Date: Thu, 11 Apr 96 18:33:31 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V8#031

Computer Privacy Digest Thu, 11 Apr 96              Volume 8 : Issue: 031

Today's Topics:                         Moderator: Leonard P. Levine

    White Pages on the Net
    Re: USENET Reposters: Privacy and Copyright Concerns
    Re: USENET Reposters: Privacy and Copyright Concerns
    Re: USENET Reposters: Privacy and Copyright Concerns
    Re: USENET Reposters: Privacy and Copyright Concerns
    Caller ID in California
    Re: Increasingly Intrusive Capability
    Copyright of Usenet Articles
    Robert Arkow vs CompuServe and CompuServe Visa
    800 ANI
    Re: SSN Absurdity
    Social Security Info Used By Stolen Credit-Card Ring
    Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: "Richard Schroeppel"
Date: 07 Apr 1996 19:52:43 MST
Subject: White Pages on the Net

A nation-wide white pages has been effectively available for 40 years.

Chicago 1955: The biggest downtown department store, Marshall Fields, maintains a bank of >20 public pay phones on the third floor. Next to the phones is a set of phone directories for the cities of the US and Canada. They are well used.

Santa Monica 1988: I want to locate a not-quite-an-acquaintance from 1970 by his name. I recall that he lives near Toronto. I go to the public library, and consult several phone directories for the vicinity of Toronto. His name is somewhat uncommon, and I find a few possible hits. I write down the phone numbers. Later, at home, my second call finds him.

--
Rich Schroeppel rcs@cs.arizona.edu

------------------------------

From: andypajta@aol.com (AndyPajta)
Date: 08 Apr 1996 11:32:17 -0400
Subject: Re: USENET Reposters: Privacy and Copyright Concerns
Organization: America Online, Inc. (1-800-827-6364)
References:

    Are you willing to sue Digital?

No.
Copyright is largely an "interpretive" set of laws and unless there are significant damages, no lawyer will even take the case (I tried about 7 years ago for a $2000 loss).

But, while we can argue about fair use of reposting, certainly if someone takes my thoughts and puts them on a CD and sells it, that's some sort of infringement. Yes?

--
andypajta@aol.com

------------------------------

From: andypajta@aol.com (AndyPajta)
Date: 08 Apr 1996 11:56:27 -0400
Subject: Re: USENET Reposters: Privacy and Copyright Concerns
Organization: America Online, Inc. (1-800-827-6364)

paul@TDR.COM (Paul Robinson) writes:

    If you posted an article that you are the owner, it would presume that you gave permission for its distribution.

Yes, to a SPECIFIC site--I choose my audience and that is what *I allowed*. Any other use was *NOT* authorized. Your analogy of a USA Today letter further substantiates my point because they say.. ALL LETTERS BECOME PROPERTY OF USA TODAY--it is with that understanding that a submitter relinquishes copyright. Again, an author must explicitly give-up copyright. There is nothing implied in copyright law. Even "fair use" is highly (and typically incorrectly) interpreted by publishers.

I think this area will, in the future, have plenty of legal battles coming. InformationWeek recently did a cover story on copyright and Web pages which suggested copyright may as well be throw-away because it's so easy to pluck custom clip-art and content from various sites. But just because there's no good way to control it doesn't make it right.
--
andypajta@aol.com

------------------------------

From: peter@nmti.com (Peter da Silva)
Date: 08 Apr 1996 15:22:36 GMT
Subject: Re: USENET Reposters: Privacy and Copyright Concerns
Organization: Network/development platform support, NMTI
References:

Paul Robinson wrote:

    If a site archived everything on Usenet at the end of each day to CD-ROM and distributed that, I believe it is no more infringing (and no less infringing) than copying onto tape or delivering via wire in real-time.

For the first few years, Usenet was distributed to Australia in just this way.

Some years later a company named Sterling Software started selling Usenet feeds on CDROM. There was much bitching, but nobody was able to make a convincing case that this was any different from any other feed. What happened to them, anyway?

There is ample precedent that distribution of Usenet in ways that retain Usenet-nature is legitimate (what's Usenet-nature? Well, if it's organized into newsgroups and is unedited it's certainly Usenet-like... and AltaVista and DejaNews qualify...).

