Date: Sat, 27 Jan 96 09:26:30 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V8#009

Computer Privacy Digest Sat, 27 Jan 96              Volume 8 : Issue: 009

Today's Topics:                         Moderator: Leonard P. Levine

    Re: Health Privacy Bill (S.1360)
    Re: Lotus [IBM] Blinks
    Re: Lotus [IBM] Blinks
    Re: One Person's War on Junk Mail
    Re: One Person's War on Junk Mail
    Re: One Person's War on Junk Mail
    Re: One Person's War on Junk Mail
    Re: One Person's War on Junk Mail
    New Hampshire Senate Considers Mandatory Drivers SSN
    S. 652: A Senator's Response
    Some Thoughts on Privacy in General
    White House E-mail Made Public
    Single Computer Breaks 40-bit RC4 in Under 8 Days
    Re: Keyboard Monitors
    Re: Unsolicited email Advertising
    Medical Records Privacy
    Straight Jacketing the Internet
    Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: Robert Gellman
Date: 23 Jan 1996 23:52:43 -0500 (EST)
Subject: Re: Health Privacy Bill (S.1360)

Robert Ellis Smith wrote:

    If the current "medical confidentiality" proposal in Congress is enacted as is, a patient would be powerless to sue if an insider at a hospital browsed through medical files without a need to know, if a hospital released patient information to an information company it uses that had been cited for violations of federal laws on the management of personal information, if a hospital employee disclosed information to an authorized recipient in a format that could be easily intercepted (fax, e-mail, word-of-mouth, unsealed envelope), or if a doctor's assistant used patient information to harass a patient (perhaps by calling the patient's home).

This is simply not true. The bill provides (Section 201) that a health information trustee (record keeper) may not disclose a medical record except as authorized under the bill.
The same section also provides that information may only be used or disclosed if the use or disclosure is compatible with or related to the purposes for which the information was obtained.

Smith's first example is a hospital insider browsed a record without a need to know. That is not an authorized purpose and is a violation of the bill and fully actionable. The bill also requires that there be a record of all non-treatment disclosures so that there would be evidence if improper disclosures were made. There is no such requirement today. If a hospital did not maintain the accounting for disclosures, it could be sued for that as well.

Smith's second example involves release to a company that had been cited for violations of information laws. The bill provides (Section 111) that a record keeper must establish and maintain appropriate administrative, technical, and physical safeguards to ensure the confidentiality, security, accuracy, and integrity of information. The release of information to a person who has demonstrated an inability to maintain it in accordance with law would be a violation of this requirement and fully actionable under the bill.

Smith's third example is if information is transmitted in a format that could be easily intercepted. This could also be a violation of the same security requirement in Section 111. And by the way, these kinds of disclosures go on today all the time. Try filing a lawsuit today and see where that gets you. If you can't show large damages, no lawyer will take your case.

Smith's fourth example is if a physician's assistant used information to harass a patient. This would not be an authorized use because it is not compatible with the purpose for which the information was obtained (section 201). This use would be fully actionable under the bill.

Further, in each of these cases, the successful plaintiff would be entitled to minimum damages of $5000, punitive damages, and attorney fees.
These are not necessarily available under existing statutes or under common law.

The bill gives no one immunity. It provides a statutory scheme that criminalizes lots of conduct that is not criminal today. It provides clearer and better civil remedies than are available today. Common law remedies are pie-in-the-sky. Their availability for 200 years has not prevented the medical establishment from passing around medical records with virtually no restrictions. That's why we need legislation.

I will agree that the bill in question needs a lot of work before it is worth passing. What it doesn't need is misinformation about its content.

+ + + + + + + + + + + + + + + + + + + + + + + + +
+ Robert Gellman rgellman@cais.com              +
+ Privacy and Information Policy Consultant     +
+ 431 Fifth Street S.E.                         +
+ Washington, DC 20003                          +
+ 202-543-7923 (phone) 202-547-8287 (fax)       +
+ + + + + + + + + + + + + + + + + + + + + + + + +

------------------------------

From: WELKER@a1.VsDeC.nL.nuwc.navy.mil
Date: 24 Jan 1996 09:46:22 -0400 (EDT)
Subject: Re: Lotus [IBM] Blinks

    The Administration contends that this is not so. With their "commercial key escrow" scheme, they contend that you shouldn't be able to build a door they cannot break down, but they also contend that they should be able to order you to give a copy of the key to a government-approved individual, so that they can come enter your house (with a warrant, of course) when they wish.

