Date: Fri, 29 Mar 96 13:29:43 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V8#028

Computer Privacy Digest Fri, 29 Mar 96              Volume 8 : Issue: 028

Today's Topics:                         Moderator: Leonard P. Levine

    Re: The Stalker's Home Page
    Re: How Do Junk eMailers Get Addresses?
    Re: How Do Junk eMailers Get Addresses?
    Re: How Do Junk eMailers Get Addresses?
    Re: Individual RTP vs. Corporate FOS
    Re: Individual RTP vs. Corporate FOS
    Chase Bank Credit Info
    Computer Privacy
    ANI blocking
    Re: Privacy and Electronic Commerce
    USENET Reposters: Privacy and Copyright Concerns
    SSN Absurdity
    Re: All Brothers May Be Watching Us
    Re: 800 ANI
    Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: "Michael J. McClennen"
Date: 25 Mar 1996 16:34:11 -0500
Subject: Re: The Stalker's Home Page
Organization: University of Michigan EECS Dept., Ann Arbor, MI
References:

In fact, this is nothing new. The capability to find anyone anywhere in the country has existed for at least 20 years now.

Case in point: 20 years ago, my cousin fled an abusive relationship in California. For the next four years, until she found someone able to protect her, she was regularly visited and threatened by this man. No matter where she moved (or how far off the beaten path) he was always able to find her within a few months.

All this technology does is make available to the casual user the kinds of information that were formerly available to anyone willing to track down the right sources and pay the right fees or bribes.

--
Michael McClennen

------------------------------

From: "Chris W. Rea [UL]"
Date: 25 Mar 1996 18:13:11 -0500
Subject: Re: How Do Junk eMailers Get Addresses?
Organization: Erindale College, University of Toronto, Canada
References:

Lee wrote:

    I'd also appreciate if someone tell basic facts about how they get other people's email addresses.

There are many ways that unscrupulous advertisers can get ahold of email addresses:

1) Some sites have lists of users available through gopher, WWW, etc. The idea is to have some kind of address book to make the lives of people who actually want to get in touch with _you_ easier. Your system administrators mean well, but unscrupulous advertisers can copy these lists. This is why some sites choose not to have such a service.

2) Unscrupulous advertisers can rip out your email address from any news that you post to Usenet.

3) If you are on any public mailing list, unscrupulous advertisers can join these and pilfer the names of any posters to the list.

4) Using a list of sites and finger, unscrupulous advertisers can see if your system gives a list of online users when fingered. New addresses can then be added to their master list. Some sites only allow fingering a specific user ID, and don't give a list of all online users.

There are automated ways of doing the above, so it is quite easy for somebody to get hundreds of email addresses per minute. Unscrupulous advertisers who don't want to go to so much trouble can probably buy such a list from somebody else.

I use a program that screens incoming mail, and directs anything from people I don't know to a secondary folder. It also sorts mail that is directly addressed to me differently from mail that is only CC'd to me or that is addressed to multiple recipients.

Also, when I get such a message, I send a request to the remote site's administrator asking them to please inform the user who sent the unsolicited mail to please not do so again.

If the mail is coming from somebody in the same country/state/province as you, you might have recourse if your local harassment laws are strict enough. Of course, I don't think these would count for first offenses. If you do ask somebody to not mail you, and they do it again and again, you might have a legal option. But I'm not a lawyer, so I don't know. :-)

--
[ CHRIS W. REA [UL]     UofT CompSci     email: cwrea@credit.erin.utoronto.ca ]
[ This message is copyright (C)1996 by the author. All rights reserved.      ]

------------------------------

From: glr@ripco.com (Glen L. Roberts)
Date: 28 Mar 1996 15:56:34 GMT
Subject: Re: How Do Junk eMailers Get Addresses?
Organization: Full Disclosure
References:

lihou@ms2.hinet.net (Lee) wrote:

    I'd also appreciate if someone tell basic facts about how they get other people's email addresses.

