Date: Mon, 20 Nov 95 19:04:48 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V7#043

Computer Privacy Digest Mon, 20 Nov 95              Volume 7 : Issue: 043

Today's Topics:                         Moderator: Leonard P. Levine

    Re: Telemarketing
    Re: Telemarketing
    Re: Telemarketing
    Re: Telemarketing
    Re: Unsolicited email Advertising
    Re: Unsolicited email Advertising
    Re: Unsolicited email Advertising
    How to Prevent Unsolicited Mail
    Re: Company Network email Reading by Network Ad/Sup?
    Re: Cont. Saga with Bank/DL/Unemployment
    Re: Copyright Notice
    Re: Copyright Notice
    Public Perceptions on Privacy
    "Privacy Times" (Newsletter)?
    Private Property References Please
    Chip-Card Sources Anyone?
    SSN for CA DL renewal
    Health Privacy Legislation - Part IV
    Info on CPD [unchanged since 08/18/95]

----------------------------------------------------------------------

From: glr@ripco.com (Glen L. Roberts)
Date: 19 Nov 1995 16:44:25 GMT
Subject: Re: Telemarketing
Organization: Full Disclosure

anonymous wrote:

    I've been looking for creative solutions to the nuisance problem of telemarketing. One solution to unwanted telemarketing is the creation of a "don't call me" list wherein people can designate that they don't wish to be telemarketed. Then, rather than rely on local or state law enforcement to prosecute offenders, allow the individual the ability to prosecute the offender through small claims court. Any reactions to this idea? Thanks.

That is already in effect... BUT you have to tell each company to put you on their do not call list! There is no master list. I believe the civil penalty is $500.

I just act excited about the offer and then tell them to hold on while I get my credit card and set the phone down. When it started beeping, I hang up.

I have noticed that moving to Oil City PA from Suburban Chicago, the number of telemarketing calls has dropped dramatically...
maybe the demographics for the area (very low property values) don't attract as many telemarketers...

------
Glen L. Roberts, Host Full Disclosure Live
Privacy, Surveillance, Technology and Government!
Tech Talk Network, WWCR Shortwave: 5065 khz. 8pm est/Sundays.
Real Audio: 7 days/week, 24 hrs a day:
http://pages.ripco.com:8080/~glr/glr.html
------

------------------------------

From: Robert Jacobson
Date: 17 Nov 1995 22:45:44 -0800 (PST)
Subject: Re: Telemarketing

Commercial speech has never enjoyed the same full protections as personal speech or journalistic speech. No one can come into your home unwelcome nor, under FCC and state regulations, unduly call your phone or use your fax to deliver unwanted commercial messages. The same rule should apply to online systems, unless we want to single out this medium for special abuse.

--
Bob Jacobson
Worldesign Inc.
Seattle

------------------------------

From: prvtctzn@aol.com (Prvt Ctzn)
Date: 18 Nov 1995 20:37:54 -0500
Subject: Re: Telemarketing
Organization: America Online, Inc. (1-800-827-6364)

Private Citizen, Inc. will notify 1400 telemarketing related firms nationwide that, if they solicit you, they owe you $500.

For more information e-mail prvtctzn@aol.com

--
Robert Bulmash
Private Citizen, Inc.
1/800-CUT-JUNK

------------------------------

From: ladidi442@aol.com (Ladi Di442)
Date: 18 Nov 1995 12:35:45 -0500
Subject: Re: Telemarketing
Organization: America Online, Inc. (1-800-827-6364)

All you need to say when you get the call is "place me on your don't call list", if you get another call from the same telemarketer, tell them one more time if they call you, you will sue......new law.

------------------------------

From: tswalton@aol.com (TSWalton)
Date: 18 Nov 1995 18:34:41 -0500
Subject: Re: Unsolicited email Advertising
Organization: America Online, Inc. (1-800-827-6364)

Jeffrey Mattox wrote:

    Would this work?
    Since most junk mailer routines probably grab the addresses from the header, what if you used a bogus Reply-To address and then included your real and correct email address in your signature?

I would suggest that the net begin to charge the spammers a per piece handling charge......just like the USPS. It would be too costly to spam if they are not hitting their target audience and would be self limiting in the long run.

------------------------------

From: haz1@kimbark.uchicago.edu (Bill)
Date: 20 Nov 1995 02:57:51 GMT
Subject: Re: Unsolicited email Advertising
Organization: The University of Hell at Chicago

Jeffrey Mattox wrote:

    Would this work? Since most junk mailer routines probably grab the addresses from the header, what if you used a bogus Reply-To address and then included your real and correct email address in your signature?

