Date: Mon, 15 Jan 96 19:11:31 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V8#006

Computer Privacy Digest Mon, 15 Jan 96              Volume 8 : Issue: 006

Today's Topics:                         Moderator: Leonard P. Levine

  Re: Breasts on AOL
  Re: Checking Account Status is Public
  Re: Checking Account Status is Public
  Cases on Disclosing Private Information
  Re: Canadian Social Insurance Number
  Re: Spy Viruses
  Computers See ALL Your Postal Mail
  New Access Code for the French Electronic Directory
  Caller ID Leakage?
  News from Zimmermann's Attorney
  Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: huggins@tarski.eecs.umich.edu (James K. Huggins)
Date: 12 Jan 1996 08:18:37 -0500
Subject: Re: Breasts on AOL
Organization: University of Michigan EECS Dept., Ann Arbor, MI
References:

gmcgath@mv.mv.com (Gary McGath) writes:

At the time, I thought that AOL figured that flamewars increased usage of the system, while "dirty words" might drive people away, and thus that they were increasing their revenue by having this policy. But banning the word "breast" while allowing mildly dirty synonyms doesn't even have this kind of twisted logic to it.

Oh, there's a logic to it. It's the old "my right hand doesn't know what my left hand is doing" logic, though.

My speculation is that someone (some people?) on staff with AOL got complaints about obscenity in some areas, and thought that banning the use of certain words like "breast" would take care of that problem. It probably did. But it also created the host of other problems that they didn't anticipate (e.g. "breast cancer" becoming a forbidden term).

One time back in my undergraduate college days, the staff in the dorm in which I lived were trying to crack down on large parties for the usual reasons (noise complaints, illegal alcohol consumption, etc.).
The bright idea they had was to require every "party" to be registered with the staff, presumably to allow the staff advance notice of a bad situation. They defined a "party" as any gathering of 10 or more people.

No problem, right? Right ... except that there was a Jewish group which met occasionally to conduct services in one of the meeting rooms, and (forgive my goyim ignorance here) certain services require the presence of 10 adult men in order to be conducted. So this new "party" requirement meant that every time this group wanted to conduct a service, they had to register it. This seemed to be treading on 1st amendment territory (regulating the free exercise of religion), and so, the whole thing was dropped.

The point of the story? Mainly that some systems are so big that one doesn't realize the effect that a seemingly "small" change will have throughout the system.

--
Jim Huggins, Univ. of Michigan huggins@umich.edu
"You cannot pray to a personal computer no matter how user-friendly it is."
(PGP key available upon request) W. Bingham Hunter

------------------------------

From: anonymous@ixnews3.ix.netcom.com
Date: 12 Jan 1996 16:43:41 GMT
Subject: Re: Checking Account Status is Public

wrf@ecse.rpi.edu (Wm. Randolph U Franklin) wrote:

Every bank (and S&L etc) that I've checked with will tell you over the phone whether a check you're holding from one of their customers would clear if you deposited it. This means that if you know someone's account number, perhaps because they wrote you a check in the past, then you can call the bank, pretend to have a check from them for $X, and determine whether their balance is >=X.

I worked in a bank for seven months as a teller and I always thought that was a strange arrangement, and of course when I asked about it everyone thought I was some complete and utter paranoid...
What I think is a bigger problem for everyone's privacy is that for the most part the average bank customer has absolutely no patience for those relatively few policies that can offer some privacy protection. The number of times I had customers go ballistic on the phone when I refused to give out their account information (and these are customers who did not know me or me them) was shocking. Only slightly more puzzling was the amount of times I had people flip out when I asked them for ID when they wanted to cash a check...

All that being said I must admit that, having worked in a bank, I shudder to think just how available and accessible all our information is...

------------------------------

From: cnordin@vni.net (Craig Nordin)
Date: 13 Jan 1996 01:40:30 -0500
Subject: Re: Checking Account Status is Public
Organization: Virtual Networks
References:

I think http://www.cashmoney.com will point you towards a Belize Trust Account, which is much more secure.

Untraceable Credit Cards, Accounts, and other financial mechanisms which defy this kind of invasion of privacy.

------------------------------

From: peggy@cc.gatech.edu (Margaret P. Eisenhauer)
Date: 12 Jan 1996 12:07:49 -0500 (EST)
Subject: Cases on Disclosing Private Information

kkirk@compumedia.com said:

I am putting together an article on the 'new' issues of Client Server database access to corporate databases/warehouses. One of the major issues is security. [snip] What I'm looking for is actual, published and documented cases where a company or organization became liable either civilly or criminally for releasing information that is considered private and protected.

