Date: Fri, 22 Mar 96 10:38:21 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@uwm.edu Subject: Computer Privacy Digest V8#026 Computer Privacy Digest Fri, 22 Mar 96 Volume 8 : Issue: 026 Today's Topics: Moderator: Leonard P. Levine Re: MS Internet Assistant Cache Re: MS Internet Assistant Cache Re: MS Internet Assistant Cache Re: Netscape Problems Re: 800 ANI Re: 800 ANI More on SSNs More on SSNs An Excellent Pro-Individual Rights Listserv All Brothers May Be Watching Us Privacy in Cyberspace Privacy and Electronic Commerce [from CUD] PGP and Human Rights [long] Info on CPD [unchanged since 11/22/95] ---------------------------------------------------------------------- From: huggins@tarski.eecs.umich.edu (James K. Huggins) Date: 19 Mar 1996 13:02:35 -0500 Subject: Re: MS Internet Assistant Cache Organization: University of Michigan EECS Dept., Ann Arbor, MI References: Shannon Wenzel writes: I have begun learning HTML programming. In order to place an example graphic on an HTML page, I thought I would scan my harddisk for a suitable GIF or JPEG image. In Win95, I lauched the FIND utility and typed *.GIF. In seconds, a huge list of GIFS scolled across the screen. I though this was odd so I wen to the directory. To rephrase someone ... it's not a bug, it's a feature. Netscape (which I use: I don't have Win95) sets aside a cache directory where it dumps all the files that it reads. Why it's a feature: you can configure your browser so that it doesn't necessarily need to re-download a file if you re-access it but it hasn't changed --- which can be quite helpful if you're running over a slow modem or you pay for connect charges by the minute. Netscape does allow you to change the size of the cache (even to set it to 0), and to change how it uses the cache. I don't know if MS Internet Assistant does so as well, but I would guess it might be possible. As to the "unscrupulous" uses of such: standard HTML shouldn't do anything nasty like virus delivery. Java does have some small security problems (which are being addressed); check out comp.lang.java for starters. -- Jim Huggins, Univ. of Michigan huggins@umich.edu (PGP key available upon request) W. Bingham Hunter ------------------------------ From: "Prof. L. P. Levine" Date: 19 Mar 1996 14:20:20 -0600 (CST) Subject: Re: MS Internet Assistant Cache Organization: University of Wisconsin-Milwaukee James K. Huggins points out: Netscape does allow you to change the size of the cache (even to set it to 0), and to change how it uses the cache. I don't know if MS Internet Assistant does so as well, but I would guess it might be possible. Another side point. Copyright usually is interpreted as allowing a download of a file for viewing and reading. It usually is interpreted as not allowing the copying of the file for reprinting and further publication. This caching of a file (both images and text files are cached) for later reloading to speed up review of an already viewed page or picture permits (encourages?) the storage of files that might well have been released only for viewing. The law is far from clear here. As an example, one might look at the home page for Peter, Paul and Mary (http://www.magick.net/%7Eppm/) where the owner of the data has a clear copyright notice: Portions of these pages, and all contents, are Copyright (C) 1995 by Magick Net, Inc. or Warner Bro. Have I violated the copyright by the simple act of viewing the home page? Have I violated it by the automatic caching done in my little PC? If I include the picture in my web page have I done it? If I save and print the lovely photo on that page have I done it? Finally, what if I sell copies? -- Leonard P. Levine e-mail levine@cs.uwm.edu Professor, Computer Science Office 1-414-229-5170 University of Wisconsin-Milwaukee Fax 1-414-229-2769 Box 784, Milwaukee, WI 53201 PGP Public Key: finger llevine@blatz.cs.uwm.edu ------------------------------ From: Mark.E.Anderson@att.com (Mark Anderson) Date: 20 Mar 1996 14:03:36 -0600 Subject: Re: MS Internet Assistant Cache Shannon Wenzel said: Has anyone else had experience with this? I am concerned about "virus" delivery or some other unscrupulous use of such technology. Call me paranoid but I wouldn't store any sensitive data (like credit card info, home finances, ...) on any PC that can open an active TCP session. There are so many unknown back doors and viruses out there that would make it relatively easy for someone to snoop around your system. Just look at how many security holes were found in operating systems such as Unix (tm) throughout the years. I can imagine hackers (some probably working for reputable software companies) having a field