It is trivial to write a program to cull them out of newsgroup postings, and/or web pages...

------
Links, Downloadable Programs, Catalog, Real Audio & More on Web
Full Disclosure [Live] -- Privacy, Surveillance, Technology!
(Over 153 weeks on the Air!)
The Net Connection -- Listen in Real Audio on the Web!
http://pages.ripco.com:8080/~glr/glr.html
------

------------------------------

From: branden@ecn.purdue.edu (Branden Robinson)
Date: 29 Mar 1996 05:33:39 GMT
Subject: Re: How Do Junk eMailers Get Addresses?
Organization: Purdue University
References:

Lee (lihou@ms2.hinet.net) wrote:

    Recently I have begun receiving more and more junk e-mail. The most
    I'd also appreciate if someone tell basic facts about how they get other people's email addresses.

http://www.dejanews.com/ illustrates the method beautifully. Simply get a USENET feed, select your scope, and suck out every email address you see.

--
"There is no gravity in space."                      | G. Branden Robinson
"Then how could astronauts walk around on the Moon?" | Purdue University
"Because they were wearing heavy boots."             | branden@ecn.purdue.edu

------------------------------

From: johnl@iecc.com (John R Levine)
Date: 25 Mar 96 22:34 EST
Subject: Re: Individual RTP vs. Corporate FOS
Organization: I.E.C.C., Trumansburg, N.Y.

    If you find yourself in any sort of agreement with some of the ideas I'm expressing in this message to Deja News, please let them know of your concerns.
    I'm concerned about the individual's right to privacy which I feel is superior to corporate freedom of speech, since the corporation can exert a much greater damaging influence over an individual than an individual can exert on a corporation, practically speaking.

I'm as strong a privacy advocate as anyone, but I really don't see the point of railing against DejaNews. After all, when you send out a message to usenet, you're asking a cooperating network of several hundred thousand computers to distribute it all over the world so that any or all of several million people can read it. And having done this, you consider your message to be private? I don't get it.

The reality is that usenet messages have been archived practically since usenet began 15 years ago. For example, I have complete archives of comp.compilers, which I moderate, going back to when the group began ten years ago. The archives are available via FTP, WWW, and e-mail. Is this because I'm a snoop? No, it's because they're interesting and people are constantly retrieving interesting past discussions.

Also, there have long been usenet sites that get their feeds on tape, either for security reasons or because they're in remote areas where long phone calls are impractical. What happens to the old tapes? I expect they're all saved somewhere.

I actually think that DejaNews is a good thing from a privacy point of view because it levels the playing field -- regular users can now look through usenet archives the same way that snoops at three letter organizations have been doing all along.

Note that this is a different issue from that of usenet material being appropriated for commercial purposes. For example, I sent a summary of a dismaying April 1994 speech by an IRS system manager to a couple of places on the net, and my summary showed up word-for-word in Wired magazine later that year with no attribution. That isn't an issue of privacy, that's theft.
But DejaNews makes their database available informally at no charge to web users, which seems to me entirely in keeping with the way usenet articles are distributed.

--
John R. Levine, IECC, POB 640 Trumansburg NY 14886 +1 607 387 6869
johnl@iecc.com "Space aliens are stealing American jobs." - Stanford econ prof

------------------------------

From: branden@ecn.purdue.edu (Branden Robinson)
Date: 29 Mar 1996 05:53:16 GMT
Subject: Re: Individual RTP vs. Corporate FOS
Organization: Purdue University
References:

Steven D. Sybesma (sybesma@netcom.com) wrote:

    I am posting here an e-mail message I just sent to Deja News about their business practices. I didn't find out about what their service consisted of (although I had vaguely heard of them) until I read the Rocky Mountain News article from 3/10/96 entitled "Searched, stalked on Internet").

    [...]

I'm not sure you understand how USENET works. Do you remember that little message Pnews tells you the first time you use it? ("This message will be distributed to machines all over the world, costing the net hundreds, if not thousands, of dollars.")