While the debate over who should hold the escrowed keys is a legitimate one, I must point out that some form of key escrow is essential as a practical matter in order for electronic documents to be legally binding. I think this more than anything else is why PGP is not much appreciated by the business community. We cannot permit electronic commerce wherein someone can claim "oops, I lost the key...sorry about your $1M".
[snip]

    After all, if $1.5 million can buy a CIA counter-intelligence agent, I wonder how much a Lotus Notes key escrow holder goes for these days? You can find a copy of the Lotus press releases at http://www.lotus.com

Consider the following positive impact (from the standpoint of the users): encryption of messages becomes the norm rather than the exception. Sure the government can intercept any particular message it wants, but it still has to break the 40-bit key of any message it wants to read. I can't say for sure, but I think this makes it logistically challenging for any government to try to scan all encrypted email traffic with a keyword search, for example. Further, persons who really wish to protect their data can layer a better encryption scheme on top of Lotus'. The third party is then forced to either admit that they are scanning the subject's mail (if it is a government and wants to subpoena the key), or live without knowing its contents. I think Lotus accomplishes far more to protect privacy in the long run by making it a standard practice to encrypt your mail than they lose by partially compromising a (not the) key.

Of course, none of this really matters, since encrypted Notes mail only flows within a single Lotus Notes network. If it has to pass through a mail gateway and be read by a recipient using the competition's products, it will cease to be encrypted -- no value for electronic commerce outside a single company or very tight business relationship. I don't see how there can be any kind of realistic electronic commerce at the international level without the cryptosystem being in the public domain (or at least dirt cheap).
------------------------------

From: jfh@acm.org (Jack Hamilton)
Date: 25 Jan 1996 03:06:37 GMT
Subject: Re: Lotus [IBM] Blinks
Organization: kd6ttl
References:

Monty Solomon wrote:

    Although there are a lot of reasons why we think this is a terrible idea, the first one that springs to mind is the fact that the one public key that Lotus has embedded in all their software is a single point of failure for every International Lotus user throughout the world.

It isn't clear to me from the press release that there will be only one public key. There could be one per country, or one per license. That would increase security somewhat. But not to the point that I would buy Notes if I wanted security.

I wonder why Lotus/IBM doesn't include a user exit, allowing an administrator to use PGP or ViaCrypt or whatever other encryption mechanism they want.

--
Jack Hamilton jfh@acm.org

------------------------------

From: fyoung@oxford.net (F Young)
Date: 24 Jan 96 22:04:54 EST
Subject: Re: One Person's War on Junk Mail

Beth Givens reports:

    A San Diego man, Bob Beken, recently won an interesting suit in Small Claims Court against Computer City involving unwanted mail solicitations. Perhaps this case, along with the Avrahami case, will serve as wake up calls to the direct marketing industry. Consumers want and deserve to be able to control what enters their mailboxes. Your thoughts??

I've never been through a time when I got so upset about junk mail that I would go through the trouble of writing a "contract" such as that of Mr. Beken, or sue the marketer in court. Personally, I'm more upset on fax advertising or the long and windy unsolicited e-mail as it costs me money to receive them. Long e-mails could also potentially fill up my mailbox and cause important messages to get bounced. I realize more and more communities charge curbside garbage pickup by the bag, and I can see a concern on junk mail there.
I find the fact that my name and address (and other personal info) are being sold for profits or otherwise exchanged with unknown third parties much much more troubling than the actual pieces of unsolicited mail I receive.

Although I can't wait for someone to try that in Canada and set a precedent ...

------------------------------

From: bo774@freenet.carleton.ca (Kelly Bert Manning)
Date: 25 Jan 1996 05:01:18 GMT
Subject: Re: One Person's War on Junk Mail
Organization: The National Capital FreeNet
References:

Beth Givens (bgivens@pwa.acusd.edu) writes:

    A San Diego man, Bob Beken, recently won an interesting suit in Small Claims Court against Computer City involving unwanted mail solicitations. He purchased some items at Computer City (owned by Tandy, which also owns Radio Shack and Incredible Universe) and paid by check. When he noticed the clerk keying his name and address into the computer at the checkstand, he asked if he was going to get any junk

Should we draw the conclusion that he didn't give the address and it was read from the cheque?

I ran into what may be a variation on that the last time I paid my car insurance. The clerk wanted to know "is there a phone number" because I didn't write one on the form. When she noticed I was paying by cheque she perked up and grabbed it, only to turn up the corners of her mouth when she saw that it only had my name on it, with no address or phone number.

I used the same cheques for buying the vehicle and didn't get any sort of hassle.

What is sort of annoying is that the telco writes in my phone number on the rare occasions I pay them by cheque.

