Date: Wed, 06 Dec 95 16:15:25 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@uwm.edu Subject: Computer Privacy Digest V7#048 Computer Privacy Digest Wed, 06 Dec 95 Volume 7 : Issue: 048 Today's Topics: Moderator: Leonard P. Levine Signed Postings Caller ID leakage Re: SSN for CA DL renewal SSN for NY DL renewal Is it Possible to Not GET a SSN? Cashless Society Re: Common Carrier Re: Privacy and Police Computers Professional Paranoids Privacy Watchdog Outs Big Brother Companies Info on CPD [unchanged since 11/22/95] ---------------------------------------------------------------------- From: "Prof. L. P. Levine" Date: 06 Dec 1995 15:55:55 -0600 (CST) Subject: Signed Postings Organization: University of Wisconsin-Milwaukee This is from the moderator of the Computer Privacy Digest. In a previous mailing I used a newly formed authorization technique to "sign" the digest. The authorization will ultimately cause postings that are authorized by someone other than the moderator (me) to be automatically cancelled. Out of some several thousand readers I received 3 notices that the authorized messages did not arrive at the destination address. People who are concerned about this sort of thing will be working on fixing those problems that occur. This is the only posting of 11 items in Volume 7 number 48 that is not "signed". If this is the only posting that you see in this volume:number, please let me know, I am certain that other moderated boards will shortly be using this technique to fix the problem of spamming so if you have a problem, I expect it will get worse. As a temporary or even a permanent fix I will be pleased to directly mail the entire digest to anyone who has a problem. Just let me know. The problem we are about to solve is not seen as a serious one to everyone. One reader responded: As a meta-comment, I'm astounded that you're bothering to tilt at this windmill --- you (and many others) are reacting *so* irrationally hysterically to the threat of bogus postings that you'll entertain screw up your news propagation. Strikes me as very silly, and is the sort of thing that only contributes to the hysteria. I mean, you're not even reacting to a *REAL* problem, in any dimension (since as you admit, your newsgroup hasn't had a problem). At the least, why not let some newsgroup that *is* really expeeriencing difficulty to be the guinea pig? I presented this question to Greg Rose, the author of PGP Moose. His response was: I must disagree with your correspondent in that I wouldn't have gone to this amount of trouble if there wasn't already at least a little bit of a problem. About 8 months ago there was a spate of forged spams sent to moderated newsgroups. This lead to a lot of work by Chris Lewis on automatic spam detection and cancelling, and to the desire to create the PGP Moose. I agree with you that it can only get worse, and what is more, I believe that when it gets worse it will do so quickly. By the way, the particular spam that I reacted to, way back then (March 7th), was crossposted to every moderated newsgroup. Chris Lewis caught it quickly and autocancelled it, but technically I think you have experienced the problem at least on a small scale -- you probably just didn't notice at the time. I added: Here in the US we are about to enter a VERY contentous year of politics and I see every reason to believe that various political groups will use the net as never before to express their opinion and to damage their opponents. Dirty tricks will abound. For example look at http://www.dole96.org (spoof) and http://dole96.com (real). It is 11 months till the election and we see this now. Unless we are on top of this we will not be able to respond when the time comes. Greg responded: You've touched on a point that worries me. I see the PGP Moose as a precautionary measure, something that should be put into place before there is a major problem. You, and a couple of others, seem to agree. But the vast bulk of people out there seem to be waiting for the problem to occur for real before they will think about implementing (installing) something like it. It's much harder to build a levee when it's raining cats and dogs. The Privacy Digest is certainly no further away from the problem than misc.news.bosnia or comp.std.c++ (both of which have moderators using it, although in both cases they have multiple moderators and not all are using it). And I strongly feel that masquerading as another is a breach of that person's rights, and to some extent of the right of privacy. That it is your right (as moderator) that is being breached is merely less general than breaching everyone's. I responded that the cancellation of other folk's postings in general is a vigilante tactic, and is, perhaps, as serious