Date: Mon, 08 Jan 96 15:09:15 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V8#004

Computer Privacy Digest Mon, 08 Jan 96              Volume 8 : Issue: 004

Today's Topics:                         Moderator: Leonard P. Levine

    Re: Checking Account Status is Public
    Breasts on AOL
    Re: BC Commissioner Upholds Severing of Voter Addresses
    Spy Viruses
    Re: Bully for US Gov't Boo to Wisconsin
    Re: The Year We Struggled with On-line Censorship
    Re: Public Universities and SSNs
    Re: Public Universities and SSNs
    Gas Station Receipts
    Re: Censorship Escalation
    Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: "Mark W. Eichin"
Date: 05 Jan 1996 18:51:23 -0500
Subject: Re: Checking Account Status is Public

quoth Wm. Randolph Franklin, wrf@ecse.rpi.edu:

Every bank (and S&L etc) that I've checked with will tell you over the phone whether a check you're holding from one of their customers would clear if you deposited it. ... No bank manager that I've asked sees any privacy problems with this.

I'm told (by friends who are customers there) that University Bank, in Palo Alto CA, also provides this service by default; however, if you specifically ask them about it, they'll set a "privacy flag" on your account and will in fact refuse all such requests.

_Mark_
Cygnus Support, Eastern USA

ps. Yes, University Bank is the one with the fanciful alien spaceship crashing into the side of the building :-)

------------------------------

From: fyoung@oxford.net (F Young)
Date: 05 Jan 96 22:56:27 EST
Subject: Breasts on AOL

wasn't censoring "breast" in private e-mail, the chats themselves, or discussion group posts--at least none of the e-mail, chats, or discussion groups I was in. This may have been only because they didn't have the time and technology, and it certainly doesn't reduce the stupidity of the act.
There is, nonetheless, a very fine line between moderating and censoring in public discussion groups. But the thought of my private e-mail being monitored by officials/agents of an online service is upsetting to say the least. The technology is certainly there if any online service wishes to pick up certain keywords from private e-mail and then take actions against the sender.

I believe online services should be given the same immunity given to common carriers. But privileges come with responsibility, online services must then ensure they do not unilaterally censor public information, and that private e-mails not be read by any third party while they remain in their systems.

Does AOL allow members to use PGP to encrypt their e-mails?

In the summer, breast cancer survivors tried to form a chat room called "Breast cancer survivors." They were told that the chat room name was obscene. Someone tried variations, such as "boob cancer" and "hooter cancer." AOL accepted these--they were not "obscene." After lots of

The term "breast cancer" is widely used by _all_ media. I have heard and seen the term on TV, radio, newspapers, and government documentations. I would consider "boob" or "hooter" much less acceptable in serious discussions such as those found in support groups. It is insulting to breast cancer survivors to make them use colloquialisms when sharing their experiences with each other.

About two months later, a breast cancer survivor scanned through user profiles to find other women who described themselves as breast cancer survivors. She found that all these posts had been purged because of their allegedly obscene content.

Congratulations for cancelling your AOL account.

------------------------------

From: bo774@freenet.carleton.ca (Kelly Bert Manning)
Date: 06 Jan 1996 07:54:12 GMT
Subject: Re: BC Commissioner Upholds Severing of Voter Addresses
Organization: The National Capital FreeNet
References:

"Mario M.
Butter" (mbutter@tower.clark.net) writes:

The US has different laws in each state; indeed one state (Louisiana) has laws modeled after the French legal system rather than English common law. In some states, the voter registration lists are public information.

Is this a setup for the "Dead men vote, at least they do in Louisiana" line?

The names of voters can still be released to the public. Their addresses cannot.

I did have the idea that states pretty much run elections in the USA. My reference to efficiency was based on a second impression that voters cast ballots for everyone from president down at least as far as county offices at the same place on the same date.

Here there is no coordination between federal and provincial elections. Municipal and school board elections do occur together on a fixed schedule, but bodies such as hospitals are often incorporated as societies with elections at arbitrary times operating under the type of voting procedure that Pat Robertson fans exploited so well a few years back.