There's no privacy issue in the example, as the records were public to begin with... either public records or publicly available. People consider a lot of public information to be private, but this thought doesn't create a basis for liability.
There are cases (both civil and criminal) based on disclosure of truly private info, breach of confidentiality agreements, disclosure of legally-protected employment data, etc. To find examples, look for a (legal) basis for the case, such as a law or an agreement.

Also, there's been a case filed in Va by a name claiming that the sale of his name on a mailing list violates a Va privacy statute (Avarahami v. U.S. News and World Report). This case hasn't come to trial yet.

Hope this helps,

-- Peggy

------------------------------

From: AFAULKNE@142.36.138.3 (Andrew Faulkner)
Date: 12 Jan 1996 16:24:47 -0800 (PST)
Subject: Re: Canadian Social Insurance Number
Organization: BC Systems Corporation
References:

In article mbesosa@drake.prometric.com (Michael Besosa) writes:

Can someone point me to a source of information on the Net about the structure, validation, and permitted uses of the Canadian Social Insurance number?

http://vanbc.wimsey.com/~faulkner/sin_fact.html

--
Andrew Faulkner
Applications Analyst, BC Lands
Ministry of Environment, Lands and Parks
387-1146
Internet address: afaulkne@bclands.crl.gov.bc.ca

------------------------------

From: daveb@iinet.net.au (Dave)
Date: 13 Jan 1996 06:16:38 GMT
Subject: Re: Spy Viruses
Organization: iiNet Technologies
References:

bo774@freenet.carleton.ca (Kelly Bert Manning) wrote:

According to a CBC Radio "Quirks and Quarks" segment from a few weeks back a Vancouver company called "Absolute Software" is planning to offer a "PC Phone Home" product to deter or alleviate theft.

[snip]

The claim was that whatever is added in would look for a modem port and dial a special 1-800- number during idle periods, in such a way that it wouldn't be noticed by the user of the stolen system.
[snip]

I can't imagine an individual or a company with any concern about data confidentiality that would seriously consider putting something inside their boxes that is designed to surreptitiously dial out without the user knowing, and which has the added bonus of covertly dumping data over the phone line.

Sounds like another good reason to use an external modem. If my modem dials out, I get to hear it do so, and see the status lights twitch, in time to kill it if need be. I defy any software to defeat that.

--
Dave
PGP fingerprint = 20 8F 95 22 96 D6 1C 0B 3D 4D C3 D4 50 A1 C4 34

------------------------------

From: TOM ALCIERE <73151.3051@CompuServe.COM>
Date: 14 Jan 1996 15:13:02 GMT
Subject: Computers See ALL Your Postal Mail
Organization: CompuServe, Inc. (1-800-689-0736)

You send your Aunt Matilda a letter and address it to Aunt Matilda Smith, 123 Main St., Anytown NY 12345 and put a 32 cent stamp on it and mail it. The USPS machine picks up the ultra-violet reflection from the phosphorescent tagging on the stamps, which you can't see but stamp collectors can if they have a UV light for that purpose. Now the computer can "face" the letter and run it past a scanner.

Unlike your telephone bill, however, this letter has a HAND-WRITTEN address which the optical character recognition (OCR) machine cannot read. It is then referred to the remote bar code system (RBCS) and a computer takes a picture of it, sending it down the telephone line to a remote encoding center (REC) where data conversion operators (DCO's) sit and read the address and type in the necessary keystrokes. 12345 is sufficient to send it to the Anytown post office. Then the DCO is prompted to key "inward" info, 123MAIS for 123 Main St.

Supervisors take random samples which include hard copies of mailpiece images and show DCO's the ones with errors. These sheets stay in the DCO's file for a period of time.
All that's necessary to monitor Aunt Matilda is to command the RBCS to generate similar copies for anything keystroked 123MAIS12345.

Bring a letter with your return address ON THE BACK to a post office window and ask the clerk for a stamp. S/he will tell you to put the return address ON FRONT!!!

--
Tom Alciere
73151.3051@compuserve.com

------------------------------

From: JeanBernard_Condat@email.Francenet.fr (JeanBernard Condat)
Date: 21 Dec 1995 17:14:16 GMT
Subject: New Access Code for the French Electronic Directory
Organization: FranceNet

3611: new access code for the French electronic directory

The access code for the French email directory on the videotex network (via the Minitel terminal interface) changed on January 1st. The old one was "11". The new one will be "3611" with a new beautiful name: "les pages zoom."

