Date: Tue, 23 Jan 96 14:07:16 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V8#008

Computer Privacy Digest Tue, 23 Jan 96              Volume 8 : Issue: 008

Today's Topics:                         Moderator: Leonard P. Levine

                     One Person's War on Junk Mail
                    Re: Unsolicited email Advertising
                        Medical Confidentiality
                           Keyboard Monitors
                US Customs and Social Security Numbers
                          Password Protection
                   Scientology wins Copyright Case
                            Re: Spy Viruses
                          Lotus [IBM] Blinks
                         Conferences / Events
                Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: Beth Givens
Date: 18 Jan 1996 13:18:21 -0800 (PST)
Subject: One Person's War on Junk Mail

A San Diego man, Bob Beken, recently won an interesting suit in Small Claims Court against Computer City involving unwanted mail solicitations.

He purchased some items at Computer City (owned by Tandy, which also owns Radio Shack and Incredible Universe) and paid by check. When he noticed the clerk keying his name and address into the computer at the checkstand, he asked if he was going to get any junk mail as a result. He was told 'no.' As a precaution, Beken took the check back and wrote a short contract on the back:

    "Computer City agrees NOT to place Robert Beken on any mailing list or send him any advertisements or mailings. Computer City agrees that a breach of this agreement by Computer City will damage Robert Beken and that these damages may be pursued in court. Further, that these damages for the first breach are $1,000. The deposit of this check for payment is agreement with these terms and conditions."

After some discussion with another clerk, Computer City accepted the check. In the ensuing months, Beken received four mail solicitations from Computer City. He wrote two letters in protest but received no reply. Beken then took his case to Small Claims court.
The judge agreed that a contract had been broken and awarded Beken $1,000 plus court costs of $21. Beken has since written a book (self-published) about his winning method.

Is this a significant victory? I think so. A court has agreed that a consumer has a right to say "no" to junk mail and to have the request honored. Perhaps this case, along with the Avrahami case, will serve as wake up calls to the direct marketing industry. Consumers want and deserve to be able to control what enters their mailboxes.

Your thoughts??

--
Beth Givens                        Voice: 619-260-4160
Project Director                   Fax: 619-298-5681
Privacy Rights Clearinghouse       Hotline (Calif. only):
Center for Public Interest Law        800-773-7748
University of San Diego               619-298-3396 (elsewhere)
5998 Alcala Park                   e-mail: bgivens@acusd.edu
San Diego, CA 92110

------------------------------

From: rj.mills@pti-us.com (Dick Mills)
Date: 19 Jan 1996 14:14:07 -0500
Subject: Re: Unsolicited email Advertising

donna@mildred.houston.tx.us (hyper-creatrix) wrote:

    can i add america online for allowing their clueless lot to do such things? i got a post recently from someone on aol whose screen name i didn't recognise, and i also didn't recognise any of the 30+ addresses/screen names in the remainder of the to: field. the sender, an aol looney, was asking me and the other recipients to effectively mailbomb a third party whose screen name i also didn't recognise. i complained to the postmaster and abuse daemons at aol. haven't heard anything since, but also the bozo hasn't sent any more junk mail to me.

    ...... that's a great solution; i'll add that to my retaliation! :) thanks for the tips!

Aren't we getting a little oversensitive, folks? Donna's complaint goes far beyond commercial spamming or advertising. She doesn't make any allowance for the sender simply getting the screen name wrong.

AOL allows up to 5 screen names per user, and they have lots of subscribers. Take any valid screen name and mis-type it somehow.
Because names are anything but randomly distributed, you may have a very high probability of hitting some third party's screen name by accident. It's annoying, just like wrong numbers on the phone, but it is not worthy of such anger or retaliation.

Even if the looney chose her name deliberately, what's the big deal? I get snail mail and email from political movements I oppose. What would we become if everyone decided to retaliate against the Democrats or Republicans because they sent you unwanted political material? The line of burglar wannabes outside the Watergate offices would be very long.

I can't imagine anyone reacting so strongly to a wrong telephone number, or to a misaddressed post card. Let's just apply the same standard of civility and tolerance in cyberspace.

