Date: Mon, 26 Feb 96 06:59:52 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V8#018

Computer Privacy Digest Mon, 26 Feb 96              Volume 8 : Issue: 018

Today's Topics:                         Moderator: Leonard P. Levine

    Re: Anonymous Remailers are a Virus Spreading Online
    Re: Anonymous Remailers are a Virus Spreading Online
    Re: Anonymous Remailers are a Virus Spreading Online
    Re: Anonymous Remailers are a Virus Spreading Online
    Re: Strange Telemarketing Call
    Re: Strange Telemarketing Call
    Re: Caller ID: Ameritech -> MCI
    Re: Caller ID: Ameritech -> MCI
    Re: Caller ID: Ameritech -> MCI
    Re: Caller ID: Ameritech -> MCI
    Re: Caller ID: Ameritech -> MCI
    Re: Europe Data Protection Directive
    Re: Your Computer Is Watching You
    Re: Access to DMV Records by Rental Car Companies
    Email Privacy in Colorado, USA
    "Privacy Piracy" on KING TV Monday 17:00 Pacific Time
    It Could Never Happen Here
    Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: brown@krl.caltech.edu
Date: 25 Feb 1996 14:17:49 -0800
Subject: Re: Anonymous Remailers are a Virus Spreading Online
Organization: Avida Artificial Life group
References:

    This .sig is a fucking protest. Don't let the assholes in Congress get away with this abortion of Justice. Feel free to duplicate, modify and redistribute this .sig, under the condition that the content remains "indecent". http://www.vtw.org

    [moderator: I will leave this signature file in this time, but intend to censor gratuitous indecent material in the future. Not that I fear the government but it offends my personal taste.]

I think that it would be more in line with the "moderator" aspect of things to simply deny the post on these grounds, rather than removing the .sig. Just my $.02...

-- Titus Brown, brown@krl.caltech.edu.

[moderator: Titus is right, in future I will not censor user postings but will reject those with gratuitous indecent material.]

------------------------------

From: JF_Brown@pnl.gov (Jeff Brown)
Date: 23 Feb 1996 23:29:38 +0000 (GMT)
Subject: Re: Anonymous Remailers are a Virus Spreading Online
Organization: Battelle Pacific Northwest Labs
References:

"Prof. L. P. Levine" wrote:

    My most serious question about anonymous remailers is this: How can we be sure that the operator of such a remailer is not a federal or other governmental agent? That person is trusted with our privacy and has all the data needed to identify a user.

In article , daveb@iinet.net.au says...

    One (too?) obvious defence is to use a remailer in another country. I greatly doubt if the US Govt. has subverted a remailer in, say, Finland. The Finnish Govt. might have something to say about that.

This may be naive, but:

- aren't network locations traceable to being overseas just by convention. That is, couldn't one really be in the U.S. but have "daveb@iinet.net.au" as their address?
- couldn't a particular address be set up overseas, but tapped in between? My overseas mail appeared to go through particular routers.
- couldn't a U.S. "spy" set up a remailer overseas?

-- Jeff Brown JF_Brown@pnl.gov

------------------------------

From: JF_Brown@pnl.gov (Jeff Brown)
Date: 23 Feb 1996 23:34:15 +0000 (GMT)
Subject: Re: Anonymous Remailers are a Virus Spreading Online
Organization: Battelle Pacific Northwest Labs
References:

fyoung@oxford.net says...

    ... snip prior article ...

    I remember reading this on an anonymous remailer FAQ. Chaining at least three remailers and using PGP to encrypt the message would greatly reduce the chance of being "exposed." If one of the three remailers was a government sting, then the worst it could get is big brother would discover the origin of a message (going to another remailer) or the destination of a message (from another remailer).

I think it is probably worse than that.
If the first of the three remailers were the sting, then wouldn't the message be compromised? Or, if encrypted, then the sender would be flagged as someone to watch more closely? If it were not the first, then any remailer in the chain that was a front could track where messages came from and where they go to, and thereby gain an idea of where additional remailers would be. Could these sites then be monitored to track flows more closely, and perhaps track individual addresses (an "anonymous" one, but still "unique" and therefore traceable)?