day downloading select info from your hard drive without your knowledge. -- Mark Anderson mea@ihgp.att.com ------------------------------ From: Chris Kocur Date: 19 Mar 1996 18:15:55 GMT Subject: Re: Netscape Problems Organization: JCPenney References: "Prof. L. P. Levine" wrote: A quick test on my local machine shows that this will send a message to nasty@secret.org with the subject gotcha and the body "hi=there". This is insidious; it means that E-mail messages, purportedly from me (and all traces will show they really are from me) can be sent anywhere, without my knowledge, with contents that I do not approve. Further, it means that I can no longer count on browsing a site without my userid being disclosed. Unlike Java, there is no way to disable this. [Also been submitted to Netscape.] Well one way to disable it is to update your Netscape mail preferences and remove or invalidate the 'Mail (SMTP) Server' entry. Not only will the mail not send, but you'll get an error message when a message is attempted. The downside of course is that you can't mail anything from inside of Netscape until you reenter the mail server. Definitely an inconvenience, more so for some than others, but at least nothing will get mailed out without your knowledge. -- Regards, Chris #include I can do it quick; I can do it well; I can do it cheap -- pick any two. -- Red Adair ckocur@jcpenney.com (work), ckocur@plano.net (home) ------------------------------ From: Bruce.Taylor@hedb.uib.no (Bruce Taylor) Date: 20 Mar 1996 17:55:40 GMT Subject: Re: 800 ANI Organization: Computing Section, Faculty of Arts, University of Bergen, Norway References: johnl@iecc.com (John R Levine) writes: Dumb but true: US companies put ads in European magazines with the only contact number an 800 number you can't call from Europe. Prior to about 1992 I was unable to put through a call from Norway to an 800 number in North America. I tried again about a year ago - these days it works. Of course I pay international rates for the call. -- Bruce Bruce Taylor Bruce.Taylor@hedb.uib.no Det historisk-filosofiske fakultets edb-seksjon voice: +47.55.212348 Universitetet i Bergen, Norway fax: +47.55.231897 ------------------------------ From: wrf@ecse.rpi.edu (Wm. Randolph U Franklin) Date: 22 Mar 1996 00:31:26 GMT Subject: Re: 800 ANI Organization: ECSE Dept, Rensselaer Polytechnic Institute, Troy, NY, 12180 USA References: wbe@psr.com (Winston Edmond) writes: The policy is that the one who pays for the call is entitled to enough information to determine whether or not their bill is correct. "Somebody, somewhere, but we're not going to tell you who or where, called and you owe us $5 for the call" isn't an acceptable billing practice. However, I've heard that this was always the billing practice in Europe, partly driven by their concern for privacy. Each account had a meter to record total long distance charges, The actual called numbers were not stored. Each month, you got a very simple bill, containing just a total amount, from the PTT. Dunno whether that's still the case over there. Of course, they now have the prepaid calling cards, for which, it's been reported, all the numbers called are recorded. My general point here is that different societies can make quite different privacy/accountability tradeoffs. -- Wm. Randolph Franklin wrf@ecse.rpi.edu ECSE Dept., 6026 JEC, Rensselaer Polytechnic Inst, Troy NY, 12180 USA ------------------------------ From: Robert Gellman Date: 20 Mar 1996 13:36:54 -0500 (EST) Subject: More on SSNs curunir@deltanet.com wrote Two items: How did the codification miss that particular section? I thought codification took the public law word for word into the US Code... Public laws and US code are not necessarily the same thing, and there are many public laws that are uncodified. I could offer a longer explanation, but codification policy and practice is pretty dull. Second, my employer demands I get an airport ID at the Long Beach Airport. In the absence of a privacy act disclosure statement, I refused to give my SSAN. Now they're demanding it again. I think they probably qualify under one of the exceptions (as a polic agency), but it seems to me that they still have to give out a disclosure notice. Showing them a copy of the law simply does not impress them - no SSAN, no ID. The airport authority may or may not be a governmental organization. Assuming that it is, you are free to complain and point to the law. You are right about the disclosure notice, as far as I know. (There might be some anti-hijacking law that grants an exemption, but that is rank speculation.) The SSN provision of the privacy act has no enforcement provision. Why