Date: Sun, 17 Mar 96 08:44:46 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V8#024

Computer Privacy Digest Sun, 17 Mar 96              Volume 8 : Issue: 024

Today's Topics:                         Moderator: Leonard P. Levine

    Netscape Problems
    Netscape White Pages Privacy Problem
    Privacy Suit in San Diego
    Legal Restrictions on SSN
    Email Privacy
    Re: Social Security Number Misuse
    Re: Sadomasochistic imagery
    Re: CIA & NSA run remailers
    Re: CIA & NSA run remailers
    Washington Post Editorial on DejaNews
    Re: 800 ANI
    Re: Social Security Number Misuse
    Call for papers - personal information
    Online Parental Control Act of 1996
    Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: "Prof. L. P. Levine"
Date: 12 Mar 1996 10:30:06 -0600 (CST)
Subject: Netscape Problems
Organization: University of Wisconsin-Milwaukee

Taken from RISKS-LIST: Risks-Forum Digest Monday 11 March 1996 Volume 17 : Issue 88
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

From: Jon Reeves
Date: 11 Mar 1996 13:41:04 -0500
Subject: Yet another Trojan horse lurking in Netscape 2.0...

I noticed, while loading a web page, that there was a mailto: URL active (using the "Easter Egg" Ctrl-Alt-T popup to see active URLs). Sure enough, after I cancelled that and examined the source, I saw something like this:
A quick test on my local machine shows that this will send a message to nasty@secret.org with the subject gotcha and the body "hi=there".

This is insidious; it means that E-mail messages, purportedly from me (and all traces will show they really are from me) can be sent anywhere, without my knowledge, with contents that I do not approve. Further, it means that I can no longer count on browsing a site without my userid being disclosed. Unlike Java, there is no way to disable this.

[Also been submitted to Netscape.]

------------------------------

From: hbaker@netcom.com (Henry G. Baker)
Date: 09 Mar 1996 07:51:22 -0800 (PST)
Subject: Netscape's too-lenient syntax checking

From [frustrated web site visitor]

The main link to [site name deleted] doesn't work through 'lynx' because the html is not correct. The '', so that the [site name deleted] link won't work. Could you please look at this problem, and send me a message when it is fixed. Thanks very much.

> From: [webmaster @ affected site]
RE: Re: [site name deleted] Web Link

Thanks for the input. The mistake was never noticed before because the Netscape browsers are smart enough to detect the error and deal with it. Lynx, however, is not. The problem is fixed, although I don't recommend looking at the site with anything but Netscape 1.1N and higher. We incorporate too many of Netscape's features to make viewing these pages without it useful.

I have nothing against Netscape trying to be smart, but the very sloppiness that makes it behave reasonably for unreasonable input leads web page designers to believe that their web pages have been debugged if they work correctly on Netscape. Perhaps Netscape should have a `careful' mode for helping web page maintainers to provide `squeaky clean' pages.

I have found numerous web page problems with Lynx in this way, and when informed of these problems, some web page maintainers have been downright snotty in their responses.
Their attitude seems to be `it serves you right for not using a graphical browser like Netscape'.

Perhaps the web site designers should wake up to the fact that most of the sophisticated web surfers that I know either use an ascii browser like Lynx, or turn off image loading when surfing, because they actually want to visit more than one web site per day. All those pretty 4-color _buttons_ (??) that they use look good for _one_ visit, and thereafter

------------------------------

From: "Prof. L. P. Levine"
Date: 15 Mar 1996 10:51:29 -0600 (CST)
Subject: Netscape White Pages Privacy Problem
Organization: University of Wisconsin-Milwaukee

Taken from RISKS-LIST: Risks-Forum Digest Thursday 14 March 1996 Volume 17 : Issue 90
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Netscape White pages "Who Where?" risks (Brian Kelley)

From: brian@piglet.cam.cornell.edu (Brian Kelley)
Date: 13 Mar 1996 16:21:35 -0500
Subject: Netscape White pages "Who Where?" risks

A mate of mine, whom I will call Skip and his computer ralph.nomame.edu, decided to look himself up on the "Who Where?" database. He found his name, selected it, and was rewarded with the response:

    * Name: ??? Console
      E-mail: skip@ralph.nomame.edu
      Organization: cornell university, ithaca
      Last Updated: --

This is all fine and good, except that a) he never registered himself with the server and b) ralph.noname.edu is not a mail server and all mail there will bounce. So the question is, how did this E-mail address show up?

So, I looked at my entry.

