Date: Thu, 01 Feb 96 14:37:13 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V8#011

Computer Privacy Digest Thu, 01 Feb 96              Volume 8 : Issue: 011

Today's Topics:                         Moderator: Leonard P. Levine

Re: One Person's War on Junk Mail
Re: One Person's War on Junk Mail
Re: One Person's War on Junk Mail
Re: One Person's War on Junk Mail
CCTV Codes of Use
Re: AOL search warrants and email retention
Re: AOL search warrants and email retention
Re: Voyeur's delight
Re: Lotus [IBM] Blinks
Re: Some Thoughts on Privacy in General
Computer policy from American Library Association
Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: bo774@freenet.carleton.ca (Kelly Bert Manning)
Date: 31 Jan 1996 09:07:29 GMT
Subject: Re: One Person's War on Junk Mail
Organization: The National Capital FreeNet
References:

Beth Givens reports:

A San Diego man, Bob Beken, recently won an interesting suit in Small Claims Court against Computer City involving unwanted mail solicitations. Perhaps this case, along with the Avrahami case, will serve as wake up calls to the direct marketing industry. Consumers want and deserve to be able to control what enters their mailboxes. Your thoughts??

F Young (fyoung@oxford.net) writes:

I've never been through a time when I got so upset about junk mail that I would go through the trouble of writing a "contract" such as that of Mr. Beken, or sue the marketer in court. Personally, I'm more upset on fax advertising or the long and windy unsolicited e-mail as it cost me money to receive them. Long e-mails could also potentially fill up my mailbox and cause important messages to get bounced. [...] Although I can't wait for someone to try that in Canada and set a precedent ...

It has been done, about 2 years ago. An Ontario woman won a judgement against "Columbia House".
They didn't sign any sort of contract, they just refused to stop sending her crap mail, claiming that they "could not" remove former suckers from their crap mailing lists.

To my way of thinking this illustrates perfectly how direct marketing is often hard to distinguish from a deliberate scam. The victims of the ripoff are the companies paying direct marketing "experts" to mail crap to people they know for a fact will never buy. When this scam is operated internally in an enterprise the pay off seems to be bigger budgets/more responsibility/more income for the direct marketing directors and managers. When it is done by an outside specialty firm it seems more like an actionable ripoff.

The original title may be misleading. Is this really about junk mail? The title may be obscuring the fact that the underlying issue is that personal information about people, such as their names, addresses, and the fact that they have enough interest in particular areas to subscribe to magazines specializing in them, is being passed around without their knowledge or consent. That is the issue that makes 'a war on junk mail' a relevant topic for this forum.

The former moderator of this group seemed to think that stuffing crap mail back into return envelopes is a lot of work. I don't get much crap mail and hardly any repeats after I educate the perps about the provincial credit reporting act. The last one who repeated despite promising a judge to "take me off his list" had an interesting time explaining to another judge that what he had really meant was that he would flag my address as one that they wouldn't send any more crap to, but the flagging software was buggy. I was able to use this specific example to go back to the public body he got data from, no questions asked, and get them to adopt an interim policy that information seekers would have to sign a contract prohibiting this kind of use. Legislative changes have wiped out even that contractually limited access.
I have to sort paper into glossy, non glossy and newsprint, with no window envelopes, before the local curbside recyclers will take it instead of leaving it with a "not acceptable" sticker. It really takes much less time and trouble to simply stuff it into a return envelope and drop it in the mail box I walk past every day. I do this regularly with anonymous crap mail that arrives. It is often a mix of paper types and I don't want to waste time sorting it for recycling.

We have weight/volume limits and over limit penalties for garbage collection. These even apply to commercial pickups if they use the municipal landfill. If I was getting as much crap mail as most people seem to get and "circular filed" it I'd probably go over the limit every pickup.

--
notice: by sending advertising/solicitations to this account you will be indicating your consent to paying me $70/hour for a minimum of 2 hours for my time spent dealing with it

------------------------------

From: "Dennis G. Rears"
Date: 31 Jan 96 11:02:00 EST
Subject: Re: One Person's War on Junk Mail

Chris Kocur writes:

>It all depends on your situation. My email doesn't cost extra and I
>don't leave my fax online, so those don't bother me as much. But I have
>had important and wanted mail (bills, magazines, letters) returned as
>undeliverable because junk mail had filled up my mail box.