a breach of net-etiquet as the original spam. Cancelling a posting in a _moderated_ group with the permission of the moderator has no such effect, since I am the only one permitted to post to CPD and all other legal posts are done, in effect, with my authority. If I authorize someone to cancel any message that I have not personally signed there is no impropriety, just someone acting as my authorized agent. Greg went on: I have some other, less direct, reasons for wanting the experiment to proceed. Proper use of cryptographic tools is one of the great hopes for privacy and security in the near future, but I believe it is under threat from legislators everywhere. One of the background motivations for developing the PGP Moose was to deploy a widely used, clearly beneficial tool using PGP particularly, and cryptographic techniques generally. Then when someone says "Let's ban ...", we can say "But look at the consequences to ...". At the moment I'm unaware of any such valid argument outside of banking and commerce, and they are always handled by grandfather clauses or some form of per-case authorisation. It also focuses attention on the laws and the ITAR. So, here we go with step 2. This issue Volume 7 number 48 has 11 items, all of which are signed except this one. If you see no other item in this volume:number, please let me know. Greg Rose INTERNET: greg_rose@sydney.sterling.com Sterling Software VOICE: +61-2-9975 4777 FAX: +61-2-9975 2921 28 Rodborough Rd. http://www.sydney.sterling.com:8080/~ggr/ French's Forest 35 0A 79 7D 5E 21 8D 47 E3 53 75 66 AC FB D9 45 NSW 2086 Australia. co-mod sci.crypt.research, USENIX Director. ---------------------------------+----------------------------------------- Leonard P. Levine | Moderator of: Computer Privacy Digest Professor of Computer Science | and comp.society.privacy University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu | Gopher: gopher.cs.uwm.edu levine@cs.uwm.edu | Mosaic: gopher://gopher.cs.uwm.edu ---------------------------------+----------------------------------------- ------------------------------ From: Beth Givens Date: 06 Dec 1995 13:20:09 -0800 (PST) Subject: Caller ID leakage Starting December 1, Calling Number ID is supposedly transmitted on ALL calls, local as well as long distance, as per a FCC ruling. The one exception is for calls originating in California. (The California Public Utilities Commission has requested a 6-month waiver, until it has had the opportunity to accept or reject the local phone companies' education plans for alerting California consumers to the privacy effects of Caller ID.) Rumor has it that some Caller ID data for California calls has somehow "leaked" out -- both in the past and since December 1st. But we have not been able to verify that. If you have indeed seen California numbers on your Caller ID display devices, I'd appreciate hearing from you -- either via this forum or directly to my email address (bgivens@acusd.edu). If you don't mind divulging the first 6 digits of those numbers, that data would help track down the errant phone company switches. Thanks. Beth Givens Voice: 619-260-4160 Project Director Fax: 619-298-5681 Privacy Rights Clearinghouse Hotline (Calif. only): Center for Public Interest Law 800-773-7748 University of San Diego 619-298-3396 (elsewhere) 5998 Alcala Park e-mail: bgivens@acusd.edu San Diego, CA 92110 ------------------------------ From: fyoung@oxford.net (F Young) Date: 01 Dec 95 23:07:25 EST Subject: Re: SSN for CA DL renewal halfbree@rapidnet.com wrote: That is an intresting statement as South Dakota and several other states use your SSAN as the Drivers License #. In Canada, a law was passed by the previous government prohibiting the use of the Social Insurance Number (SIN), same type of ID as the SSN, for record-keeping other than with the federal government. Before this law, when I went to high school, my school ID was my SIN. When applying for my DL in Ontario, they asked for two pieces of identification, and I have to show that I am a permanent resident or citizen of Canada, but that could be done without showing my SIN. Ontario DLs have unique numbers. At the same time, the government began requiring everyone to provide their SINs when opening any account that has to do with money - presumably to keep tab on us so we have a harder time not paying tax on interest earned. Foreigners opening bank accounts in Canada are subjected to a 25% withholding tax on interests. ------------------------------ From: walt@lfs.loral.com (Walt Johnson) Date: 05 Dec 1995 15:12:45 GMT Subject: SSN for NY DL renewal Organization: Loral Federal Systems, Owego New York Yesterday I renewed my New York Drivers License. NY requested my SSN but didn't make an issue of it when I requested