Jeff Brown JF_Brown@Pnl.gov

------------------------------

From: martin@kurahaupo.gen.nz (Martin Kealey)
Date: 24 Feb 1996 17:03:45 +1200 (NZST)
Subject: Re: Anonymous Remailers are a Virus Spreading Online

Roy M. Silvernail (roy@sendai.cybrspc.mn.org) wrote:

    That's the reason behind chaining your message through several remailers. The first remailer in the chain knows your address, but not the ultimate destination of the traffic. A single uncompromised remailer in the chain will break the traceability of your message. [assuming encrypted message]

    Unfortunately that is untrue. If the first and the last remailer cooperate

Well, there you have it - if you already know the routing of the message, then of course you can trace it - the hard part's already been done!

The point with an encrypted chain is that only the sender and recipient know the total chain - the other members only know the link either side, and can't see end-to-end (as long as you have at least 3 remailers in the chain).

------------------------------

From: Chris Kocur
Date: 24 Feb 1996 00:17:53 GMT
Subject: Re: Strange Telemarketing Call
Organization: JCPenney
References:

Mark.E.Anderson@att.com (Mark Anderson) wrote:

    [snip]

    Has anyone else heard of a market research survey that had to be recorded? I've done telephone recordings for insurance depositions before but it seems odd to cold call someone and demand of them to be recorded.

In the last year or so I have had that happen when I've agreed over the phone to subscribe to a service or something, but never for a survey. So far it has only been after the sales pitch and I've already agreed to the purchase. They read a prepared statement (which I believe is also recorded) and record my response. I should probably respond with a specific answer such as 'I agree to purchase xxxx', but usually I just say 'yes'. (I know, I shouldn't encourage them, but sometimes it's something I want and they're lucky enough to catch me in a generous mood).

--
Regards, Chris
#include
I can do it quick; I can do it well; I can do it cheap -- pick any two. -- Red Adair
ckocur@jcpenney.com (work), ckocur@plano.net (home)

------------------------------

From: prvtctzn@aol.com (Prvt Ctzn)
Date: 25 Feb 1996 11:20:33 -0500
Subject: Re: Strange Telemarketing Call
Organization: America Online, Inc. (1-800-827-6364)
References:

Here's a suggestion! If you think you're up against a `peculiar' survey caller...

1) Allow the interview to start
2) give them information (it does not have to be correct)
3) after about the fourth question say something like: "Hey, I'm giving you my private info but I don't know anything about your firm."
4) ask them for their firm's name, then address,
5) tell them that, in order to confirm their ID, you will call them back. Then get their phone number.

The key to this process is to give them enough survey information for them to feel invested in you. Thus they will want to be able to complete the survey, rather than waste the time they already spent wasting your time.

It's kinda like fishing... You are the fish... but you have a hook to pull them into the water.

Robert Bulmash
Private Citizen, Inc. 1/800-CUT-JUNK

------------------------------

From: johnl@iecc.com (John R Levine)
Date: 23 Feb 96 23:52 EST
Subject: Re: Caller ID: Ameritech -> MCI
Organization: I.E.C.C., Trumansburg, N.Y.

    Just another data point for those interested in Caller ID interoperability. I phoned an 800 number from my private residence [and the callee received my phone number]

This has nothing to do with CLID. When you call an 800 number, the people you call always get a record of the caller's number. Why? It's itemized billing. The number is delivered via a technology known as ANI, which has been around for many decades, ever since the operator stopped asking "what number are you calling from?" on toll calls.

I have cheapo $5/mo 800 service, so I get my monthly bills with the 800 calls itemized by number, just like the outgoing calls. If I had fancier 800 service, I could get the caller's number at the time the call arrives.

The theory, which I think is reasonable, is that since I'm paying for the calls, I have a reasonable right to get an itemized bill, just like for all the rest of my phone calls. Anyone who wants to call me without giving me their phone number is entirely welcome to do so, just not on my nickel. (Unlike some 800 numbers, mine all have published normal equivalents.)

900 and other pay-per-call numbers also get the calling number, for a very similar reason -- they need to know who to bill.