------------------------------

From: Patrick Crumhorn
Date: 09 Apr 1996 16:49:38 -0500 (CDT)
Subject: Re: USENET Reposters: Privacy and Copyright Concerns

John C. Rivard wrote:

    The courts have an established precedent to guide them on this specific example called "The Eight-Bar Rule." Essentially, it is a legal rule of thumb which states that if more than eight measures of a song is substantially (melodically) identical to a pre-existing copyrighted work, the new work is considered derivative work, and royalties must be paid to the copyright holder of the original work. If the "identical" parts of the song are less than eight bars, it is generally considered an original (non-infringing) work.

Well, Allan Sherman's (admittedly humorous) attempt at copyrighting the note "middle C" would not pass the eight-bar test, if judged as a musical composition, true.
The problem here is that "middle C" is not a composition, but a frequency (of 256 Hertz, if memory serves correctly). And over the past several years, the US government has ruled that actual ownership of specific frequencies is indeed legal, and protected by law.

There was recently some controversy over whether enormous portions of the electromagnetic spectrum should be sold to the highest corporate bidders, or should simply be given to them outright to do with as they pleased. Nowhere in the superficial coverage of this issue was there any hint that such a concept as ownership of the electromagnetic spectrum would have been laughed at as silly fantasy as little as 10-15 years ago.

The Federal Communications Commission (FCC) was charged with *regulating* the use of the electromagnetic spectrum within the boundaries of the United States, and an organization called the ITU coordinates such use on a worldwide scale. This is logical, as coordination is needed to avoid interference between users of the spectrum (one would not want a kid's walkie-talkie to be operating on a frequency reserved for police or military use, for example).

But in the deregulation frenzy of the Reagan years, the idea of allowing corporations to *own* frequencies outright (and resell or trade this "property" amongst themselves) was adopted. One side-effect of this is that a broadcast entity, say CBS, is outright *owning* a set of frequencies, ostensibly for use for high-definition TV broadcasting. But since they are now the owners of that part of the spectrum, they are free to sell or rent it to Burger King to use in their fast-food drive-thru 2-way communication.

The resulting chaos and negative impact on the rest of the world's communications is a topic for another forum.

The bottom line, though, is that if Mr.
Sherman were alive today, he very well *could* get the legal rights to the frequency of 256 Hz, and anyone attempting to modulate a signal on that frequency might very well have to pay a license fee to Mr. Sherman. So his whimsy has become reality.

--
Patrick Crumhorn   patrik@io.com   http://www.io.com/~patrik
"If you're not living on the edge, you're taking up too much space."
    -- Bryan Estes

------------------------------

From: Beth Givens
Date: 08 Apr 1996 11:35:15 -0700 (PDT)
Subject: Caller ID in California

FOR IMMEDIATE RELEASE               Contact: Beth Givens
April 4, 1996                       (619) 260-4160

CALLER ID: COMING SOON TO A PHONE NEAR YOU
Privacy Rights Clearinghouse Funded to Conduct Education Campaign

The Privacy Rights Clearinghouse joins a statewide campaign in California to spread the word about the privacy impacts of Caller ID. It is one of 43 consumer-related organizations to receive grant funds from Pacific Bell and GTE as part of the massive consumer awareness campaign required by the California Public Utilities Commission.

"Telephone privacy is precious to many Californians," said Beth Givens, director of the Privacy Rights Clearinghouse. "Half of the households in the state have unlisted numbers, the highest percentage of any state."

Starting June 1 in California, telephone numbers will be transmitted when calls are made. Those who subscribe to the Caller ID service and who purchase a special display device will be able to see and capture the calling party's number.

Phone users who do not want their number to be released can take advantage of blocking options, offered free. The purpose of the consumer education campaign is to alert consumers to those blocking options -- Complete or Selective Blocking (called Per Line and Per Call Blocking, respectively, in other states).

"Our job, and that of the other grantees, is to reach people who might not be aware of the announcements on TV, the radio and newspapers," said Givens. "The Clearinghouse is especially concerned about those who are at risk from the release of their phone number -- victims of domestic violence and stalking, and the shelters which serve them; people who want to remain anonymous when calling hotlines for AIDS counseling, suicide-prevention, and the like; and people in professions like law enforcement, mental health counseling, and teachers who need to shield their phone numbers when calling clients from home."