not write to the general counsel for the airport and provide a copy of the law? Odds are that they never heard of it. There have been some successful court challenges to governmental violations, but that is a lot of trouble and expense. + + + + + + + + + + + + + + + + + + + + + + + + + + Robert Gellman rgellman@cais.com + + Privacy and Information Policy Consultant + + 431 Fifth Street S.E. + + Washington, DC 20003 + + 202-543-7923 (phone) 202-547-8287 (fax) + + + + + + + + + + + + + + + + + + + + + + + + + + ------------------------------ From: kfarrell@brainiac.com (Kevin J.Farrell) Date: 20 Mar 96 23:39:42 EST Subject: More on SSNs If some other form of identification is used instead of the SSN we will still have the same problem. I heard there is talk of using a some form of a National ID number for all Americans. Privacy is gone today. Kevin J. Farrell ------------------------------ From: jwarren@well.com (Jim Warren) Date: 20 Mar 1996 13:40:36 -0800 Subject: An Excellent Pro-Individual Rights Listserv I recommend this relatively new list -- informative, provocative, worthwhile. -- Jim Warren, GovAccess list-owner/editor (jwarren@well.com) Advocate & columnist, MicroTimes, Government Technology, etc. =========================== New Mailing List Freematt's Alerts; Pro-Individual Rights Issues. Freematt's Alerts is a private moderated list dealing with pro-individual rights issues. Special attention is given to censorship and free speech concerns. (Volume of 7-15 messages per week). To subscribe send a blank message to freematt@coil.com with the words Subscribe FA in the subject field. List is owned by Matthew Gaylor . Send any questions or comments to Matthew Gaylor ============================ ------------------------------ From: wjanssen@cs.vu.nl (Wouter Janssen) Date: 21 Mar 1996 09:30:52 GMT Subject: All Brothers May Be Watching Us Organization: Fac. Wiskunde & Informatica, VU, Amsterdam Big Brother is watching us? Probably, I don't know for sure, I'm just careful :) but did you know just anybody can search a database and see what articles you posted on which newsgroups lately? I didn't untill I found out about DeJaNews. An on-line database on WWW where you can enter keywords to search on some specific topic. However, usernames are topics too! Many of you probably knew about this, but in case you didn't be warned when you post something! (btw, the URL for DeJaNews = http://www.dejanews.com/forms/dnq.html) --------------------------------------------------------------------- In real life : Wouter Janssen | Just because you're paranoid E-mail : wjanssen@cs.vu.nl | Don't mean they're not after you Irc : Tijgertje | URL: http://www.cs.vu.nl/~wjanssen/| (K. Cobain) PGPkey : mail to wjanssen=pgp@cs.vu.nl --------------------------------------------------------------------- ------------------------------ From: jonl@well.sf.ca.us (Jon Lebkowsky) Date: 21 Mar 1996 19:24:48 GMT Subject: Privacy in Cyberspace Organization: The Whole Earth 'Lectronic Link, Sausalito, CA Electronic Frontiers Forum at HotWired's Club Wired Thursday, March 21, 1996 7PM PST PRIVACY IN CYBERSPACE Sameer Parekh, included on Newsweek's list of the "50 people who matter most on the Internet," is an information-age renaissance blend of programmer, entrepreneur, and activist. His company Community Connexion (http://www.c2.org) has implemented an infrastructure supporting completely private internet mail, a kind of anonymity server. Join Sameer Parekh and Jon Lebkowsky for a lively discussion of the technological and sociopolitical issues of privacy in cyberspace. Access to the Electronic Frontiers Forum in Club Wired at HotWired is by telnet to chat.wired.com:2428, or you can go to http://www.hotwired.com/club and click on "Enter Club Wired." A login is required, but free and easy to get. Login's also required to post to Threads, HotWired's asynchronous conferencing system. Otherwise you can read transcripts and other pages at HotWired without logging in. -- Jon Lebkowsky http://www.well.com/~jonl Electronic Frontiers Forum, 7PM PST Thursdays ------------------------------ From: collins@ait.nrl.navy.mil (Joe Collins) Date: 21 Mar 1996 17:46:27 -0500 Subject: Privacy and Electronic Commerce Organization: Naval Research Laboratory Privacy & Electronic Commerce The Risk: With respect to protecting privacy, the genie is certainly out of the bottle in the failure to restrict use of social security numbers. Abuse of SSNs, however, is not the worst we may see of this kind of problem. In order to mediate electronic commerce, in the near future we will have cryptographic key identifiers that, as proposed, will be inextricably bound