--
Dick Mills +1(518)395-5154
AKA dmills@albany.net http://www.albany.net/~dmills

------------------------------

From: Robert Ellis Smith <0005101719@mcimail.com>
Date: 19 Jan 96 13:57 EST
Subject: Medical Confidentiality

If the current "medical confidentiality" proposal in Congress is enacted as is, a patient would be powerless to sue if an insider at a hospital browsed through medical files without a need to know, if a hospital released patient information to an information company it uses that had been cited for violations of federal laws on the management of personal information, if a hospital employee disclosed information to an authorized recipient in a format that could be easily intercepted (fax, e-mail, word-of-mouth, unsealed envelope), or if a doctor's assistant used patient information to harass a patient (perhaps by calling the patient's home).

The "immunity" provision of S. 1360 sponsored by Senator Bennett of Utah is one of the most troublesome parts of the bill. Deleting it would improve the bill tremendously in the interests of medical patients. Computer Privacy Digest subscribers should express their concerns to their Members of Congress and to Sen. Bennett.
--
Robert Ellis Smith
Publisher, Privacy Journal
Providence RI
0005101719@mcimail.com

------------------------------

From: "Prof. L. P. Levine"
Date: 19 Jan 1996 14:01:46 -0600 (CST)
Subject: Keyboard Monitors
Organization: University of Wisconsin-Milwaukee

What follows is a spam, but for a product that we should be aware of and warned about.

    SUBJECT:***KEYBOARD RECORDERS********

    ALSO KNOWN AS:Keyboard Grabber, Keyboard Key Logger, Keyboard Monitor, Keyboard Recorder.

    PURPOSE: Captures keystrokes and sends & saves them to a hidden file. Now you can keep a record of any keyboard activity on your computer. Monitor your computer at home or office.

    My private collection of keyboard recorders is yours for only $9.95. You will receive 18 different programs on a 3 1/2 disk.

    You'll get:KEYCOPY,KEYFAKE,KEYREAD,KEYTRAP,KEYREC,KEYLOGWN(Windows), HACKKEY,BAGKEYS,GETIT,PLAYBACK,ROBOKEY,RECORD,ENCORE, KCAP10,PTM229N,QWERTMAN,GKG,DEPL.

    Just send $9.95 plus $1.00 for shipping and handling to:

[moderator: sorry I seem to have lost the mailing address.]

------------------------------

From: "anonymous"
Date: 19 Jan 1996 14:01:46 -0600 (CST)
Subject: US Customs and Social Security Numbers

[To Moderator: to protect the privacy of the business I work for, and that of their customers, please remove my name and e-mail address if you decide to post this message. ]

[moderator: done.]

Over the past few weeks, there has been a lot of discussion on the use of SSN by businesses, employers and insurance companies.

I perform import and export for a Canadian company. The US Customs Proforma Invoices I have to fill out have a field for the consignees' IRS or Social Security #. I was told that the field has to be filled out - sometimes, goods get imported with no problem, but if US Customs feels like it, they can demand the information before releasing the goods, therefore causing delays.
Consignees which are businesses will have to provide their Employer ID to me; if they are individuals, their SSN must be used. I do not know what the implications of releasing a business' Employer ID are. But in any case, I find it rather intrusive for US Customs to ask for such info, since I am the one to obtain this info from the consignees.

Canadian Customs also requires businesses to provide their ID for customs clearance. But with the current system, Canadian businesses' IDs are the same as their GST registration number, which, by law, must appear on all invoices and receipts anyways - so there is no big deal. I have purchased many products from overseas personally, and I have never been asked for my Social Insurance Number for customs clearance.

Something to ponder ...

------------------------------

From: "anonymous"
Date: 20 Jan 1996 22:19:17 CST
Subject: Password Protection

[moderator: the poster requested anonymity.]

I work for a company that handles support for an online service. Previously, passwords were not available to anyone here -- we had to submit a request to the service's headquarters to have someone's password mailed to him. I recently found out that they now will be available to anyone here -- this includes ours (employees).

Supposedly the software in which contacts are recorded will record the ID of anyone who pulls up a member's password, but only if the contact is closed! The software won't let you exit without closing the contact, but this is so easy to circumvent that it's ridiculous. Simply turning off the PC or using someone else's PC while he's away is all that's necessary.