    * Name: Brian Kelley
      E-mail: brian@piglet.cam.cornell.edu
      Organization: cornell university, ithaca
      Last Updated: --

Now, piglet.cam.cornell.edu is also not my e-mail address. We did a little digging and discovered that the standard unix command "finger @ralph.noname.edu" responded with

    [ralph.noname.edu]
    Login   Name   TTY       Idle    When        Where
    skip    ???    console   10:30   Tue 22:22

and "finger @piglet.cam.cornell.edu" responds with

    [piglet.cam.cornell.edu]
    User    Real Name      TTY   Host     Console Location
    brian   Brian Kelley   4     piglet   357 Theory Center

So, our assumption is, which is also a risk in itself, that some program is fingering computers and "grep"ing the return info which, in the case of skip is incorrect. However, the real question is, how did these machines get registered with the page?

The answer is, Netscape. My best guess is that by selecting the "Who Where?" page, or some other page, automatically registers your machine with the database which then fingers your machine for information. To test this theory, just look up the entries for "root." (Which indicates many more risks, i.e. root running Netscape, et al.)

This would be fine if there was a notice that entering this page automatically registers you (and everyone currently logged onto your computers) with the database. However, the page highlights and underlines the phrase "Add Your Listing" which indicates that it has not been added already.

The risks, in the case of skip, are obvious. However, it was just another reminder to myself about the propagation of personal information (that may indeed be inaccurate.)

--
Brian Kelley
357 Rhodes Hall
Cornell University
Ithaca, N.Y. 14850
brian@ee.cornell.edu
(607) 255-0963

------------------------------

From: "Brian Duck"
Date: 12 Mar 1996 11:58:44 EST
Subject: Privacy Suit in San Diego

I need your help...

A couple of weeks ago, prior to a well-deserved and utilized vacation in Colorado, I heard the tail end of an item on NPR (National Public Radio) about a man in San Diego, CA who had recently won a court case in which he had acted to protect his privacy.

(I'll recap the news item, but what I'm looking for are leads on the case, the specific consumer protection bill he cited, and the actual text used on the back of the check...)
As I recall, this individual was visiting a local retailer which had a habit of gathering names and addresses for their marketing database from their casual customers. He refused to have his name and address entered into their computer, and (when he realized that it would be copied off his check) he added a simple paragraph to the reverse of the check.

The paragraph stated, in general terms, that the check was an agreement between the individual and the retailer. That the retailer agreed not to use the individual's address WITHOUT consent, and that the check endorsement was not consent. Also, the paragraph cited some 'specific consumer protection bill' (my words, I'm looking to find out what this reference was!) And, finally, the paragraph stated what the fine was (within the limits of the state's small claims statute) for violating the privacy of the individual.

He asked the clerk, and the manager to BOTH initial the paragraph, and offered the check as payment.

As expected, his name and address was entered into the computer of the marketing machine of the retailer, and he began receiving catalogs. He contacted the retailer, informing them that they were violating their agreement with the individual, and asking them to cease. This contact occurred via registered mail.

After six attempts, the individual took the retailer to court, presented the check, the receipts for the registered mailings, and was awarded 6x the price identified in the agreement.

Any information to collaborate with this story would be appreciated.

Brian Duck                   usfmcjnm@ibmmail.com (internet)
President,                   BDuck (PROFS & eWorld)
Ford Macintosh User Group    (313) 390-5329

------------------------------

From: Robert Gellman
Date: 12 Mar 1996 21:02:40 -0500 (EST)
Subject: Legal Restrictions on SSN

There were some recent postings here about legal restrictions on SSNs that had some erroneous information.

The only real federal law restricting the collection of SSNs is section 7 of the Privacy Act of 1974.
That is Public Law 93-579, and section 7 is uncodified. It can be found at 5 USC 552a note. Here is the text:

    (a)(1) It shall be unlawful for any Federal, State or local government agency to deny to any individual any right, benefit, or privilege provided by law because of such individual's refusal to disclose his social security account number.

    (2) the provisions of paragraph (1) of this subsection shall not apply with respect to -

        (A) any disclosure which is required by Federal statute, or

        (B) the disclosure of a social security number to any Federal, State, or local agency maintaining a system of records in existence and operating before January 1, 1975, if such disclosure was required under statute or regulation adopted prior to such date to verify the identity of an individual.

    (b) Any Federal, State, or local government agency which requests an individual to disclose his social security account number shall inform that individual whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it.

Note that this only applies to government agencies and not to the private sector. There are quite a few other federal laws that expressly permit or mandate the use of SSNs and that supersede the section quoted above. In 42 USC 405, states are authorized to use SSNs for motor vehicle purposes, welfare, and state tax purposes. The Selective Service can also use SSNs under another federal law. The tax code REQUIRES people who pay wages, dividends, interest, and engage in some other activities to collect and report SSNs.

There is no federal law that I know of that restricts the collection of SSNs by a private entity. I can't speak to state constitutions or state laws, but there just isn't much help here from federal law. I repeat: private companies can collect and disclose SSNs without restriction under federal law.
State governments are mostly unrestricted in how they can disclose SSNs by federal law. The section quoted above only restricts collection. The federal government itself is restricted by the Privacy Act in its ability to disclose SSNs.

If someone knows of any other relevant federal laws, please post them with specific cites.