to personal information. The need for this binding is essential: without the ability to identify (and locate) a legal person, one cannot enforce contractual agreements. The danger of the widespread use of these cryptographic keys results from the power of the computer. The only feasible use of these keys is electronic- i.e., there is no "air gap" as there is with the use of SSNs. The result is that our key will be known by everyone with whom we do electronic commerce and they will have it in their database. They will also have a great assurance that there is no error in the key, and consequently they will know who we are. Electronic commerce is a convenience that is enabled by these cryptographic authentication methods. These same methods can also create an equally inconvenient, even dangerous threat to privacy: when an individual loses control of personal and identifying information, his personal security is compromised. This was less true when our local community was small but, with computers and the internet, the local community is limited only by the population of the earth. There is an essential conflict between the need to protect privacy and the need to provide identification (or authentication). The Fix There are many possible fixes. Probably the most likely is the institution of private "privacy brokers". A privacy broker would act as a broker that mediates any secure transaction an individual would like to make. Methods would include such things as performing the transactions in the broker's name or issuing and providing certification for one-time cryptographic keys. The necessary identification security features may be provided by having the broker maintain the appropriate logs of subscriber activities or records of the keys issued to a subscriber. Privacy is maintained by not releasing any personal information or activity information except in limited fashion and in accordance with an appropriate security policy. While many might identify the cypherpunk anonymous remailers as examples of privacy brokers, their general practice of full anonymity does not allow for legal accountability. Public and commercial acceptance of privacy brokers will require more moderate security policies that both protect privacy and ensure accountability. -- Joe Collins ------------------------------ From: "Prof. L. P. Levine" Date: 19 Mar 1996 11:30:44 -0600 (CST) Subject: [from CUD] PGP and Human Rights [long] Organization: University of Wisconsin-Milwaukee Taken from Computer underground Digest Mon Mar 18, 1996 Volume 8:Issue 21 ISSN 1004-042X PGP and Human Rights Date--Mon, 18 Mar 1996 12:01:37 -0700 (MST) Subject--PGP and Human Rights Recently, I received the following letters by email from Central Europe. The letters provides food for thought in our public debates over the role of cryptography in the relationship between a government and its people. With the sender's permission, I am releasing the letters to the public, with the sender's name deleted, and some minor typos corrected. This material may be reposted, unmodified, to any other Usenet newsgroups that may be interested. -Philip Zimmermann From--[name and email address deleted] Date--Sat, 09 Mar 1996 19:33:00 +0000 (GMT) Subject--Thanks from Central Europe To--Philip Zimmermann Dear Phil, This is a short note to say a very big thank you for all your work with PGP. We are part of a network of not-for-profit agencies, working among other things for human rights in the Balkans. Our various offices have been raided by various police forces looking for evidence of spying or subversive activities. Our mail has been regularly tampered with and our office in Romania has a constant wiretap. Last year in Zagreb, the security police raided our office and confiscated our computers in the hope of retrieving information about the identity of people who had complained about their activites. In every instance PGP has allowed us to communicate and protect our files from any attempt to gain access to our material as we PKZIP all our files and then use PGP's conventional encryption facility to protect all sensitive files. Without PGP we would not be able to function and protect our client group. Thanks to PGP I can sleep at night knowing that no amount of prying will compromise our clients. I have even had 13 days in prison for not revealing our PGP pass phrases, but it was a very small price to pay for protecting our clients. I have always meant to write and thank you, and now I am finally doing it. PGP has a value beyond all words and my personal gratitude to you is immense. Your work protects the innocent and the weak, and as such promotes peace and justice, quite