I had fun with the cableco a while back when their office was locked during a strike. I sent them a cheque for the amount I was paying, without the statement. They returned it to the bank branch for forwarding to me. Guess the management types trying to keep the cash flow going didn't know how to do a name search.
--
notice: by sending advertising/solicitations to this account you will be indicating your consent to paying me $70/hour for a minimum of 2 hours for my time spent dealing with it

------------------------------

From: David & Kirsten Lichty
Date: 25 Jan 1996 10:56:15 GMT
Subject: Re: One Person's War on Junk Mail
Organization: zNET

Hello,

This is a subject I've spent some time on. My favorite response is to stuff their postage paid envelope full (really, really full) of all of the stuff they sent me at a postage rate I subsidised. When it goes back to them it is usually over the first class 1 oz. rate. This requires someone at the company to come up with postage due to receive it. In most companies this is enough of a hassle that a manager or at least a supervisor becomes involved. In the envelope with their junk is my request to be dropped from their list. It is still slow, but I've gotten off of most of the un-wanted lists.

Another trick, I use different middle initials or invent a "dept. no." for various responses. With a little record keeping, I can tell who is selling my name. And with a mini-contract as you described this could become interesting. Thanks for the posting.

--
David
San Diego, CA

------------------------------

From: Dan Langille
Date: 26 Jan 1996 12:57:20 GMT
Subject: Re: One Person's War on Junk Mail
Organization: DVL Software Limited
References:

Beth Givens wrote:

    Is this a significant victory? I think so. A court has agreed that a consumer has a right to say "no" to junk mail and to have the request honored. Perhaps this case, along with the Avrahami case, will serve as wake up calls to the direct marketing industry. Consumers want and deserve to be able to control what enters their mailboxes. Your thoughts??

I think not. I always understood it to be the case that asking not to receive unsolicited material meant the sender must cease. If I am mistaken, then I would agree with you that the case is significant.
Otherwise, it's just an example where someone really mucked up and Mr Beken was smart enough to know how to take advantage of what he thought was going to happen. Good on him.

--
Dan Langille
DVL Software Limited

------------------------------

From: horowitz@nosc.mil (Alan M. Horowitz)
Date: 27 Jan 1996 01:08:57 GMT
Subject: Re: One Person's War on Junk Mail
Organization: NCCOSC RDT&E Division, San Diego, CA
References:

Beth Givens writes:

    Consumers want and deserve to be able to control what enters their mailboxes. Your thoughts??

Why do you have a general right to stop me from sending mail to you? If I harass you by mail, I am committing a crime (already on the books), and you have a right to file a complaint - as long as you are honest enough to do so under penalty of perjury.

You are welcome to _contract_ with me to prevent me from sending mail to you. You have to give a consideration to me, of course, or I am not likely to enter into such a contract.

Every time I hear the word "consumer" I wince my eyes. Another do-gooder run amuck, wanting to distort the marketplace's civil remedies. Funny how the do-gooder finds a way to latch onto a paid position as an "activist", in his scheme. Where _did_ Ralph Nader get 2 million dollars for that Washington townhouse he lives in ?!?

------------------------------

From: David Marston
Date: 24 Jan 1996 23:18:01 -0500 (EST)
Subject: New Hampshire Senate Considers Mandatory Drivers SSN

There is a bill about to be heard by New Hampshire's Senate Transportation Committee that would require criminal background checks for all vehicle registrants, new or renewal. "Wanted felons" would be denied registration, and presumably be arrested. The same bill would also delete provisions that allow applicants for driver's licenses to request that their Social Security Number (SSN) and digitized picture not be kept in the database at the Department of Safety (the licensing agency).
The bill has no verbiage stating a grand purpose, but we can reasonably deduce from its effects that it is supposed to constrain the ability of wanted criminals to remain at large. Note: the State Police is another division of the Department of Safety, so it is closely tied to the Division of Motor Vehicles. The DMV authorities would no longer have discretion to check if a person is wanted, but would have to check every applicant through the National Crime Information Center or the National Law Enforcement Telecommunications System. Fees are increased to pay for that processing.

The bill requires that all drivers supply their SSN. Apparently, the sponsoring senators believe that such a requirement somehow makes it harder for wanted criminals to hide their identity. In fact, it increases the likelihood that a lying applicant will cause grief for an innocent person by appropriating his/her SSN. Bureaucratic typos and mistakes would also ensnare the innocent. And as we computer people know, numbers have an allure to the lazy bureaucrat, because they appear to make it easy to have a positive match with the target person. Thus, names and other identifying characteristics are felt to be less reliable or harder to use once the allegedly distinct number is available.

The bill is Senate Bill 608-FN-Local, which can be abbreviated to SB 608. Comments will be taken at a public hearing on Wednesday, January 31, 1996, at 9:30 AM in Room 102 of the Legislative Office Building, which is directly behind the State House (Capitol) in downtown Concord, NH. If you are a New Hampshirite who can't attend, you can give your opinion to your state senator. Sponsors of this bill are Senators Roberge and Colantuono; if you are in the district represented by either one, you may want to express your opposition to their opponents in this Fall's elections as well.