+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ Robert Gellman                rgellman@cais.com +
+ Privacy and Information Policy Consultant       +
+ 431 Fifth Street S.E.                           +
+ Washington, DC 20003                            +
+ 202-543-7923 (phone)         202-547-8287 (fax) +
+ + + + + + + + + + + + + + + + + + + + + + + + + +

------------------------------

From: Ernesto Martinez
Date: 14 Mar 1996 15:28:40 -0600
Subject: Email Privacy
Organization: University of Illinois at Urbana

Hi, I am a Library Science student at the University of Illinois at Urbana-Champaign. I am doing a research paper on email privacy in the workplace. My condition of foreigner has meant that I am not as well informed as -I guess- an American might be, on recent (2-5 years) developments affecting the topic in which I am working. That's why I am turning to you for help. Can you refer me to some judicial cases and/or internet resources directly related to my topic?

I also have a doubt that I guess you can help me to resolve: I have been reading a 1989 book that explains that the US has not yet a Privacy Protection Agency, despite some proposals. Has this situation changed since the book's printing date? Are EPIC and other privacy advocates pushing for that commission to be created?
--
Ernesto Martinez
Graduate School of Library and Information Science
University of Illinois at Urbana-Champaign
email: martinez@alexia.lis.uiuc.edu

------------------------------

From: lachman@netcom.com (Hans Lachman)
Date: 15 Mar 1996 10:48:48 GMT
Subject: Re: Social Security Number Misuse
Organization: Agency for the Prevention of Evil
References:

anonymous writes:

MY SSN, for example, is also my driver's license number, my university employee number, student loan account number, and, as of recently, my local "business registration" number. The potential for abuse is outrageous . . .

All the more reason to allow people to opt out of Social Security. Once you're not in the system anymore, you won't need one of those silly numbers.

While we're at it, we can also team up with the anti-IRS crowd. Once the gov't phases out personal income tax, they won't need to perpetuate the SS numbers as so-called Taxpayer Identification Numbers.

The above may not happen soon, but we can still work toward making them happen eventually.

--
Hans Lachman

------------------------------

From: platinum
Date: 14 Mar 1996 18:05:00 -0500 (EST)
Subject: Re: Sadomasochistic imagery

i'm not sure whether this got to the list; the mail system here has been really screwy. so you may receive this message and the following one twice. if so, my apologies for the inconvenience

sethf@mit.edu wrote:

Have you heard the statement "Electronically, everyone's a publisher"? Well, that's a good metaphor, but sometimes it breaks down in detail. Is posting to alt.sex "just like" selling books in an adult bookstore? I don't think so. But the terms used can be vague enough to make an argument in this manner.

i've always wondered why people discarded the original metaphor, which i think is still the best: bulletin boards. you put something up on a bulletin board, using a thumbtack that has your name on it. anyone who chooses to walk by the board can look at it.
each board is kept clearly labeled in such a way that everyone can tell what the content is without having to read any of what's posted there

you are responsible for what you say. the only time a message is taken off of an unmoderated board is when it gets too old and you need space; if you're on a moderated board, you know it's moderated and you accept that fact the first time you post. and, as always, no one has to read what you say and everyone is free to respond in any manner sie likes

the issue that now comes into question is: who should be allowed into the building where the boards are kept? who should be allowed to access them and their content? (my opinion: everyone. other people's opinions vary.) and if you let someone in, are you responsible for what they see while they're inside?

let's not lose sight of the fact that some of the most ardent critics of online behavior are online. we wouldn't have invented words like "flame" if that sort of criticism didn't happen so very often. it is really really easy to tell someone you take objection to hir behavior in a newsgroup or on a list. what people offline don't like is that it's just as easy to ignore the objection.

this is what .kill files are for. no one is forced to be offended more than once by anyone else. me, i never had a killfile when i was reading newsgroups because i was always sure that even the most truly abhorrent asshole might have something meaningful to contribute somewhere down the line. this, i've found, is an unusually forgiving viewpoint.

but this is a _community_, the online world, and i've found that when community standards are set (either by the people moderating an area--"welcome to #backchat! no swear words, no netsex, and above all _be friendly_!"--or by other users--"i take extreme offense at what you're saying and here is why"), they actually tend to be obeyed

i have very little experience with newsgroups, so i can't speak too much for them.
on the other hand, i've spent about two and a half years on four different irc networks and this works amazingly well. you offend an op, you get kicked. sometimes you're warned first, sometimes the kick is a warning. offend again and get banned. offend another user and that user complains to an op, and you'll usually get the same treatment. i've yet to find a channel where having ops was really abused for any length of time, and i've seen a lot of places designed to keep that from happening. if you don't like our rules, it tends to go, make your own place with your rules and invite in the people you want. as far as i can tell, it's the same with usenet

our self-censorship is incredibly effective (though i hate examples of it like the equestrian newsgroup that decided to stop discussing anything that might be construed as illegal under the CDA; that's just wrong. that's an imposition of other "community standards" on us). no one seems to be telling this to the media or the government, and it might startle people enough to give us a bit of legroom. this is not a total anarchistic free-for-all, no matter how much we may want it to be, and we need to stop presenting it that way if we're going to get anywhere in the fight against the real world

