Date: Wed, 28 Feb 96 11:25:50 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V8#019

Computer Privacy Digest Wed, 28 Feb 96              Volume 8 : Issue: 019

Today's Topics:                         Moderator: Leonard P. Levine

    Re: Caller ID: Ameritech -> MCI
    Re: Caller ID: Ameritech -> MCI
    Re: Caller ID: Ameritech -> MCI
    Re: Caller ID: Ameritech -> MCI
    Re: Caller ID: Ameritech -> MCI
    Re: Northwestern's EECS may be Censoring
    ANI Information Cannot Be Used for Marketing Purposes
    KING Radio Checks out Bill Gates
    U.S. Grants First Encryption Export License
    Re: Your Computer Is Watching You
    Re: Anonymous Remailers are a Virus Spreading Online
    AT&T Cell Users are At Risk
    Maryland House of Delegates & Medical Database Bills
    Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: Mitch Tanenbaum
Date: 25 Feb 1996 00:08:26 -0700
Subject: Re: Caller ID: Ameritech -> MCI

I just read your item about Ameritech and MCI. I suspect that the issue is very simple and not at all what it represents itself to be.

800 numbers offer a service to the paying/receiving party called ANI for automatic number identification. It is a similar service to caller ID, but I think it only works with 800 numbers. I think it was originally designed to allow csr's to get screen pops when you call in about a question on your bill or where is the nearest atm or..... as far as I know, the only way to block ANI is to not call an 800 number.

------------------------------

From: doug@cc.ysu.edu (Doug Sewell)
Date: 26 Feb 1996 08:49:43 -0500
Subject: Re: Caller ID: Ameritech -> MCI
Organization: Youngstown State University
References:

Thus spake Christopher L. Barnard:

Just another data point for those interested in Caller ID interoperability. I phoned an 800 number from my private residence line (Ameritech) and preceded the call with *67.
The 800 number was able to determine my phone number (this was an automated system I was calling). I phoned Ameritech, who identified the 1-800 number as

As many of the regular readers of *.dcom.telecom* will tell you, 1-800 numbers use ANI (automatic number identification, I believe) and not caller-id, to identify your phone line. If the 800 line holder requested, the identification information can be delivered in real-time (just like caller-id) and cannot be blocked.

After all, they're paying for you to call their 800 number...

Yet another reason to never assume that caller ID blocking will actually block anything...

--
Doug Sewell (doug@cc.ysu.edu) (http://cc.ysu.edu/~doug/)
Youngstown Ohio goes to area code 330 on March 8, 1996
alt.fan.john-palmer - Tygra, tygra, burning blight.
cat core | uuencode bunny.dropping | mail jp@tygra.michigan.com

------------------------------

From: ewl@panix.com (Emery Lapinski)
Date: 26 Feb 1996 12:08:27 -0800
Subject: Re: Caller ID: Ameritech -> MCI
Organization: Emery Lapinski, private citizen.
References:

Christopher L. Barnard wrote:

Just another data point for those interested in Caller ID interoperability. I phoned an 800 number from my private residence line (Ameritech) and preceded the call with *67. The 800 number was able to determine my phone number (this was an automated system I was

Caller ID and the 800 number system's ANI are two totally separate things. I don't know why the operators didn't know this, or wouldn't tell you about it. ANI has been around forever. The logic is that since they're paying for the call, they get to know your phone number, almost as if you had called them collect.

Yet another, totally separate system, is the E911 system, which lets the 911 operator know where you're calling from and who owns the phone and a whole lot of other good information.

--
ewl@panix.com | http://www.panix.com/~ewl
| "You can have my useless cat(1) when you pry it from my cold dead finger(1)."
| This work is Copyright 1995 Emery Lapinski and is freely redistributable by anyone and anything with the exception of Microsoft Network.
| Telco Bill, make a run for the border.

------------------------------

From: pevans@mindlink.bc.ca (philip evans)
Date: 26 Feb 1996 21:02:46 GMT
Subject: Re: Caller ID: Ameritech -> MCI
Organization: MIND LINK! - British Columbia, Canada
References:

dan@fch.wimsey.bc.ca (Dan Fandrich) writes:

When an 800/888/900 number owner receives the number of the person calling, he receives the caller's ANI (Automatic Number Identification), NOT his directory number sent by Caller*ID. In most cases, the ANI and Caller*ID are the same but since ANI is designed for billing purposes, they can be different. ANI uses a completely different mechanism from Caller*ID and *can not* be blocked by the caller, period. The reasoning is that the 800 number owner is paying for the call so is entitled to know who is racking up his bill.