The Clearinghouse offers an 8-page guide called "Caller ID and My Privacy." Consumers can call (800) 773-7748 (California only, elsewhere 619-298-3396) to order. The guide provides an in-depth discussion of the many privacy implications of Caller ID.

The Privacy Rights Clearinghouse is a grant-funded program administered by the University of San Diego Center for Public Interest Law. In operation for over 3 years, it has received 33,000 calls from California consumers. It offers 19 guides on a variety of consumer privacy issues, including privacy in cyberspace, telemarketing, credit reporting, government records, workplace privacy and medical records.

NOTE: The fact sheet "Caller ID and My Privacy" is on the Clearinghouse's Web site: URL:http://www.acusd.edu/~prc (Click on fact sheets / English / number 19.)

--
Beth Givens                         Voice: 619-260-4160
Project Director                    Fax: 619-298-5681
Privacy Rights Clearinghouse        Hotline (Calif. only):
Center for Public Interest Law         800-773-7748
University of San Diego                619-298-3396 (elsewhere)
5998 Alcala Park                    e-mail: bgivens@acusd.edu
San Diego, CA 92110                 http://www.acusd.edu/~prc

------------------------------

From: huggins@tarski.eecs.umich.edu (James K. Huggins)
Date: 09 Apr 1996 12:41:06 -0400
Subject: Re: Increasingly Intrusive Capability
Organization: University of Michigan EECS Dept., Ann Arbor, MI
References:

Robert Ellis Smith <0005101719@mcimail.com> writes:

    How can people who work daily with computers and know their capabilities simply shrug whenever a new application comes along that threatens privacy? "So, what else is new?" they ask. [...] What's new is that - even though that information has always been available - to get it you would have had to search directories in public libraries - or phone booths - in hundreds of cities. It was simply impractical. Now it isn't.

I guess my main response is ... what can be done about it? If I agree to have my name and address published in my local phone book, it becomes public information --- and anyone can come along and give that information to someone else without my knowledge. True, the process of compiling huge repositories of such information is far easier than it used to be. But there is nothing illegal about such activity.

In the case of the local phone book, I can (partially) eliminate the problem by removing my address, or my address and phone number, from the phone book. (Of course, this may cost me extra, but that's another debate.)

I think the issue that we're all dancing around is the notion that "information" about an individual is now a tradeable commodity, and that rarely does the individual described by a piece of information have control over that information. If control exists, it is often of an "all-or-nothing" nature, like the phone book example above. It would be nice to see a finer-grained level of information control introduced in many domains ... though I haven't the foggiest idea about how such a system would work, or if it would be practical.

--
Jim Huggins, Univ. of Michigan   huggins@umich.edu
(PGP key available upon request)
W.
Bingham Hunter

------------------------------

From: martin@kcbbs.gen.nz (Martin Kealey)
Date: 10 Apr 1996 01:48:26 +1200 (NZST)
Subject: Copyright of Usenet Articles

To quote from RFC-1036 section 2.1.5 (and RFC-850 section 2.1.7):

    "It is recommended that no message ID be reused for at least two years."

To me, this means that after 2 years I can expect to publish another article with the same message-id, and that it will circulate without any problem. In other words, all traces of the previous article will have gone.

I have a reasonable expectation that anything I post won't last any longer than 731 days; if you keep it any longer than that, you're beyond the implied licence to use my article.

Note that some groups and all mailing lists have a charter which in some cases will provide for their own permanent archive. In that case, you haven't a leg to stand on. In other cases, read on:

I would also like to remind everyone of one of the features of usenet distribution that seems to have been overlooked in the hue and cry about DejaNews: the "Expires" header.

You can set the lifetime of your message by including an "Expires" header. This is as much a part of the implied license for distribution as the act of posting since (it is machine readable), and any site which retains a message for longer than the time indicated is not covered by that implied licence.

I don't know whether DejaNews abides by Expires headers, but if they don't, someone is going to sue them one of these days and succeed.

(In addition to the time specified by the expiry header, there is an additional license implied by the nature of the propagation algorithm to keep the message for a small minimum amount of time to prevent looping: however this should be no more than 2 weeks, and should *decrease* as network speeds increase.)