I know of few more blatant examples of self-advertisement than posting to USENET. If you write a letter to the editor of a national magazine where standard practice in the letters column is to print names and addresses, should you be all that surprised if someone uses that information to contact you? Want your name and address withheld? You have to ask the magazine to do that. Likewise, on the net, you must use an anonymous account or mail-to-news gateway.

I, too, was a little startled to see the hits my name brought up on DejaNews. Posts I had made months ago that I had completely forgotten about showed up before my eyes. Did I decide DejaNews was violating my right to privacy? No. My name and email address show up at least twice on every message I post to the public, international fora called USENET.
All the guys at DejaNews did was set up a news server that archives posts back for a couple of months, and stuck a search engine on it. If you had enough disk space to archive the posts, writing a search engine to do what they do would be a trivial task for an undergraduate in computer science (and for many non-CS majors as well).

USENET is anything BUT a private forum. You splatter your name across the net and you expect no one to notice? If you have something to protect, take that into account before you post.

And don't tell me I'm not sympathetic to privacy issues -- I am *very* concerned. I support the Fourth Amendment without hesitation (and the other nine as well). But if you expect remarks you make to a potential audience of millions, tagged with your name, to just tumble down a hole and be forgotten, whether they were serious discussions or flippant remarks, you're fooling yourself.

USENET, regardless of its original intent, today serves as a massive bulletin board where anyone can air their thoughts to a worldwide audience. Your complaint is simply the result of your non-consideration of the ramifications of that function. If you want to restrict your audience, use email (either personal or in the form of a mailing-list). Were anyone to develop something like DejaNews for electronic mail, I would be all over them in the name of privacy -- justifiably -- and I would hope you would join me.

--
"A celibate clergy is an especially good idea, | G. Branden Robinson
because it tends to suppress any hereditary    | Aerospace Engineering
propensity toward fanaticism."                 | Purdue University
                                 -- Carl Sagan | branden@ecn.purdue.edu

------------------------------

From: centauri@crl.com (Charles Rutledge)
Date: 25 Mar 1996 19:35:20 -0800
Subject: Chase Bank Credit Info
Organization: CRL Dialup Internet Access (415) 705-6060 [Login: guest]

Chase Bank is offering a new service for charge card holders that allows you to get your information about your account over the phone.
Enter your account number and your zip code, and you can find out the following:

1) Account balance
2) Credit available
3) Cash advance available
4) Amount of last payment
5) Next minimum payment
6) Date that payment is due

I called Chase and asked why this information was available with so little security. The representative told me that only "basic" information was given out, so it was not a security risk. Of course I explained that this is information that I would prefer not be made public and that it really should be protected with a pin number. How hard could it be for someone to get my account number and my zip code? She said that she would send it on as a suggestion.

Considering that the banks are always warning us to be cautious with our account information, I find it absurd that they would protect this kind of info with my zip code. This may be the only instance where it would be safer by using my SSN.

--
Charles Rutledge | Liberty is a tenuous gift. Hard to win, easy
centauri@crl.com | to give away, and no will protect it for you.

------------------------------

From: quinn@direct.ca (john quinn)
Date: 26 Mar 1996 04:28:50 GMT
Subject: Computer Privacy
Organization: Internet Direct Inc.

I need some help on a legal question. Can an employer obtain information from a computer and from disks marked "private" and use that information to fire an employee? Specifically, another employee found files considered inappropriate, reported them to management, who subsequently read through all the files and built a case against the original employee. Can this information be used against the employee, or is it inadmissible due to an invasion of privacy?

--
Jack Quinn

------------------------------

From: Dean Ridgway
Date: 26 Mar 1996 00:20:56 -0800
Subject: ANI blocking

Greetings everyone!