You need to have a talk with your postmaster. This is against postal regulations. If your mailbox is filled, a card requesting you to pick up excess mail should be placed in your mailbox. It never should be returned as undeliverable.

dennis

------------------------------

From: Jon Miller
Date: 31 Jan 1996 13:41:15 -0700 (MST)
Subject: Re: One Person's War on Junk Mail

Subsidized junk mail clearly is an affront to environmental and privacy issues. If the government insists on allowing marketers to spend our money to mail to us mail we don't want, we should be allowed to remove our name from lists.
However, personally I find telemarketers' calls (in the evening particularly) to be more of an unwarranted intrusion and of unknown environmental effect (power, e.g.) as well as a potential drain on otherwise productive time.

I have found the worst intrusion to be 2:00 A.M. mass marketing faxes to my home/business phone (which does not have a fax on it)! This may be a federal offense, but it was easier to just get the telephone company to intervene by calling in advance and arranging a *57 intercept. Phone company service in this instance appeared very amenable.

--
jon miller
martin & mehaffy, llc
boulder, co

------------------------------

From: michael@piglet.amscons.com (Michael Bryan)
Date: 31 Jan 1996 21:17:22 -0800
Subject: Re: One Person's War on Junk Mail
Organization: none
References:

Chris Kocur wrote:

It all depends on your situation. My email doesn't cost extra and I don't leave my fax online, so those don't bother me as much. But I have had important and wanted mail (bills, magazines, letters) returned as undeliverable because junk mail had filled up my mail box.

Or my personal pet peeve, the fact that the junk mail can sometimes obscure your important mail. The worst type are the advertising supplements that many neighborhoods get on a weekly basis. (We actually get two per week here in San Jose, one from Advo, one from Potpourri.) These are small newspaper-like things with lots of glossy coupons, and loose single-page inserts. If you get a couple of these in your mailbox, it's quite easy for real mail to get stuck among the inserts, and you have to carefully sort through it all to make sure you don't throw out something important with the junk.

I tried getting the individual companies to stop sending these to me. So after a six-week delay, they stopped sending the addressed postcards that always accompany these. But my postal carrier continued to stick the inserts into my mailbox anyway!
It took several calls to the post office, and several notes to my carrier, to finally get these things stopped. But I've only seen one in two years now, and I'm a lot happier when I go to my mailbox these days.

Well, except for FHP. Somehow, at the ripe age of 32, I got on their list of "elderly" recipients of Medicare, so I have been getting weekly mailings from them for well over a year now. Every time, I call the 800 number that is listed, and demand to be taken off their list. If a postage paid mailer is included, I send it back with everything scratched out, and a large note scrawled across it, demanding to be taken off their list. They just keep coming, and coming, and coming... It's become personal now. If I ever get them to stop, it will be a miracle. I'm about to resort to extreme profanity on the returned mail, in the hopes that maybe that will work for some reason. (I doubt it, but I've tried just about everything else.)

------------------------------

From: Max Hunt
Date: 31 Jan 96 09:30:32 gmt
Subject: CCTV Codes of Use

I am looking for examples of Codes of Conduct for the use of public CCTV systems or systems in public places. Can anyone advise on sources? I would be happy to feed back examples.

--
M.J.Hunt@LUT.AC.UK Tel: 01509 222310 Fax: 267477
Computing Services, Loughborough University of Technology

------------------------------

From: Alan Tignanelli <75453.2055@CompuServe.COM>
Date: 31 Jan 1996 16:00:12 GMT
Subject: Re: AOL search warrants and email retention
Organization: CompuServe, Inc. (1-800-689-0736)
References:

I find it disturbing that, according to the St. Petersburg Times, AOL keeps email for five days before purging. I read this to mean that contrary to what their customers may expect, AOL intentionally retains email users have tried to delete.

Ever accidentally delete mail you wanted to keep? I have.
The fact that AOL keeps mail after you delete it is not a secret - there's a menu option to look at mail you've already read and discarded. On one hand, a benefit. On the other, a risk.

--
Alan Tignanelli

------------------------------

From: Chris Kocur
Date: 31 Jan 1996 23:02:30 GMT
Subject: Re: AOL search warrants and email retention
Organization: JCPenney
References:

Declan McCullagh writes:

I find it disturbing that, according to the St. Petersburg Times, AOL keeps email for five days before purging. I read this to mean that contrary to what their customers may expect, AOL intentionally retains email users have tried to delete.

MDDALLARA@msuvx2.memphis.edu wrote:

Disturbing, yes, but not that recent. I remember reading about AOL's email retention policy a few months ago, when law enforcement agencies first ran into the problem of deleted email. Service decided to make full copies of all mail passing through *their* system and keep those copies for five days.

Every time AOL is in the news, they just reinforce my conviction that I'd rather be castrated with a cheese grater than ever use their network.