the written statement of statutory authority and impact of refusal. I just put a "N" in the space and they accepted it. Walt Johnson N3385L KB2UOU Cessna A185E Loral Federal Systems Group EDO 2790 Owego, New York 13827 The comments expressed waltj@lfs.loral.com above are my own and do (607-751-2158) not reflect the position FAX(607-751-6223) of the Loral Corporation ------------------------------ From: adkinsg@piranha.ianet.net (Garry P. Adkins) Date: 02 Dec 1995 01:11:38 -0500 Subject: Is it Possible to Not GET a SSN? Organization: Ichthus Access Networking Inc., (304) 453-5757 I (of course) have a SSN. I've been wondering if it's possible to not actually *have* a SSN.... I was talking with a guy the other day (he's a pastor), and he home-schools his kids, etc. They don't have SSNs. (yet...) He really really really really objects to getting them on religious and moral grounds. While maybe not as extreme, but it's kinda like the "mark of the beast" thing. It sent me to thinking... Any idea what his options are? Can he be a "conscientious objector" to the SSN deal? -- ------------------------------------------------------------------------ Garry Adkins adkinsg@ianet.net USnail: 712 Chestnut St. BELLNet: +1-304-453-5757 Kenova, WV 25530-1511 ------------------------------ From: maillist@dazed.nol.net (Al Johnson) Date: 02 Dec 1995 09:00:42 GMT Subject: Cashless Society Organization: Networks On-Line, Houston The governments main reason for pushing the cashless society idea is that it will obliterate the underground economy which transactions the IRS is unable to collect taxes on. But I do not believe that undergroud transactions put that much of a dent in the governments tax revenue, besides they collect enough taxes as it is already. However, there are benefits that a cashless society would have for the consumers and the economy as a whole, but however great the benefits, no cashless system should be implemented unless total privacy can be gauranteed. Simply devise a system that makes tracking purchases impossibe. A system whereby a cash purcase cannot be linked to a person, or a bank account. I see no reason why we cannot have a virtual wallet with digital cash. The wallets can be mass produced in the form resembling a credit/ATM card. All cards are generic, meaning that they are anonymous, have no personal information identifying the owner of the card, or the owners bank account. I call this card a virtual wallet, as opposed to a virtual checkbook, because the purpose of this wallet is to carry your digit cash - cash is anonymous. I'm talking about cash that functions the same as the bills in your wallet right now. The digital cash can be downloaded from your bank account through the ATM directly into you virtual wallet. Each unit of digital cash is made up of serial numbers and denomination codes that are registered with the U.S. Treasurey Dept.. The cash can be used for any purchase or can be transferred between individuals as usual. When a purchase is made, a certain amount of digital cash codes equal to the amount of the sale is transfered from the wallet into the business cashregister. The digital cash *IS* the currency. It is not an *authorization* for your bank to transfer monies from your account into the merchant's account, (like a check or credit card) thereby requiring personal and purchase information to be gathered and transferred. The digital cash is paper cash in digital format and functions the same. So don't lose your virtual wallet because the cash in it can be spent by anyone, just as if you lose your real wallet today! And don't try to go to your bank to get replacement cash for the cash that you lost before it was spent, because they have no way of knowing what cash is spent and what cash is not, because they do not track who gets what currency ID numbers. These generic wallets can also be equiped with programmable PIN's so as to deter unauthorized use. If all digital wallets used PIN's, then many more lost wallets would probably get returned to their owners in the hope of reaping a possible reward. This is just a rough outline of my ideas and they will certainly need modification. But, my point is this: We shouldn't have to give up our privacy in order to reap the rewards of a cashless economy, or anything else for that matter. ------------------------------ From: herrin@why.com (William Herrin) Date: 02 Dec 1995 19:49:46 GMT Subject: Re: Common Carrier Organization: Why? Because we like you. Kevin Kadow writes: Personally I'm more concerned with the chilling effect on free speech that would result from restricting content, regardless of who is held liable. As I've stated in other forums, the question isn't HOW to make the Internet safe for children (one proposed goal