Speaking of hospitals, there is a new BC I&P commissioner decision at the web site dealing with a request that a service bureau be ordered to restore e-mail between staff at a hospital and the Ministry of Health and scan it for a specified list of key words. I'm not aware of much of the background, but my reading of it is that the major factor in the rejection of the request was the volume of work involved. If it had been cheap/fast/easy to retrieve this the decision might have gone the other way.

--
notice: by sending advertising/solicitations to this account you will be indicating your consent to paying me $70/hour for a minimum of 2 hours for my time spent dealing with it

------------------------------

From: "Prof. L. P.
Levine"
Date: 06 Jan 1996 09:11:53 -0600 (CST)
Subject: Spy Viruses
Organization: University of Wisconsin-Milwaukee

Taken from RISKS-LIST: Risks-Forum Digest Friday 5 January 1996 Volume 17 : Issue 60
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

From: Educom
Date: 01 Jan 1996 19:48:38 -0500 (EST)
Subject: Spy Viruses (Edupage, 31 December 1995)

Syndicated columnist Gina Smith predicts a proliferation of computer "spy" viruses similar to Microsoft Windows 95's registration wizard that can zip around your CPU and determine whether you've legally registered all the software you've got loaded on there: "It's already possible to do this sort of scanning without alerting the user, so it doesn't take much of a futurist to imagine the same sort of stealth technology being used on unknowing bulletin board and Internet users. In fact, I think a trend away from juvenile-prank computer viruses to information-seeking `spy' viruses isn't merely likely, it's inevitable." (Popular Science Dec 95 p12)

------------------------------

From: Robert Gellman
Date: 06 Jan 1996 21:53:03 -0500 (EST)
Subject: Re: Bully for US Gov't Boo to Wisconsin

I just got my new tax forms. My Social Security Number (SSN) did not appear on the federal form cover but was only on a label folded into the middle of the book. The state of Wisconsin, as usual, had my (and my wife's) SSN right on the top of the cover.

I didn't notice this until I read your posting. I agree that this is progress of a sort. But if postal workers wanted your SSN, all they have to do is flip open the tax booklet and read the label. The booklet is not sealed.

The real problem is that getting an SSN is generally pretty easy so a Postal Worker does not have any great incentive to collect them. Still, if someone gets YOUR SSN, and uses it improperly, a lot of damage can result.

Like I said, it is progress of a sort.
+ + + + + + + + + + + + + + + + + + + + + + + + +
+ Robert Gellman          rgellman@cais.com     +
+ Privacy and Information Policy Consultant     +
+ 431 Fifth Street S.E.                         +
+ Washington, DC 20003                          +
+ 202-543-7923 (phone)   202-547-8287 (fax)     +
+ + + + + + + + + + + + + + + + + + + + + + + + +

------------------------------

From: gmcgath@mv.mv.com (Gary McGath)
Date: 07 Jan 1996 15:02:19 GMT
Subject: Re: The Year We Struggled with On-line Censorship
Organization: Conceptual Design
References:

bernie@fantasyfarm.com (Bernie Cosell) wrote:

On the other hand, if you do want to pursue the quest, at least be aware of how tough a row it is going to be to hoe. You'll have to make a case that the network is a medium different from *any* other, and that that difference should be the reason to overturn hundreds of years of *unquestioned* legal precedent, rather than that difference meaning that some sort of new and innovative legislation is called for.

We may be drifting rather far from the topic of privacy here in discussing censorship, but I'll throw in a couple of brief comments which Prof. Levine can use or not as seems appropriate.

Trying to win an argument by conceding the basic principle is the real "fool's errand." The degree of free speech which we have was won by people arguing for a basic principle, not by carving out specialized exceptions to a general principle. The fact that there have always been laws against "pornography" is not evidence that there is an exception hidden in the First Amendment, nor is it a reason for us to act as if there were.

Once you concede the principle and then argue "But we're an exception!" then you only end up having your case made more and more narrow. Any victories you win are at the cost of having helped the case for censorship in the "normal" course of affairs.

An example: In New Hampshire, several communities have passed ordinances severely restricting the location of bookstores that carry material "that constitutes sexual conduct."
The very definition is incoherent at its root. But rather than challenge the principle, the plaintiffs chose to challenge the details of the zoning. They lost -- and now there's a precedent saying that the ordinance was upheld in court.