This CAN be useful for the caller. I got a (what I consider) junk mail catalogue that had an 800 number printed on it. What I usually do in those cases is call the 800 number and ask them to remove me. When I called this one at about 6:30 pm on a Friday, I got a recording asking me to wait, as all representatives were busy. This went on for a l-o-n-g time. Eventually I put the phone down and did some other stuff, checking every now and then. I think that what happened was that the number was only good for certain hours, and I'm on the left coast, I had just missed them - but the recording kept repeating, asking me to hold on.

Well, I did not need the phone as I was away that weekend. On Sunday evening I checked and I was still connected. When I went to work at 4:30 am Monday, yep, still being asked to wait. I knew I'd need the phone that day so I (regretfully) hung up.

And no, they haven't sent me any more catalogues...
------------------------------

From: Glenn Foote
Date: 27 Feb 1996 18:06:10 -0500 (EST)
Subject: Re: Caller ID: Ameritech -> MCI

Aaron Zaugg wrote:

The justification for ANI on 800 numbers (besides the answering operator having all your personal info pop up on the screen before the call is answered) is that the company you are calling is paying for the toll. Therefore for billing purposes, they have the right to know who is calling. Just a warning to others. The same applies if anyone makes a collect call from your own phone. The receiver of the call will have your phone number on their long distance bill. This will happen whether your number is unlisted or not.

Although this is the current rationalization about ANI, I believe that there are a couple of things wrong with this theory.

First the "right" to know who is calling on an 800 number is not the same as having sufficient information to audit the bill. For years telephone companies would not provide this information, and the business community got along without it just fine. Users could still be given sufficient information to indicate the general area of the call (NPA, NNX), but even this may be too much information _for billing purposes_ when you consider that 800 services are increasingly being offered on a flat per minute basis.

Second, your right to privacy should supersede any information given out to another telephone subscriber, regardless of what they are paying for. Let us not confuse a business offering with a basic right to privacy. This is especially true when it comes to collect calls; you have the option of taking the call or not based on the identity of the caller (which is not the same thing as where the call is coming from). Ergo, the ANI is no longer relevant and in the case of blocked caller ID, should not be provided.

Third, and perhaps most important, this 800 number situation is becoming a growing problem.
Consider that by just making the call, you are risking the inclusion of your number into a data base containing an ever growing profile (often shared among interested parties) that can and *is* being compiled. [Source: Personal Knowledge of Companies using this technology.]

This information can be, and is, then linked with other commercially available data bases which include access to [1] White Pages Nationwide (including Unlisted, but not Non-Published phone numbers), [2] Auto Registrations from most states (including SSN), [3] Magazine Subscriptions, [4] Warranty Cards, [5] Surveys, [6] Commercial Mailing Lists (and probably InterNet Mailing List in the near future), [7] Birth List, [8] Census statistics, [9] Voter Registration Lists, [10] Yellow Pages Nationwide, [11] Annual Reports, 10K's, SEC information, [12] Federal, State, and Local Government data, [13] Business Magazines, [14] Newsletters, and Newspapers, [15] Change of Address data, [16] over *200* other sources of information about you. [source, MCI product description, MCI FastData] {other data providers include: MetroNet, AT&T Find America, and Directory Net Inc.}

All can be either immediately dumped to the party you called as their phone is ringing, or retrieved while you are on line. All through the use of commercial services SOLD WITH 800 number services as part of this "right" to _audit_ their bill.

I suspect that the risks of calling _any_ 800 number are a little more than most people realize.

--
Glenn "Elephant" Foote

------------------------------

From: weh@SEI.CMU.EDU
Date: 25 Feb 1996 22:35:54 -0500
Subject: Re: Northwestern's EECS may be Censoring
Organization: Software Engineering Institute

I don't view this as much an indicator that one Sys Admin may be monitoring or censoring more so than another, but rather that one Sys Admin is more consistently providing notice of a possible action that could be taken re: users of their system.
I've never seen this done from fingering someone, but fingering does cause you to use resources on the remote system, and one might consider that it should also be accompanied by warning.

For more background on this particular warning, and how it relates to the ECPA, refer to the relevant CERT advisory. (I don't have the number handy right now). Check on ftp://info.cert.org for CERT advisories.