--
John R. Levine, IECC, POB 640 Trumansburg NY 14886 +1 607 387 6869
johnl@iecc.com "Space aliens are stealing American jobs." - Stanford econ prof

------------------------------

From: Aaron Zaugg
Date: 24 Feb 1996 15:43:15 -0700 (MST)
Subject: Re: Caller ID: Ameritech -> MCI

Anytime anyone calls an 800 number the possibility is there for your phone number to be sent along with it. It's not Caller ID but instead ANI. Automatic Number Identification can be used for many different reasons. Most long distance code dialup numbers use it for security purposes so someone can not just call trying codes with no threat of recourse.
The justification for ANI on 800 numbers (besides the answering operator having all your personal info pop up on the screen before the call is answered) is that the company you are calling is paying for the toll. Therefore for billing purposes, they have the right to know who is calling.

Just a warning to others. The same applies if anyone makes a collect call from your own phone. The receiver of the call will have your phone number on their long distance bill. This will happen whether your number is unlisted or not.

------------------------------

From: jlkolb@sd.cts.com (John Kolb)
Date: 25 Feb 1996 03:03:24 GMT
Subject: Re: Caller ID: Ameritech -> MCI
Organization: CTS Network Services (CTSNET), San Diego, CA
References:

Christopher L. Barnard (cbarnard@cs.uchicago.edu) wrote:

    Just another data point for those interested in Caller ID interoperability. I phoned an 800 number from my private residence line (Ameritech) and preceded the call with *67. The 800 number was able to determine my phone number (this was an automated system I was calling). I phoned Ameritech, who identified the 1-800 number as

800 and 900 numbers ALWAYS, to the best of my knowledge, receive the phone numbers of those who call them. After all, they are the ones paying for the call. Guess we need to insist that anyone we call provide a non-800 # also.

------------------------------

From: dan@fch.wimsey.bc.ca (Dan Fandrich)
Date: 25 Feb 96 01:51:50 GMT
Subject: Re: Caller ID: Ameritech -> MCI
Organization: Fandrich Cone Harvesters Ltd.
References:

cbarnard@cs.uchicago.edu writes:

    Just another data point for those interested in Caller ID interoperability. I phoned an 800 number from my private residence line (Ameritech) and preceded the call with *67. The 800 number was able to determine my phone number (this was an automated system I was calling).

    [...]

    Yet another reason to never assume that caller ID blocking will actually block anything...

When an 800/888/900 number owner receives the number of the person calling, he receives the caller's ANI (Automatic Number Identification), NOT his directory number sent by Caller*ID. In most cases, the ANI and Caller*ID are the same but since ANI is designed for billing purposes, they can be different. ANI uses a completely different mechanism from Caller*ID and *can not* be blocked by the caller, period. The reasoning is that the 800 number owner is paying for the call so is entitled to know who is racking up his bill.

>>> Dan
--
dan@fch.wimsey.bc.ca / MIME email ok / finger danf@vanbc.wimsey.com for pgp key

------------------------------

From: peter@nmti.com (Peter da Silva)
Date: 25 Feb 1996 22:59:47 GMT
Subject: Re: Caller ID: Ameritech -> MCI
Organization: Network/development platform support, NMTI
References:

Christopher L. Barnard wrote:

    Just another data point for those interested in Caller ID interoperability. I phoned an 800 number

800 numbers will always get your ID, since they're paying for the phone call... it's billing information they're entitled to. This predates "Caller ID", and has nothing to do with it.

I'm boggled that none of the operators knew this, though.

--
Peter da Silva (NIC: PJD2)      `-_-'      1601 Industrial Boulevard
Bailey Network Management        'U`       Sugar Land, TX 77487-5013
+1 713 274 5180    "Har du kramat din varg idag?"    USA
Bailey pays for my technical expertise. My opinions probably scare them

------------------------------

From: banisar@epic.org (Dave Banisar)
Date: 24 Feb 1996 13:58:08 GMT
Subject: Re: Europe Data Protection Directive
Organization: Electronic Privacy Information Center
References:

Jacques Lemieux <72470.1055@CompuServe.COM> wrote:

    I am looking for any comment on the European Data Protection Directive. Any hints for me?