Actually, copyright legislation in some (most?)
countries has provision for "private study", which in effect means that I can keep things as long as I like for my own edification, but can't make copies to pass on. Handing it to a potential employer (for their own "personal use") would be a gray area.

Aside from the legal issues, there are some technical things one can do to ensure that articles are not retained:

* include !dejanews.com! somewhere in the "Path" header
* keep a store of 2-year-old message IDs and deliberately reuse them (we aren't under any obligation to make indexing easy after all)

And to give yourself some legal standing when it eventually comes to blows:

* include an Expires header

hrick@gate.net (Rick Harrison) wrote:

    Personally I hope messages posted to Usenet will be proven to be public domain material [unless otherwise endorsed]

There is no need for articles to fall into the public domain if an automatic licence to copy and forward the message is granted by posting; you have all the licence you need *and no more*.

All such a suggestion would do would be to encourage people to plaster pseudo copyright notices over their messages and take up yet more bandwidth for no good reason.

Other rights should not be extinguished by any sort of publication, including the right to be identified as the author.

jcr@mcs.com (John C. Rivard) said:

    The current copyright law states that any item fixed is automatically copyrighted by the author, copyright notice or not. The act specifically states that copyrighted items do NOT fall into the public domain unless specifically placed there by the copyright holder.

This is the general tenor of such legislation around the world, including here; I believe this is as required by the Berne Convention.

johnl@iecc.com (John R Levine) said:

    Finally, remember that copyright is a civil, not a criminal law. Unless you've registered your copyright, which requires a paper form and $20, you can only claim actual damages from an infringer.
This is the nub of the matter; if I write something, and then five years down the track I write a book "my life on the net", then I can claim real losses if someone else prints a copy of my book in competition with me based on the messages they've stored - they are still mine to distribute how I see fit, and by then any implied licence to use should have expired. (See the 2-year note above.)

On the other hand, if I lose a contract because someone hands my client a note I wrote 5 years ago, it's going to be a lot harder to prove a material COPYRIGHT loss.

DejaNews does more than index: an index is legal; a permanent archive isn't necessarily so.

Paul Robinson said:

    I believe that the legal doctrine of "fair use" and "implied license" would apply here: by posting a message on usenet you are permitting its distribution to other sites that carry it. [...] if a place has the disk space to store everything, it would be permissible for it to do so.

I disagree; there is an implied maximum of two years, and provision to set an explicit maximum.

--
Martin.

------------------------------

From: Urs Gattiker
Date: 10 Apr 96 14:15:43 -0700
Subject: Robert Arkow vs CompuServe and CompuServe Visa
Organization: University of the German Federal Armed Forces at Hamburg

I am looking for information on Robert Arkow and his lawsuit against CompuServe and CompuServe Visa. The information I have to date is that the lawsuit was filed, however I need to know what the outcome was or if it is still pending.

Do you have such information, and if so, could you please let me know where I can find it?

Thank you for your help, and I look forward to hearing from you.

Sincerely,
Linda Janz

------------------------------

From: dgc@mar.del (David G. Cantor)
Date: 10 Apr 1996 15:12:30 -0700
Subject: 800 ANI
Organization: CCR
References:

I have a personal 800 number. I have to pay for every call on that number. I certainly want to know who's calling.
But how about the following: Someone calling an 800 (or 888) number who wants privacy (no ANI) PAYS for the call. In other words, there should be a privacy prefix (as in Caller-ID), but use of this prefix will cause the CALLING number to be billed.

--
dgc
David G. Cantor
CCR
San Diego, CA
dgc@ccrwest.org

------------------------------

From: wrfuse@mab.ecse.rpi.edu (Wm. Randolph U Franklin)
Date: 09 Apr 1996 23:06:05 GMT
Subject: Re: SSN Absurdity
Organization: ECSE Dept, Rensselaer Polytechnic Institute, Troy, NY, 12180 USA
References:

There are other examples of peoples' SSNs being listed.

- The public tax returns (form 990) of nonprofit orgs list many of the orgs' officials' SSNs.
- The Daily Racing Form lists SSNs of suspended jockeys.

