRS, like not filing your taxes if this is reported to INS, so next time somebody returns from a trip they have you in the computer.

Is it possible to find out what INS has in their computer just by asking. I asked the agent once when I returned if I could see what he had on the screen. He said he was not allowed to show it to me. I did verify I was returning to the right country!!!

I do know the police does not send your name to INS just because you are not paying your ticket or a warrant for your arrest not showing in the court.

I am not convicted and do not intend to be, but just curious.

--
Jannick Johnsson    email wiking@neosoft.com

------------------------------

From: "Bob Bales [NCSA]" <74774.1326@compuserve.com>
Date: 01 Mar 95 10:01:23 EST
Subject: Re: The National Computer Security Organization

Kevin,

Perhaps you have missed some of the bylines and extensive information written about us in: PC Magazine, Byte, Computerworld, Network World, Information Week, LAN Times, Info World, and dozens more that you most likely have not heard of. :) We are the official security product testing organization for Network World (check masthead) and operate a widely respected product certification service which is subscribed to by the likes of IBM and Intel, to name two you have heard of. :) :)

Also, if you have read more than one issue of Privacy Digest or RISKS, you will have seen the very thoughtful and well-received postings of our highly respected Director of Education, Dr. Mich Kabay. Dr.
Kabay's work regularly appears in national trade publications, and his paper on the impact of social and psychological factors in InfoSec was awarded best Paper at the National Computer Security Conference. His book, Enterprise System Security, will soon be published by McGraw-Hill.

For your information, the NCSA to which you refer was "no name" in 1989. Believe it or not, we started out by picking a name which describes what we are and do. The letters just sort of followed. It's not like "NCSA" is easy to pronounce. Back then, IBM would have been better initials to use if we were seeking to trade on someone's reputation.

Forgive the sarcasm reflected in my previous message, but it was in direct response to what I felt was unprofessional public criticism and unfounded innuendo about an organization and people (me for instance) of which you are truly ignorant.

I hope this clears things up for you.

--
Robert C. Bales
Executive Director
National Computer Security Association

------------------------------

From: bo774@freenet.carleton.ca (Kelly Bert Manning)
Date: 02 Mar 1995 05:44:45 GMT
Subject: Can You Buy Boxes to Fool CallerID/ANID?
Organization: The National Capital FreeNet, Ottawa, Ontario, Canada

A recent article in Macleans magazine stated that some Canadians with the new pizza sized Direct Broadcast Satellite receivers are using devices to make their pay per view calls look like they are coming from a US area code.

There are apparently licensing disputes involved related to some Canadian businesses apparently have paid for "exclusive" rights to broadcast particular shows in Canada.

Canadians can use PO boxes to handle billing for regular service, but apparently the Pay Per View services require a call for each viewing. If a call shows a Canadian area code the clock starts ticking on a service termination deadline.

CNID is reportedly relatively easy to fool, but I doubt that this would get past ANID unless they are calling through some sort of US call forwarding service.

The article also said that some callers call an 800 service to bypass this problem. That doesn't seem to make much sense, since the call would show up in the billing details, unless it is some sort of call forwarding operation. I'd expect that to be a 900 pay per call service, not an 800 service.

------------------------------

From: "Dave Banisar"
Date: 01 Mar 1995 01:18:21 -0800
Subject: EPIC Legislative Update 2.2

Privacy Legislation
104th Congress
Electronic Privacy Information Center
Last updated 2.23.95

An updated version of this document and the text of the bills are available from cpsr.org /cpsr/privacy/epic/104th_congress_bills/

Quality Assurance in Drug Testing Act (HR 153). Introduced by Rep. Solomon. Prohibits random drug tests, requires that employers have explicit written policies and education, use certified laboratories. Referred to Committee on Commerce.

Individual Privacy Protection Act of 1995 (HR 184) Introduced by Rep. Collins (D-ILL). Creates national Privacy Commission with authority to oversee enforcement of Privacy Act. Referred to Committee on Government Reform and Oversight.

Antitrust Reform Act of 1995 (HR 411). Introduced by Rep. Dingell (D-MI). Telecommunications reform bill. Includes section ordering FCC to conduct privacy survey of new technologies and places limits on use of Customer Propriety Number Information (CPNI). Referred to Committee on Commerce.

Postal Privacy Act of 1995 (HR 434) Introduced by Rep. Condit (D-CA). Prohibits Post Office from selling personal information to direct marketers. Referred to Committee on Government Reform and Oversight

Fair Health Information Practices Act of 1995 (HR 435). Introduced by Rep. Condit (D-CA). Health Care privacy bill. Sets limits of access, use and dissemination of personal medical information.
Referred to Committee on Commerce and 2 other committees.

Consumer Reporting Reform Act of 1995 (HR 561). Introduced by Rep. Gonzales (D-TX). Updates 1970 Fair Credit Reporting Act to require better accuracy, less expensive credit reports, limit use of credit records for direct marketing and prohibit most uses of reports by employers. Referred to the Committee on Banking and Financial Services.

***Bills that will negatively affect privacy***

The Taking Back Our Streets Act of 1995 (HR 3). Introduced by Rep. McCollum. Republican Crime Bill. Includes provision to substantially limit judicial sanctions for illegal searches (exclusionary rule). Referred to Committee on the Judiciary. Hearings held 1/19/95

FBI Counterintelligence Act of 1995 (HR 68). Introduced by Rep. Bereuter. Authorizes easier access to credit reports by FBI for "national security purposes." Referred to Committee on Banking and Financial Services

Interstate Child Support Enforcement Act (HR 195) Introduced by Rep. Roukema (R-NJ). Extends access to federal, state, local and commercial databases for purposes of enforcing child support. Increases use of Social Security Numbers. Creates database of new hires. Referred to Committee on Ways and Means and 3 other committees.