------------------------------

From: "Prof. L. P. Levine"
Date: 15 Mar 1996 10:37:17 -0600 (CST)
Subject: Re: CIA & NSA run remailers
Organization: University of Wisconsin-Milwaukee

Taken from RISKS-LIST: Risks-Forum Digest Thursday 14 March 1996 Volume 17 : Issue 90
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

From: denning@cs.cosc.georgetown.edu (Dorothy Denning)
Date: 14 Mar 96 14:14:55 EST
Subject: Response from Strassmann/Marlow on remailers

[From Paul A. Strassmann, National Defense University and William J. Marlow, SAIC, via Dorothy Denning]

We find that a report by a Mr. Viktor Mayer-Schoenberger [e.g., RISKS-17.87] citing our alleged statements at a Harvard University Conference has been widely quoted on Internet, out of context. Specifically, he attributed to us statements that a number of anonymous remailers in the US are run by government agencies and that the most popular remailers in France and Germany are also run by government agencies.

What Mr. Viktor Mayer-Schoenberger reported as facts are his interpretations. Our comments were of a general academic nature. We were not attributing remailer activities to any specific governments, but rather commenting on the general situation where much of the research on the use of networks has been paid for by governments and therefore one can assume that they would know how to make use of such facilities.

We have no specific knowledge of any particular agency of any government offering remailers services. Whether or how they use remailers is not known to us. Online users just need to be "aware of the risks."

Paul A. Strassmann, National Defense University
William J. Marlow, SAIC

------------------------------

From: "Prof. L. P. Levine"
Date: 12 Mar 1996 10:33:09 -0600 (CST)
Subject: Re: CIA & NSA run remailers
Organization: University of Wisconsin-Milwaukee

Taken from RISKS-LIST: Risks-Forum Digest Monday 11 March 1996 Volume 17 : Issue 88
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

From: Raph Levien
Date: 11 Mar 1996 13:42:55 -0800
Subject: Re: CIA & NSA run remailers (Mayer-Schoenberger, RISKS-17.87)

As the maintainer of a remailer-list, I felt I should respond to this. Strassmann and Marlow have lately been getting quite a bit of press spreading anti-remailer fear, uncertainty and doubt. Almost all of it is inaccurate.

It is certainly possible that governments are running remailers. Personally, I tend to doubt it, but that's just because I know most of the remailer operators.
Even if governments were running remailers, the use of a chain of remailers, rather than just one, protects against compromise of identity even if one or more remailers are compromised. It suffices that one of the remailers in the chain is honest.

It certainly isn't the case that the most popular remailers in France and Germany are run by government agencies. Maybe if there were remailers in these countries, they would be, but there aren't. There used to be one in Germany, but it's no longer operating. There's never been one in France. If there were, it would be quite illegal, due to the French crypto restrictions.

The ability to crack 1000-bit keys would represent a major advance in factoring technology. 1024-bit keys are less than an order of magnitude more effort to crack than 1000, so recommending them in face of 1000-bit keys having been cracked is ridiculous. The current record for factoring an RSA key is still RSA-129, which is only about 428 bits. Advances in factoring are expected, but most people figure 1000 bits is a long way away.

[... don't forget that if you can monitor and compare the incoming and outgoing mail from an anonymous remailer, ... PGN]

Remailers come in three different grades of security, depending on how sophisticated a client is used. Low grade remailers, including the popular anon.penet.fi, are subject to simple comparison of incoming and outgoing messages. So-called type-1 remailers use PGP encryption, so they are not vulnerable to this attack, but can be analyzed by correlating the size of incoming and outgoing messages. The Mixmaster remailers, by Lance Cottrell, are based on David Chaum's original digital-mix theory, and can't be size-correlated either.

I can't guarantee that the remailer network is secure, but I feel that ease-of-use, reliability, and vulnerability to spamming are greater concerns at this point. Not to mention misinformation.

--
Raph Levien

------------------------------

From: "Declan B. McCullagh"
Date: 14 Mar 1996 13:24:57 -0500 (EST)
Subject: Washington Post Editorial on DejaNews

I admit I'm a bit surprised by this editorial. It doesn't mention two possible solutions for this "unnerving new technology" of DejaNews/AltaVista: anonymity and pseudonymity.

Also, driving "adult" conversations onto mailing lists is not a good thing technically, since mailing lists don't scale as well as USENET. Socially, forcing conversations off USENET will only make it more difficult for new users to participate.