I think this discussion on ANI/CLID is getting way out of hand. ANI is a fact of life for 800 callers, get used to it. If you don't want them to get your number use a phone booth.
I think I have said this once before here. If I am calling a business' 800 number, more than likely I want to do business with them. Thus I don't particularly care if they get my name, number, and credit rating. What I *DO* care about is them selling this information to a third party. Most companies see this as "free" money and the only way to get them to stop this despicable practice will be some kind of legislative action. With all the pro-big business types in Washington, don't hold your breath. :-(

--
  /\-/\   Dean Ridgway              | Two roads diverged in a wood, and I-
 ( - - )  InterNet ridgwad@peak.org | I took the one less traveled by,
 =\_v_/=  FidoNet 1:357/1.103       | And that has made all the difference.
          CIS 73225,512             | "The Road Not Taken" - Robert Frost.
http://www.peak.org/~ridgwad/
PGP mail encouraged, finger for key: 28C577F3 2A5655AFD792B0FB 9BA31E6AB4683126

------------------------------

From: collins@ait.nrl.navy.mil (Joe Collins)
Date: 26 Mar 1996 14:56:07 -0500
Subject: Re: Privacy and Electronic Commerce
Organization: Naval Research Laboratory
References:

peter@nmti.com (Peter da Silva) wrote:

    The issue isn't that electronic commerce is incompatible with privacy, but that electronic *credit* is. And it's not always clear when a transaction is based on credit (for example, rentals are basically credit transactions but people don't think of them that way).

I find some of Peter da Silva's arguments do not consider the breadth of what I consider electronic commerce to be. I also find the specific examples Peter da Silva cites of privacy ensuring methods either make overly optimistic assumptions or are in agreement with the concepts of privacy brokerage.

First, I do not consider commerce to be restricted to simple purchase transactions of money for goods. I would also consider extension of credit to be part of commercial activity. There are a wide range of commercial contractual arrangements that are not restricted to either of these.
Examples: secured mortgage agreements, real property transactions, insurance-covered medical treatment (requires identification), etc.

"Electronic cash" in its many variations has the features fitting the general concept of privacy brokerage:

    The issuer is the privacy broker;
    The cash usually utilizes one-time keys;
    There must be traceability and accountability between the user and the issuer to prevent counterfeiting or fraud. (It would be a mistake to believe that any electronic cash system is invulnerable to counterfeiting).

Consider also that the bank underwriting the electronic cash will probably report a transaction history to me. How can that happen if I am unlocatable? Finally, how many people will store lots of electronic cash on their computer if they are liable for its loss?

With respect to electronic banking, many laws and customs prevent anonymous account-holding for accounts against which I might issue a draft (to prevent counterfeiting) or from which I earn interest (reported to tax collectors). For banking, in general the bank would serve as a privacy broker and WILL hold information about the account holder. How they dispense that information depends on their security policy.

The basic problem with the arguments presented by Peter da Silva lies in assumptions in the following statement:

    ... Then you wouldn't have to reveal your identity unless you had a dispute with the electronic bank holding your deposit.

Commerce is mediated by contracts: implicit, verbal, or written. A contract is a bilateral or multilateral arrangement requiring trust from all parties. If any party can remain anonymous, the contract cannot be enforced against that person, and there is no reason to trust that person.

--
Joe Collins

------------------------------

From: andypajta@aol.com (AndyPajta)
Date: 26 Mar 1996 17:44:35 -0500
Subject: USENET Reposters: Privacy and Copyright Concerns
Organization: America Online, Inc. (1-800-827-6364)

Copyrightable Postings....

I was using the new Alta Vista newsgroup search engine (very cool, BTW), and got to wondering...

If anything I write is copyrighted as soon as it is "fixed" and I choose to "publish" it on a newsgroup for other SUBSCRIBERS, that doesn't give any individual subscriber (the search engine, in this case), the right to re-publish it (i.e., to charge advertisers for space on their web page and allow the viewing of my composition beyond what I originally intended).

Further, because a composition can so easily be taken out of context, there is a risk of literally changing the meaning of a posting.

I don't see a similar problem with Web indexers because they are just creating directories, but the newsgroup re-posters are publishing content.