--
David Marston

------------------------------

From: Mike Hales
Date: 24 Jan 1996 22:24:02 -0700
Subject: S. 652: A Senator's Response
Organization: Smoke-N-Mirrors

The following is a response to my letter, including my comments, to the gentleman from Idaho:

Note: This response is being mailed and posted to several newsgroups. I do not consider this a breach in 'Netiquette, as it is not a personal communication. Rather this is a communication between a citizen and his elected representative and reflects the views of said representative, which are and should be in the public domain.

Dear Senator Craig,

Thank you for responding to my letter. While it is apparent that we hold similar views on the First Amendment Issue, I fear that the importance of this issue is being seriously downplayed. This causes me great concern. Please follow below and note my comments. (I am sorry that I am not more eloquent, so must resort to line-by-line commentary to your response.)

Larry_Craig@craig.senate.gov wrote:

    Thank you for contacting me regarding Senator Exon's amendment to the Telecommunications Competition and Deregulation Act (S. 652). I appreciate having the benefit of your thoughts. This amendment received broad bipartisan support in the Senate and

It was a knee-jerk reaction to a college student's badly researched paper. This paper, and the issues it addressed, was picked up by Time magazine and others and played nationwide. It was *not* checked for accuracy, nor was the factual data verified (and found inaccurate) until later. The paper was THOROUGHLY DEBUNKED upon peer review. And, just because it "received broad bipartisan support" doesn't mean it is right. Did you research the issue? Did your staff? What do you really know about the "Internet"?

    speech and has upheld restrictions on its transmission through other media. Furthermore, our nation has a long history of permitting extraordinary actions when the vulnerability of children is at stake as well.

Here you admit it is "extraordinary action...".
Let me submit to you that the information "readily available" on the Internet is no more so than that available at my local convenience or video rental store. In fact, my son came home the other day with a story of how he and his friends found some videocassette covers that apparently contained sexually-explicit material. His description of the covers was very graphic. Does this mean we must "regulate" the alley? The trash-collection agency? After all, this material was deposited in a trash can for pickup by the contractor, yet freely available to anyone who came along. In this case, my children came along and discovered them. Do I hold the City of Boise liable because they provided the "pipeline" for this material?

    In my view, this measure represents the best attempt yet to prevent the stalking, harassment, and abuse of children and others by those who use technology to prey on their victims. I welcome any further ideas, suggestions, or improvements to this legislation by anyone with a desire to protect those who are vulnerable to the Internet's darker side.

The stalking, harassment, and abuse you speak of is prevalent throughout our society, not just on the Internet. Further, the "Internet" is not the same entity as the "bulletin boards" that Time and others so eagerly attached all this hysteria to. (I sincerely wish that I could spend a day with you and show you what the Internet is *really* all about.) We, as a society, have taken measures to address these issues. There are laws already in place to provide the safeguards we seek, and they don't infringe on the rights (moral judgements aside) of consenting adults. While your point about the Court holding that obscene material is not protected speech is valid, the infringements upon what *is* protected is another issue.
What this bill and other ill-conceived and poorly thought out legislation fails to take into account is that it would unduly infringe on many more law-abiding individuals than it would serve to deter. Therefore, it will be tossed out by the Supreme Court and we will all have wasted a great deal of time and money on this non-issue. Better than trying to get a balanced budget, I suppose...

Perhaps more important than all of the above; we Americans are conveniently ignoring one glaring fact. The Internet is, as the name implies, *International*. Whatever regulations we decide to put on it will be conveniently ignored by the rest of the world. In reading posts from international "netizens", it is painfully obvious that most of the world is looking on in awe and disdain at our simplistic and stupid view of this and other issues. "Why don't they educate their children and guide them in their daily choices?" "No, they give them money and send them to the mall to mouth obscenities at the shoppers."

NOW, LET'S CUT TO THE CHASE:

This issue is *not* about "protecting the children" (you sound like Bill "I Feel Your Pain" Clinton). What I suspect is that you know what a threat to the existing power structure the Internet really is. Finally, real, everyday people will have a way to express their opinions worldwide; freely, inexpensively, and without any kind of filtering. Facts, and *opinions* of those facts, will become known instantly to everyone and debated fiercely and freely. (Not subject to editorial review by those who own the printing presses and transmitting stations.) There will be no place to hide. How un-American!