Legally -- well, how can an operator of a mailing list judge whether a new subscriber is a minor or not? If the list is open (such as the forthcoming fight-censorship-announce will be), anyone can join -- just like USENET, with just the same problems. If the list is closed, then the operator would have the terrible burden of checking IDs for new subscribers. This is impractical, as I say in my affidavit discussing this list:

http://fight-censorship.dementia.org/top/

-Declan

-----------------------------------------------------------------------

The Washington Post
Editorial
March 14, 1996

Public Cyberspace

TECHNOLOGY, STILL on the move, has a way of changing the terms of debate over whether and how cyberspace can or should be regulated. The latest example is the emergence of an unnerving new technology that goes by the name Deja News. Deja News is an Internet search program that is capable, when fed a name, of retrieving every instance of that name's having been mentioned anywhere in the public areas of cyberspace -- including many, such as the so-called newsgroups and bulletin boards, that participants have been accustomed to treat as ordinary conversations that vanish into the ether after a few days.
Since a fair number of these newsgroups have sprung up for the purpose of hosting conversations on off-color topics, a great many people are now in roughly the position of those Bush White House officials who didn't know that the system was saving copies of their e-mail about Iran-contra.

It's not that the conversations in question are necessarily about anything illegal. But, as with the scanners that feed your grocery-buying preferences into a database and send you catalogues based on what you buy, or the telephone companies that sell your name and profile to a dozen junk-mail cooperatives, this self-cataloguing Internet presents a rather different sort of "space" and "speech" from what many using it have imagined till now.

One likely short-term effect will be to drive a lot of conversation out of the public areas that worry the would-be censors -- such as the 200 newsgroups that the Internet provider Compuserve briefly blocked from access at the request of nervous prosecutors in southern Germany -- and into protected spaces such as e-mail subscription lists. With any luck it will not only undercut the argument for censorship of the sort now under court challenge (the Communications Decency Law, which would criminalize the transmission of what is characterized as indecent material to minors) but render it entirely beside the point.

The arrival of such technologies as Deja News underlines the strange nature of speech on the Internet and the new ways in which it divides up -- not just into the familiar divisions of private vs. public but into a new category that might be called super-public. In this category, what appear to be ordinary conversations turn out to be a lot more like electronic newspaper archives, existing in a sort of eternal present for anyone who happens to have the right tools.
------------------------------

From: lachman@netcom.com (Hans Lachman)
Date: 15 Mar 1996 11:32:47 GMT
Subject: Re: 800 ANI
Organization: Agency for the Prevention of Evil
References:

I had a debate about all this with someone on comp.dcom.telecom a couple years ago, and the debate ended with him saying that he knows more about telecom than I do, and it's just not technically feasible to implement these features in the telephone network (i.e., ANI blocking option for the caller, and call rejection option for the 800 number owner). All I can say is that, if that's the case, then the telecom industry ought to hire better design engineers.

johnl@iecc.com (John R Levine) writes:

Well, if we were designing the world's telephone system de novo, there's a lot we might do differently. That's why CLID, which is new, has blocking options while ANI, which is much older, doesn't. [snip]

This is exactly the attitude I was complaining about, i.e., "we're not going to solve the problem because..." vs. "here's how the problem can be solved...."

Don't give up so easily. You don't need to redesign the world's telephone system from scratch in order to solve the problem. Here's an idea. Phase in CLID as the method by which 800 number owners get the caller's number. Then blocking will apply.

OK, I'll save everyone the trouble of telling me why this won't work by saying I'm not a telecom expert and I'm just guessing. I'd instead like to hear from telecom experts who are creative and persistent enough to produce ideas as to how to solve the problem and reduce the cost of the solution, and not "no can do".

I'd like to think one of the reasons we have comp.society.privacy and similar newsgroups is to discuss how to get technology to conform to the needs of human beings, not the other way around.
If the telecom industry is capable of implementing ISDN, CLID, and other even more frivolous features without redesigning the world, and without breaking the bank, then I'm sure they can also find a way to implement a *67-like feature that uniformly suppresses the caller's number, as users expect.

We're already past the question of whether the phone system should work the way people want; the answer is "yes". The question is how to achieve this goal. Well?

--
Hans Lachman

------------------------------

From: softwa19@us.net (Charles R. Smith)
Date: 15 Mar 1996 20:14:20 GMT
Subject: Re: Social Security Number Misuse
Organization: US Net, Incorporated
References:

anonymous wrote:

I remember a discussion back when I was sitting in Administrative Law class some years ago to the effect that, technically, the SSN authorizing legislation prohibits the use of SSNs for ANY purpose, including driver's licenses. If I remember correctly, that's still on the books, though widely disregarded.

This law is dodged by the mis-identification of the SSN number as a "control number" in most states. A new law just went into effect here in Virginia as of Jan. 1, 1996, giving people the OPTION to ask for a random generated Drivers License Number instead of taking their SSN. This cost quite a bit in programming but so far over 300,000 people have elected the random number. The biggest problem so far has been trying to associate the new random numbers with the real SSN for tax purposes.

