Date: Tue, 14 May 96 06:49:44 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@uwm.edu Subject: Computer Privacy Digest V8#038 Computer Privacy Digest Tue, 14 May 96 Volume 8 : Issue: 038 Today's Topics: Moderator: Leonard P. Levine Re: Privacy Phone Guard Re: Privacy Phone Guard Re: Privacy Phone Guard Re: Automated Toll Collection Re: Automated Toll Collection Re: Automated Toll Collection New Internet Journal Privacy "Management" Companies CLUB WIRED: Sameer Parekh, 16 May, 7 pm PDT Biometric Encryption Re: Medical Privacy on Nightline Info on CPD [unchanged since 11/22/95] ---------------------------------------------------------------------- From: Wotan Date: 08 May 1996 23:01:45 -0400 (EDT) Subject: Re: Privacy Phone Guard Do you worry that your phone number is available to anyone whom you call with a caller id box? [...] For a very simple phone guard that you can implement right now with little or no equipment and little or no cost send 4.95$ to: Sounds a lot like Caller Id Blocking, which your local phone company is supposed to provide info on for free if they support Caller ID. ------------------------------ From: chazl Date: 09 May 96 10:26:30 -0500 Subject: Re: Privacy Phone Guard Do you worry that your phone number is available to anyone whom you call with a caller id box? Do you worry that your phone number is very likely available to anyone who knows your name and has access to a phone book, regardless of whether or not you EVER CALL THEM? I really do not understand all the hullabaloo about how CallerID allegedly violates one's privacy. Here's the way I view it: If you walked up to my door and rang the doorbell with a bag over your head, would you be surprised that I would be unlikely to let you in? Is it be a violation of your privacy for me to request that you identify yourself before I decide whether to open the door? Why should my phone [which is another means into my home and life] be any different? Someone calls me and wants to talk to me. Why shouldn't I have the right to know who that individual is before I decide whether or not to grant that request? For a very simple phone guard that you can implement right now with little or no equipment and little or no cost send 4.95$ to: I worry far more about those who would sell a sheet of instructions on how to dial *67 before you place a call. Uh-oh, did I let the cat out of the bag? Oh, while I have your ear: Do you worry that your computer is susceptible to power surges and lightning strikes? I DO! For a very simple surge protection system that you can implement right now with little or no equipment and little or no cost, please send me $4.95. This is a simple and elegant system which involves placing a barrier of an easily obtainable gas between your computer's power cord and the electrical outlet, and will render your computer immune to power surges and lightning strikes. -- Chaz Larson - chaz@visi.com - http://www.visi.com/~chaz Once you take away my right to speak, everybody in the world's up shit creek. - Ice-T, 'Freedom of Speech' ------------------------------ From: PatrickK@Mail.Reinhardt.Edu (NYOB) Date: 09 May 1996 22:17:31 GMT Subject: Re: Privacy Phone Guard Organization: University System of Georgia (PeachNet) References: Do you worry that your phone number is available to anyone whom you call with a caller id box? You might also simply want to try the *67 feature. Many bell services offer this as an effective means of blocking caller id. Anytime you dial *67 before dialing a number it will circumvent the caller id on the recieving line. ------------------------------ From: Wotan Date: 08 May 1996 23:06:40 -0400 (EDT) Subject: Re: Automated Toll Collection The State of Virginia is encouraging drivers on the Dulles Tollway to sign up for a program that automates toll collection. A sensor at the toll station identifies your car and debits an account you set up. You can opt for automatic transfer against a credit card when the account [...] Well, the option to just toss some change into the bucket or pay the a real person is still open. If i understand the purpose of this thing correctly, it is supposed to help commuters save time by not needing to wait in line behind people paying the toll - your supposed to just drive on thru. Is it more conveinant to save the time than protect privacy on your driving habits? ------------------------------ From: dan@dvl.co.nz (Dan Langille) Date: 12 May 1996 20:24:03 GMT Subject: Re: Automated Toll Collection Organization: DVL Software Limited References: The State of Virginia is encouraging drivers on the Dulles Tollway to sign up for a program that automates toll collection. A sensor [...] As the program is voluntary, I don't see this as an invasion of privacy. If it was compulsory, that would be quite different. But I don't think any such program could be made compulsory as it would prevent non-locals from using the Tollway. It's really no different to a VISA bill; they know where you have been. But so what? -- Dan Langille DVL Software Limited - Wellington, New Zealand ------------------------------ From: ipcab@planet.eon.net Date: 13 May 1996 19:02:38 GMT Subject: Re: Automated Toll Collection Organization: Public Live Access Network (PLAnet) References: The State of Virginia is encouraging drivers on the Dulles Tollway to sign up for a program that automates toll collection. A sensor [...] That is not all,though. If you choose to enroll on-line, you must supply a credit card number and other information. It does not appear that any encryption is used to protect anyone who