Please sir, convince me that it is otherwise, for I perceive the American political parties are kowtowing as usual to special interests and powerful fringe groups. As they say, "Every picture tells a story":

"The information superhighway is a revolution that in years to come will transcend newspapers, radio, and television as an information source.
Therefore, I think this is the time to put some restrictions on it."
- U.S. Senator James Exon -

Can you tell me the gentleman doesn't have a hidden agenda? He doesn't say anything about the children here. What he says is that we can't allow *information* to be *uncontrolled* ("restrictions on it..."). This is the same kind of "for the good of all" statements Hitler started with...

Thank you for your time and interest in my concerns.

Sincerely,

--
Mike Hales
1905 Shone Street
Boise, ID 83705
mhales@primenet.com

------------------------------

From: ingramm@Cognos.COM (Mark Ingram)
Date: 25 Jan 1996 15:20:17 GMT
Subject: Some Thoughts on Privacy in General
Organization: Cognos Incorporated, Ottawa CANADA

I know how hard it is to keep a debate going in a mailing list, but I have to try to get this out, so here goes ...

The first point I would like to make is that there is no real problem with having no privacy -- unless you are a criminal, of course. I have come across many cliches and supposed pearls of wisdom that all allude to this: "Secrets will out." "If thou wouldst cast the mote from another's eye, first cast the beam from thine own." Etc. (additions welcome)

I was first going to attempt to justify this assertion with a vaguely religious argument, you know, God knows everything about you, so there can't really be anything wrong with knowing everything about someone else ... but I was led inescapably to the issue of intent -- of course there's nothing wrong with God knowing everything, because God won't do anything evil with that knowledge! So it's a specious argument.

However, in a truly public (non-private? aprivate? deprived (:-)?) world, there isn't even a problem with intentions (or so I assert). Let us take a worst-case example, or at least one that I know, the stalking issue. Let's say that solely because your address was known, someone hunted you down and killed you.
But in a world of no privacy, the killer's location and actions are known, and we can presume that redress will be swift and permanent! I know, this offers little comfort to your corpse, but I think most would admit that unless you want to live in a world of dull scissors and nerf hammers, anyone can kill anyone else at any time; and the only thing that can stop it (and in my opinion, the only thing that should) is the unwillingness of the killer to face the consequences. So the fact that there is no privacy is a boon, in this case.

I submit that *all* supposed invasions of privacy are similar to this example. Person A knows something about person B, and performs action C as a result. If the action is unjustified, person B has redress; and if it is justified, why should person B complain?

The real problem with a lack of privacy, as I see it (and I see it growing every day -- at a hyper-exponential rate), is when it is one-way. There are people, and organizations, that know things about me, and I know *nothing* about them. I don't even know what they know about me!

So, the next time someone asks you for some personal information, don't feel invaded -- feel shut out! They have access to mountains of fascinating information, and you have bupkis ...

Any and all replies, followups, comments, and criticisms gratefully received.

--
Mark Ingram ingramm@cognos.com

------------------------------

From: 74231.1231@compuserve.com (Feng Ouyang)
Date: 25 Jan 1996 15:48:19 GMT
Subject: White House E-mail Made Public
Organization: CompuServe Incorporated

I just heard an interview on PBS, talking about a new book on White House staff E-mail messages that were released to public after a "freedom of information" lawsuit. I have a few questions that I think worth pondering.

1. When the staff members (of Reagan and Bush administration) wrote the E-mail they did not expect it to be made public. Is it fair to have the court decision applied to those messages (retroactive)?

2. I believe not all conversations and telephone calls in the White House are public records. So why E-mail? In a more general term, if some form of private communication is allowed in the Government, why exclude E-mail from that?

3. Where does public access end? For example, if the staff members decided to subscribe to CompuServe so they can exchange messages outside of the White House computer system, will these accounts later be subjected to public disclosure? Does it matter whether these accounts are paid for by the Government or by the individuals? Does the public have the right to inspect personal records of the staff members to detect the existence of such E-mail accounts?

4. Unlike hard copy memos or letters, E-mail is easy to tamper with or even fabricate. That is why, if I understand correctly, E-mail cannot be used for legal documents. Now how can one judge the accuracy of E-mail as public record? What right do the authors or involved party have when they question the authenticity of the message?

Hope you find these questions interesting.

--
Feng Ouyang 74631.1231@compuserve.com

------------------------------

From: Monty Solomon
Date: 26 Jan 1996 01:13:02 -0500
Subject: Single Computer Breaks 40-bit RC4 in Under 8 Days

Begin forwarded message:

From: daveg@pakse.mit.edu (David Golombek)
Date: 18 Jan 1996 20:45:33 -0500
To: cypherpunks@toad.com
Subject: Single computer breaks 40-bit RC4 in under 8 days

MIT Student Uses ICE Graphics Computer To Break Netscape Security in Less Than 8 Days: Cost to crack Netscape security falls from $10,000 to $584

CAMBRIDGE, Mass., January 10, 1996 -- An MIT undergraduate and part-time programmer used a single $83,000 graphics computer from Integrated Computing Engines (ICE) to crack Netscape's export encryption code in less than eight days. The effort by student Andrew Twyman demonstrated that ICE's advances in hardware price/performance ratios make it relatively inexpensive -- $584 per session -- to break the code.
While being an active proponent of stronger export encryption, Netscape Communications (NSCP), developer of the SSL security protocol, has said that to decrypt an Internet session would cost at least $10,000 in computing time.