frankly you deserve the biggest medal that can be found. Please be encouraged that PGP is a considerable benefit people in need, and your work is appreciated. Could you please tell us where in Europe we can find someone who can tell us more about using PGP and upgrades etc. If you can't tell us these details because of the export restriction thing, can you point us at someone who could tell us something without compromising you. Many thanks. --- [ I sent him a response and asked him if I could disclose his inspiring letter to the press, and also possibly use it in our ongoing legislative debates regarding cryptography if the opportunity arises to make arguments in front of a Congressional committee. I also asked him to supply some real examples of how PGP is used to protect human rights. He wrote back that I can use his letters if I delete his organization's name "to protect the innocent". Then he sent me the following letter. --PRZ ] From--[name and email address deleted] Date--Mon, 18 Mar 1996 15:32:00 +0000 (GMT) Subject--More News from [Central Europe] To--Philip Zimmermann Dear Phil, I have been thinking of specific events that might be of use to your Congressional presentation. I am concerned that our brushes with Governments might be double-edged in that Congress might not like the idea of Human Rights groups avoiding Police investigation, even if such investigations violated Human Rights. However we have one case where you could highlight the value of PGP to "Good" citizens, we were working with a young woman who was being pursued by Islamic extremists. She was an ethnic Muslim from Albania who had converted to Christianity and as a result had been attacked, raped and threatened persistently with further attack. We were helping to protect her from further attack by hiding her in Hungary, and eventually we helped her travel to Holland, while in Holland she sought asylum, which was granted after the Dutch Government acknowledged that she was directly threatened with rape, harrassment and even death should her whereabouts be known to her persecutors. Two weeks before she was granted asylum, two armed men raided our office in Hungary looking for her, they tried to bring up files on our computers but were prevented from accessing her files by PGP. They took copies of the files that they believed related to her, so any simple password or ordinary encryption would eventually have been overcome. They were prepared to take the whole computer if necessary so the only real line of defence was PGP. Thanks to PGP her whereabouts and her life were protected. This incident and the young woman's circumstances are well documented. We have also had other incidents where PGP protected files and so protected innocent people. If the US confirms the dubious precedent of denying privacy in a cavalier fashion by trying to deny people PGP , it will be used as a standard by which others will then engineer the outlawing of any privacy. Partial privacy is no privacy. Our privacy should not be by the grace and favour of any Government. Mediums that ensured privacy in the past have been compromised by advances in technology, so it is only fair that they should be replaced by other secure methods of protecting our thoughts and ideas, as well as information. I wish you well with your hearing. Yours most sincerely [name deleted] --- [end of quoted material] ------------------------------ From: "Prof. L. P. Levine" Date: 17 Mar 1996 09:14:50 -0600 (CST) Subject: Info on CPD [unchanged since 11/22/95] Organization: University of Wisconsin-Milwaukee The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply. If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below. On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing. Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors. Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the Subject: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit the text except for purely technical reasons. A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy". People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Web browsers will find it at gopher://gopher.cs.uwm.edu. ---------------------------------+----------------------------------------- Leonard P. Levine | Moderator of: Computer Privacy Digest Professor of Computer Science | and comp.society.privacy University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu | Gopher: gopher.cs.uwm.edu levine@cs.uwm.edu | Web: gopher://gopher.cs.uwm.edu ---------------------------------+----------------------------------------- ------------------------------ End of Computer Privacy Digest V8 #026 ****************************** .