Date: Tue, 02 Apr 96 13:28:12 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V8#029

Computer Privacy Digest Tue, 02 Apr 96 Volume 8 : Issue: 029

Today's Topics:
Moderator: Leonard P. Levine

    Re: Computer Privacy
    Re: Computer Privacy
    Re: USENET Reposters: Privacy and Copyright Concerns
    Re: USENET Reposters: Privacy and Copyright Concerns
    Finding Lost Money
    Re: SSN Absurdity
    Crooks Buying Your Social Security Data
    BC Health Minister Bans Info Sale to Drug Companies
    [from RISKS] Argentine Hacker
    Re: The Stalker's Home Page
    Informed View on 800 ANI
    ACM/IEEE Letter on Crypto
    Re: Privacy and Electronic Commerce
    Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: cprosse@elux3.cs.umass.edu (Christopher Prosser)
Date: 31 Mar 1996 18:35:02 -0500
Subject: Re: Computer Privacy
Organization: UMASS
References:

quinn@direct.ca (john quinn) wrote:

I need some help on a legal question. Can an employer obtain information from a computer and from disks marked "private" and use that information to fire an employee? Specifically, another employee found files considered inappropriate, reported them to management, who subsequently read through all the files and built a case against the original employee. Can this information be used against the employee, or is it inadmissible due to an invasion of privacy?

As I understand it, yes. Provided that the employer owns the computer, they are legally entitled to everything on the machine, regardless if it is marked private or not. It is also legal for your employer to read your email, though it isn't very ethical. My Employee Agreement clearly states this fact so I try not to keep anything around that I don't care if my bosses read. If I want to, I encrypt it using PGP.
-- Chris Prosser

------------------------------

From: Barry Campbell
Date: 30 Mar 1996 09:47:54 +0000
Subject: Re: Computer Privacy
Organization: CCSL
References:

john quinn wrote:

I need some help on a legal question. Can an employer obtain information from a computer and from disks marked "private" and use that information to fire an employee? Specifically, another employee found files considered inappropriate, reported them to management, who subsequently read through all the files and built a case against the original employee. Can this information be used against the employee, or is it inadmissible due to an invasion of privacy?

John:

(1) Consult an attorney experienced in technology-related privacy law in your jurisdiction for the definitive word on this.

(2) Having said that, it has been my experience that if the computer is provided by the employer and is under the employer's control, users have no "reasonable expectation of privacy" regardless of how disks or files may be marked. (And since the employer is probably a private entity and not an agent of the government, none of the search-and-seizure protections of the Fourth Amendment apply, anyway.)

(3) In general, though there have been some legislative efforts at the state and federal level that have attempted to combat this (largely unsuccessful, from what I've gathered), employees have very little "right to privacy" in the workplace. Calls may be monitored; the contents of computer disks and files may be inspected, with no legal recourse to the employee.

Lesson: Don't discuss or have anything on corporate communications media that you wouldn't want to wind up on your boss's desk.

--
Barry Campbell            | "There's no difference between theory
                          | and practice in theory, but there is
http://www.cris.com/~Btc  | in practice."
------------------------------

From: sgs@access.digex.net (Steve Smith)
Date: 30 Mar 96 17:14:40 GMT
Subject: Re: USENET Reposters: Privacy and Copyright Concerns
Organization: Agincourt Computing
References:

andypajta@aol.com (AndyPajta) wrote:

If anything I write is copyrighted as soon as it is "fixed" and I choose to "publish" it on a newsgroup for other SUBSCRIBERS, that doesn't give any individual subscriber (the search engine, in this case), the right to re-publish it (i.e., to charge advertisers for space on their web page and allow the viewing of my composition beyond what I originally intended). [snip] To put it more...legal?... I can not photocopy a magazine article and republish it in another magazine without the copyright owner's permission.

Sounds logical to me. Problem is that copyright is merely a "right to sue". It's not "real" until it's tested in court.

As a silly example, Alan Sherman copyrighted middle C. Anybody who played middle C was playing his "song". Anybody who played any other note was playing his song transposed. Needless to say, it never hit the courts.

Are you willing to sue Digital?

--
Steve Smith sgs@access.digex.net
Agincourt Computing +1 (301) 681 7395
"If you're not looking for something, you won't find anything."