France Telecom is currently beginning to unify all the codes, preparing the huge modification of October 16th. The three first minutes are free at this time. To do some listing with this file, France Telecom has developed the 3614 MARKETIS.

Internet users can access this service with the MinitelNet gateway (look at the http://www.minitel.fr, too).

To have a phone number you can dial "12" on the French phone system (cost: 5 UT = 3.6 FF or $.67), or dial freely from a public phone (same access number) or dial the " 711" on a portable phone... The user database will be the same... but the time of research of the information depends on the media used -|]

--
Jean-Bernard Condat
"On the Internet, everyone knows that you are a dog" [title of my next book]

------------------------------

From: Beth Givens
Date: 6 Dec 1995 13:20:09 -0800 (PST)
Subject: Caller ID Leakage?

Starting December 1, Calling Number ID is supposedly transmitted on ALL calls, local as well as long distance, as per a FCC ruling.
The one exception is for calls originating in California. (The California Public Utilities Commission has requested a 6-month waiver, until it has had the opportunity to accept or reject the local phone companies' education plans for alerting California consumers to the privacy effects of Caller ID.)

Rumor has it that some Caller ID data for California calls has somehow "leaked" out -- both in the past and since December 1st. But we have not been able to verify that.

If you have indeed seen California numbers on your Caller ID display devices, I'd appreciate hearing from you -- either via this forum or directly to my email address (bgivens@acusd.edu). If you don't mind divulging the first 6 digits of those numbers, that data would help track down the errant phone company switches.

Thanks.

Beth Givens                      Voice: 619-260-4160
Project Director                 Fax: 619-298-5681
Privacy Rights Clearinghouse     Hotline (Calif. only):
Center for Public Interest Law      800-773-7748
University of San Diego             619-298-3396 (elsewhere)
5998 Alcala Park                 e-mail: bgivens@acusd.edu
San Diego, CA 92110

------------------------------

From: "Declan B. McCullagh"
Date: 13 Jan 1996 11:44:03 -0500 (EST)
Subject: News from Zimmermann's Attorney

[snip]

And attached is a note from Phil Zimmermann's attorney.

---------- Forwarded message begins here ----------

From: "Philip L. Dubois"
Date: 12 Jan 1996 23:37:22 -0700
Subject: News Release

-----BEGIN PGP SIGNED MESSAGE-----

Yesterday morning, I received word from Assistant U.S. Attorney William Keane in San Jose, California, that the government's three-year investigation of Philip Zimmermann is over. Here is the text of Mr. Keane's letter to me:

"The U.S. Attorney's Office for the Northern District of California has decided that your client, Philip Zimmermann, will not be prosecuted in connection with the posting to USENET in June 1991 of the encryption program Pretty Good Privacy. The investigation is closed."

The U.S.
Attorney also released this to the press:

"Michael J. Yamaguchi, United States Attorney for the Northern District of California, announced today that his office has declined prosecution of any individuals in connection with the posting to USENET in June 1991 of the encryption program known as "Pretty Good Privacy." The investigation has been closed. No further comment will be made by the U.S. Attorney's Office on the reasons for declination. Assistant U.S. Attorney William P. Keane of the U.S. Attorney's Office in San Jose at (408) 535-5053 oversaw the government's investigation of the case."

On receiving this news, Mr. Zimmermann posted this to the Cypherpunks list:

- -----BEGIN-----

My lead defense lawyer, Phil Dubois, received a fax this morning from the Assistant US Attorney in Northern District of California, William Keane. The letter informed us that I "will not be prosecuted in connection with the posting to USENET in June 1991 of the encryption program Pretty Good Privacy. The investigation is closed."

This brings to a close a criminal investigation that has spanned the last three years. I'd like to thank all the people who helped us in this case, especially all the donors to my legal defense fund. Apparently, the money was well-spent. And I'd like to thank my very capable defense team: Phil Dubois, Ken Bass, Eben Moglen, Curt Karnow, Tom Nolan, and Bob Corn-Revere. Most of the time they spent on the case was pro-bono. I'd also like to thank Joe Burton, counsel for the co-defendant.

There are many others I can thank, but I don't have the presence of mind to list them all here at this moment. The medium of email cannot express how I feel about this turn of events.