Nice idea, but no cigar. Searching the last few lines of a post for any string beginning and ending with whitespace and including an "@" sign is no harder than searching the first few lines for that. All you'd succeed in doing is breaking the Reply-To-Sender function of most newsreaders, where your posts are concerned.

--
Bill (haz1@midway.uchicago.edu)

------------------------------

From: eichin@mit.edu
Date: 17 Nov 1995 19:27:47 -0500
Subject: Re: Unsolicited email Advertising

Jeffrey Mattox wrote:

    Would this work? Since most junk mailer routines probably grab the addresses from the header, what if you used a bogus Reply-To address and then included your real and correct email address in your signature?

The obvious alternative is a compromise: scoring. I've used it in news readers for years (strn, gnus) and since Gnus-5.x can handle email as well, you can do the same thing there. The simplest case, you give positive scores to people you know, negative scores to known spammers, and set a threshold for discarding messages.
To get more sophisticated, smaller negative scores for crossposting too much, positive scores for having your name in the header (to distinguish personal from list or bulk mail) but negative for having more than 100 names in the header; even a negative score for subject lines containing ONLY CAPS or the words "money" and "fast"...

Once you *have* digital signatures to work from, you still need to attach reputations to them, and scoring like this is one way of doing it. (Gnus-5 can read score files over ftp -- so you can get scores from someone who specializes in such things as spam detection -- or the alternative, something like "guild" certification for positive scores...)

------------------------------

From: Robert Gellman
Date: 17 Nov 1995 23:41:24 -0500 (EST)
Subject: How to Prevent Unsolicited Mail

    Do I have a right to forbid certain people or groups to send me mail? Since I can bar solicitors, et al from my property, it seems that I should be able to forbid mailers from entering the same space, and that my home should be free from unwanted intrusion.

The answer is an unequivocal YES. Under federal law (39 USC sec. 3008), you can request the Postal Service to issue an order to a mailer to refrain from mailing to you and to remove your address from any mailing list.

The purpose of the law is to get your name off mailing lists of obscene matter. But it is up to you to decide what is obscene. The Supreme Court has expressly stated that you can use this law to prevent the mailing of a dry good catalog. The Court stated that a mailer's right to communicate stops at the mailbox of an unreceptive addressee. See Rowan v. Post Office Department, 387 US 728 (1970).

This is a wonderfully powerful tool for anyone who wants to be off of a mailing list. Few people know about it, and the Postal Service does nothing to tell people about it.

If anyone out there has used this law, it would be informative if they could describe their experience.
+ + + + + + + + + + + + + + + + + + + + + + + + +
+ Robert Gellman          rgellman@cais.com     +
+ Privacy and Information Policy Consultant     +
+ 431 Fifth Street S.E.                         +
+ Washington, DC 20003                          +
+ 202-543-7923 (phone)   202-547-8287 (fax)     +
+ + + + + + + + + + + + + + + + + + + + + + + + +

------------------------------

From: ddg@cci.com (D. Dale Gulledge)
Date: 17 Nov 1995 22:03:00 GMT
Subject: Re: Company Network email Reading by Network Ad/Sup?
Organization: Northern Telecom Inc., D&OS

sanders@pipeline.com (John C. Sanders) writes:

    Could a LAN administrator/supervisor have this capability and not know it? Can anyone cite any articles or other sources of information on this topic?

Anyone with physical access to a machine has unlimited access to all unencrypted data on that machine. As long as there is some way to either reboot that machine with a chosen system disk or physically remove the hard drives and place them in another machine you can do it. Once physical security is breached only encryption will protect your data.

So yes, your system administrator can potentially read your mail. It is possible that your unspecified LAN software specifically makes such access difficult under normal circumstances. However, I doubt that. And, of course, you have regular backups that could be loaded elsewhere for leisurely reading, right?

If your data isn't encrypted, your only protection is the good will of people who have physical access to the system. If you don't trust them, you have a problem.

--
D. Dale Gulledge, Software Engineer
Directory & Operator Services, Northern Telecom.
Warning: Bicyclist in mirror is moving faster than you think.