------------------------------

From: hrick@gate.net (Rick Harrison)
Date: 31 Mar 1996 16:16:23 -0500
Subject: Re: USENET Reposters: Privacy and Copyright Concerns
Organization: CyberGate, Inc.
References:

When you post a message to Usenet, you are giving implied permission for all Usenet feed-takers to redistribute messages. Commercial services such as CIS and AOL charge their users by the minute for access to Usenet. So, to logically extend the principle to its extreme, it could reasonably be argued that someone who markets the archives of a newsgroup on a CD-ROM, or a service like DejaNews, is merely re-distributing the feed in a slightly different (and more useful, "value-added") format.
I imagine this principle will eventually be tested in court. Personally I hope messages posted to Usenet will be proven to be public domain material unless the authors attach a copyright notice to their messages.

--
Rick Harrison, editor, Journal of Planned Languages
http://members.aol.com/harrison7/

------------------------------

From: tburgess@uoguelph.ca (Todd W Burgess)
Date: 30 Mar 1996 18:51:14 GMT
Subject: Finding Lost Money
Organization: University of Guelph

A couple of weeks ago, I heard a disturbing radio commercial. The ad said that there is over 200 million dollars of inactive bank accounts across Canada and you may be entitled to it. All you had to do is call a 1-900 number and they would do a search for you (you would have to pay for the phone call though). They claimed to be wired in to all the banks in Canada and could search all their databases in about 60 seconds.

Assuming their claims are true, I have a couple of complaints regarding their "service".

I have seen what happens when you go searching for lost bank accounts. When my father had to look for my Grandad's bank accounts all the banks had a couple of requirements before they would perform a search. The first was they would not discuss any information about a customer over the phone, my Dad had to go in person to a branch. The second was the bank manager insisted that my Dad present photo ID and the papers showing that he had power of attorney. After the manager reviewed all the information, only then would they authorize the search.

I find it hard to believe that a third party can circumvent all the bank's security procedures for a small fee. As well, I also find it hard to believe that the bank would permit access to its customer database. I would hope the only people who have access to my customer information is the bank and nobody else.

I always assumed that the banks maintained "closed" networks. I have heard stories about the lengths banks go to, to protect their computer hardware.
I would hope such security applies to their customer accounts.

I hope the advertisement was a fraud but if it is not then I would love to know why the banks are permitting this kind of service.

--
University of Guelph, Computer Science Major
E-mail: tburgess@uoguelph.ca
URL: http://eddie.cis.uoguelph.ca/~tburgess

------------------------------

From: bo774@FreeNet.Carleton.CA (Kelly Bert Manning)
Date: 31 Mar 1996 08:40:42 GMT
Subject: Re: SSN Absurdity
Organization: National Capital Freenet, Ottawa, Canada

Glen L. Roberts (glr@ripco.com) writes:

Someone mailed me a few pages out of the 3/20/96 Congressional Record - Senate S2546. It has a list of "Executive Nominations received by the Senate 3/20/96" It then lists hundreds of NAMES & SSNs! Are these people insane? Have they no concern for privacy?

Or about making it trivially easy for someone to impersonate someone who might be admitted to official functions.

And it's not like it hasn't been pointed out already, many times.

I have a memory of reading somewhere, I think it was in "databanks in a free society", a decades old book, about how the committee members met once on a weekend in a federal office in Washington, DC, and had to pronounce the magic combination of name and SSN to a microphone to confirm that they were the people who were supposed to be allowed into the building. The book points out that even 30 years ago it was so easy to obtain SSNs that this was of almost no value.

A recent issue of "Privacy Journal" reported that a teacher used the SSN's of college students to open charge accounts. Theft of identity/credit rating is a growth industry. The same issue said that credit bureaus are getting many thousands of complaints every day about people whose names have been used by fraud artists.

Apparently there is even a new flag in Credit Reports {confirm identity before opening accounts/loans}. What a novel idea. I wonder just how they will do it?
It's hard to think of anything except biometric identification that would work, and I don't think that that is what they are thinking of.

--
notice: by sending advertising/solicitations to this account you will be indicating your consent to paying me $70/hour for a minimum of 2 hours for my time spent dealing with it

------------------------------

From: taxhaven@ix.netcom.com (Adam Starchild )
Date: 31 Mar 1996 19:05:41 GMT
Subject: Crooks Buying Your Social Security Data
Organization: Netcom

Taken from The New York Post, March 28, 1996:

Neal Travis' New York: Crooks Buying Your SS Data

A major scandal is about to strike the Social Security Administration. I understand a gang of credit-card scammers has had access to Social Security's closely-guarded files for close to two years.