Actually I believe AOL as usual is being misquoted. What they do is purge your email 5 days after you read it/send it (30 days if you don't read it). This happens even if you don't want it deleted. If you want to keep it longer you have to log it to your local disk. This was a problem for the police, they wanted stuff older than 5 days. AFAIK if you delete it before the 5 days, it's gone.

Now, there are numerous examples of things that have been 'deleted' being recoverable. That *may* be the case with AOL. OTOH, most ISP's use Unix based systems. I wonder what pains they go through to make sure deleted email is unrecoverable? Most I would guess rely on the fact that it will eventually be overwritten by new email. With the mail reader I use on my PC, email isn't really deleted until I 1) compact my in/out boxes, 2) clear my trash bin, 3) compact the trash.
Even that's not 100% unless I purge my mail file and make sure the space is overwritten on disk. Oh, and darn, now I have to erase my backup tapes too.

In some ways I consider AOL email that stays within AOL more private. Email on the net has no guarantees. Internet email may go through many systems on its way and none of those systems have any obligation not to read it, archive it or redirect it and you have no way of telling if they do. At least with AOL, you know what their motives are - they want money and to make it they have to keep their customers happy. I have no idea of the motives of the unknown sysops on the unknown systems my internet email may cross. But I can guess keeping me happy is not very high on their list.

--
Regards, Chris
#include
I can do it quick; I can do it well; I can do it cheap -- pick any two. -- Red Adair
ckocur@jcpenney.com (work), ckocur@plano.net (home)

------------------------------

From: WELKER@a1.VsDeC.nL.nuwc.navy.mil
Date: 31 Jan 1996 11:21:50 -0400 (EDT)
Subject: Re: Voyeur's delight

raised a point in the encryption debate I never heard before.

While the debate over who should hold the escrowed keys is a legitimate one, [...]

I can see the cause for concern if this is a real hole, but I can't see the hole. Can you elaborate? How can someone perpetrate a fraud by losing a key?

The hazard of which I speak is not fraud, but merely loss of data. If you are my broker and don't get my encrypted/signed buy/sell order on time because you lost my public key, or your private key, or if you later claim not to have been able to validate the transaction, there could be large amounts of money on the line. A key held in escrow by a trusted third party thwarts deniability (or requires conspiracy to compromise the system). The "low-tech" analogy would be having a document notarized or co-signed -- the notary can attest that he saw both of us sign it.
I agree about the public part, but you seem to be defending the Clipper proposal in your article. The Clipper algorithm is not public. Cheap is not an issue.

Clipper is _an_ implementation of the necessary technology. I make no claims concerning its acceptability to industry, nor do I necessarily endorse government key escrow. My assertion is only that key escrow is "safer" for business purposes from a protection of assets standpoint. Even if you are the mafia it sometimes helps to have an arbiter.

Secure encryption is not dependent on secrecy. Public algorithms can be examined to verify that they do not contain holes or back doors such as a secret master key. The government's refusal to make Clipper public raises the suspicion that they have done exactly that, and that the escrow issue is merely a smoke screen.

Secure encryption is dependent on the secrecy of keys, not algorithms. Other than that, your statement is valid.

Shotgun scanning is not the only risk. Storage is cheap enough to archive *ALL* the Internet traffic *ALL* the time, in raw unprocessed form. A terabyte tape reel has already been reported. That's enough to store 500 million typical email messages on a single reel. It's not only the government that has the resources to archive the traffic, private parties do it already. In a decade or two a typical home PC may have the capacity to archive all the world's UseNet traffic and web pages. Enemies in hostile countries can also archive our traffic.

There are about (I think) five terabytes "suspended" in the Internet at any one time (sorry, forgot the source), a number which will continue to rise. This traffic is being pumped into the net from thousands of sources with data rates of 56 kbps or higher. Even if you could store it all, you still have to intercept and catalog it all.
According to my copy of _Interactive_Week_ (v3n2 29 Jan 96, page 50) you _might_ be able to capture around 79% of traffic if you compromise AOL, Compuserve, Prodigy, MS-Net, _and_ all academic servers.

Now you've archived it. What are you gonna do with it? If it's all encrypted (even with a 40 bit key), you still have to locate the messages of interest and crack them. It would be far cheaper to bug your PC and/or park a TEMPEST van down the street. If you're worried about archiving, even military-grade encryption won't conceal a message forever, and the last sentence should tell you that if the government wants it bad enough then military grade encryption won't protect you at all.

You are right about the power of surveillance -- you can look up the Doug Wilder / Chuck Rob bugging fiasco for an example. I certainly am of the opinion that ISPs should be protected as "common carriers" like the telcos.