From: Cecelia A Clancy

Some time ago, I noticed that an ominous notice suddenly started popping up whenever I fingered anybody with an account on the Northwestern (NU) Electrical Engineering and Computer Science (EECS) host of eecs.nwu.edu. It does not matter who in EECS you finger, you get the same message. Since we have been discussing Zu"ndel, I'll show you the finger of a NU Revisionist who happens to be in EECS:

------------------------------

From: privacy@interramp.com (Privacy Newsletter)
Date: 26 Feb 1996 14:53:56 GMT
Subject: ANI Information Cannot Be Used for Marketing Purposes
Organization: Privacy Newsletter

Several participants in this newsgroup have recently discussed how 800-number-owners have the capacity to collect ANI information. This is very true. However, the nationwide Caller ID rules -- which went into effect December 1, 1995 -- make it illegal for an 800-number-owner to use ANI information for marketing purposes. ANI is allowed only for routing purposes or for account retrieval; under the FCC's rules, no other behavior is tolerated.

A strict reading of the rule means that should an individual call a business with an 800 number, and the individual becomes disconnected, then the business cannot call the individual back. Generally speaking, unless the individual gives permission to associate his/her telephone with his/her name, the business cannot call back. Period!

Ironically, such a provision does not apply to numbers captured under Caller ID -- only under ANI.
For more information, you can check the complete rule under the FCC's homepage or contact Privacy Newsletter.

--
John Featherman
Editor
Privacy Newsletter
PO Box 8206
Philadelphia PA 19101-8206
Privacy@interramp.com
Phone: 215-533-7373

------------------------------

From: bo774@freenet.carleton.ca (Kelly Bert Manning)
Date: 27 Feb 1996 07:02:11 GMT
Subject: KING Radio Checks out Bill Gates
Organization: The National Capital FreeNet
References:

That was 5 PM, even on the wet coast.

According to the story they stood on the sidewalk and asked passersby to volunteer to produce their Drivers licence for them to use to see what they could find out about them. Eventually someone did.

Using the drivers licence as a starting point they were able to get his SSN, which allowed them to retrieve a variety of information, his 5 major credit cards, the names, addresses, phone numbers and SSNs of his neighbours at various times, the kind of cars he'd had loans on, the upscale department stores he shops at, what time of day he married his second wife, his tax returns filed for his divorce, the mortgage amounts for property he had bought, the accounting firm that prepared his tax return.

The fee for pulling the divorce case file was $25.

Today's story ended with the advice to not give out your SSN, not to fill out personal information areas when completing registration cards and to use cash to pay instead of charge cards or checks.

The story concluded with a comment that the wealthy don't have any more privacy than regular folks and said that their Tuesday show will reveal how much they were able to find out about Bill Gates III.

--
notice: by sending advertising/solicitations to this account you will be indicating your consent to paying me $70/hour for a minimum of 2 hours for my time spent dealing with it

------------------------------

From: taxhaven@ix.netcom.com (Adam Starchild)
Date: 27 Feb 1996 19:51:48 GMT
Subject: U.S. Grants First Encryption Export License
Organization: Netcom

U.S. Grants First Encryption Export License

The U.S. Department of State has granted the first license for export of a computer security system using a 64-bit key to Barclays Bank of the UK and Visa International. The security code will be used for a new personal computer-based banking service Barclays is launching today in a pilot program. Longer algorithms have been used outside the U.S. in closed electronic systems, such as cash machine networks, but the use of a 64-bit algorithm will be the first in an "open environment," where the bank does not control the personal computers using the code.

--
Asset Protection & Becoming Judgement Proof
http://www.catalog.com/corner/taxhaven

------------------------------

From: bobwood@netcom.com (Bob Wood)
Date: 28 Feb 1996 00:06:59 GMT
Subject: Re: Your Computer Is Watching You
Organization: NETCOM On-line Communication Services (408 261-4700 guest)
References:

gordon@sneaky.lerctr.org (Gordon Burditt) wrote:

Deleting the cookies file will prevent the cookies from persisting over sessions (I hope), but it is not at all obvious to me that you won't be "re-infected" with cookies each time you visit a site that uses them (especially if Netscape is still set to show one of Netscape's pages on startup - I recommend changing this). I expect that the cookies file is cached in memory and that updates use the memory copy (no, I didn't trace the code to prove this). This will allow Netscape to track your travels in their pages in any one session, but it won't allow correlations between sessions (except by IP address, which might be dynamic or correspond to several different users) if you keep deleting or prevent creation of the cookie file.