registers from their home page. This really is a double whammy: your car and its whereabouts can be monitored with the technology they are pushing, while at the same time their total disregard for the privacy issue is apparent in their asking you to email them your credit card information in an insecure fashion. Hmmm.... ------------------------------ From: cpsr-global@Sunnyside.COM Date: 08 May 1996 07:20:40 -0700 Subject: New Internet Journal Taken from CPSR-GLOBAL Digest 376 Sender: Andy Oram A journal that may interest readers in many countries has just started: "First Monday" at http://www.firstmonday.dk. You can read it free on the Web (just register your name) or pay to get it by email. The issue I read had an interesting article on how digital cash could weaken the currencies of small countries. ------------------------------ From: rj.mills@pti-us.com (Dick Mills) Date: 11 May 1996 09:49:29 -0400 Subject: Privacy "Management" Companies COMPUTER INDUSTRY DAILY 5/13/96 reported that Watts Wacker from SRI predicted the development of "Privacy management companies [that] would catalog facts about people then sell them to other companies." -- Dick Mills +1(518)395-5154 O- http://www.pti-us.com AKA dmills@albany.net http://www.albany.net/~dmills ------------------------------ From: ron@hotwired.com (Ron Hogan) Date: 11 May 1996 23:03:07 -0800 Subject: CLUB WIRED: Sameer Parekh, 16 May, 7 pm PDT Organization: Grifter Information Technologies Newsweek calls him one of the "50 people who matter most on the Internet." He's a programmer, entrepreneur, and activist whose company, Community Connexion, has implemented an infrastructure supporting completely private mail on the Internet, something resembling an anonymity server. Join technowhiz Sameer Parekh and Electronic Frontiers host Jon Lebkowsky for a discussion of the technological and sociopolitical issues of privacy in cyberspace on Thursday, 16 May at 7 p.m. PDT (Friday 02:00 GMT). The Club Wired 'room', unlike most of the content at the HotWired site, is only accessible by registered HotWired users. Registration, however, is free -- just use the URL below and select "Register Now", then fill out the form. When you're fully registered, go to http://www.hotwired.com/club/ to enter Club Wired. Ron Hogan ron@hotwired.com --------------------------------------------------------------------- HotWired: a website http://www.hotwired.com/ ********************************************************************* ------------------------------ From: Phil Agre Date: 12 May 1996 09:00:03 -0700 (PDT) Subject: Biometric Encryption Ann Cavoukian, the assistant privacy commissioner of Ontario, has directed my attention to an Ontario company whose products seem to have considerable positive implications for privacy protection. The company is called Mytec Technologies (10 Gateway Blvd Suite 430, Don Mills ON M3C 3A1, Canada, (416) 467-7726, (800) 845-0096, fax (416) 467-5368). Mytec sells devices for fingerprint-based biometric encryption. When we think of biometric authentication schemes, we usually have in mind systems that derive an absolute identifier from biometric information. The Mytec system, though, supports anonymous authentication protocols. A client registers with the system by supplying a text string, such as an encryption key, and pressing their finger against a lens on a device that creates a "Bioscrypt" -- the text string encoded by means of an optically transformed version of their fingerprint. Later on, then, the client can cause the text string to be reconstructed by pressing their finger against an authentication device. If the text string is an encryption key, for example, then the key can now be used to decode information on a smart card. Or the text string might be the individual's private key in an public-key encryption protocol. The system never captures an image of the fingerprint, and the Bioscrypt, they claim, cannot be decoded to reconstruct the fingerprint or the encoded text string. The authentication device can be embedded in a variety of other devices. For example, they market a personal computer mouse with the authentication device installed, so that public-key-encrypted e-mail can be sent or read without the client's private key needing to be written down or digitally stored anywhere. Key management is probably the single messiest obstacle to the widespread adoption of technologies of privacy. David Chaum, for example, has described protocols that would permit an individual to maintain separate "pseudo-identities" with different organizations, or to warrant that the individual satisfies a certain predicate (old enough to drink, eligible for welfare, etc) in a zero-knowledge manner (that is, without revealing any information beyond the predicte, e.g., how old one is, what one's income is, etc). The weak link in the chain is warranting that people are really who they say they are, without finding out who they are. Biometric encryption fixes this problem in a cheap, uniform manner. I am curious if anybody knows of any criticisms of this approach. I can see one problem, which is that it will be very difficult to explain the system to people who are accustomed to organizations lying and ripping them off and using technology to invade their privacy under a cloud of PR. The idea is hard enough to explain to professional technologists, much less the public. "Digital cash" has the virtue of being analogous to something familiar (paper cash), but I can't think of a simple way to explain anonymity through biometric encryption and zero-knowledge