Alta Vista claims messages are posted with the author knowing they can be read by anyone, suggesting, perhaps, they view the material as public domain. But I think that a lot of people who post material to share among a group of subscribers intend that material to be shared with only that group.

To put it more...legal?... I can not photocopy a magazine article and republish it in another magazine without the copyright owner's permission.

I think, actually, a lot of what's posted is dribble -- maybe this post included :-) -- but I have seen fleshed-out stories and original poetry posted here as well as other material people have expressed an interest in selling.

Does anyone have similar observations/concerns?

:-) andypajta@aol.com

P.S. The key here is the "publishing" and "reposting" that's going on. I should be able to pick my audience, eh?

------------------------------

From: glr@ripco.com (Glen L. Roberts)
Date: 28 Mar 1996 15:55:50 GMT
Subject: SSN Absurdity
Organization: Full Disclosure

Someone mailed me a few pages out of the 3/20/96 Congressional Record - Senate S2546. It has a list of "Executive Nominations received by the Senate 3/20/96"

It then lists hundreds of NAMES & SSNs! Are these people insane?
Have they no concern for privacy?

------
Links, Downloadable Programs, Catalog, Real Audio & More on Web
Full Disclosure [Live] -- Privacy, Surveillance, Technology!
(Over 153 weeks on the Air!)
The Net Connection -- Listen in Real Audio on the Web!
http://pages.ripco.com:8080/~glr/glr.html
------

------------------------------

From: glr@ripco.com (Glen L. Roberts)
Date: 28 Mar 1996 15:56:04 GMT
Subject: Re: All Brothers May Be Watching Us
Organization: Full Disclosure
References:

wjanssen@cs.vu.nl (Wouter Janssen) wrote:

    Big Brother is watching us? Probably, I don't know for sure, I'm just careful :) but did you know just anybody can search a database and see what articles you posted on which newsgroups lately? I didn't until I found out about DeJaNews. An on-line database on WWW where you can enter keywords to search on some specific topic. However, usernames are topics too! Many of you probably knew about this, but in case you didn't be warned when you post something! (btw, the URL for DeJaNews = http://www.dejanews.com/forms/dnq.html)

DeJaNews is getting a lot of "crap" for this. But... no one has noticed that "Net Search" (info seek) under netscape does the same thing!

Beyond that... what is the point of posting in a public forum, if you do not want others to read your post?

------
Links, Downloadable Programs, Catalog, Real Audio & More on Web
Full Disclosure [Live] -- Privacy, Surveillance, Technology!
(Over 153 weeks on the Air!)
The Net Connection -- Listen in Real Audio on the Web!
http://pages.ripco.com:8080/~glr/glr.html
------

------------------------------

From: JF_Brown@pnl.gov (Jeff Brown)
Date: 28 Mar 1996 22:27:12 +0000 (GMT)
Subject: Re: 800 ANI
Organization: Battelle Pacific Northwest Labs
References:

johnl@iecc.com (John R Levine) writes:

    An important question to start with is how much per month extra you're willing to pay to make 800 numbers blockable. Someone has to pay, and 800 customers certainly don't have any interest in paying for this.
    If, as I suspect, the answer for most people is "nothing", that suggests that nothing's going to change.

Another few points:

I know that I think about which 800 calls I'll make since that gives away my phone number.

I had a conversation over lunch today with some folks who have Cellular phones, and they said they had to be careful giving out their number since they have to pay for all calls whether initiated by them or not. They were not aware that call blocking did not work on 800 calls, but now that they are will take care there also.

Bottom line: how many calls are businesses willing to NOT get because they want to get the phone number of the caller?

--
Jeff Brown
JF_Brown@pnl.gov

------------------------------

From: "Prof. L. P. Levine"
Date: 29 Mar 1996 09:14:50 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below.
On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors.

Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the Subject: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Web browsers will find it at gopher://gopher.cs.uwm.edu.

----------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     |     and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Web: gopher://gopher.cs.uwm.edu
----------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V8 #028
******************************