Concerning SSNs there was a recent story about some SSA employees being disciplined for selling personal info to be used for credit card fraud. Does anyone remember when the SSA itself used to sell SSN info to credit agencies?

--
Wm. Randolph Franklin, Rensselaer Polytechnic Institute.

------------------------------

From: taxhaven@ix.netcom.com (Adam Starchild)
Date: 07 Apr 1996 21:55:00 GMT
Subject: Social Security Info Used By Stolen Credit-Card Ring
Organization: Netcom

Social Security Info Used By Stolen Credit-card Ring

NEW YORK (Apr 6, 1996) -- In what computer experts say may be one of the biggest breaches of security of personal data held by the federal government, several employees of the Social Security Administration passed information on more than 11,000 people to a credit-card fraud ring, according to federal prosecutors in New York.

That information, the prosecutors said in court papers filed last week, included Social Security numbers and mothers' maiden names, and allowed the ring to activate cards stolen from the mail and run up huge bills at merchants ranging from J&R Music World to Bergdorf Goodman.
The court papers do not name the Social Security employees who prosecutors said stole the information from the agency. But the documents refer to an unidentified female employee of the Brooklyn office of the agency who pointed investigators to Emanuel Nwogu, a New York City employee who was charged last week with fraud in federal court. He was released on bond.

A spokesman for the U.S. attorney in Manhattan said that the investigation is ongoing, and that others are likely to be charged.

The court documents link this case to one involving Tony Iohya, arrested in Louisiana in February with what prosecutors said was also personal information stolen from the same Social Security office.

The New York case is the first known widescale break into the vast Social Security database, which contains personal information on virtually every working American, said Philip A. Gambino, the director of press affairs for the agency. The agency is "shocked and disheartened" by the case, Gambino said, and will look for ways that its security can be improved.

The case is also part of an increasing number nationwide in which information is stolen from business, medical and government files. While much attention has been paid to hackers who break into electronic databases through high-tech back doors, experts say most computer crime is committed by employees who are authorized to use the systems.

"The human link is the weakest link in any information security program," said Ira Winkler, technical director for the National Computer Security Association. "If you are a clerk making $12,000 or $18,000 a year, and someone offers you a few hundred to a few thousand dollars every so often to look up some specific information, it's a tempting offer."

Such personal information is increasingly necessary to commit credit card fraud, because antifraud measures like holograms have made it harder to manufacture a fake card simply with an account number stolen from a discarded receipt.
Credit card fraud is estimated to be $1.5 billion in 1995, according to H. Spencer Nilson, publisher of the Nilson Report, a newsletter. The fastest growing type of fraud, he said, involves stealing valid cards out of the mail or filing a change-of-address form for existing cardholders.

The scheme involving Social Security records was first detected in February by Citibank, which noticed an unusual amount of fraudulent charges on credit cards that it had mailed to customers, but that the customers said they had not received, according to court papers.

Citibank, like many banks, now requires customers who receive new cards to activate them by calling a special telephone number and providing information like their mother's maiden name. But the bank discovered that its security system had been foiled in 52 cases in which cards were activated by someone who was not the cardholder but had access to the cardholder's mother's maiden name.

Citibank got in touch with Social Security, which keeps files of maternal maiden names and records the identification number of employees who call up files. The agency determined that a female employee at the Brooklyn Social Security office had checked the records of at least 23 of the 52 cases and had looked at personal records for 10,000 people since January 1995. Ten other employees in the same office had looked at the records of 1,200 to 1,400 other people.

When confronted by federal investigators, the female worker chose to cooperate, the court papers say. According to the papers, she met Nwogu, a case worker at the New York City Human Resources Administration in Brooklyn, in mid-1993, and over the last two years she has checked the records of 30 people per day for him.

The government says it has identified at least $330,000 in unauthorized charges, and the total is "believed to be much greater," according to the court papers.
--
Posted by Adam Starchild
Asset Protection & Becoming Judgement Proof at http://www.catalog.com/corner/taxhaven

------------------------------

From: "Prof. L. P. Levine"
Date: 17 Mar 1996 09:14:50 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks.
Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors.

Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the Subject: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Web browsers will find it at gopher://gopher.cs.uwm.edu.

---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     |    and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Web: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V8 #031
******************************