My concerns are twofold:

1) primarily, the ability of anyone at work to get my password and read my e-mail. This is the one that really freaks me...

2) the possibility that an employee could be wrongfully terminated when someone else pulled a password.

It seems like both companies are setting themselves up for lawsuits, and I wouldn't mind being the first if it means putting an end to this. I'd appreciate comments from any attorneys/ACLU folks/anyone familiar with privacy laws.

------------------------------

From: Declan McCullagh
Date: 20 Jan 1996 09:41:01 -0800 (PST)
Subject: Scientology wins Copyright Case

{The New York Times' web site is now online. It's a must-read. Check out: http://www.nytimes.com/}

The Scientologists won a battle, finally, and Helena Kobrin is crowing, predictably. Read the full article on the NYT web site; registration is free.

// declan@eff.org // My opinions are not in any way those of the EFF //

the following is a copy from http://www.nytimes.com/library/cyber/week/0120online.html

January 20, 1996

Placing Documents on Internet Violated Scientology's Copyrights, Judge Rules

By PETER H. LEWIS

A Federal judge ruled on Friday that a Virginia man had violated the copyrights of the Church of Scientology by posting confidential Church documents on the Internet, even though the material had been obtained from public court records.

[...]

In making her ruling, Judge Leonie M. Brinkema of United States District Court in Alexandria, Va., affirmed that the church holds a copyright on the documents and that Mr. Lerma infringed on the copyright by posting church documents without comment, criticism or other significant changes that would have constituted fair use.

She said the church was entitled to statutory damages and legal fees, which will be determined later.

------------------------------

From: morris@grian.cps.altadena.ca.us (Mike Morris)
Date: 22 Jan 1996 09:15:38 GMT
Subject: Re: Spy Viruses
Organization: College Park Software, Altadena, CA
References:

bo774@freenet.carleton.ca (Kelly Bert Manning) wrote:

    According to a CBC Radio "Quirks and Quarks" segment from a few weeks back a Vancouver company called "Absolute Software" is planning to offer a "PC Phone Home" product to deter or alleviate theft.

    [snip]

    The claim was that whatever is added in would look for a modem port and dial a special 1-800- number during idle periods, in such a way that it wouldn't be noticed by the user of the stolen system.

    [snip]

    I can't imagine an individual or a company with any concern about data confidentiality that would seriously consider putting something inside their boxes that is designed to surreptitiously dial out without the user knowing, and which has the added bonus of covertly dumping data over the phone line.

daveb@iinet.net.au (Dave) writes:

    Sounds like another good reason to use an external modem. If my modem dials out, I get to hear it do so, and see the status lights twitch, in time to kill it if need be. I defy any software to defeat that.

Many modems will accept the command ATL0 and shut off the speaker. ATL0=off, ATL1=soft, ATL2=normal, ATL3=loud on my old modem. Some ignore the ATL command set and reply OK to it whatever you send.

I can conceive of s/w that could determine a usage profile, then dial out in a projected "safe" period after turning the speaker off... (I am picturing a system that is left running 24hrs a day). That would allow a tattle-tale program to work....

I have my entire system on a Tripp-Lite Isobar 8-outlet strip, including the sound card speakers, external modem, printer(s), etc. When I am finished with the system, it is powered off totally.

--
Mike Morris morris@grian.cps.altadena.ca.us
#include I have others, but this works the best.
This message assembled from 100% recycled electrons (and pixels).

------------------------------

From: Monty Solomon
Date: 23 Jan 1996 00:20:53 -0500
Subject: Lotus [IBM] Blinks

Excerpt from BillWatch #33

LOTUS BLINKS IN INDUSTRY/NSA CRYPT STANDOFF

It's not clear why this hasn't made a larger impression on the net yet, because we think it's of crucial importance in the ongoing debate about cryptography.

For years since the original introduction of the Clipper Chip, the debate over cryptography has continued to gain momentum. Recently, the Administration, embarrassed by its defeat over the Clipper Chip proposal, put forth its Commercial Key Escrow proposal.