------------------------------

From: jcr@mcs.com (John C. Rivard)
Date: 20 Nov 1995 15:42:15 -0600
Subject: Re: Cont. Saga with Bank/DL/Unemployment
Organization: very little

Maryjo Bruce wrote:

    I have now gotten a certified letter from the bank where I withdrew over 10K from savings, regarding the unacceptability of being unemployed.
    I ^^^^^^^ think I am going to contact a PRO with the IRS about this.

I have been following this discussion with increasing incredulity and outrage. Since when do you have to provide a proof of employment to withdraw YOUR OWN MONEY from a bank? It's not like you are applying for a loan! The money is YOURS to do with as you please. If they resist letting you have it, you should be able to charge them with theft.

I would immediately close all accounts with this institution, and take my business elsewhere. (I know that is not always possible, especially in your current financial straits).

--
John C. Rivard
Opinions expressed yadda yadda--you know the drill

------------------------------

From: halfbree@rapidnet.com
Date: 18 Nov 1995 15:53:29 GMT
Subject: Re: Copyright Notice
Organization: Very Little

michaelm@nairobi.eecs.umich.edu (Michael McClennen) writes:

    the intent is that copyright is automatically granted to a work as soon as it appears in a form such that everyone can agree upon the exact content. Thus, a verbal utterance *snip* recorded on a magnetic tape, written down, or typed into a computer, *snip* is an unambiguous record of the content and thus an automatic copyright to the author. *snip* The exact ownership of the computer (or the tape recorder, the pen, etc.) does not enter into the question.

Now that makes sense! However, I believe the ownership of the actual material, i.e., tape, paper, book, video, or so on, would enter into the question as to who owns the copyright. The original author or owner of the copyright may have bartered his/her rights to the copyright away to another.
--
The Halfbreed

------------------------------

From: John Adams
Date: 20 Nov 1995 16:49:43 -0600 (CST)
Subject: Re: Copyright Notice

les@Steam.Stanford.EDU (Les Earnest) wrote:

    My understanding of the copyright law is different -- that the copyright belongs to the person who first puts "copyrightable" material in a permanent form, such as a paper copy or a magnetic recording. Simply posting an article on Usenet does not meet this standard.

    One could argue that the person posting the Usenet article is the "first person to record the post on a magnetic recording" - namely the poster is the first person to save her or his Usenet article to the news filesystem.

No. Lucas first put Star Wars in the form of film, which was copyrighted, so he owns it. By your arguments, the guy operating the film camera owns the film since he is the "first person" to make the recording.

--
John Adams, VAX Systems Manager & Network Administrator
ATE Engineering, NADEP Cherry Point at Pensacola Florida
+1.904.452.3912 DSN: 922-3912 jadams@seahawk.navy.mil
Find out about me -- http://www.seahawk.navy.mil/~jadams

------------------------------

From: "Prof. L. P. Levine"
Date: 18 Nov 1995 11:05:47 -0600 (CST)
Subject: Public Perceptions on Privacy
Organization: University of Wisconsin-Milwaukee

A Cartoon by "Beattie" and copyright by Daytona Beach Sunday News-Journal and Copley News Service (spelling errors mine) was posted on the editorial page of Friday's Milwaukee Journal Sentinel. It shows some of the concerns we discuss here. It is an interesting example of just how far the issue of privacy has penetrated into the public mind.

The cartoon shows a housewife character talking to a clerk at the "Phone Center" with normal phones scattered on the shelves. On a front shelf are two special phones labeled "Garfield Phone" and "Inspector Clousseau Phone".
The customer is captioned as saying "I want to sign up for Call Waiting, Call Forwarding, and that new service that lets you know if the FBI is listening."

I am interested in other examples of general public interest in privacy. Email or posting here will have about the same effect as I am the moderator :-).

---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     |     and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Mosaic: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

From: rpd3743@is2.nyu.edu (Robert P. Day)
Date: 19 Nov 1995 03:39:23 GMT
Subject: "Privacy Times" (Newsletter)?
Organization: New York University

Hello,

Does anyone know where I can get a subscription to the "Privacy Times" newsletter? I heard a reference to the newsletter on a television program, but I do not know where it is published. Any info would be great.

--
Robert

------------------------------

From: bctsmarcos@aol.com (BCTSMARCOS)
Date: 19 Nov 1995 19:08:06 -0500
Subject: Private Property References Please
Organization: America Online, Inc. (1-800-827-6364)

I am looking for references to a court case filing that is based on the theory that if a company that sells a product or service sells my name as a result of that transaction such as subscribing to a magazine that they have established a value for my name and associated information. Therefore, it becomes private property and the seller of my information must make a deal with me to use, rent, lease, or sell my private property.
If anybody has any information on this issue please forward to me. Thanks.