The criminals, popularly known as "The Nigerian Gang," have been bribing Social Security clerks in New York and across the nation to furnish them with the details that those workers are sworn to protect.

The gang has been stealing new credit cards from Newark Airport, to where they are bulk-mailed before being sorted and sent to individual addresses. To validate the cards, the gang has to provide the Social Security number of the holder, plus such facts as the maiden name of the recipient's mother.

The corrupt clerks have been providing this data out of the administration's computerized files at $160 a pop.

"The clerks have been making a fortune," says a bank investigator. "The gang itself has made millions, because weeks go by before anyone even knows they've been scammed."

This investigator says four of the gang were picked up by federal authorities during Mardi Gras in New Orleans while using bogus cards at ATMs.

"They were carrying lists of names, SS numbers and identifying codes," says this source. "The authorities were able to work out who in Social Security had accessed this information.

"A woman in New York has broken down and confessed, and at least another eight clerks around the nation are targeted for arrest. Both the gang and the clerks will face federal mail-fraud charges."

--
Posted by Adam Starchild
Asset Protection & Becoming Judgement Proof at http://www.catalog.com/corner/taxhaven

------------------------------

From: bo774@freenet.carleton.ca (Kelly Bert Manning)
Date: 01 Apr 1996 15:44:58 -0500
Subject: BC Health Minister Bans Info Sale to Drug Companies

See http:/www.health.gov.bc.ca/newsrel/nrdate.html

How does this relate to computers, since the root issues are generic?

Well, for one thing having the data in machine readable form makes it much easier to merge and relate data and perform this kind of data mining.

For another thing, the Single Payer system assigns unique province wide Practitioner ID numbers that makes it easier to relate data from separate points of sale. The same applies to Personal Health Numbers, but that doesn't seem to be at issue in this matter.

Finally, when systems interact, it doesn't seem to be enough to ensure that Privacy/Confidentiality is protected on just one system. While Pharmanet wasn't the source of this information it defines a province wide standard that could simplify the task of combining information from different points of sale.

For background the URL above has a couple of press releases about Minister's statements about regulation of Pharmaceutical company prices and profits. See Feb 26 and Feb 13. This has been getting a lot of news coverage since the Mulroney government ended "compulsory licencing" about a decade ago.

--
notice: by sending advertising/solicitations to this account you will be indicating your consent to paying me $70/hour for a minimum of 2 hours for my time spent dealing with it

------------------------------

From: "Prof. L. P. Levine"
Date: 01 Apr 1996 15:04:14 -0600 (CST)
Subject: [from RISKS] Argentine Hacker
Organization: University of Wisconsin-Milwaukee

Taken from RISKS-LIST: Risks-Forum Digest Monday 1 April 1996 Volume 17 : Issue 95

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

From: David Kennedy <76702.3557@compuserve.com>
Date: 01 Apr 96 02:02:50 EST
Subject: Argentine Hacker

U.S. uses first computer system wiretap
UPI Financial 29/3/96 13:27
By MICHAEL KIRKLAND

WASHINGTON, March 29 (UPI) -- U.S. officials used an unprecedented court-ordered wiretap of a computer network to charge a young Argentine man with breaking into Harvard, U.S. Navy and NASA computers, the Justice Department said Friday. At a news conference at the Justice Department, U.S. Attorney Donald Stern of Boston called the operation "cybersleuthing."

o Other systems penetrated, Univ Mass, Cal Tech, Northeastern and systems in Mexico, Korea, Taiwan, Brazil and Chile.

>> "The search procedure was specifically designed to let another computer do the complex searches in a way that provided privacy protection for the innocent users of the network," Reno said. <<

o The investigators used a program called I-Watch for Intruder Watch run on a government computer located at Harvard. The program searched the net for the targeted criminal among 16,000 university users. [DMK: A search for info on this program revealed I-watch may be a product from Ipswitch, Inc. of Lexington MA.]