As automated toll collectors and surveillance cameras (including facial recognition) become on-line "webcams", then video and audio recordings of all surveilled public areas will become part of the permanent public archives. Future O.J. trials will never again have to speculate who was where when.

Not that it would influence the verdict :)

------------------------------

From: stuart@cosc.canterbury.ac.nz
Date: 31 Jan 1996 19:20:52 GMT
Subject: Re: Lotus [IBM] Blinks
Organization: University of Waikato
References:

WELKER@a1.VsDeC.nL.nuwc.navy.mil writes:

While the debate over who should hold the escrowed keys is a legitimate one, I must point out that some form of key escrow is essential as a practical matter in order for electronic documents to be legally binding. I think this more than anything else is why PGP is not much appreciated by the business community. We cannot permit electronic commerce wherein someone can claim "oops, I lost the key...sorry about your $1M".
Check out http://www.viacrypt.com/ - they have a product, which they call PGP/BE (Pretty Good Privacy, Business Edition) which handles some of these issues.

[I am in no way related to viacrypt, and have no first hand experience with their product(s)]

--
``The greatest deception men suffer is from their own opinions.''
stuart@cosc.canterbury.ac.nz syeates@cs.waikato.ac.nz

------------------------------

From: craig@killerbee.jsc.nasa.gov (Craig Biggerstaff)
Date: 31 Jan 1996 20:36:00 GMT
Subject: Re: Some Thoughts on Privacy in General
Organization: NASA/Johnson Space Center
References:

Mark Ingram (ingramm@Cognos.COM) wrote:

The first point I would like to make is that there is no real problem with having no privacy -- unless you are a criminal, of course. I have come across many cliches and supposed pearls of wisdom that all allude to this:

This *is* a troll, isn't it? The problem with fortune-cookie wisdom is that there is a saying for every point of view -- hence, "Good fences make good neighbors", "A man's house is his castle", and so on.

The problem with having no privacy is that it is exactly equal to having no enforceable rights. The only way to eliminate privacy is to eliminate freedom. This has been demonstrated many times by various regimes, and is easy to understand.

Consider: The decision to have privacy -- the decision not to make something visible to others -- is one made *by an individual*. It can only be revoked through surveillance or force. To argue that there is no problem with having no privacy is to argue that surveillance and/or force are acceptable actions.

Surveillance and force are antithetical to the idea of popular government. So we, as a people, agree to permit these measures only in clearly defined situations, with clearly defined intentions. If these conditions are not met, then the entity (public or private) using these measures is running amok, and is dangerous.
Justice Louis Brandeis put it very well, years ago, when he wrote something to the effect that "the most valuable of all rights is the right to be left alone."

--
Craig Biggerstaff

------------------------------

From: "Carl M. Kadie"
Date: 30 Jan 1996 13:40:05 -0800
Subject: Computer policy from American Library Association

From: kadie@eff.org (Carl M. Kadie)
Subject: NEW: Computer policy from American Library Association
Date: 30 Jan 1996 11:57:56 -0800

According to a mailing list posting, the American Library Association (ALA) just approved the enclosed statement on applying the Library Bill of Rights to computers and networks.

The ALA is the largest and oldest library organization. It has a century's experience with intellectual freedom issues. The ALA's web site is http://www.ala.org.

I've archived the statement at ftp://ftp.eff.org/pub/CAF/library/computer.ala. Also see http://www.eff.org/CAF.

- Carl (not even an ALA member)

========================================================

Access to Electronic Information, Services, and Networks: an Interpretation of the LIBRARY BILL OF RIGHTS

INTRODUCTION

The world is in the midst of an electronic communications revolution. Based on its constitutional, ethical, and historical heritage, American librarianship is uniquely positioned to address the broad range of information issues being raised in this revolution. In particular, librarians address intellectual freedom from a strong ethical base and an abiding commitment to the preservation of the individual's rights.

Freedom of expression is an inalienable human right and the foundation for self-government. Freedom of expression encompasses the freedom of speech and the corollary right to receive information. These rights extend to minors as well as adults.
Libraries and librarians exist to facilitate the exercise of these rights by selecting, producing, providing access to, identifying, retrieving, organizing, providing instruction in the use of, and preserving recorded expression regardless of the format or technology.

The American Library Association expresses these basic principles of librarianship in its CODE OF ETHICS and in the LIBRARY BILL OF RIGHTS and its Interpretations. These serve to guide librarians and library governing bodies in addressing issues of intellectual freedom that arise when the library provides access to electronic information, services, and networks.

Issues arising from the still-developing technology of computer-mediated information generation, distribution, and retrieval need to be approached and regularly reviewed from a context of constitutional principles and ALA policies so that fundamental and traditional tenets of librarianship are not swept away.