The EC Directive is available at Privacy International's web page at www.privacy.org/pi/

--
Dave Banisar
EPIC/PI Washington Office

------------------------------

From: gordon@sneaky.lerctr.org (Gordon Burditt)
Date: 24 Feb 1996 09:03:31 -0600 (CST)
Subject: Re: Your Computer Is Watching You

    But many PC users may take a dim view of Netscape's failure to draw their attention to the fact that their behaviour may be tracked in this way. Moreover, there appears to be only one way to disable the facility: by manually amending or deleting the COOKIE.TXT file containing all the cookies.

Why does anyone think that this disables the facility? Deleting the cookies file will prevent the cookies from persisting over sessions (I hope), but it is not at all obvious to me that you won't be "re-infected" with cookies each time you visit a site that uses them (especially if Netscape is still set to show one of Netscape's pages on startup - I recommend changing this). I expect that the cookies file is cached in memory and that updates use the memory copy (no, I didn't trace the code to prove this).

This will allow Netscape to track your travels in their pages in any one session, but it won't allow correlations between sessions (except by IP address, which might be dynamic or correspond to several different users) if you keep deleting or prevent creation of the cookie file.

Gordon L. Burditt
sneaky.lerctr.org!gordon

------------------------------

From: "Milton C. Hubbard"
Date: 24 Feb 1996 19:50:06 -0500
Subject: Re: Access to DMV Records by Rental Car Companies
Organization: University of Louisville
References:

Philip H. Smith III, (703) 506-0500 wrote:

    [cut]

    Moral: never, never, never, never rent off-airport unless you (a) can't afford a real car rental agency (b) have lots of time and (c) have proof of lots of insurance.

Philip, Did you offer to use a Gold VISA, MC or AMEX as security?
They offer complete car insurance automatically even when the renter has no comprehensive coverage on his own policy. I don't see how the rental agency could lose in this situation. Comments anybody?

--
Milton Hubbard

------------------------------

From: lrose@mercury.cair.du.edu (Lucas Rose)
Date: 24 Feb 1996 23:33:43 -0700
Subject: Email Privacy in Colorado, USA
Organization: Would you give the 30 pieces of silver back?

Rep. Ron Tupa's (D-Boulder) email privacy bill has been sent to the Appropriations committee. This bill tried to guarantee that an employee's email was secure from the inspection of the employer without the employee's consent. It also tried to make inter- and intra-office governmental email memos not subject to the Open Records Law, and insure the same employee email privacy for public employees. Additionally, it updated Colorado's wiretapping laws to the same protection afforded by Federal Law. It has been amended down to only the governmental privacy policy mandate and the updating the wiretapping laws, but it still needs support to escape Appropriations.

Please call the Representatives who sit on the Appropriations committee and encourage them to support the bill so that Colorado can begin to treat email like all other forms of communication. Ask them to support HB1199, regarding email privacy.

Appropriations Committee (all area codes are 303):

    Tony Grampsas: 866-2957
    David Owen: 866-2943
    Jeanne Adkins: 866-2936
    Vickie Agler: 866-2939
    Nolbert Chavez: 866-2925
    Bill Jerke: 866-2907
    Bill Martin: 866-2965
    Phil Pankey: 866-2953
    Gilbert Romero: 866-2968
    Todd Saliman: 866-5524
    Carol Snyder: 866-4667

Colorado is a national leader in the telecommunication field, and we should be a leader in protecting electronic communication. Help support HB1199, and help support privacy in telecommunications. If you have additional questions, please call Rep. Ron Tupa (303-866-2915).

Please forward this message to all interested parties.

--
lrose@mercury.cair.du.edu
"A thing is not necessarily true because a man dies for it." -- Oscar Wilde

------------------------------

From: bo774@freenet.carleton.ca (Kelly Bert Manning)
Date: 25 Feb 1996 23:27:13 GMT
Subject: "Privacy Piracy" on KING TV Monday 17:00 Pacific Time
Organization: The National Capital FreeNet, Ottawa, Ontario, Canada

This is a Seattle area NBC station, but I have the impression that it is also distributed by satellite, so it may be widely available across the continent.