>> I-Watch was able to "identify certain names that were unique to the intruder," Heymann said, as well as locations and accounts -- his "computer habits." Because the search was conducted by I-Watch, the communications of the legitimate users were never seen by human eyes.
I-Watch was left undisturbed in its work through November and December until it had narrowed down the thousands of possibilities to one unauthorized computer cracker, Julio Cesar Ardita, 21, of Buenos Aires, officials said. <<

o Ardita's home was raided on 28 Dec and his PC and modem seized. He remains free because the charges against him are not among those when the US-Argentina extradition treaty applies.

o Charged with: "possession of unauthorized devices" (illegal use of passwords), (18 USC 1029) unlawful interception of electronic communications (18 USC 2511) and "destructive activity in connection with computers." (18 USC 1030) [DMK: citations mine, not UPI's]

>> The information he accessed is considered "confidential," Stern said, but "did not include national security information." << [DMK: "C2 in 92!"]

>> Ardita's alleged cracking was first detected last August when the Naval Command Control and Ocean Surveillance Center in San Diego detected a computer intruder, officials said. <<

...

>> The Naval Criminal Investigative Service did an analysis of the intruder's "computer habits," including signature programs used to intercept passwords. <<

...

>> Eventually, an intruder who called himself "griton" -- Spanish for "screamer" -- was detected using four computer systems in Buenos Aires to crack the Harvard computer, and the illegal accessing of the other sites was discovered. <<

Dave Kennedy [US Army MP][CISSP]
Volunteer SysOp Natl. Computer Security Assoc Forum on Compuserve

------------------------------

From: bo774@FreeNet.Carleton.CA (Kelly Bert Manning)
Date: 31 Mar 1996 09:07:41 GMT
Subject: Re: The Stalker's Home Page
Organization: The National Capital FreeNet
References:

"Michael J. McClennen" (michaelm@eecs.umich.edu) writes:

In fact, this is nothing new. The capability to find anyone anywhere in the country has existed for at least 20 years now. Case in point: 20 years ago, my cousin fled an abusive relationship in California.
For the next four years, until she found someone able to protect her, she was regularly visited and threatened by this man. No matter where she moved (or how far off the beaten path) he was always able to find her within a few months. All this technology does is make available to the casual user the kinds of information that were formerly available to anyone willing to track down the right sources and pay the right fees or bribes.

I don't think it does make this available to the casual user. White pages online give less than 50% coverage in many areas. A lot can be done just by being consistent in using an alias when setting up utility accounts, and when asking for your name, etc. Never give your home address or real name to someone who doesn't need to know it.

The biggest exposure is unavoidable public records. I've been able to trace all of the personalized crap mail I've received at home in the past 6 years (5 items) to releases from public records. The Provincial I&P act should reduce that to nothing.

Crap mailers seem to be running scared. The last clown to pull my address off a provincial record initially claimed that he had pulled it off municipal records not yet covered. A different story emerged when I got a Judge's order to produce documents. That source is no longer legally available to him or anyone else. My personal view is that despite claims to the contrary he was fully aware of the act, its dates for coverage of different areas, and the fact that he was doing something that the act prohibits.

Besides, properly designed access audit trails can make information just as secure as financial accounts. It's also quite easy to flag a name with a distinctive misspelling/variation to tell who passed it on without your consent. Your bank can't guarantee that someone won't embezzle money from your bank account, but with properly designed controls they can follow the trail once you notice.
Sometimes conscience is just a small voice saying "someone might be watching".

--
notice: by sending advertising/solicitations to this account you will be indicating your consent to paying me $70/hour for a minimum of 2 hours for my time spent dealing with it

------------------------------

From: "anonymous"
Date: 01 Apr 1996 11:21:21 -0600 (CST)
Subject: Informed View on 800 ANI

To protect the guilty (me) I have asked our moderator to put this into the "pile" anonymously. [moderator: I have posted it under my own email address]

I am one of those, who among many other things, helps design and install these 800 ANI Data Gathering systems for businesses. I don't try to impose my morals on my clients, and they know what they buy from me is not affected by my personal agenda. In some cases, clients pay me to be on the other side of the issue. I take their money, and do the best job that I can. So I have a professional stance on both sides of the fence.

Like most things, the use of 800 number ANI as a marketing tool started slowly. Over the last decade, I have watched it grow from a simple time saving device for calling up customer data files, to its present form. Over that time, business needs have changed; client management has changed. New people; new ideas; new agendas! I have reasons to expect that this little tiger cub has grown up, and is about to eat the children ...

Recently: Dean Ridgway commented:

I think this discussion on ANI/CLID is getting way out of hand. ANI is a fact of life for 800 callers, get used to it. If you don't want them to get your number use a phone booth.