Twyman used the same brute-force algorithm as Damien Doligez, the French researcher who was one of the first to crack the original SSL Challenge. The challenge presented the encrypted data of a Netscape session, using the default exportable mode, 40-bit RC4 encryption. Doligez broke the code in eight days using 112 workstations.

"The U.S. government has drastically underestimated the pace of technology development," says Jonas Lee, ICE's general manager. "It doesn't take a hundred workstations more than a week to break the code -- it takes one ICE graphics computer. This shuts the door on any argument against stronger export encryption."

Breaking the code relies more on raw computing power than hacking expertise. Twyman modified Doligez's algorithm to run on ICE's Desktop RealTime Engine (DRE), a briefcase-size graphics computer that connects to a PC host to deliver performance of 6.3 Gflops (billions of floating point instructions per second). According to Twyman, the program tests each of the trillion 40-bit keys until it finds the correct one. Twyman's program averaged more than 830,000 keys per second, so it would take 15 days to test every key. The average time to find a key, however, was 7.7 days. Using more than 100 workstations, Doligez averaged 850,000 keys per second.

ICE used the following formula to determine its $584 cost of computing power: the total cost of the computer divided by the number of days in a three-year lifespan (1,095), multiplied by the number of days (7.7) it takes to break the code.

ICE's Desktop RealTime Engine combines the power of a supercomputer with the price of a workstation.
Designed for high-end graphics, virtual reality, simulations and compression, it reduces the cost of computing from $160 per Mflop (millions of floating point instructions per second) to $13 per Mflop. ICE, founded in 1994, is the exclusive licensee of MeshSP technology from the Massachusetts Institute of Technology (MIT).

###

INTEGRATED COMPUTING ENGINES, INC.
460 Totten Pond Road, 6th Floor
Waltham, MA 02154
Voice: 617-768-2300, Fax: 617-768-2301

FOR FURTHER INFORMATION CONTACT:
Bob Cramblitt, Cramblitt & Company (919) 481-4599; cramco@interpath.com
Jonas Lee, Integrated Computing Engines (617) 768-2300, X1961; jonas@iced.com

Note: Andrew Twyman can be reached at kurgan@mit.edu.

------------------------------

From: Dan Langille
Date: 27 Jan 1996 00:52:26 +1300
Subject: Re: Keyboard Monitors
Organization: DVL Software Limited
References:

Prof. L. P. Levine wrote:

    What follows is a spam, but for a product that we should be aware of and warned about.

    SUBJECT:***KEYBOARD RECORDERS********

My classmates and I used to do such things at university back in the early '80s. It was fairly straightforward. You'll also be pleased to know that most of the recent operating systems don't allow such things.

    [moderator: sorry I seem to have lost the mailing address.]

Gee. I wonder how that happened... ;)

--
Dan Langille
DVL Software Limited

------------------------------

From: Dan Langille
Date: 26 Jan 1996 13:04:48 GMT
Subject: Re: Unsolicited email Advertising
Organization: DVL Software Limited
References:

Dick Mills wrote:

    I can't imagine anyone reacting so strongly to a wrong telephone number, or to a misaddressed post card. Let's just apply the same standard of civility and tolerance in cyberspace.

Honest mistakes I have no problem with. But I have never received an eMail which was incorrectly addressed. And I have never received a phone call which was to a wrong number and which was trying to sell me something.
I suppose it's just that most people do not want to see junk mail on the Internet. Commercial information yes. But not in newsgroups nor in eMail.

One exception: if you ask a question in a newsgroup about widgets, I feel it is acceptable for you to then receive eMail from a company that sells widgets. You asked for it. You got it.

--
Dan Langille
DVL Software Limited

------------------------------

From: fisherdcb@aol.com (Fisher DCB)
Date: 26 Jan 1996 23:57:09 -0500
Subject: Medical Records Privacy
Organization: America Online, Inc. (1-800-827-6364)

i'm a reporter for a group of television stations. i'm doing a story on computerized medical records and whether safeguards are adequate. does anyone know of people who have had experiences they might be willing to share? please respond to above e-mail address....or call 202 783 0322

------------------------------

From: "Declan B. McCullagh"
Date: 25 Jan 1996 14:38:50 -0500 (EST)
Subject: Straight Jacketing the Internet

NEWS ANALYSIS: TELECOM REFORM +
by Craig A. Johnson
American Reporter Correspondent
Washington, D.C.
1/22/96

CONGRESS STRAIGHT-JACKETS THE NET
by Craig A. Johnson
American Reporter Correspondent

WASHINGTON -- Chief House and Senate telecom conference negotiators are set to squeeze the Internet into yet another regulatory rathole.