Just edit out everything after the first 3 lines or so and put a +R attribute on it...Anyone can read it but there will be nothing there for them to read and Netscape will know that it is there but can't write anything further.....
I did mine some time ago when someone posted a message calling my attention to the cookie.txt ...There have been no ramifications to that fix that I'm aware of...

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Bob Wood, Stanton, Ca.
PGP Key ID# B01F7D19/1024 Bit
Finger: bobwood@netcom.com
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

------------------------------

From: daveb@iinet.net.au (Dave)
Date: 28 Feb 1996 00:39:54 GMT
Subject: Re: Anonymous Remailers are a Virus Spreading Online
Organization: iiNet Technologies
References:

roman@portal.stwing.upenn.edu (Roman Gollent) wrote:

Please explain that to the admin of anon.penet.fi. If the Church of Scientology can bully admins of systems on foreign soil into giving out real names and addresses, what's to stop the US government from doing the same?

While I have no doubt that the Church and its mobs of lawyers have a great deal of power, I'm still under the impression (perhaps mistaken) that the US government wields even more influence, especially on an international level.

It hasn't happened yet, but it could.

In the case you mention, the essential point is that everyone knew what was happening. The remailer was not _subverted_, that is tapped clandestinely. Legal process, however misused, is nevertheless open.

I would agree, however, that anon.penet.fi (or any other remailer) is not suitable _alone_, to protect sensitive messages. As other posters on this thread have said, use several remailers, with layered encryption between them.

--
Dave Brooks
PGP public key: finger daveb@opera.iinet.net.au
servers daveb@iinet.net.au
fingerprint 20 8F 95 22 96 D6 1C 0B 3D 4D C3 D4 50 A1 C4 34

------------------------------

From: "Prof. L. P. Levine"
Date: 28 Feb 1996 11:03:14 -0600 (CST)
Subject: AT&T Cell Users are At Risk
Organization: University of Wisconsin-Milwaukee

Taken from PRIVACY Forum Digest Friday, 23 February 1996 Volume 05 : Issue 05
Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.
AT&T Cell Users at Risk: follow-up (dperetz@accessone.com)

Date: 04 Feb 96 14:52:06 PST
From: dperetz@accessone.com
Subject: AT&T Cell Users at Risk: follow-up.

dperetz@accessone.com wrote:

Want billing/payment information on someone else? Want to run a usage analysis for the best rate plan for another? ATT Wireless Networks makes this possible with their automated INFOEXPRESS (Customer Care) service. Simply dial 1-800-782-xxxx or 1-206-389-xxxx (SEA). Enter the target cell number and the person's zip code.

[ Assuming this service operates as described, it is but another example of the widespread practice of making customer information available with minimal or no security provisions by many entities. When questioned, firms implementing such systems usually claim they can't imagine why anybody would be concerned about the release of such information (allowing change orders in such an environment would be *highly* unusual), and that more "secure" systems (such as the use of PINs) would be "too inconvenient" for the customer. Usually the claim is also made that they've received virtually no complaints, either! ... -- MODERATOR ]

(privacy not CPD)

Follow-up:

You are quite correct. I spoke with S.B., an INFOEXPRESS specialist. She stated they were hoping for a 4:1 'approval ratio.'

Change orders are easy (yes, it was a cold phone):

A) Simply get the amount of the last payment with the method described above.
B) Enter the option to speak with a CSR.

D: "I'm calling to see if my check for last month's bill of 61.62 posted?"
CSR: "Yes it did, on January twelfth."
D: "Thanks, and I'd also like to discontinue the voice-mail option. I just never use it."
CSR: "Okay."
. . .

At this point I stopped the CSR and asked her to discontinue INFOEXPRESS instead. This can't be done. I haven't played extensively with the automated c. o., but the picture is clear.

I questioned the CSR about performing the c.o. without verification.
I was told that because I knew last month's billing amount, it was okay. Had I not known, I would have been asked for an account number. I explained I got the amount from INFOEXPRESS: "I'll let you talk to my supervisor." Groan.

------------------------------

From: informed@access.digex.net (Keep InforM.D.)
Date: 26 Feb 1996 18:47:49 GMT
Subject: Maryland House of Delegates & Medical Database Bills
Organization: Keep InforM.D.

In 1993, the Maryland legislature passed a sweeping health care reform bill known as HB 1359. This 81 page bill - signed by Governor Schaefer - created (among other things) the Health Care Access and Cost Commission (HCACC) and charged them to create a database of ALL encounters with providers of care by patients.