--
Gary McGath gmcgath@mv.mv.com http://www.mv.com/users/gmcgath
One world, one vendor, one Web browser? No, thanks!

------------------------------

From: glr@ripco.com (Glen L. Roberts)
Date: 08 Jan 1996 14:08:13 GMT
Subject: Re: Public Universities and SSNs
Organization: Full Disclosure

The Oil City, Pa school district called up and asked my wife for the kids' SSNs... said: when we get their SSNs we'll be all set.

I called back to see what the deal was (ie: no Privacy Act Notice, and no Privacy Act exemption allowing them to ask).

To make a long story short, the individual I talked to was responsive to my privacy concerns (we'll see about the District in general).

The REASON they wanted one of the SSNs was they would run the SSN through a private company that has a list of kids that have Medical ID cards. If there was a match, the school would get money from the State.

Why not just ask if the kid has a Medical ID card? (not that it is really any of the school's business who is on welfare or not).

Anyway, he said it was completely voluntary whether we provided the SSN (and quite irrelevant to their objective since we don't have Medical ID cards... so they won't get any money either way).

I sent him a copy of the book I publish, Your Social Security Number from Pension Provider to Privacy Penetrator.

I also just got my packet from the United States District Court... we'll see if an apology and compliance with the Privacy Act is forthcoming before I decide to spend $120!

(They had a spot on some paperwork for the SSNs but we didn't fill em out or hear anything about it).

------
Check out our "Why Microsoft Sucks Contest" see url below
Full Disclosure [Live] -- Privacy, Surveillance, Technology! (Over 140 weeks on the Air!)
The Net Connection -- Listen in Real Audio on the Web!
http://pages.ripco.com:8080/~glr/glr.html
------

------------------------------

From: Steigelmann@picard.capd.abbott.com (Jim Steigelmann)
Date: 08 Jan 1996 19:49:47 GMT
Subject: Re: Public Universities and SSNs
Organization: Abbott Labs
References:

wrf@ecse.rpi.edu says...

UT Austin asks for the applicant's SSN on recommendation forms, and says that it is required. There is no privacy act notice. This would seem to be illegal. It is also intimidating since an applicant might be scared to make a fuss since the admissions process is so vague, and the applicant would never be able to prove that complaining was why he was rejected.

The University of Illinois had an even more insidious practice - your Student ID number - required for every test (and asked for by bouncers to get into bars) was your social security number.

--
--------------- Jim Steigelmann ----------------------------------------------------------
The opinions expressed are my own and do not represent the opinions of my employer, my boss, the state of Illinois, the government of the United States of America, or of the world in general...
-----------------------------------------------------------

------------------------------

From: "Prof. L. P. Levine"
Date: 06 Jan 1996 09:32:19 -0600 (CST)
Subject: Gas Station Receipts
Organization: University of Wisconsin-Milwaukee

Taken from RISKS-LIST: Risks-Forum Digest Friday 5 January 1996 Volume 17 : Issue 60
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

From: CharlesP_Schultz-ECS013@email.mot.com
Date: 03 Jan 96 06:56:36 -0600
Subject: Gasoline Pump Receipt Risks

Over the last few months, I have pulled up to self-serve gasoline pumps that accept credit card payment, and noticed that a previous customer has left behind the receipt that gets printed at the end of the transaction.
Some pumps make you explicitly hit a button to get a receipt, but others do it automatically.

So what's the risk? The risk lies in the information that you leave behind if you drive away without taking the receipt, or if you simply toss it in the trash nearby. The receipts from different gas companies have different information, but the worst risk I have seen so far is on the Amoco receipt where the account number and CUSTOMER NAME appear on the receipt.

I also found a Chevron receipt that has someone's account number on it, and the gas station's name and station number. Since this particular gas station is "Juan's Chevron" I suppose a spoofer could call up Chevron posing as Juan and give their station number to legitimize their spoof, so here there is also a risk to the station owner.

Mobil receipts have less information than the Amoco or Chevron ones. But as long as someone gets a legitimate account number, this is probably enough information to perpetrate some damaging fraud (for example, setting up a bogus gas station, then turning in credit card receipts and getting paid for them by the gas provider - this actually happened down here a number of years ago).

