Date: Sat, 19 Aug 95 16:43:35 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V7#014

Computer Privacy Digest    Sat, 19 Aug 95    Volume 7 : Issue: 014

Today's Topics:                          Moderator: Leonard P. Levine

        Re: Credit Reports and Identifying Information
        Re: Watch them Vacation Programs
        Re: Web Access and Mailing Lists
        Netscape Security
        Privacy Commissioner of Canada -- Annual Report 1994/95
        News about Secure-A-File
        Re: Caller ID/ANI
        A Netscape Story
        Re: An Abuse of Individual Right to Privacy?
        Final Program - AST 9/4/95 [long]
        Info on CPD [unchanged since 08/01/95]

----------------------------------------------------------------------

From: harris.jarnold@ic1d.harris.com (Jon Arnold)
Date: 15 Aug 1995 17:27:16 GMT
Subject: Re: Credit Reports and Identifying Information
Organization: Harris Corp - ATCSD

berczuk@space.mit.edu (Steve Berczuk) writes:

    1) Does this mean that if a "TRW Subscriber" makes a mistake reporting
    identifying info it stays there? (On a related note, they also had a
    "previous address" misspelled. When we pointed that out we got the same
    answer ("we only print what was reported").)

Having dealt specifically with TRW many times in the past for similar errors
in their report, this is true. They take the stand that they will store
*whatever* information their subscribers send them about a person; right,
wrong, misspelled, or inaccurate is not their concern, they merely report the
news. All of the big 3 credit bureaus are like this, but TRW seems to take it
quite literally as a matter of policy. If I wanted to pay to be a bona fide
TRW subscriber, I could report delinquent debts on anybody I didn't like, and
TRW would post the delinquency to their credit reports in a flash. No
exaggeration here; I posed this question to a TRW manager, who verified that
that's exactly how it would work if I were a subscriber.

    2) Can we figure out who reported the AKA to get THEM to correct it?
    How?

They apparently know who reports every scrap of information to them, but they
are normally unwilling to give out that information to you. For me, it took a
*lot* of persistence to get similar information from various pieces of
erroneous information on my own report.

    3) Aside from esthetic considerations, how important is information like
    "previous addresses" and "Also known as" (or relatedly spouse's first
    name -- credit bureaus seem to not be able to handle "spouse's first &
    last name")?

Don't know on this one, but I figure if this is something that's going to be
used for things like mortgage applications, car loans, etc., I would feel
better if the information there was accurate, imho.

--
harris.jarnold@ic1d.harris.com
----------------------------------------------------------------------------
Jon Arnold            "If you ain't the lead dog, the view never changes."
Disclaimer: The views & opinions expressed here are my own, and have no
necessary relevancy to the views & opinions of my employer.
----------------------------------------------------------------------------

------------------------------

From: "Peter M. Weiss +1 814 863 1843"
Date: 15 Aug 95 14:07 EDT
Subject: Re: Watch them Vacation Programs

Furthermore, they are an invitation to a hacker to "try" the vacationer's
account.

--
Pete Weiss, Penn State

------------------------------

From: Robert Bulmash <75754.2763@CompuServe.COM>
Date: 15 Aug 1995 20:19:22 GMT
Subject: Re: Web Access and Mailing Lists
Organization: Private Citizen, Inc.

It is unlawful for anyone in the USA to send unsolicited junk E-Mail over
regular telephone lines to any modem-computer that has a printer attached to
it. The law allows the plaintiff to sue the sender for $500 (in state small
claims court) for each transmission of such.

I will be filing such a suit here in DuPage County (just west of Chicago)
later this week or early next.

If you want more information call Private Citizen, Inc. at 1/800-CUT-JUNK

------------------------------

From: "Prof. L. P. Levine"
Date: 19 Aug 1995 11:23:48 -0500 (CDT)
Subject: Netscape Security
Organization: University of Wisconsin-Milwaukee

Taken from RISKS-LIST: Risks-Forum Digest  Friday 18 August 1995  Volume 17 :
Issue 27

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

From: shank@netscape.com (Peter Shank)
Date: 17 Aug 1995 08:44:45 -0700
Subject: Netscape security

Late Tuesday evening a person from France posted a news article to the hacker
community claiming success at decrypting a single encrypted message that had
been posted as a challenge on the Internet sometime on or before July 14,
1994. His response to the challenge is described in an email that has been
forwarded widely across the Internet.

What this person did is decrypt one encrypted message that used RC4-40 for
encryption. He used 120 workstations and two parallel supercomputers for 8
days to do so. As many have documented, a single RC4-40 encrypted message
takes 64 MIPS-years of processing power to break, and this roughly
corresponds to the amount of computing power that was used to decrypt the
message.

Important points to understand:

1. He broke a single encrypted message. For him to break another message
(even from the same client to the same server seconds later) would require
*another* 8 days of 120 workstations and a few parallel supercomputers. The
work that goes into breaking a single message can't be leveraged against
other messages encrypted with other encryption keys.

2. The standard way to determine the level of security of any encryption
scheme is to compare the cost of breaking it versus the value of the
information that can be gained. In this case he had to use roughly $10,000
worth of computing power (ballpark figure for having access to 120
workstations and a few parallel supercomputers for 8 days) to break a single
message. Assuming the message is protecting something of less value than
$10,000, then this information can be protected with only RC4-40 security.
For information of greater value, currently available RC4-128 security should
be used.

3. Inside the US, software can support a range of stronger encryption
options, including RC4-128, which is 2^88 times harder to break. Meaning that
the compute power required to decrypt such a message would be more than
1,000,000,000,000 (trillion) times greater than that which was used to
decrypt the RC4-40 message. This means that with foreseeable computer
technology this is practically impossible.

So in conclusion, we think RC4-40 is strong enough to protect consumer-level
credit-card transactions -- since the cost of breaking the message is
sufficiently high to make it not worth the computer time required to do so --
and that our customers should use higher levels of security, particularly
RC4-128, whenever possible. This level of security has been available in the
U.S. versions of our products since last April. Because of export controls it
has not been available outside the U.S. We would appreciate your support in
lobbying the U.S. government to lift the export controls on encryption. If
you'd like to help us lobby the government send email to export@netscape.com.

Finally, we'd like to reiterate that all this person has done is decrypt one
single RC4-40 message. RC4 the algorithm and products which use the algorithm
remain as secure as always.

[moderator, this was also noted by:
 Timothy P. Donahue          Cisco Systems ATM Business Unit
 +1-508-262-1141             1100 Technology Park Drive
 +1-508-262-1141 FAX         Billerica MA USA 01821
 tdonahue@cisco.com ]

------------------------------

From: jroy@fox.nstn.ca (Jocelyn Roy)
Date: 17 Aug 1995 19:24:12 GMT
Subject: Privacy Commissioner of Canada -- Annual Report 1994/95
Organization: NSTN Inc. ICS/Windows Dialup User

The Privacy Commissioner of Canada released his 1994/95 annual report today.
It can be found at the following Web site:

http://info.ic.gc.ca/opengov/opc/pubs.html

Among the topics discussed:

  * privacy and security on the information highway
  * a model privacy code for the private sector
  * biomedical privacy (drug testing and genetic testing, including Canada's
    new forensic DNA testing law)
  * the inadequacy of Canada's current patchwork of privacy laws
  * court decisions on privacy issues.

------------------------------

From: ppease@netcom.com (Paul Pease)
Date: 17 Aug 1995 22:13:59 GMT
Subject: News about Secure-A-File
Organization: NETCOM On-line Communication Services (408 261-4700 guest)

Ilex Systems has just announced a new software package for Windows, called
Secure-A-File. It uses RSA-licensed security, with 1024-character words to
make it unbreakable. Costs $99 per end. E-mail me if you would like more
information.

--
Paul Pease, Writer/Consultant in Beautiful Downtown Palo Alto.
Call me at 415 322-2072; fax 415 322-7940.  ppease@netcom.com

[moderator: This is very close to an advertisement, but I have decided that a
single announcement like this makes sense here.]

------------------------------

From: Terry Crabb
Date: 18 Aug 1995 08:51:35 -0400 (EDT)
Subject: Re: Caller ID/ANI

I have cause to regularly send packages via Fed Ex, and was initially
surprised to discover that they knew who I was, and where I was, before I
told them anything. The process to get a courier to call involves dialling
1-800-.... If you ignore the "press 1 for this, press 2 for that", and roll
over to a human, they appear to be reading your information from a terminal.

An earlier post suggested calling 1-800-CALL-ATT prior to placing a call to
another 800 number, in order to defeat ANI. Well, I tried that, and they
_still_ knew who I was!

--
Terry Crabb                                   tcrabb@gems.vcu.edu
Systems Programming Dept., MCV Associated Physicians, Richmond, VA
Finger tcrabb@opal.vcu.edu for PGP Public Key

------------------------------

From: "Prof. L. P. Levine"
Date: 18 Aug 1995 08:39:54 -0500 (CDT)
Subject: A Netscape Story
Organization: University of Wisconsin-Milwaukee

If you are running Netscape on your IBM type PC and you type CTRL-ALT-F you
suddenly find yourself looking at "The Amazing Fish Cam" which connects to a
netscape server and does something cool, I suppose. I saw this noted on page
18 of the 8/14/95 "Interactive Age" and tried it today.

What are the privacy implications? The geniuses at Netscape have put into
their excellent software this undocumented (or poorly documented) feature to
amuse me. I must ask why else they would have done it. Have they not learned
from the experience of Prodigy or Microsoft that communications software that
runs in ways that the user is not warned about can easily lead the user to
wonder what else is automatically installed? That undocumented stuff might
well be very intrusive.

Most of us recall the near disaster that faced Prodigy some years ago when a
swap file they installed on the user's PC seemed to have material to be
uploaded from the user's work space. The facts were finally shown to be much
more benign, but the damage still echoes around the net.

Currently we are watching the introduction of Windows 95. Windows 95 might or
might not have software that automatically reports to Microsoft just what
software you are running. I suspect it does not, but we shall see.

I truly wonder just what else Netscape does that they have not told me/us
about. I hope that there are those privacy nuts out there who are watching as
packets are thrown around the net. I hope that they are looking for stuff
that the user did not intend to send to the author of the package. I hope
that the CTRL-ALT-F is the only unadvertised special feature.

--
Leonard P. Levine                  e-mail levine@cs.uwm.edu
Professor, Computer Science        Office 1-414-229-5170
University of Wisconsin-Milwaukee  Fax 1-414-229-6958
Box 784, Milwaukee, WI 53201
PGP Public Key: finger llevine@blatz.cs.uwm.edu

------------------------------

From: shorten@nic.wat.hookup.net (Robert Shorten)
Date: 19 Aug 1995 02:37:24 GMT
Subject: Re: An Abuse of Individual Right to Privacy?
Organization: HookUp Communication Corporation, Waterloo, Ontario, CANADA

Well, wouldn't such a thing be like the phone book? The phone company lists
names and addresses of people and doesn't ask them first whether they want to
be listed (such people have to contact the phone company). As long as they
(the directory people) give clear information in their directory as to how
one can be unlisted, I don't think it's an invasion of privacy. There are
already paper directories that list names, addresses, phone numbers, and even
places of work.

Jay Shorten
shorten@nic.wat.hookup.net

------------------------------

From: "Dave Banisar"
Date: 16 Aug 1995 07:51:10 U
Subject: Final Program - AST 9/4/95 [long]

                       ANNOUNCEMENT OF FINAL PROGRAM

                      Advanced Surveillance Technologies

                A one day public conference sponsored by
       Privacy International and Electronic Privacy Information Center

                            4 September 1995
                              Grand Hotel
                          Copenhagen, Denmark

Overview

Recent developments in information technology are leading to the creation of
surveillance societies throughout the world. Advanced information systems
offer an unprecedented ability to identify, monitor, track and analyse a
virtually limitless number of individuals. The factors of cost, scale, size,
location and distance are becoming less significant.

The pursuit of perfect identity has created a rush to develop systems which
create an intimacy between people and technology. Advanced biometric
identification and ID card systems combine with real-time geographic tracking
to create the potential to pinpoint the location of any individual. The use
of distributed databases and data matching programs makes such activities
economically feasible on a large scale.

Extraordinary advances have recently been made in the field of visual
surveillance. Closed Circuit Television (CCTV) systems can digitally scan,
record, reconfigure and identify human faces, even in very poor light
conditions. Remote sensing through advanced satellite systems can combine
with ground databases and geodemographic systems to create mass surveillance
of human activity.

Law is unlikely to offer protection against these events. The globalisation
of information systems will take data once and for all away from the
jurisdiction of national boundaries. The development of data havens and rogue
data states is allowing highly sensitive personal information to be processed
without any legal protection.

These and other developments are changing the nature and meaning of
surveillance. Law has scarcely had time to address even the most visible of
these changes. Public policy lags behind the technology by many years. The
repercussions for privacy and for numerous other aspects of law and human
rights need to be considered immediately.

Advanced Surveillance Technologies will present an overview of these
leading-edge technologies, and will assess the impact that they are likely to
have in the immediate future. Technology specialists will discuss the nature
and application of the new technologies, and the public policy that should be
developed to cope with their use.

The conference will also bring together a number of Data Protection
Commissioners and legal experts to assess the impact of the new European data
protection directive. We assess whether the new rules will have the
unintended result of creating mass surveillance of the Internet.

The conference will be held in Copenhagen, and is timed to coincide with the
annual international meeting of privacy and data protection commissioners.

PROGRAM

10.00 - Introduction and Welcome

10.10 Keynotes

Simon Davies, Director General, Privacy International and Visiting Law
Fellow, University of Essex, UK, "Fusing Flesh and Machine"

This lively introduction will provide an overview of recent trends in
technology, culture and politics that are bringing about an era of universal
surveillance. The paper concentrates on the theme of fusion, in which data
and data subjects are being brought into more intimate contact. The creation
of an informational imperative throughout society is leading to the
degradation of privacy as a fundamental right. As a result, there are few
remaining boundaries to protect the individual from surveillance.

Steve Wright, Director, Omega Foundation, UK, "New Surveillance Technologies
& Sub-state Conflict Control"

This talk will cover the role and function of new surveillance technologies;
an overview of the state of the art and some of the consequences, e.g. the
policing revolution - with a move away from fire-brigade policing towards
prophylactic or pre-emptive policing where each stop and search is preceded
by a data check. The emergence of new definitions of subversion to justify
new data gathering activities and an increasing internal role for the
intelligence agencies now that the cold war has ended. It will show how
different surveillance and computer technologies are being integrated and how
such information and intelligence gathering is linked into more coercive
forms of public order policing when tension indicators rise during a crisis.

11:15 - 11:30 Break

11.30 - 12.45 Regulation versus freedom

The European Data Protection Directive will establish a common privacy
position throughout Europe. Its intention is to safeguard personal privacy
throughout the Union, yet already there are glaring conflicts with the
freedom of information flows on the net. This section discusses the threat of
universal surveillance of the net caused by the new laws.

Frank Koch, Attorney (Rechtsanwalt), Munich, Germany, "European Data
Protection: Against the Internet?"

Data Protection, according to the Common Position (CP) of the European Union,
requires control over the medium used for transfers of personal data, the
recipients of these data, and the way these data are used. The open structure
of the Internet seems to be quite incompatible with these requirements. The
member States and the controllers within them are required to take all steps
to ensure that personal data are not transferred into communication nets that
do not conform to the CP. This paper will discuss why personal data will be
prevented from being freely transferred throughout the internet, and how this
will affect users of the net.

Malcolm Norris, Data Protection Registrar, Isle of Man, "Enforcing privacy
through surveillance?"

The need for a Europe-wide privacy directive is pressing. Greater amounts of
personal data are flowing to a growing number of sites. Yet, without care,
there is a risk that such laws could have the unintended consequence of
causing widespread surveillance of activities of net users. The fact that
unprotected personal data should not be flowing on the net might at some
point provoke authorities to routinely surveil net data. This paper discusses
these dilemmas, and suggests measures that might avoid the threat of
universal surveillance.

Lunch Break 12:30 - 1:45

1.45 - 3.15 Perfect surveillance

In many countries, the era of the private person is at an end. Information
surveillance, automatic visual recognition and geographic tracking are at an
advanced stage, and are set to imperil privacy. This panel will discuss
developments in surveillance, including advanced Closed Circuit TV, satellite
remote sensing, Intelligent Vehicle Highway Systems, and forward looking
infrared radar.

Phil Agre, University of California, "Advanced tracking technologies"

Ambitious plans for advanced transport informatics have brought serious
privacy concerns. Computerized tracking of both industrial and private
vehicles may not be consciously intended to reproduce the erstwhile internal
passport systems of the Soviet Union and South Africa, but deeply ingrained
technical methodologies may produce the same result nonetheless. This
presentation surveys some of the purposes behind ongoing transport
informatics programs, including integrated logistics systems and regulatory
automation. It offers a conceptual analysis of "tracking" in technical
practice. The most serious dangers to individual liberty and civic
participation can be greatly alleviated, though, through the systematic use
of digital cash and other technologies of anonymity. At the moment, this
prospect seems much more likely in Europe than in the United States.

Simon Davies, Privacy International, "Closed Circuit Television and the
policing of public morals"

The use of Closed Circuit Television (CCTV) camera systems has become a key
plank in the law and order strategy of the British government. Most cities in
Britain are constructing powerful, integrated CCTV systems to surveil
shopping areas, housing estates and other public areas. Although there is
some evidence that this extraordinary strategy is having an effect on crime
figures, it is also becoming apparent that the cameras are increasingly used
to enforce public morals and public order. The use of new visual information
processing technologies is leading to numerous unintended purposes for the
cameras, including automated crowd control and automated face recognition.

Detlef Nogala, University of Hamburg, Germany, "Techno-policing"

Technology has been used for many years for surveillance purposes, and the
last decades have seen a rapid proliferation of different surveillance
technologies into the civilian realm. Today there is a whole industry which
is trying to direct the momentum of military surveillance technologies into
the civilian security market. But there is a difference between some
spectacular applications (like the gunshot-locator system derived from
submarine sonar-technology) and common applications on a mass basis (like
smart cards with digitally stored fingerprints). Among the "counterforces"
like data-protection laws, political opposition or consumer politics a
deficit in financial resources is not the least one. It is clear that most
surveillance agencies are trapped in the contradiction between maximum
performance and economy. This paper discusses the various forces and
influences that bear upon a decision to implement particular technologies of
surveillance.

3:00 - 3:15 Break

3:15 - 4:30 Solutions

This session will discuss a range of responses to the new era of
surveillance. These include regulation, consumer action, and the development
of privacy friendly technologies.

Dave Banisar, Electronic Privacy Information Center, Washington DC,
"Encryption and the threat of universal surveillance of the net"

Encryption is one technological solution to the problem of privacy invasion
and surveillance, yet encryption also provides an excuse for governments to
undertake surveillance of citizens. Documents recently secured by EPIC
indicate that US law enforcement and intelligence agencies had planned to
implement a two stage strategy for their Clipper Chip encryption policy,
resulting in non-official encryption being made illegal, and thus providing
an opportunity for law enforcement authorities to engage in limitless
surveillance of communications. This talk discusses the dilemma facing
supporters of encryption.

Bruce Slane, Privacy Commissioner, New Zealand, "Some positive aspects of
privacy law"

In this talk, New Zealand Privacy Commissioner Bruce Slane presents a number
of positive aspects of legal regulation of information flows. He describes
areas where law is being successfully used to enforce responsible information
practices.

4:30 - 5:00 Conclusion and Wrap-up

Number of participants: approximately sixty

Costs:  US $75  - Individuals/non-profit organizations
        $175    - Commercial organizations

Venue:  Grand Hotel, Vesterbrogade 9. DK-1620, Copenhagen V, Denmark

For further Information and registration please contact:

        Dave Banisar
        Privacy International Washington Office
        666 Pennsylvania Ave, SE, Suite 301
        Washington, DC 20003 USA
        1-202-544-9240 (phone)
        1-202-547-5482 (fax)
        email: pi@privacy.org
        Web address: privacy.org/pi/conference/

_________________________________________________________________________
David Banisar (Banisar@privacy.org)        * 202-544-9240 (tel)
Privacy International Washington Office    * 202-547-5482 (fax)
666 Pennsylvania Ave, SE, Suite 301        * HTTP://www.privacy.org
Washington, DC 20003

------------------------------

From: "Prof. L. P. Levine"
Date: 11 Aug 1995 09:39:43 -0500 (CDT)
Subject: Info on CPD [unchanged since 08/01/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa. The digest is moderated and gatewayed
into the USENET newsgroup comp.society.privacy (Moderated). Submissions
should be sent to comp-privacy@uwm.edu and administrative requests to
comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail. Those
who understand the technology also understand the ease of forgery in this
very free medium. Statements, therefore, should be taken with a grain of salt
and it should be clear that the actual contributor might not be the person
whose email address is posted at the top. Any user who openly wishes to post
anonymously should inform the moderator at the beginning of the posting. He
will comply.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution. As a
moderated newsgroup, attempts to post to the group are normally turned into
eMail to the submission address below. On the other hand, if you read the
digest eMailed to you, you generally need only use the Reply feature of your
mailer to contribute. If you do so, it is best to modify the "Subject:" line
of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored. They must be relevant, sound,
in good taste, objective, cogent, coherent, concise, and nonrepetitious.
Diversity is welcome, but not personal attacks. Do not include entire
previous messages in responses to them. Include your name & legitimate
Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized
mail is not accepted. All contributions considered as personal comments;
usual disclaimers apply. All reuses of CPD material should respect stated
copyright notices, and should cite the sources explicitly; as a courtesy,
publications using CPD material should obtain permission from the
contributors.

Contributions generally are acknowledged within 24 hours of submission. If
selected, they are printed within two or three days. The moderator reserves
the right to delete extraneous quoted material. He may change the SUBJECT:
line of an article in order to make it easier for the reader to follow a
discussion. He will not, however, alter or edit or append to the text except
for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login
as "ftp" with password identifying yourid@yoursite. The archives are in the
directory "pub/comp-privacy". People with gopher capability can most easily
access the library at gopher.cs.uwm.edu. Mosaic users will find it at
gopher://gopher.cs.uwm.edu.

---------------------------------+-----------------------------------------
Leonard P. Levine                | Moderator of:    Computer Privacy Digest
Professor of Computer Science    |                  and comp.society.privacy
University of Wisconsin-Milwaukee| Post:            comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201      | Information:     comp-privacy-request@uwm.edu
                                 | Gopher:          gopher.cs.uwm.edu
levine@cs.uwm.edu                | Mosaic:          gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V7 #014
******************************
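The cost-versus-value reasoning in the Netscape security note above (64 MIPS-years and roughly $10,000 to break one RC4-40 message; RC4-128 being 2^88 times harder; every message needing its own full search), worked through in Python as an added example that is not part of the digest or of Netscape's own material. The 18-month compute-doubling period used for the "foreseeable technology" estimate is a constructed assumption, not a figure from the note.

```python
"""Brute-force work-factor arithmetic behind the Netscape RC4-40 note.

Added example, not from the digest or from Netscape. Reference figures are
the ones quoted in the note: one RC4-40 break took about 64 MIPS-years
(roughly $10,000 of compute, 8 days on 120 workstations plus two parallel
supercomputers), and RC4-128 is 2^88 times harder.
"""
import math
from dataclasses import dataclass

# Figures quoted in the note.
REFERENCE_BITS = 40
REFERENCE_MIPS_YEARS = 64.0
REFERENCE_DOLLARS = 10_000.0
REFERENCE_DAYS = 8

# Constructed assumption (not from the note): compute per dollar doubles
# every 18 months.
COMPUTE_DOUBLING_YEARS = 1.5


@dataclass(frozen=True)
class BruteForceCost:
    key_bits: int
    keyspace: int        # number of possible keys, 2**key_bits
    mips_years: float    # expected work, scaled from the 40-bit reference
    dollars: float       # expected cost at the note's price per MIPS-year


def hardness_ratio(from_bits: int, to_bits: int) -> int:
    """How many times harder exhaustive search gets when the key grows."""
    return 2 ** (to_bits - from_bits)


def estimate(key_bits: int) -> BruteForceCost:
    """Scale the measured 40-bit break linearly with keyspace size."""
    ratio = hardness_ratio(REFERENCE_BITS, key_bits)
    mips_years = REFERENCE_MIPS_YEARS * ratio
    dollars_per_mips_year = REFERENCE_DOLLARS / REFERENCE_MIPS_YEARS
    return BruteForceCost(key_bits, 2 ** key_bits, mips_years,
                          mips_years * dollars_per_mips_year)


def implied_aggregate_mips(mips_years: float, days: float) -> float:
    """Sustained MIPS needed to finish `mips_years` of work in `days`."""
    return mips_years * 365.0 / days


def implied_keys_per_second(key_bits: int, days: float) -> float:
    """Average trial rate if an exhaustive search finishes in `days`.

    Exhaustive search hits the key halfway through the keyspace on average.
    """
    return (2 ** key_bits / 2) / (days * 86_400)


def worth_attacking(value_dollars: float, cost: BruteForceCost) -> bool:
    """The note's rule: the attack pays only if the secret is worth more
    than the work needed to recover it."""
    return value_dollars > cost.dollars


def messages_breakable(budget_mips_years: float, cost: BruteForceCost) -> int:
    """Each message has its own key, so work on one buys nothing on the next."""
    return int(budget_mips_years // cost.mips_years)


def years_until_feasible(cost: BruteForceCost, available_mips: float,
                         doubling_years: float = COMPUTE_DOUBLING_YEARS) -> float:
    """Years until a MIPS budget that doubles every `doubling_years` can
    finish the expected work within one year (assumed growth model)."""
    shortfall = cost.mips_years / available_mips
    if shortfall <= 1.0:
        return 0.0
    return doubling_years * math.log2(shortfall)


if __name__ == "__main__":
    rc4_40, rc4_128 = estimate(40), estimate(128)
    rate = implied_aggregate_mips(REFERENCE_MIPS_YEARS, REFERENCE_DAYS)
    print(f"RC4-40 : {rc4_40.mips_years:g} MIPS-years, ${rc4_40.dollars:,.0f}")
    print(f"RC4-128: {rc4_128.mips_years:.3e} MIPS-years, ${rc4_128.dollars:.3e}")
    print(f"2^88 = {hardness_ratio(40, 128):.3e}, a trillion = 1e12")
    print(f"break used about {rate:.0f} MIPS, "
          f"{implied_keys_per_second(40, REFERENCE_DAYS):,.0f} keys/s")
    print(f"years before RC4-128 costs what RC4-40 cost in 1995: "
          f"{years_until_feasible(rc4_128, rate):.0f}")
```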