The following must be reported to A STATE AGENCY (HCACC) WITHOUT YOUR CONSENT !!! [Taken from HCACC Notice of Proposed Action dated 06/23/95]

(1) Patient ID (your insurance ID number encrypted)
(2) Patient Date of Birth
(3) Patient Sex
(4) Patient Race (W, B, Asian or Pacific Islander, Native American, Other)
(5) Patient ZIP Code
(6) Patient Covered by Other Insurance
(7) Coverage Type (Medigap, Individual, Self Insured, Employer Plan, Public Employee)
(8) Delivery System Type (HMO, P(oint) O(f) S(ervice), PPO or other Managed Care, Indemnity)
(9) Claim Related Condition (Non accident, Work, Auto accident, Other accident)
(10) Practitioner Tax ID
(11) Participating Provider Indicator (Yes, No, Not coded)
(12) Claim Total Charge
(13) Claim Allowed Charge
(14) Reimbursement Amount
(15) Patient Liability (Patient copay and/or deductibles)
(16) Type of Bill (interim or final etc)
(17) Claim Control Number (the internal control number used by insurers to track claims)
(18) Claim Paid Date
(19) Number of Diagnosis Codes (up to ten indicators of your illness)
(20) Number of Line Items (up to 15 procedures)
(21) Diagnosis Codes (see (19))
(22) Service From Date (beginning treatment date)
(23) Service Thru date (ending date)
(24) Type of Service (Phys,
Pharmacy, Lab, Medical equipment, Surgery, Dental)
(25) Place of Service (Inpatient, Outpatient hospital, Office, Surgicenter, Home, State or Local Clinic, Hospice, Intermediate Care Facility, Comprehensive Care Facility)
(26) Service Location Zip Code
(27) Unit Indicator (Miles, Anesthesia, Visits, Oxygen Units, Blood Units)
(28) The Number of Units in (27)
(29) Procedure Code (What Care was Provided)
(30) & (31) Modifiers
(32) Servicing Practice Identifier
(33) Billed Charge
(34) Amount Allowed

also--- Collect appropriate information relating to prescription drugs for each type of patient encounter with a pharmacist ...

Issue 1 You will not have the right to deny the state access to this information.

Issue 2 Psychiatric patients, in an effort to protect themselves from outsiders gaining knowledge of their treatment, pay the bills themselves to avoid the insurance company making a record and their employer finding out they are in treatment. THEY WILL LOSE THAT PROTECTION!!!

Issue 3 In 1996 and beyond, do you really want a governmental agency to have this access to your personal life ?

Issue 4 This information MUST BE PUBLISHED BY LAW. With all of the 34 items above, it will be very easy to identify you. This information will be sold without restriction.

Issue 5 Notice that RACE is a required element.

Issue 6 Does the state need to know your prescriptions ? Let's suppose a pharmaceutical company buys the information (they do in Florida- I verified it!!) they could mail brochures to you on drugs THEY want you to take.

Issue 7 Florida tracks only 80 surgical and medical codes. Why does the state need everything ?

Issue 8 What could a divorce lawyer do with the information (custody battle, etc)

Issue 9 What about patients who are HIV+ or have AIDS ?

Issue 10 Most states (No. Carolina, Virginia, California, Utah) who have created a much more limited version have already sold or given the database to a PRIVATE CONCERN.
So don't be lulled into thinking that the state will always have control. In the law - they are allowed to contract with ANY nonprofit entity that is not an insurer.

WHAT CAN YOU DO ?

HB 557 mandates that you CONSENT in writing EACH TIME you are treated. That Hearing is set for Thursday FEBRUARY 29, 1996 in the Environmental Matters hearing room (Room 160) in The Lowe House Office Building in Annapolis Maryland. If you can't attend please call your representative at 1-800-492-7122. Other bills (HB 1018, HB 1030, HB 1031) related to this matter will be heard that day also.

YOU CAN E-MAIL ME YOUR SENTIMENTS AND I WILL TAKE THEM WITH ME AND PRESENT THEM ON YOUR BEHALF WHEN I TESTIFY.

e-mail informed@access.digex.net

Do not give up your right to privacy. You must act to save it. It is about to be stripped from you if you don't speak up.

------------------------------

From: "Prof. L. P. Levine"
Date: 30 Jan 1996 18:45:30 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution.
As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors.

Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the Subject: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at gopher.cs.uwm.edu.

Web browsers will find it at gopher://gopher.cs.uwm.edu.

---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     | and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Web: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V8 #019
******************************