Electronic information flows across boundaries and barriers despite attempts by individuals, governments, and private entities to channel or control it. Even so, many people, for reasons of technology, infrastructure, or socio-economic status do not have access to electronic information.

In making decisions about how to offer access to electronic information, each library should consider its mission, goals, objectives, cooperative agreements, and the needs of the entire community it serves.

The Rights of Users

All library system and network policies, procedures or regulations relating to electronic resources and services should be scrutinized for potential violation of user rights.

User policies should be developed according to the policies and guidelines established by the American Library Association, including GUIDELINES FOR THE DEVELOPMENT AND IMPLEMENTATION OF POLICIES, REGULATIONS AND PROCEDURES AFFECTING ACCESS TO LIBRARY MATERIALS, SERVICES AND FACILITIES.
Users should not be restricted or denied access for expressing or receiving constitutionally protected speech. Users' access should not be changed without due process, including, but not limited to, formal notice and a means of appeal.

Although electronic systems may include distinct property rights and security concerns, such elements may not be employed as a subterfuge to deny users' access to information. Users have the right to be free of unreasonable limitations or conditions set by libraries, librarians, system administrators, vendors, network service providers, or others. Contracts, agreements, and licenses entered into by libraries on behalf of their users should not violate this right. Users also have a right to information, training and assistance necessary to operate the hardware and software provided by the library.

Users have both the right of confidentiality and the right of privacy. The library should uphold these rights by policy, procedure, and practice. Users should be advised, however, that because security is technically difficult to achieve, electronic transactions and files could become public.

The rights of users who are minors shall in no way be abridged. (See: FREE ACCESS TO LIBRARIES FOR MINORS: AN INTERPRETATION OF THE LIBRARY BILL OF RIGHTS; ACCESS TO RESOURCES AND SERVICES IN THE SCHOOL LIBRARY MEDIA PROGRAM; and ACCESS FOR CHILDREN AND YOUNG PEOPLE TO VIDEOTAPES AND OTHER NONPRINT FORMATS.)

EQUITY OF ACCESS

Electronic information, services, and networks provided directly or indirectly by the library should be equally, readily and equitably accessible to all library users. American Library Association policies oppose the charging of user fees for the provision of information services by all libraries and information services that receive their major support from public funds (50.3; 53.1.14; 60.1; 61.1).
It should be the goal of all libraries to develop policies concerning access to electronic resources in light of ECONOMIC BARRIERS TO INFORMATION ACCESS: AN INTERPRETATION OF THE LIBRARY BILL OF RIGHTS and GUIDELINES FOR THE DEVELOPMENT AND IMPLEMENTATION OF POLICIES, REGULATIONS AND PROCEDURES AFFECTING ACCESS TO LIBRARY MATERIALS, SERVICES AND FACILITIES.

INFORMATION RESOURCES AND ACCESS

Providing connections to global information, services, and networks is not the same as selecting and purchasing material for a library collection. Determining the accuracy or authenticity of electronic information may present special problems. Some information accessed electronically may not meet a library's selection or collection development policy. It is, therefore, left to each user to determine what is appropriate. Parents and legal guardians who are concerned about their children's use of electronic resources should provide guidance to their own children.

Libraries and librarians should not deny or limit access to information available via electronic resources because of its allegedly controversial content or because of the librarian's personal beliefs or fear of confrontation. Information retrieved or utilized electronically should be considered constitutionally protected unless determined otherwise by a court with appropriate jurisdiction.

Libraries, acting within their mission and objectives, must support access to information on all subjects that serve the needs or interests of each user, regardless of the user's age or the content of the material.

Libraries have an obligation to provide access to government information available in electronic format. Libraries and librarians should not deny access to information solely on the grounds that it is perceived to lack value.
In order to prevent the loss of information, and to preserve the cultural record, libraries may need to expand their selection or collection development policies to ensure preservation, in appropriate formats, of information obtained electronically.

Electronic resources provide unprecedented opportunities to expand the scope of information available to users. Libraries and librarians should provide access to information presenting all points of view. The provision of access does not imply sponsorship or endorsement. These principles pertain to electronic resources no less than they do to the more traditional sources of information in libraries. (See: Diversity in Collection Development: an Interpretation of the Library Bill of Rights)

Adopted by the ALA Council, January 24, 1996.

------------------------------

From: "Prof. L. P. Levine"
Date: 30 Jan 1996 18:45:30 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution.
As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors.

Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the Subject: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at gopher.cs.uwm.edu.

Web browsers will find it at gopher://gopher.cs.uwm.edu.

---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     | and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Web: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V8 #011
******************************