Additional information follows on NCIC SSN uses:

National Crime Information Center - (Much like the Internet but for law enforcement only)

NCIC is a nation wide network of computers made up of local, state and federal systems. This system is tied to DMV information in all 50 states, holding plate, driver, Vehicle ID number and other auto related data. It is also tied to the FBI crime information center which contains wanted information and all criminal histories.
It has access to all boat registration, plane registration and fire-arms registrations. Other users of NCIC information are the IRS, CIA, NSA, BATF, and most state welfare and taxation agencies.

NCIC has been used by an Arizona law enforcement official to find his ex-girl friend and kill her. NCIC assisted a drug gang in Pennsylvania identify narcotics agents. NCIC has been used by Private Detectives to obtain information for political purposes.

Most NCIC data is available only through special terminals and passwords hooked up to this private network. However, even after data is transmitted over a secure network, local dispatchers pass this data to front line officers over open radio systems. This fault has been used here in Virginia to obtain clean names and SSNs for criminals to buy guns.

Some agencies with NCIC computers also have connections to the Internet, leaving them open for possible hacker attack. I fought what seemed like an endless battle with state officials here in Virginia in 1994 to NOT hook any NCIC systems or data to the INTERNET. Although, the natural inclination was to join the crowd, I was finally able to convince them that doing so was a risk not worth taking. This was done during the State mandated Internet study when I questioned Maryland Officials about security. They admitted that their SAILOR (a public Internet connection) system had been used to penetrate the computers of a U.S. nuclear power plant. Thus a direct link with NCIC died in Virginia.

In November, 1993, a local couple was murdered in their home in what was discovered later to be a drug related crime. The police were able to catch the killers because they found the couple's stolen car outside an apartment complex. However, during the stake-out, the police used their radio for a NCIC inquiry. A local TV station overheard the call and put their live TV broadcast van on the spot in minutes. The police were able to catch the two killers while dodging the TV reporters.
Fortunately, no one was killed.

Ten days later I demonstrated to Commander Lew Moore, head of Communications for Chesterfield County Police, my on-line ciphering software. I demonstrated secure data, graphics and VOC (voice) file transfer, and playback, noting the fact that he had 100 cellular phones and 30 laptops already available. I even pointed out proudly that it could be used with packet radio modems easily adapted to his radios. I even offered to let them have the software for free.

His response... "Well, that's nice but I really don't know what we would use it for."

SOURCES:

NCIC details of operation, disclaimer, size and on-line agencies: NCIC Users Manual - FBI, J.Edgar Hoover Bld., Washington, D.C.

NCIC abuses: John P. McPartlin, "GAO: FBI BREACH IS AN INSIDE JOB", Information Week, Sept. 9th, 1993

Winn Schwartau, "INFORMATION WARFARE", Thunder's Mouth Press, 1994 ISBN 1-56025-080-1

Use of SAILOR to penetrate US nuclear reactor computer - Barbara G. Smith, Manager Maryland State Library SAILOR Internet Project. VA INTERNET STUDY COMMITTEE MEETING, August 25, 1994, Summary of Minutes (Call Va. Dept of Information Technology for complete minutes at 804-344-5550)

--
Charles R. Smith
SOFTWAR - Richmond, VA
http://www.ultimate.org/2292/

------------------------------

From: rja14@turing.newton.cam.ac.uk (R.J. Anderson)
Date: 16 Mar 1996 12:16:51 GMT
Subject: Call for papers - personal information
Organization: Isaac Newton Institute, University of Cambridge

PERSONAL INFORMATION - SECURITY, ENGINEERING AND ETHICS
21-22 June, 1996
Isaac Newton Institute, Cambridge