of this bill) but WHETHER it should be done at all. The Internet is no longer a publically funded resource, if the politician's want their own safe and censored network, let them start one for that purpose. I disagree. The availability of pornography and similarly problematic material potentially has the ability to bar children from the Internet, or at least from huge un-checked expanses of it. That shouldn't be allowed to happen. The question is how do you let the kids roam without, as you say, having a chilling effect on free speech. I like safesurf's answer. Take a look at . Their plan adds a voluntary capability to the technology, which if supported by laws and treaties would allow kids to roam without chilling anyone's rights. Of course, it takes more than just the web, but thats a place to start. -- William D. Herrin herrin@why.com herrin@ultima.cms.udel.edu 6857 Lafayette Park Dr. wherrin@gmu.edu herrin@scienza.onr.navy.mil Annandale, VA 22003 Fallible_Dragon@udic.org -==(UDIC)==- Web: PGP Public Key Available via web page ------------------------------ From: John Medeiros <71604.710@compuserve.com> Date: 02 Dec 95 21:23:20 EST Subject: Re: Privacy and Police Computers In his post, Adam Starchild , related a New Jersey incident in which police used a "patrol car computer scanner" to determine that a driver had a suspended driver's license. I for one, would like to hear a LOT more detail on such a case. If anyone knows any additional details please provided them. On its face, the incident sounds quite ominous. The use of the term "computer scanner" is particularly troubling. On the other hand, after many, many years of monitoring police radio traffic (quite legal and inexpensively done with widely available equipment), it appears that officers used a data terminal in their car to inquire about a vehicle owned by Mr Donis. For whatever reason, they then used that same terminal to determine if the registered owner (Mr. Donis) driver's license was valid. Finding that it was suspended, they then stopped and determined that Mr. Donis was in fact the person driving the car. Mr. Donis was then arrested. Now, this is all supposition, I have no personal knowledge of this incident. However, if my senario is accurate, it portrays something that has been done for years. Initially via radio with the assistance of dispatcher, but now directly by the officers themselves. It would therefore pose no new intrusions into privacy. In fact, the digital signal used to transmit the information to the data terminals in patrol cars is infinitely more difficult to monitor than the good old radio waves and will cut down on the amount of information "overheard" on police radios, so actually *increases* privacy. In fact my concern is somewhat differnent than Mr. Starchild's. My concern is that someone will be able to "spoof" the police computer by transmitting on the correct frequency, in the correct protocol, with a vailid identifier, etc., and have the police coomputer respond with information. Now THAT scares me. ------------------------------ From: rj.mills@pti-us.com (Dick Mills) Date: 06 Dec 1995 05:16:47 -0500 Subject: Professional Paranoids Bob Metcalfe, in his From the Ether column in InfoWorld 12/4/95 wrote a column on his predictions for 1996: Predicting the Internet's castastrophic collapase ..snip.. *Privacy. Internet backlash among professional paranoids will break into a full collapse after a series of well-publicized privacy violations instigated by the professional paranoids themselves for our own good. Gee, I guess he means us. Let me be the first to disavow it. No matter what happens in 1996 it wasn't me that did it. :) -- Dick Mills +1(518)395-5154 http://www.albany.net/~dmills ------------------------------ From: "Dave Banisar" Date: 04 Dec 1995 10:33:29 -0500 Subject: Privacy Watchdog Outs Big Brother Companies MEDIA RELEASE Contact: Simon Davies, Privacy International Davies@privint.demon.co.uk PRIVACY WATCHDOG OUTS BIG BROTHER COMPANIES New report uncovers a massive international surveillance trade funded by the arms industry and led by the UK On Monday 4 December, Privacy International will publish Big Brother Incorporated, a 150 page report which investigates the global trade in repressive surveillance technologies. The report, to be published on several Web sites on the Internet, shows how technology companies in Europe and North America provide the surveillance infrastructure for the secret police and military authorities in such countries as China, Indonesia, Nigeria, Angola, Rwanda and Guatemala The reports primary concern is the flow of sophisticated computer-based technology from developed countries to developing countries - and particularly to non-democratic regimes. The report