This is their normal 5:00 am news slot, so it probably won't take up the whole hour.

I have a recollection of seeing a story on a Seattle station about 8 years ago that started out with writing down a licence number of a randomly selected car parked near the station and recounting all that could be discovered about the registered owner using public records, which included a few years of tax returns because they had been filed as part of a divorce case.

I can't recall if that was KING or another Seattle area station. My recollection is that the story said that the owner was advised of them retrieving the registration details because it was Washington state policy to use part of the statutory access charge fee to send notice of disclosure to the registered owner whenever vehicle registration data was released to a third party.

--
notice: by sending advertising/solicitations to this account you will be indicating your consent to paying me $70/hour for a minimum of 2 hours for my time spent dealing with it

------------------------------

From: jwarren@well.com (Jim Warren)
Date: 24 Feb 1996 12:41:34 -0800
Subject: It Could Never Happen Here

For reasons that will become obvious, I've blanked the user id info in this forward -- though the *currently operational* thought police probably already have a copy if the author transmitted from their current location.
Notice how nicely the 1994 Democrats' half-billion-dollar national wiretap system facilitates the 1995 Republicans' zealous "decency" mandate.

--jim
Jim Warren, GovAccess list-owner/editor (jwarren@well.com)
Advocate & columnist, MicroTimes, Government Technology, BoardWatch, etc.

From: xxx@xxx.com
Date: 15 Feb 1996 05:09:32 -0500
To: jwarren@well.com

Jim,

This is delayed in getting back to you, but I just wanted to tell you that your discussion of making all U.S. phone lines wire-tap ready reminds me of my present life. I live in Riyadh, Saudi Arabia. Everything is tapped here and most people know it. Faxes are also "grabbed" and if they find a reason to suspect immoral activity, they can then go back and actually open up every transmitted fax from a certain line. The government acquiesces to the religious police and allows the tapping (besides the obvious reasons of snooping around for subversion) to be done for the purpose of routing our expatriates' prohibited activities (church, parties with men & women mixed, music and theatrical performances, etc). There is a list of "key words" plugged into the tapping computers (for instance, the choral society I am in makes everyone avoid "choir, chorus, rehearsal, conductor, concert" and we're not making this up -- we have a manager (expat, of course) from the Ministry of Postal, Telegraph and Telephone in our bass section that provides us with the hot list every few months or so.

As pertains to church, it's really a mess. My spouse and I worship in the Diplomatic Quarter with an Anglican community, but we live in a U.S. Army facility (the one that had the terrorist bombing on Nov. 13 that killed 7 -- my spouse was in the building and got bad glass cuts) that houses worship services on Fridays. We learned that the General did not know about the phone tapping, but certain civilian staff were briefing everyone new upon arrival about avoiding "sunday school, preacher, etc") on the phone so as to not endanger our services.
After the bombing, dear friends and family would sometimes want to pray with our families over the phone, or offer scripture for comfort, and we had to tell them "you can't do that", so we asked the General if our phones were STILL being tapped at a public meeting and he told everyone that he'd never heard of that before (I heard his secretary tell him it was a "story" that did surface every few months or so) and that it was ridiculous -- the Ambassador would love to see the Muttawa (religious police) try and get us thrown out of the kingdom for holding religious services.

Anyhow, I just thought you'd be interested to see a slice of official U.S. military life, residing here on Diplomatic Passports, outside the confines of the American border.

Best wishes,
xxx, Information Systems Mgmt.
xxx, European Division

------------------------------

From: "Prof. L. P. Levine"
Date: 30 Jan 1996 18:45:30 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution.
As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors.

Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the Subject: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Web browsers will find it at gopher://gopher.cs.uwm.edu.

---------------------------------+-----------------------------------------
Leonard P. Levine                | Moderator of: Computer Privacy Digest
Professor of Computer Science    | and comp.society.privacy
University of Wisconsin-Milwaukee| Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201      | Information: comp-privacy-request@uwm.edu
                                 | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                | Web: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V8 #018
******************************