-Philip Zimmermann
11 Jan 96

- -----END-----

I'd like to add a few words to those of my client. First, I thank Mr. Keane for his professionalism in notifying us of the government's decision.
It has become common practice for federal prosecutors to refuse to tell targets of investigations that the government has decided not to prosecute. I appreciate Mr. Keane's courtesy.

Let me add my thanks to the other members of the defense team-- Ken Bass in Washington D.C. (kbass@venable.com), Curt Karnow in San Francisco (karnow@cup.portal.com), Eben Moglen in New York (em21@columbia.edu), and Tom Nolan in Palo Alto (74242.2723@compuserve.com). Bob Corn-Revere in D.C. (rcr@dc1.hhlaw.com) was a great help on First Amendment issues. These lawyers are heroes. They donated hundreds of hours of time to this cause. Each is outstanding in his field and made a contribution that nobody else could have made. It has been an honor and a privilege to work with these gentlemen.

Mr. Zimmermann mentioned a lawyer named Joe Burton (joebur@aol.com) of San Francisco. Mr. Burton deserves special mention. He represented another person who was under investigation. To have made this other person publicly known would have been an invasion of privacy, so we didn't. We still won't, but we can finally acknowledge Mr. Burton's enormous contribution. Whether we were getting paid or not, the rest of us at least received some public attention for representing Phil Zimmermann. Mr. Burton labored quietly on behalf of his client. He took the case pro bono and did an extraordinary job. He is a lawyer who exemplifies the finest traditions of the Bar and the highest standard of integrity. I am proud to know Joe Burton.

The warriors at the Electronic Privacy Information Center (EPIC)-- Marc Rotenberg, David Sobel, and David Banisar-- and at the Electronic Frontier Foundation (EFF), Computer Professionals for Social Responsibility (CPSR), and the American Civil Liberties Union (ACLU) provided financial, legal, and moral support and kept the public informed. They continue to do so, and we all owe them thanks for it.
Those members of the press who recognized the importance of this story and told the world about it should be commended. Undeterred by the absence of sex and violence, these reporters discussed the real issues and in so doing served the public well.

Many other people, lawyers and humans alike, made invaluable contributions. My assistants Alicia Alpenfels, Suzanne Turnbull Paulman, and Denise Douglas and my investigator Eli Nixon kept us organized. Rich Mintz, Tom Feegel, and Nathaniel Borenstein of First Virtual put up a Web site and aggressively supported the Zimmermann Legal Defense Fund. Another site was built by Michael Sattler of San Francisco, and he and Dave Del Torto (also of S.F.) let me stay in their homes. Thanks also to MIT and The MIT Press: Hal Abelson, Jeff Schiller, Brian LaMacchia, Derek Atkins, Jim Bruce, David Litster, Bob Prior, and Terry Ehling. And there were many others.

Finally, I offer my thanks to everyone who contributed to the Zimmermann Legal Defense Fund. People all over the world gave their hard-earned money to support not only Phil Zimmermann's defense but also the cause of privacy. It is impossible to be too pessimistic about our future when there are so many of you.

Now, some words about the case and the future. Nobody should conclude that it is now legal to export cryptographic software. It isn't. The law may change, but for now, you'll probably be prosecuted if you break it. People wonder why the government declined prosecution, especially since the government isn't saying. One perfectly good reason might be that Mr. Zimmermann did not break the law. (This is not always a deterrent to indictment. Sometimes the government isn't sure whether someone's conduct is illegal and so prosecutes that person to find out.) Another might be that the government did not want to risk a judicial finding that posting cryptographic software on a site in the U.S., even if it's an Internet site, is not an "export".
There was also the risk that the export-control law would be declared unconstitutional. Perhaps the government did not want to get into a public argument about some important policy issues: should it be illegal to export cryptographic software? Should U.S. citizens have access to technology that permits private communication? And ultimately, do U.S. citizens have the right to communicate in absolute privacy?

There are forces at work that will, if unresisted, take from us our liberties. There always will be. But at least in the United States, our rights are not so much stolen from us as they are simply lost by us. The price of freedom is not only vigilance but also participation. Those folks I mention in this message have participated and no doubt will continue. My thanks, and the thanks of Philip Zimmermann, to each of you.

------------------------------

From: "Prof. L. P. Levine"
Date: 11 Jan 1996 16:51:47 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution.
As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors.

Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the Subject: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at gopher.cs.uwm.edu.

Web browsers will find it at gopher://gopher.cs.uwm.edu.

---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     |    and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Web: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V8 #006
******************************