It may not be the discussion that is getting out of hand, but the practice itself. While this situation is currently a "way of life" there is no reason for it to remain so. An aware public, concerned with its own privacy can create the necessary change.

The most common excuse for providing 800 ANI data to the customer (as opposed to stopping at the central office ...
like all other calls) is the auditing of the bill. This is (at best) garbage, at worst, deliberate misleading drivel designed to protect the status quo! ... Most, if not all, 800 billing is _time_ based. There is absolutely no valid reason to know the source of the call to audit a bill based on connect time alone.

As far as going to a pay phone, why should I have to inconvenience myself to protect my privacy. Also, just maybe, the location of the pay phone tells them more than they need to know ... like the name of the company I am calling from (semi-public pay phones do show the name of the company that they are located at).

The real problem is one of choice. Increasingly, I (you, or anyone) has no choice about calling that 800 number. It is a sad, but true, fact that many companies give out _only_ 800 numbers for certain departments. They refuse to provide callers with a "regular" number for access. [If you don't believe me, try to find the non-800 numbers for any 10 vendor support groups taken at random. Many of the people staffing those numbers don't even _know_ the non 800 number!] Many voice mail and return messages contain only 800 numbers. Some are labeled _urgent_ (of course they are nothing of the sort). If this is not a knowledgeable attempt to invade my privacy, it sure comes close! [BTW, there is a whole subject here based on "Who Owns That 800 Number, and Who _am_ I calling?"]

I think I have said this once before here. If I am calling a business' 800 number, more than likely I want to do business with them. Thus I don't particularly care if they get my name, number, and credit rating.

There are any number of fallacies here ... almost too many to list ... let us start with the fact of the "credit rating". How about if you are calling from a friend or co-worker's house whose credit rating is less than sterling?
As a result, your inquiry is shuffled off to the "less than important" file, or you are "tagged" with an increased "risk based fee" based on someone else's credit rating or where they live. [Yes, such things do happen.] Still happy?

Or, maybe you are calling from home (or the office) and, after listening to what they had to say, you decide not to do business after all, or maybe you did ... doesn't matter. Now they are calling you back every 2 months with some "new offer", repeatedly until they get through, (computer driven dialers are relatively cheap) and are a constant pest. [Unfortunately, this is becoming more common (and they are calling your co-worker too, they think that he is you, or vice versa).] Still Happy? If you are, read on...

Let us assume that like many others you are an independent consultant (or a financial advisor, independent sales representative, social worker, or any number of other people who value not just their own privacy but have an interest in protecting the IDENTITY OF THEIR CLIENTS.) Let us also assume that you sometimes contact businesses from the client location. ... if you can't see the picture yet, let me make it just a little more clear.

If I know you, and I know where you _usually are_, and I know what you usually do, then I can start to build a data base that shows _every location_ that you have called from. Just a _little_ work on my part will have a partial list of your clients. A less than scrupulous provider of services to *me* would know more about my business than I wanted known, maybe enough to cause me problems. [And I'm talking _history_ here! Personal experience is the best teacher!]

Remember the lesson of Deja-vu and the Net ... what is going to happen when some of these companies decide to "pool" those reels of tape provided by the phone company, (or the months of history in their own files) into an easily accessible data base? What if they decide to "publish" this information and charge for access to that data base?
Calls to a specific 800 number indicate an interest in a unique company, product, service, or concept. Consider for example an 800 number for information on Diabetic products and treatment run by a drug chain. How about one for "sexual aids", or something innocent like a slightly racy lingerie company. These things might be of more interest to your future employers (estranged wife/husband, prospective insurance company, new in-laws, etc.) than what you post in alt.sick.jokes. I know of no present law that would prevent this from happening. Do you? [Before you dismiss such a thing as far fetched, you should know that I was once offered over $30,000 for a record of a single client's long distance calls for the preceding 3 months. More than 3 times the actual cost of the calls!]

It gets worse. I *am* an independent consultant. My client list *is* confidential. Yet I have to contact multiple "support numbers" from a client location to do my job. "No problem", say those who want to keep ANI on 800 numbers, "You should have nothing to hide!". Well, it is no secret that my client is using a vendor's system (of course it might not be the client that I am calling from so that could pose a problem). No secret that I am a consultant (I have nothing to hide, except maybe the identity of my client where we are not yet ready to act). *Maybe* not even a secret that I am working for a particular client; but many clients would like to keep it one. They go to significant lengths to do so, and expect me to do so too.