BCTSMARCOS, AOL

------------------------------

From: Roger Clarke
Date: 20 Nov 1995 10:38:42 GMT
Subject: Chip-Card Sources Anyone?
Organization: Australian National University

G'day All

I'm searching for web-sources (and indeed any other sources) of material on privacy implications of smart-card applications in retail financial services (bus-speak for consumer payments).

I've seen very little in the mainstream places like here, Privacy Forum and even Cypherpunks. Any clues, anyone?

When I've got the working paper far enough advanced to make some sense, I'll post the URL here for them what's interested.

Many thanks!

Roger

------------------------------

From: Ron Richter
Date: 17 Nov 1995 21:19:10 GMT
Subject: SSN for CA DL renewal
Organization: NCCOSC RDT&E Division, San Diego, CA

I was wondering if anyone knows what the deal is regarding the Social Security Number that was required to be disclosed to the Department of Motor Vehicles for the state of California... I had to disclose mine when I got my license renewed, but now it seems that all they can do is have you show some form of verification instead of requiring one to give it...

My impression was like where you write a check somewhere and they can no longer write your credit card number down on the check, but can ask and accept the viewing of it as an additional form of ID for name and signature and possibly, implied creditworthiness...

Any thoughts?

Ron Richter

feel free to cc: my e-mail account too as I don't read this newsgroup every day.... shadow@nosc.mil

Thank you in advance.

[moderator: this seems to be a part of a new Federal Law that is aimed at finding family deserting dads.]

------------------------------

From: Robert Gellman
Date: 19 Nov 1995 20:25:01 -0500 (EST)
Subject: Health Privacy Legislation - Part IV

This is the fourth (and last for now) in a series of postings with excerpts from studies of health privacy.
These studies show uniformly that health records have inadequate legal protection today.

Today's excerpt focuses on how health records have been (and presumably are being) abused. The Bennett/Condit bills would make this type of abuse a federal crime with significant penalties.

From House of Representatives Report No. 103-601, Part 5 (1994):

Abuse of Health Information.-- Rules for protecting health information cannot be limited to evaluating the propriety of uses by those who are lawfully in possession of the data. Evidence developed by the Committee in 1979 suggests that surreptitious trafficking in health information may be common and nationwide. Strong criminal penalties are needed to deter and punish those who may be tempted to use health information improperly.

The best documented American example of abuse of health records comes from Denver, Colorado. Beginning in 1975, the Denver District Attorney and a grand jury began an investigation of the theft of health records. They found that for over twenty-five years, a private investigative reporting company known as Factual Services Bureau, Inc., engaged in a nationwide business of obtaining health information without the consent of the patient. The company's investigators typically posed as doctors and sought medical information by telephone from public and private hospitals, clinics, and doctors' offices, including psychiatrists' offices. The company paid hospital employees to smuggle out health records. Another technique involved the use of false pretenses through mail solicitations. The company was successful in obtaining health records most of the time, and it even advertised its ability to acquire health records.

The customers of Factual Services Bureau included over one hundred of the most prominent insurance companies in the country. In a search of the Denver office of Factual Services Bureau, the District Attorney found almost two thousand reports to insurance companies.
These reports frequently included detailed medical information about individuals that was obtained without the knowledge or consent of the individuals. No insurance company ever reported this questionable activity to law enforcement authorities.

In June 1976, the Denver grand jury issued a special report to the Privacy Protection Study Commission. The report stated that trafficking in patient records was a nationwide problem:

    From the evidence, it is clear that the problem with respect to the privacy of medical records in this jurisdiction exists in many cities and jurisdictions across the nation.

In testimony submitted during 1979 hearings, Denver District Attorney Dale Tooley said:

    I find it difficult to believe that there are not or have not been similar enterprises engaged in this profitable, surreptitious business.