Conference leaders are attempting to attach further "de-regulatory" restrictions to the conference committee's draft telecom bill that will remove guarantees for access and interconnection, and permit telecom companies to price Net services in ways which seem defensible only to the special interests which crafted the provisions.

Fresh from the "indecency" defeat, Net lobbyists and public interest groups barely caught their breath before a new "red tide" of restraints appeared in the draft conference bill language.

Though Netheads in Washington, such as D.C.
Internet Society Chair Ross Stapleton-Gray, reassure us that the Internet will remain "pretty much the way it is now," and that neighborhood Internet service providers (ISPs) will generally be able to offer access at continuing competitive rates, insiders who have studied the language of the bill have grave concerns about how the Internet of the future will look.

A senior counsel on the Senate Justice Committee told the American Reporter last week that new draft changes will put back into the bill the original Cox-Wyden language (AR, No. 65) that would have prohibited the FCC from "economically regulating" the Internet. "Nobody really knows what this means," the source said.

In a style now familiar to reporters covering the telecom bill, House Commerce Committee Chairman Tom Bliley (R-VA) prefers critical conference decisions to be made in the dark corners of Capitol offices and meeting rooms as far away from open committee meetings as possible.

A "signature sheet" is presently being substituted for open discussion and debate. This assures that so-called "technical" changes and at least one "substantive" change to the draft telecom bill, according to Senate Commerce Committee staffers, can proceed without conferees understanding too much about what the changes really mean.

The proposed language prohibiting the FCC from economically regulating the Internet is doubly ironic in that it was not part of the Cox-Wyden measure, which overwhelmingly passed the House on a vote of 420-4, and an FCC role for "describing" measures to regulate Internet "content" is positively sanctioned in the draft language.

Title V of the bill, "Broadcast Obscenity and Violence," classifies the Internet as equivalent to a broadcast facility and regurgitates the now familiar criminalization of speech measure inserted into the bill by the Christian Coalition's poster boy, House Judiciary Chairman Henry Hyde (R-IL).
Hyde, always eager to please fundamentalists, rammed his amendment through the House conference caucus on a razor-thin vote (AR No. 174) of 17 to 16, with members saying later that they did not understand the implications of what they voted for. This change in the House language brought it into line with the Exon "indecency" clause in the Senate bill.

Part of this regulatory cowpie is thrown into the FCC's lap (whose budget of course is chopped by the Congressional-deficit boys). The bill states: "The Commission may describe measures which are reasonable, effective, and appropriate to restrict access to prohibited communications..."

But, while permitting the FCC to "describe" such measures, the bill expressly states that the agency has "no enforcement authority over the failure [on the part of providers or users] to utilize such measures."

This part of the bill is a honey-trap for litigators. Placing the FCC solely in an advisory role literally ensures that all of the interpretation, implementation, and enforcement will be undertaken by the courts and the Department of Justice. Of course, numerous individual and organizational users and providers will get caught in the cross-fire.

Other measures tucked away in the telecom bill's turgid prose seem to have escaped the scrutiny of many self-styled Internet defenders, protectors, and aficionados.

Interconnection and equal access have barely passed the lips of Net mavens in connection with the telecom bills, yet these provisions in the draft bill could leave Net providers out in the cold without protection from gusts of corporate capriciousness.

The draft bill states that "each telecommunications carrier has the duty to interconnect directly or indirectly with the facilities and equipment of other telecommunications carriers" as well as the duty to provide "to any other telecom carrier" interconnection and "nondiscriminatory access to network elements on an unbundled basis..."
What are "network elements," and why is "interconnection" important? The House telecom bill, H.R. 1555, clearly spelled these out, prior to its re-write by the conference committee.

In the language of H.R. 1555, "a local exchange carrier" had to offer to those providing "a telecommunications service or an information service, reasonable and nondiscriminatory access on an unbundled basis ... to databases, signalling systems, poles, ducts, conduits, and rights-of-way ... or other facilities, functions, or information ... integral to the efficient transmission, routing, or other provision... that is sufficient to ensure the full interoperability of the equipment and facilities..." of those seeking such access.

But, the conferees, under pressure from the Regional Bell Operating Companies (RBOCs) removed guarantees of access and interconnection to providers of "information services," which include Internet service providers.