Social Security Account Number Anti-Fraud Act (HR 502). Introduced by Rep. Calvert (R) Amends the Social Security Act to require the Secretary of Health and Human Services to establish a program to verify employee social security information, and to require employers to use the program using 800# to verify employee. Referred to Ways and Means.

Immigration Reform Act of 1995 (HR 560). Introduced by Gallegly. Requires introduction of new tamperproof id cards for immigrants. Referred to the Committee on the Judiciary.

Act to enforce Employer Sanctions law (HR 570). Introduced by Beilenson. Requires issues of new Social Security Card which is "counterfeit-resistant ...
contains fingerprint identification, barcode validation, a photograph, or some other identifiable feature." Card will be sole identification allowed for work authorization. Referred to Committee on Ways and Means and Judiciary Committees.

Exclusionary Rule Reform Act of 1995 (HR 666). Introduced by Rep. McCollum (R-FL). Allows introduction of evidence obtained by illegal search or seizure that violates 4th Amend, statute or rule of procedure if "objective belief" that search or seizure legal. May allow illegal wiretaps, house searches to be used. Does not apply to IRS and BATF. Rejected amendment by Watt (D-NC) to replace language with that of 4th Amendment. Passed by House Feb 8, 1995.

Criminal Alien Deportation Improvements Act of 1995 (HR 668). Introduced by Smith (R-TX). Authorizes wiretaps for investigations of illegal immigration. Passed by House Feb 10. Referred to Senate Judiciary Committee.

Illegal Immigration Control Act of 1995 (HR 756). Introduced by Hunter. Authorized Wiretaps for illegal immigration investigations, false id. Requires issuance of "enhanced" Social Security cards to all citizens and resident aliens by year 2000 that will include photo, SSN, and are machine readable. Orders Attorney General to create databases for verification. Referred to Committee on Judiciary.

Child Support Responsibility Act of 1995 (HR 785). Introduced by Johnson (R-Conn). Makes SSN of parents public record by requiring their use on birth certificates and marriage licenses. Referred to the Committee on Ways and Means.

Paperwork Reduction Act of 1995 (HR 830). Introduced by Controversial provision to benefit West Publishing limiting access to public records removed after Internet campaign by TAP. Passed by House Feb. 22 (418-0). House Report 104-37. See S. 244 below.

Communications Decency Act of 1995 (HR 1004). Introduced by Johnson (SD). Same as Exon bill (see S. 314 below). Referred to Commerce and Judiciary Committees.

****************************************************************
Senate Bills
****************************************************************

Violent Crime Control and Law Enforcement Improvement Act of 1995 (S. 3). Senate Republican Crime Bill. Introduced by Dole. Includes provision to substantially limit judicial sanctions for illegal searches (exclusionary rule). Allows wiretapping for immigration, and false documents, allows participation of foreign governments in domestic wiretapping and disclosure of info to foreign law enforcement agencies. Referred to Committee on the Judiciary

Family Health Insurance Protection Act (S. 7). Introduced by Senator Daschle (D-SD). Democratic Health Care Bill. Sets national standards for transfer, privacy of medical records. Referred to Committee on Finance.

Exclusionary Rule Limitation Act of 1995 (S. 54). Introduced by Thurman. (See HR 666 above).

Paperwork Reduction Act of 1995 (S. 244) Introduced by Sen. Nunn (D-GA). Renews 1980 Paperwork Reduction Act. Sets OMB as controller of information policy in government. Sets standards for collection, use, protection of statistical information. Referred to Committee on Government Affairs. Approved by Committee Feb. 14.

Immigrant Control and Financial Responsibility Act of 1995 (S. 269). Introduced by Sen. Dole and Simpson. Creates national registry for workplace verification. Increases use of wiretaps for immigration purposes. Referred to the Committee on the Judiciary

Communications Decency Act of 1995 (S. 314). Introduced by Sen. Exon (D-NE). Revises Communications Act to make transmittal of sexually oriented communications a crime. Makes anonymous communications that are "annoying" a crime. Senate Committee on Commerce, Science and Transportation. See EPIC alert 2.03 for more information.

Interstate Child Support Responsibility Act of 1995 (S. 456). Introduced by Bradley (D-NJ). Creates databank of new hires. Allows datamatching with SSA for verification. Increases use of SSN.
Referred to the Committee on Finance.

--
EPIC Legislative Update 2.23

David Banisar (Banisar@epic.org)       * 202-544-9240 (tel)
Electronic Privacy Information Center  * 202-547-5482 (fax)
666 Pennsylvania Ave, SE, Suite 301    * ftp/gopher/wais cpsr.org
Washington, DC 20003                   * HTTP://epic.digicash.com/epic

------------------------------

From: "Prof. L. P. Levine"
Date: 29 Dec 1994 10:50:22 -0600 (CST)
Subject: Info on CPD [unchanged since 12/29/94]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious.
Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors.

Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the SUBJECT: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit or append to the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at gopher.cs.uwm.edu.

Mosaic users will find it at gopher://gopher.cs.uwm.edu.

Older archives are also held at ftp.pica.army.mil [129.139.160.133].

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     | and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Mosaic: gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V6 #023
******************************