What *IS* a secret is that a particular client has a specific number, located in proximity to, or associated with ______ (fill in your own critical item). Now the marketing (or research, or personnel, or ... whatever) department of a (maybe not so reputable vendor) has yet another number to access. Of course the intent might not be something as innocent as marketing! [Yep, personal experience again!]
While I can, and do, use a cellular phone for some of those calls, others must go by land lines for reasons of security. Some things just can't be discussed over the air. So, I'm in a catch-22. Can't use 800 numbers with Cellular; can't dial 800 numbers over the regular land line from certain locations; can't get a non-800 number to reach the support group. All this because the phone companies decided to market ANI as a business tool.

What happens? Projects take longer (by weeks sometimes) than they should; clients pay more (meetings, "research time" which is really just making the call from my own office, and my cost for the phone calls); and some vendors lose out because I have to assume that ALL vendors are capturing this data (even though I know that some are not). Therefore, all vendors are being tarred with this same brush.

The only people being served here are the "control freaks" in business who assume that more data; means more control; means greater market share; means more money. Short term, maybe. Long term ... well the jury is still out on that one.

What I *DO* care about is them selling this information to a third party. Most companies see this as "free" money and the only way to get them to stop this despicable practice will be some kind of legislative action.

Yes! And if they didn't have it to start with, they couldn't sell it! And there is NO REASON for them to have it, especially if you don't want them to get it!
------------------------------

From: "Dave Banisar"
Date: 01 Apr 1996 16:24:53 -0500
Subject: ACM/IEEE Letter on Crypto

Reply to: ACM/IEEE Letter on Crypto

Association For Computing Machinery
Office of US Public Policy
666 Pennsylvania Avenue SE
Suite 301
Washington, DC 20003 USA
(tel) 202/298-0842
(fax) 202/547-5482

Institute of Electronics and Electrical Engineers
United States Activities
1828 L Street NW
Suite 1202
Washington, DC 20036-5104 USA
(tel) 202/785-0017
(fax) 202/785-0835

April 2, 1996

Honorable Conrad Burns
Chairman, Subcommittee on Science, Technology and Space
Senate Commerce, Science and Transportation Committee
US Senate SD-508
Washington, DC 20510

Dear Chairman Burns:

On behalf of the nation's two leading computing and engineering associations, we are writing to support your efforts, and the efforts of the other cosponsors of the Encrypted Communications Privacy Act, to remove unnecessarily restrictive controls on the export of encryption technology. The Encrypted Communications Privacy Act sets out the minimum changes that are necessary to the current export controls on encryption technology. However, we believe that the inclusion of issues that are tangential to export, such as key escrow and encryption in domestic criminal activities, is not necessary. The relaxation of export controls is of great economic importance to industry and users, and should not become entangled in more controversial matters.

Current restrictions on the export of encryption technology harm the interests of the United States in three ways: they handicap American producers of software & hardware, prevent the development of a secure information infrastructure, and limit the ability of Americans using new online services to protect their privacy. The proposed legislation will help mitigate all of these problems, though more will need to be done to assure continued US leadership in this important hi-tech sector.
Technological progress has moved encryption from the realm of national security into the commercial sphere. Current policies, as well as the policy-making processes, should reflect this new reality. The legislation takes a necessary first step in shifting authority to the Commerce Department and removing restrictions on certain encryption products. Future liberalization of export controls will allow Americans to excel in this market.

The removal of out-dated restrictions on exports will also enable the creation of a Global Information Infrastructure sufficiently secure to provide seamless connectivity to customers previously unreachable by American companies. The United States is a leader in Internet commerce. However, Internet commerce requires cryptography. Thus American systems have been hindered by cold-war restraints on the necessary cryptography as these systems have moved from the laboratory to the marketplace. This legislation would open the market to secure, private, ubiquitous electronic commerce. The cost of not opening the market may include the loss of leadership in computer security technologies, just at the time when Internet users around the world will need good security to launch commercial applications.

For this legislation to fulfill its promise the final approval of export regulations must be based on analysis of financial and commercial requirements and opportunities, not simply on the views of experts in national security cryptography. Therefore, we urge you to look at ways to further relax restrictive barriers.