In plain English, these changes in the bill mean that ISPs, online service providers, and any other interactive "information service" providers dependent upon telecom networks must worship at the altar of the Bell companies in order to attain "interconnection" and "equal access," two vital functions of communications which this bill was supposed to guarantee and enshrine for the information-centered future.

In even plainer English, they mean that carriers can play with Net providers like tigers playing with their prey. As providers of the critical conduits to Internet backbones, local exchange carriers under the provisions of the bill can essentially charge information services whatever the market will bear, thus potentially maiming or killing off small- to medium-sized ISPs.

The carriers can also promote sweetheart deals with corporate monoliths such as Microsoft, TCI, AT&T, MCI, and Time Warner for access at discounted rates, as determined by volume or a similar measure.
They can underprice, overprice, or offer no prices, since information service providers are stripped of all guarantees as the draft law is currently written.

These are rather extreme visions. The reality is that discretionary pricing may well take place, but the Internet backbone's national service providers (NSPs) are working with the Commercial Internet Exchange (CIX), the Internet Society and others to ensure that draconian results do not obtain.

Corporate strategy is rapidly developing which will allow traditional providers control over Internet access and provision. Diversity will hang on a while longer but the wind is clearly blowing in the direction of conglomeration and concentration -- in no small part because telcos in the U.S. are rapidly grasping the fact that long-term marginal costs for local calls are moving toward zero.

Pricing is increasingly geared toward the content that is accessed, rather than transport costs. Carriers are restructuring in order to dominate the markets for content provision.

The threat to small- to medium-sized ISPs as well as other small businesses providing information services is real. The conference committee draft already anticipates the problem. The title of its Kafkaesque Section 257, "Market Entry Barriers Proceeding," calls for remedial action by the FCC for anti-competitive conditions which the bill may actively foster.

It stipulates that "within 15 months after the date of enactment," "the FCC shall complete a proceeding for the purpose of identifying and eliminating ... market entry barriers for entrepreneurs and other small businesses in the provision and ownership of telecommunications services and information services, or in the provision of parts or services to providers of telecommunications services and information services."
The FCC is supposed to complete this proceeding using criteria which will favor "diversity of media voices, vigorous economic competition, technological advancement, and promotion of the public interest, convenience, and necessity." The next FCC review would not come for three years, thus placing an enormous burden on the agency to get it right in its first rulemaking proceeding. In the fast-moving communications world, a three-year lag time can be equivalent to setting policy in stone. Apparently, for the conference leadership, having the beleaguered FCC take on additional burdens is more palatable than taking the Congressional responsibility of rectifying the problem in law, and thus risk flying in the face of powerful interests filling campaign coffers. However, in the most unkind cut of all, the bill managers in this Kafka-like castle on the Hill intend to strip the FCC of economic regulatory authority over the Internet, thus rendering the above provision moot. The FCC will have no power to redress market entry barriers such as distorted conditions for interconnection and access, or skewed pricing, if the rider on the "signature sheet" currently circulating makes its way into the bill. This outcome, depending on its specific language, could well impact Internet access to schools, hospitals, and libraries. The bill requires telecommunications carriers to provide "any of its services that are within the definition of universal service" to schools and libraries at reduced rates. But, if the above qualification goes into effect, the definition of "universal service" could not include the Internet because it could not be "economically" regulated by the FCC as a "universal service." Net pricing for schools, hospitals, and libraries may therefore be up for grabs in a free-for-all commercial environment. 
In a bill which is a patchwork of compromises between industry giants, this Congress insists on behaving recklessly and destructively with regard to the Internet and its constituency. And, many of the conferees, as the old saw goes, appear to not "have the sense to pound sand in a rathole."

-30-

* * *

The American Reporter
Copyright 1996 Joe Shea, The American Reporter and Craig A. Johnson
All Rights Reserved

The American Reporter is published daily at 1812 Ivar Ave., No. 5, Hollywood, CA 90028 Tel. (213)467-0616, by members of the Society of Professional Journalists (SPJ) Internet discussion list. It has no affiliation with the SPJ. Articles may be submitted by email to joeshea@netcom.com. Subscriptions: Reader: $10.00 per month ($100 per year) and $.01 per word to republish stories, or Professional: $125.00 per week for the re-use of all American Reporter stories. We are reporter-owned.

URL: http://www.newshare.com/Reporter/today.html
Archives: http://www.newshare.com/Reporter/archives/

------------------------------

From: "Prof. L. P. Levine"
Date: 15 Jan 1996 18:40:39 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply.
If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below. On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing. Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors. Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the Subject: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit the text except for purely technical reasons. A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy". People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Web browsers will find it at gopher://gopher.cs.uwm.edu. 
 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     | and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Web: gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V8 #009
******************************
.