FIRST CALL FOR PAPERS

Many organisations are building computer networks that will share medical records and other highly sensitive personal information. This has led to debate in the UK, the USA, Germany and elsewhere over both the propriety of such information sharing and the technical measures that are necessary to control it.
The debate has shown how little we understand about the protection of personal information. Most existing models of computer security were developed for applications in banking and commerce or for the military and intelligence communities. There the goal of confidentiality is to protect the organisation's assets and operations. With personal information, on the other hand, the goal is to uphold the rights of the individual, and to facilitate professional practice in line with established codes of ethics. It is becoming clear that systems cannot adequately protect medical records and other personal information by blindly following the banking and military paradigms of computer security. A fresh approach is needed. For this reason, the British Medical Association is sponsoring a two day colloquium at the Isaac Newton Institute, Cambridge, whose goal is to bring together people interested in the protection of personal information with computer security professionals. Topics of interest include the interaction between privacy and safety, security and safety policy, technical aspects, practice in different countries, the tension between clinicians and researchers, privacy in other systems (such as those supporting legal practice), the philosophy of privacy, and the regulation of access to personal information by administrators and law officers. 
Programme committee: Ross Anderson (Cambridge University, UK) Dave Banisar (Electronic Privacy Information Center, USA) Gerrit Bleumer (University of Hildesheim, Germany) Paula Bruening (formerly Office of Technology Assessment, USA) Ian Cheong (Royal Australian College of General Practitioners, Australia) Fleur Fisher (British Medical Association, UK) Elizabeth France (Data Protection Registrar, UK) Bob Frankford (formerly Ontario Legislature, Canada) Peter Landrock (Aarhus University, Denmark) Robert Morris (NSA, USA and Cambridge University, UK) Roderick Neame (Health Information Consulting, New Zealand) Roger Needham (Cambridge University, UK) Beverly Woodward (ACLU Massachusetts and Brandeis University, USA) Instructions for authors: Interested parties are invited to submit papers electronically (ascii, latex or postscript) or in paper form; in the latter case, send twelve copies suitable for blind refereeing (the authors' names should be on a separate cover sheet and there should be no obvious references). Papers should not exceed fifteen pages in length. Addresses for submission: rja14@newton.cam.ac.uk Dr Ross Anderson Isaac Newton Institute 20 Clarkson Road Cambridge CB3 0EH, England Deadlines: Paper submission: 10th May 1996 Notification of acceptance: 3rd June 1996 Camera-ready copy for proceedings: 17th June 1996 ------------------------------ From: Monty Solomon Date: 16 Mar 1996 16:07:18 -0500 Subject: Online Parental Control Act of 1996 Begin forwarded message: From: telstar@wired.com (--Todd Lappin-->) Date: 15 Mar 1996 16:48:54 -0800 To: telstar@wired.com Subject: BACKGROUNDER: "Harmful to Minors" I bring more detail about the "harmful to minors" standard used in the "Online Parental Control Act of 1996," introduced by Rep. Anna Eshoo (D-CA) on March 14. With a few phone calls and a lot of very valuable assistance advice from members of this mailing list, I've been able to track down some specifics regarding the "harmful to minors" standard. 
If passed, Eshoo's legislation would supersede the Communications Decency Act. Eric M. Freedman, a professor of Constitutional Law at the Hofstra University School of Law, explains that the "harmful to minors" standard is essentially a modified version of the "obscenity" test laid out by the Supreme Court in Miller v. California in 1973. (As always, it's important to remember that obscene material does NOT enjoy First Amendment protection.) The "harmful to minors" standard basically adds a few caveats to the "obscenity" standard laid out in Miller. The net effect is to create a standard for children that is slightly more broad than the one used to judge content designed for adults. As Professor Freedman describes it, "harmful to minors" is predicated on "the concept of 'variable obscenity,' meaning that some material that is not obscene as to adults may be obscene as to children." This is the text of the "Harmful to Minors" standard as it is defined in the Online Parental Control Act of 1996: -------------------------------------------------------------------------- "(5) HARMFUL TO MINORS--The term "harmful to minors" means sexually explicit matter which meets all of the following criteria: (A) Considered as a whole, the matter appeals to the prurient interest of minors. (B) The matter is patently offensive as determined by contemporary local community standards in terms of what is suitable for minors. (C) Considered as a whole, the matter lacks serious literary, artistic, political, educational or scientific value for minors. -------------------------------------------------------------------------- Compare this with the three-part legal test laid out in Miller v. California, and you'll see that they are very similar. 
Miller defines "obscene" material as that which a) depicts sexual or excretory acts listed in a state obscenity statute, b) depicts those acts in a "patently offensive" manner, appealing to the "prurient interest," as judged by a reasonable person applying the standards of the community, and c) lacks "serious" literary, artistic, social, political, or scientific value. (As an aside, I'll mention that applying the criteria of offensiveness "as determined by contemporary local community standards" remains thorny. The question of *which* community's standards should apply becomes an obvious issue when you're dealing with a medium such as the Internet which facilitates global distribution. I'll dig into this more deeply in a forthcoming bulletin.) The language used to define "harmful to minors" in the Online Parental Control Act of 1996 differs slightly from language used to define the standard in the past. This is an excerpt from a CDT Policy Post, dated Dec 4, 1995: -------------------------------------------------------------------------- III. BACKGROUND ON THE "HARMFUL TO MINORS" STANDARD (Available at http://www.cdt.org/publications/pp311204.html) Harmful to minors is an intermediate standard between indecency and obscenity. It is essentially material that is obscene to a minor. It has been used in 48 state statutes and has been ruled constitutional by the Supreme Court. 