demonstrates how these companies have strengthened the lethal authority of the world's most dangerous regimes. The report lists the companies, their directors, products and exports. In each case, source material is meticulously cited. Privacy International is publishing the report in digital form in several sites on the Internet to ensure its accessability by interested parties anywhere in the world. Surveillance technologies are defined as technologies which can monitor, track and assess the movements, activities and communications of individuals. More than 80 British companies are involved, making the UK the world leader in this field. Other countries, in order of significance, are the United States, France, Israel, the Netherlands and Germany. _Big Brother Incorporated_ is the first investigation ever conducted into this trade. Privacy International intends to update the report from time to time using trade fair documents and leaked information from whistleblowers. The surveillance trade is almost indistinguishable from the arms trade. More than seventy per cent of companies manufacturing and exporting surveillance technology also export arms, chemical weapons, or military hardware. Surveillance is a crucial element for the maintenance of any non-democratic infrastructure, and is an important activity in the pursuit of intelligence and political control. Many countries in transition to democracy also rely heavily on surveillance to satisfy the demands of police and military. The technology described in the report makes possible mass surveillance of populations. In the past, regimes relied on targeted surveillance. Much of this technology is used to track the activities of dissidents, human rights activists, journalists, student leaders, minorities, trade union leaders, and political opponents. It is also useful for monitoring larger sectors of the population. With this technology, the financial transactions, communications activity and geographic movements of millions of people can be captured, analysed and transmitted cheaply and efficiently. Western surveillance technology is providing invaluable support to military and totalitarian authorities throughout the world. One British computer firm provided the technological infrastructure to establish the South African automated Passbook system, upon which much of the functioning of the Apartheid regime British surveillance cameras were used in Tianamen Square against the pro-democracy demonstrators. In the 1980s, an Israeli company developed and exported the technology for the computerised death list used by the Guatemalan police. Two British companies routinely provide the Chinese authorities with bugging equipment and telephone tapping devices. Privacy International was formed in 1990 as a non-government, non-profit organisation. It brings together privacy experts, human rights advocates and technology experts in more than 40 countries, and works toward the goal of promoting privacy issues worldwide. The organisation acts as an impartial watchdog on surveillance activities by governments and corporations. For further information or interview, contact Simon Davies in London at davies@privint.demon.co.uk. The address of the web site is http://www.privacy.org/pi/reports/big_bro/ -- David Banisar (Banisar@privacy.org) * 202-544-9240 (tel) Privacy International Washington Office * 202-547-5482 (fax) 666 Pennsylvania Ave, SE, Suite 301 * HTTP://www.privacy.org/pi/ Washington, DC 20003 ------------------------------ From: "Prof. L. P. Levine" Date: 22 Nov 1995 14:25:54 -0600 (CST) Subject: Info on CPD [unchanged since 11/22/95] Organization: University of Wisconsin-Milwaukee The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply. If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below. On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing. Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors. Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the Subject: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit the text except for purely technical reasons. A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy". People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Web browsers will find it at gopher://gopher.cs.uwm.edu. ---------------------------------+----------------------------------------- Leonard P. Levine | Moderator of: Computer Privacy Digest Professor of Computer Science | and comp.society.privacy University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu | Gopher: gopher.cs.uwm.edu levine@cs.uwm.edu | Web: gopher://gopher.cs.uwm.edu ---------------------------------+----------------------------------------- ------------------------------ End of Computer Privacy Digest V7 #048 ****************************** .