Finally, the legislation will serve all users of electronic information systems by supporting the development of a truly global market for secure desktop communications. This will help establish private and secure spaces for the work of users, which is of particular interest to the members of the IEEE/USA and the USACM.
On behalf of both the USACM and the IEEE/USA we look forward to working with you on this important legislation to relax export controls and promote the development of a robust, secure, and reliable communications infrastructure for the twenty-first century.

Please contact Deborah Rudolph in the IEEE Washington Office at (202) 785-0017 or Lauren Gelman in the ACM Public Policy Office at (202) 298-0842 for any additional information.

Sincerely,

Barbara Simons, Ph.D.
Chair, U.S. Public Policy Committee of ACM

Joel B. Snyder, P.E.
Vice President, Professional Activities and Chair, United States Activities Board

cc: Members of the Subcommittee on Science, Technology and Space

------------------------------

From: peter@nmti.com (Peter da Silva)
Date: 30 Mar 1996 00:43:38 GMT
Subject: Re: Privacy and Electronic Commerce
Organization: Network/development platform support, NMTI
References:

Joe Collins wrote:

> I find some of Peter da Silva's arguments do not consider the breadth of what I consider electronic commerce to be.

I think you're making overly optimistic assumptions about what happens to your privacy when you engage in commercial transactions already. I'm not limiting the nature of electronic commerce, I'm just commenting on what part of the privacy problem with electronic commerce is due to its electronic nature. And, honestly, I don't think any of it is.

> I also find the specific examples Peter da Silva cites of privacy ensuring methods either make overly optimistic assumptions or are in agreement with the concepts of privacy brokerage.

You'll have to elaborate more on the second part of that.

> First, I do not consider commerce to be restricted to simple purchase transactions of money for goods. I would also consider extension of credit to be part of commercial activity.

I agree, it *is* part of commercial activity. It is, however, not a part of commercial activity where your privacy is well protected.
Look at all the messages on this list about credit bureaus... the fact that the credit-based exchange is electronic doesn't change the nature of credit. The fact that there are privacy problems with electronic credit transactions doesn't mean that there's an inherent problem with electronic transactions. It just means that if you want someone to extend credit to you you have to let them know something about you.

> There are a wide range of commercial contractual arrangements that are not restricted to either of these. Examples: secured mortgage agreements,

You mean like when you buy a house? That's still a matter of credit. The bank is depending on you to maintain the value of the property you're living in.

> real property transactions,

These, and similar transactions where there are specific government regulations involved for non-monetary reasons (for example, buying prescription drugs), are an exception... but not one that has anything to do with this issue that I can see.

> insurance-covered medical treatment (requires identification), etc.

Insurance-covered medical treatment *is* a credit transaction. Any transaction where you receive goods or services before complete specific payment is made is credit, whether or not you're the payer.

> The basic problem with the arguments presented by Peter da Silva lies in assumptions in the following statement:
>
> ... Then you wouldn't have to reveal your identity unless you had a dispute with the electronic bank holding your deposit.
>
> Commerce is mediated by contracts: implicit, verbal, or written. A contract is a bilateral or multilateral arrangement requiring trust from all parties. If any party can remain anonymous, the contract cannot be enforced against that person, and there is no reason to trust that person.

That's true. That means that in a transaction where one party is anonymous, the other party has to receive non-refundable payment from the anonymous party before delivering the goods.
The anonymous party has fulfilled their part of the contract atomically, and there are no remaining terms in the contract that *need* to be enforced against them.

You engage in such anonymous transactions all the time, when you pay cash for a Burger King Whopper Combo your identity is not known to Burger King. You can walk up in disguise and buy your meal and provide no identification. The only requirement is that the payment be sufficiently non-counterfeitable that the occasional loss to the seller from counterfeiting is low enough they can support it.

Cryptographically protected drafts against a cash deposit with an electronic bank, if they're committed atomically before delivering the goods, satisfy that requirement... and are no more traceable than the cash used to open the account.

--
Peter da Silva (NIC: PJD2)      1601 Industrial Boulevard
Bailey Network Management       Sugar Land, TX 77487-5013
+1 713 274 5180                 "Har du kramat din varg idag?" USA
Bailey pays for my technical expertise. My opinions probably scare them

------------------------------

From: "Prof. L. P. Levine"
Date: 17 Mar 1996 09:14:50 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting.
He will comply.

If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using CPD material should obtain permission from the contributors.

Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the Subject: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Web browsers will find it at gopher://gopher.cs.uwm.edu.

---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     | and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Web: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V8 #029
******************************