It is defined as follows: "'harmful to minors' means any communications or material that is obscene or that: (a) taken as a whole, and with respect to minors, appeals to a prurient interest in nudity, sex, or excretion; (b) depicts, represents, or describes in a patently offensive way with respect to what is suitable for minors, ultimate sexual acts, normal or perverted, actual or simulated, sado-masochistic acts or abuse; or lewd exhibition of the genitals, pubic area, buttocks, or post-pubertal female breasts; and (c) taken as a whole, lacks serious literary, artistic, political, or scientific value for minors. Materials that would be acceptable under this standard include the text of Catcher in the Rye, Ulysses, the use of the "7 dirty words" in context, and works of art which contain nudity. These same materials would be prohibited under an "indecency" standard -------------------------------------------------------------------------- Notice that the Online Parental Control Act of 1996 replaces the specific kinds of prohibitions laid out in section (b) of the "harmful to minors" standard ("ultimate sexual acts, normal or perverted, actual or simulated, sado-masochistic acts or abuse..." etc.) with a more general category of "patently offensive" speech. This warrants further scrutiny, but for now I can say this: The definition of "patently offensive" speech is currently ambiguous. For example, under the injunction blocking full implementation of the Communications Decency Act, the Department of Justice is enjoined from enforcing the "indecency" standard, but permitted to enforce the "patently offensive" standard. Previously, the assumption had been that "indecent" and "patently offensive" are legal synonyms. Oy. So much semantics... It gives me vertigo. Nevertheless, for the moment let's assume that the pre-existing definition of "harmful to minors" is *functionally equivalent* to the one used in the Online Parental Control Act. 
As CDT observed in their Policy Post above, "harmful to minors" opens the door to categories of speech that would otherwise be blocked under the more broad "indecency" standard. Most notably, the "harmful to minors" standard permits the publication of works that have "serious literary, artistic, political, or scientific value for minors." As Professor Freedman explained to me, "The underlying purpose of the 'harmful to minors' standard is to say that you cannot altogether ban certain types of speech. It means that you must somehow segregate 'harmful' material so minors will not be exposed to it, but it also specifies that you can't remove it from circulation altogether." For example, it is largely in virtue of the "harmful to minors" standard that some localities require copies of Hustler Magazine to be displayed out of reach of children. But even then, the general sale and distribution of Hustler is permitted for adults. Professor Freedman cites the following example: "Suppose, for example, a film of a woman compulsively masturbating. This might have serious scientific value to adults, because it may be the film of a patient in a mental hospital with a sexual disorder that the scientific community is trying to cure; thus, it could not be banned as obscene. However, the legislature could decide that it had no scientific value to an audience of children, and thus ban it as "harmful to minors," meaning, more accurately "obscene as to minors." He goes on to say, "The rule is that in applying the Miller test for that which is obscene, you may broaden it slightly to cover material that meets the test with regard to children although not with regard to adults." Freedman adds, "When this has come up in subsequent cases (American Booksellers v. 
Va., 484 US 483 (1988)) the focus has been pro-speech, on making sure that any such statute is not applied so as to reduce the entire adult population to reading only that which is fit for children, an effect which the court said in the American Booksellers case 'this court has repeatedly held' to be unconstitutional." And as a practical matter, Freedman notes that when the "harmful to minors" standard is used, law enforcement authorities *usually* focus on egregious violations of the code, as opposed to "borderline" cases. Finally, Mike Godwin from the Electronic Frontier Foundation comments, "The good thing about 'harmful to minors' is that it acknowledges that literary, artistic, political, or scientific value needs to be protected, and that these should always be significant factors in determining what kind of material should be criminalized. The downside is that it creates uncertainty regarding the applicability of community standards to a medium in which everyone is connected to one another globally. Also, the standard does not address the variable maturity of minors, given that what's appropriate for a 17 year-old may not be appropriate to a 7 year-old." --Todd Lappin--> Section Editor WIRED Magazine --+--+--+--+--+--+--+--+--+--+--+--+--+--+- This transmission was brought to you by.... THE CDA INFORMATION NETWORK The CDA Information Network is a moderated mailing list providing up-to-the-minute bulletins and background on efforts to overturn the Communications Decency Act. To subscribe, send email to with "subscribe cda-bulletin" in the message body. WARNING: This is not a test! WARNING: This is not a drill! +--+--+--+--+--+--+--+--+--+--+--+--+--+--+- ------------------------------ From: "Prof. L. P. Levine" Date: 17 Mar 1996 09:40:02 -0600 (CST) Subject: Info on CPD [unchanged since 11/22/95] Organization: University of Wisconsin-Milwaukee The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. 
The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply. If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below. On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing. Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors. Contributions generally are acknowledged within 24 hours of submission. 
If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the Subject: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit the text except for purely technical reasons. A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy". People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Web browsers will find it at gopher://gopher.cs.uwm.edu. ---------------------------------+----------------------------------------- Leonard P. Levine | Moderator of: Computer Privacy Digest Professor of Computer Science | and comp.society.privacy University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu | Gopher: gopher.cs.uwm.edu levine@cs.uwm.edu | Web: gopher://gopher.cs.uwm.edu ---------------------------------+----------------------------------------- ------------------------------ End of Computer Privacy Digest V8 #024 ****************************** .