proofs. -- Phil Agre, UCSD ------------------------------ From: bgold@platinum.com (Barry Gold) Date: 13 May 1996 12:22:32 -0700 Subject: Re: Medical Privacy on Nightline testing and is looking forward to something positive becoming law. He sees bills moving forward that would forbid insurance companies denying coverage in health insurance based on information gained from such tests. He pointed out that no law had yet passed both houses and been signed by the President however. This is one of those problem areas with no easy answers. The proposed legislation would create the opposite problem: adverse selection. If it is possible to know whether you have a condition _and_ to conceal that information from an insurer, then you don't buy the insurance unless/until you have the condition. For example, you can be tested for HIV without your insurer finding out. (In some cases, without leaving any sort of record, using a totally anonymous testing protocol.) If you are young, you have relatively little need of medical insurance -- your odds of getting sick are very small. At most, you need insurance against accidental injury. But if you are HIV positive, you suddenly have a desperate need of insurance because you know you're going to have enormous medical bills within a few years. So you can get a situation where the only people who buy insurance are those who know they will need the payout. It's like buying car insurance when you've already found out (somehow) that you're going to have an accident this month. If we extend this to enough conditions, the only people who will buy insurance are the ones who have problems that will involve expensive payouts. This defeats the purpose of insurance: sharing the risk among a large pool of people, most of whom won't "use" the insurance. When that happens, insurance either becomes very expensive or all the insurance companies stop writing health (and maybe life) insurance because they have run out of money to pay claims. Or maybe we _require_ all insurance companies to write health and life, and property/casualty insurance disappears or becomes prohibitively expensive because it has to subsidize health/life insurance. Then we end up either with no insurance at all (and if you are unlucky enough to need any of a variety of expensive treatments, you're SOL) or some scheme of "universal" insurance. Universal insurance solves the adverse selection problem, but then you don't get any choice. You can have any color of model T you want, as long as you want black. Want a fee-for-service plan? Sorry, we only offer HMOs (or vice versa). You want the Cigna HMO? Sorry, we only offer Kaiser and Maxicare. Remember the furore about the Clinton health plan? It wasn't just because of insurance company propaganda (though that helped). It was also because people who have good health insurance through their jobs (like me) didn't want to be forced into some sort of HMO. I voted for Clinton, but I wasn't having any, thank you very much. this to get the point across. His final remark was "...we all have glitches in our DNA... probably 4 or 5 genes that are pretty fouled up, and we are going to have the opportunity to find that out pretty soon. If that is going to be used against us, who will be left insurable, whose privacy is going to be safe. We have to act now." Well, if _everybody_ has some sort of genetic problems, it will probably all even out. It won't be _just_ Diabetes and Fragile X, _everybody_ will have one or more problems that would raise their rates. Then you can just fall back on the existing rules that require health insurers to insure all conditions rather than picking and choosing. Everybody will still pay about the same rates, and nothing much will change. The problem will be the transition period when we can only find a few genetic problems (as is the case now). One possible approach would be to sell a special policy: insurance against having a high-risk condition. You buy it _before_ you have any tests. Then if you turn out to have some problem, your health-risk insurance pays the difference between "standard" rate and what you acutally need to pay. Since only a small part of the population has such a condition (at least among those we can test for now), the premium should be (relatively) affordable. ------------------------------ From: "Prof. L. P. Levine" Date: 14 May 1996 09:14:50 -0600 (CST) Subject: Info on CPD [unchanged since 11/22/95] Organization: University of Wisconsin-Milwaukee The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply. If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below. On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing. Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors. Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the Subject: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit the text except for purely technical reasons. A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy". People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Web browsers will find it at gopher://gopher.cs.uwm.edu. ---------------------------------+----------------------------------------- Leonard P. Levine | Moderator of: Computer Privacy Digest Professor of Computer Science | and comp.society.privacy University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu | Gopher: gopher.cs.uwm.edu levine@cs.uwm.edu | Web: gopher://gopher.cs.uwm.edu ---------------------------------+----------------------------------------- ------------------------------ End of Computer Privacy Digest V8 #038 ****************************** .