What is all the fuss about? It's about cryptography, and who has the right to encrypt information and who has the right to keep the key. Right now, you do, but that could all change. Think of cryptography as a really good front door on your house or apartment. The door key is yours to hold, isn't it? It's your right to give a copy to someone you trust, or if you choose, nobody at all.

The Administration contends that this is not so. With their "commercial key escrow" scheme, they contend that you shouldn't be able to build a door they cannot break down, but they also contend that they should be able to order you to give a copy of the key to a government-approved individual, so that they can come enter your house (with a warrant, of course) when they wish.

Industry, of course, panned this plan when it was proposed in late 1995, and continues to object to it. All the while, a standoff continues: the Administration refuses to allow cryptographic software with keys longer than 40 bits to be exported, and industry refuses to build Big Brother into their products.

And this is where the standoff stayed until last Wednesday, when Lotus blinked.

On Wed, Jan. 17th, 1996, Lotus announced that it had increased the key length of its International version of the Lotus Notes product to 64 bits.
They did this by building in a back door for the Administration to use to decrypt any international traffic that it might desire to read.

Although there are a lot of reasons why we think this is a terrible idea, the first one that springs to mind is the fact that the one public key that Lotus has embedded in all their software is a single point of failure for every International Lotus user throughout the world. Sure, this key is held with a high security clearance by the government, but then Aldrich Ames also had some of the most sensitive information available to him, and he proved untrustworthy.

After all, if $1.5 million can buy a CIA counter-intelligence agent, I wonder how much a Lotus Notes key escrow holder goes for these days?

You can find a copy of the Lotus press releases at http://www.lotus.com

------------------------------

From: cpsr-global@Sunnyside.COM
Date: 20 Jan 1996 01:19:08 -0800
Subject: Conferences / Events

Taken from CPSR-GLOBAL Digest 309

[CPD moderator: items have been removed.]

From: marsha-w@uiuc.edu (Marsha Woodbury)
Date: 19 Jan 1996 17:38:52 -0700
Subject: Conferences / Events (@)

CONFERENCE /EVENT SCHEDULE of interest to cpsr-global

Security, Privacy and Intellectual Property Protection in the Global Information Infrastructure, Canberra, AUSTRALIA, Feb. 7-8.
  Contact: http://www.nla.gov.au/gii/oecdconf.html

Computers, Freedom, and Privacy, M.I.T., Cambridge, MA, March 27-30, 1996.
  Contact: web.mit.edu/cfp96 cfp96-info@mit.edu

ACM's Special Interest Group on Computer-Human Interaction, Vancouver, BC, CANADA, April 14-18, 1996.
  Contact: http://www.acm.org/sigchi/chi96/ chi96-office@acm.org 410 263-5382 410 267-0332 (fax)

Visions of Privacy for the 21st Century: A Search for Solutions, Victoria, BC, CANADA, May 9-11, 1996.
  Contact: http://www.cafe.net./gvc.foi

Society and the Future of Computing (SFC'96), Snowbird, UT, June 16-20.
  Contact: rxl@lanl.gov http://www.lanl.gov/SFC

International Symposium on Technology and Society 1996 (ISTAS '96), Princeton University, Princeton, NJ, June 21-22, 1996
  Contact: istas@wws.princeton.edu 609 258-1985 (fax)

Australasian Conference on Information Security and Privacy, New South Wales, AUSTRALIA, June 24-26.
  Contact: jennie@cs.uow.edu.au

The Privacy Laws & Business, Cambridge, ENGLAND, July 1-3.
  Contact: 44 181 423 1300 44 181 423 4536 (fax)

Advanced Surveillance Technologies II. Ottawa, ON, CANADA, Sept. 17.
  Contact: pi@privacy.org

Data Protection and Privacy Commissioners, Ottawa, ON, CANADA, Sept. 18-20.
  Contact:

------------------------------

From: "Prof. L. P. Levine"
Date: 15 Jan 1996 18:40:39 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below.
On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors.

Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the Subject: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Web browsers will find it at gopher://gopher.cs.uwm.edu.

----------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     |    and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Web: gopher://gopher.cs.uwm.edu
----------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V8 #008
******************************