Here's a list of the information provided on the receipts (besides the amount of gas and price per gallon) from the three providers I mentioned above. I don't know if the gas companies use different models of pumps in different parts of the country (I'm in South Florida), so your receipts may differ. Perhaps we could collect information from other gas providers, and urge them to be more sensitive to their customers' privacy.

AMOCO: Station name and address, date, time, CUSTOMER NAME, CARD ACCOUNT NUMBER, reference number

CHEVRON: Date, station name and address, station number, CARD ACCOUNT NUMBER, invoice number, authorization number

MOBIL: CARD ACCOUNT NUMBER, invoice number, date, station name and city

-- Charles P.
Schultz

------------------------------

From: Harvey A Silverglate
Date: 05 Jan 1996 22:17:27 +0001 (EST)
Subject: Re: Censorship Escalation

Charles Platt wrote:

I have a question for people whose knowledge of censorship history is more comprehensive than mine: is there any factual basis for the claim, often made by "our side," that censorship tends to escalate? I've often heard it said by civil libertarians that if we allow them to censor X today, they'll want to censor Y tomorrow. Today, alt.sex.pedophilia; tomorrow, gay discussion groups. Today, Hustler magazine; tomorrow, Penthouse.

Your question is too interesting for me to pass up the opportunity for a brief reply. My reply is brief and partial, but I think to the point.

In 1943, the U S Supreme Court decided the landmark free speech/free press case of NEAR vs. MINNESOTA. In that case, the Court declared presumptively unconstitutional all efforts by government at PRIOR RESTRAINT of speech or press. This means that the government may not prevent, IN ADVANCE, anyone from speaking or publishing, although in some situations the government may prosecute, or courts may award civil damages for, certain prohibited forms of speech (obscenity, libel/slander for example).

However, the Court, almost in passing, said that the rule against prior restraints was not absolute. It gave as an example of a possible exception, the case of a newspaper wanting to publish the schedule by which troop ships would be sailing in time of war. In such an extreme situation, said the Court, where national security was involved, prior restraint might indeed be constitutional.

On the basis of the "troop ship" exception set out in NEAR, state and federal governments have tried time and time again to suppress speech and press via the route of prior restraints. There was the attempt to stop the publication of the "Pentagon Papers" by the NYTimes, Washington Post, and Boston Globe.
There was the attempt to stop publication by the Progressive magazine of an article on how to build an atomic bomb (all of which information was available in the MIT library!). There was the recent case of a private litigant - a bank - trying to stop a business magazine from publishing an article containing documentation from a lawsuit in which the bank was involved. Such attempts at prior restraint are, sadly, endemic nowadays to many "politically correct" college and university campuses.

The attempts at prior restraints go on and on. And each time, there is restraint for a period of time until some appellate court overturns the injunction against publication. It is a real problem. The Supreme Court should have said simply that ALL prior restraints are unconstitutional, and relied on the patriotism and good sense of the press not to publish troop ship sailing schedules in time of warfare. (Besides, such publication might well be punishable AFTER publication, and surely a newspaper would not go ahead and publish such material just because prior restraints are not available to the government, if punishment after the fact were available.)

This is a good example of the phenomenon of the "slippery slope." Once an inroad is made in liberty, the government, and some private parties, may be counted on to try to push the envelope. Inroads into liberty inevitably result, even if most are successfully resisted.

True, the same phenomenon might be found on the other side. Allow one sexually-suggestive book to be published, and others -- even MORE suggestive -- are likely to follow. But for people who value liberty, if the "slippery slope" phenomenon is going to operate, better it should operate in the direction of liberty, rather than in the direction of suppression and repression.

-- Harvey Silverglate

------------------------------

From: "Prof. L. P.
Levine"
Date: 06 Jan 1996 09:32:19 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply.
All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using CPD material should obtain permission from the contributors.

Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the Subject: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at gopher.cs.uwm.edu.

Web browsers will find it at gopher://gopher.cs.uwm.edu.

----------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     |               and comp.society.privacy
University of Wisconsin-Milwaukee | Post:         comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information:  comp-privacy-request@uwm.edu
                                  | Gopher:       gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Web:          gopher://gopher.cs.uwm.edu
----------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V8 #004
******************************