Additional direct evidence that this type of trafficking in health information is widespread in this country is hard to find because there have been no investigations focusing on health records in recent years. However, evidence of illegal trafficking in other types of personal information is easy to find. For example, the General Accounting Office recently reported on misuse of criminal history information maintained by the National Crime Information Center (NCIC). GAO found that the NCIC system was vulnerable to misuse, that misuse occurred throughout the NCIC system, and that some misuse was intentional. A limited review by GAO found sixty-two examples involving misuse, including these two:

    The California Department of Justice received a complaint from a person who suspected his employer of obtaining a copy of his criminal record from the NCIC's [Interstate Identification Index] file. A search of the state system's audit trail showed that the record had been accessed by a law enforcement agency in the eastern United States.
    Apparently, the employer had hired a private investigator, located in the eastern United States, to conduct background searches on prospective employees. The complainant's criminal history record was allegedly sold to the private investigator by an officer in a law enforcement agency.

    A private investigator paid several city employees to conduct NCIC record searches. During the service of a search warrant at the investigator's office in an unrelated fraud matter, state investigators discovered records indicating that payments had been made for NCIC records and notified the Colorado Bureau of Investigation. The ensuing inquiry, with the cooperation of the district attorney, resulted in the indictment of several individuals.

These examples are similar to the illegal buying and selling of personal information uncovered by the Denver grand jury. Other types of sensitive personal records are also routinely bought and sold. One recent investigation found a nationwide network of information brokers who obtained information from the NCIC, the National Law Enforcement Telecommunications System, the Military Personnel Records Center, the Social Security Administration, the telephone companies, and others. The information was provided in exchange for money by insiders who knew that it was against the law and policy of their agency or company. There is even evidence of open solicitation through newspaper advertising of the ability to obtain records that are legally protected against improper disclosure.

Evidence supporting the notion that there is routine illegal trafficking in health information also comes from Canada. In 1979, Mr. Justice Horace Krever, Commissioner of the Royal Commission of Inquiry into the Confidentiality of Health Records in Ontario, Canada, testified before the Subcommittee on Government Information and Individual Rights. The Royal Commission of Inquiry had its origins in press stories about abuse of confidential health information. Mr.
Justice Krever testified that at the time the inquiry began, no one had any clear idea of the extent of the violation of confidentiality or that many violations were in the private casualty insurance sector.

The Royal Commission found that the acquisition of health information by private investigators without patient consent and through false pretenses was widespread. During a 14-month period, the Royal Commission heard from over 500 witnesses, including private investigative firms, insurance companies, hospitals, and others. For the years 1976 and 1977, the Royal Commission found that there were hundreds of attempts made in Ontario to acquire health information from hospitals and doctors; well over half of the attempts were successful. Several investigative firms went out of business as a result of the Royal Commission's work.

So many insurance companies were found to have been using health information obtained under false pretenses that the Insurance Bureau of Canada made a general admission to the Royal Commission that its members had gathered medical information through various sources without the authorization of the patient. Many members of the Insurance Bureau of Canada are subsidiaries of American insurance companies. Some investigative agencies that obtained information under false pretenses are also subsidiaries of American companies.

Mr. Justice Krever testified that he was "very much surprised" by the abuses of health information that the Royal Commission uncovered. He also testified that he suspected that the practices occurred not only in Ontario but throughout all of North America.

Because of the similarities between the Canadian and American casualty insurance industry and the private investigation industry, this Committee inferred in a 1980 report that the same techniques for acquiring health information that were used in Canada were also used in the United States.
The techniques used by the Factual Services Bureau were identical to those common in Canada. All of the people involved in the Denver and Canadian investigations have stated their view that the practices were common throughout the United States.

Comment: We need stronger laws to establish deterrents to the surreptitious trafficking in identifiable health information.

+ + + + + + + + + + + + + + + + + + + + + + + + +
+ Robert Gellman          rgellman@cais.com     +
+ Privacy and Information Policy Consultant     +
+ 431 Fifth Street S.E.                         +
+ Washington, DC 20003                          +
+ 202-543-7923 (phone)   202-547-8287 (fax)     +
+ + + + + + + + + + + + + + + + + + + + + + + + +

------------------------------

From: "Prof. L. P. Levine"
Date: 18 Oct 1995 13:55:25 -0500 (CDT)
Subject: Info on CPD [unchanged since 08/18/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below.
On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors.

[new: Ordinary copyrighted material should not be submitted. If a]
[copyright owner wishes to make material available for electronic]
[distribution then a message such as "Copyright 1988 John Doe.]
[Permission to distribute free electronic copies is hereby granted but]
[printed copy or copy distributed for financial gain is forbidden" would]
[be appropriate.]

Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the Subject: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at gopher.cs.uwm.edu.
Web browsers will find it at gopher://gopher.cs.uwm.edu.

---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     |     and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Web: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V7 #043
******************************