Date: Thu, 16 May 96 08:49:18 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@uwm.edu Subject: Computer Privacy Digest V8#039 Computer Privacy Digest Thu, 16 May 96 Volume 8 : Issue: 039 Today's Topics: Moderator: Leonard P. Levine FDA Approves At-Home HIV Test Re: Automated Toll Collection Re: Automated Toll Collection Re: Automated Toll Collection Cookies Re: Privacy Phone Guard Re: Privacy Phone Guard BC Pharmacists defy Minister's Order Looking for Privacy Watch Re: Underpinnings of Web Attacked An Ethical Dilema Re: Medical Privacy on Nightline InfoSec Update '96 Chicago Daily Law Bulletin Technology Law Column Surveillance Technologies Conference Info on CPD [unchanged since 11/22/95] ---------------------------------------------------------------------- From: privacy@interramp.com (Privacy Newsletter) Date: 14 May 1996 17:24:01 GMT Subject: FDA Approves At-Home HIV Test Organization: Privacy Newsletter May 14, 1996 -- The FDA just announced that it has approved the first at-home HIV test, manufactured by Direct Access Diagnostics, a Bridgewater, New Jersey-based division of Johnson and Johnson. The test allows for the collection of blood specimens in the home. The blood samples must then be mailed to a lab for analysis. Results are available within weeks, and the tests are allegedly anonymous, though, at this point, it is not clear how so. -- John Featherman Privacy Newsletter PO Box 8206 Philadelphia PA 19101-8206 Phone: 215-533-7373 E-mail: privacy@interramp.com ------------------------------ From: "L. Jean Camp" Date: 14 May 1996 14:18:26 -0400 (EDT) Subject: Re: Automated Toll Collection References: <199605141803.NAA14424@blatz.cs.uwm.edu> If i understand the purpose of this thing correctly, it is supposed to help commuters save time by not needing to wait in line behind people paying the toll - your supposed to just drive on thru. Is it more conveinant to save the time than protect privacy on your driving habits? This is a false and unnecessary choice. You are blaming captive consumers for the production of a flawed product. The State is saving money thorugh automation, the consumer is assisting them in using this service. There is no reason for the State to additionally create a valuable database about your movements. Here the State has _all_ the power in terms of designing the system, and the consumer has all the risks of privacy or fraud. (Gee, like Microsoft in electronic commerce.) -- Jean ------------------------------ From: dan@dvl.co.nz (Dan Langille) Date: 14 May 1996 21:03:52 GMT Subject: Re: Automated Toll Collection Organization: DVL Software Limited References: The State of Virginia is encouraging drivers on the Dulles Tollway to sign up for a program that automates toll collection. A sensor [...] That is not all,though. If you choose to enroll on-line, you must supply a credit card number and other information. It does not appear that any encryption is used to protect anyone who registers from their home page. I do not feel worried about passing my credit card details over the internet. Is there any [documented] case of credit card details being stolen whilst in transmission? Such transmissions must happen thousands of times daily. Surely, if it was a reasonablely easy way to capture data, it would be done. But it isn't easy. Sure it's possible, but it's not probable. For that matter, encryption won't stop. It will still be possible but a little less probable. -- Dan Langille DVL Software Limited - Wellington, New Zealand ------------------------------ From: Rick Carlson Date: 14 May 1996 14:26:14 -0700 Subject: Re: Automated Toll Collection Organization: Manufacturing Service Center References: The State of Virginia is encouraging drivers on the Dulles Tollway to sign up for a program that automates toll collection. A sensor [...] Dan Langille wrote: As the program is voluntary, I don't see this as an invasion of privacy. If it was compulsory, that would be quite different. But I don't think any such program could be made compulsory as it would prevent non-locals from using the Tollway. It's really no different to a VISA bill; they know where you have been. But so what? Just as there have been problems with the computerization and sales of credit card information, expect that there will be privacy problems with the automation of toll collection. I would not dismiss the privacy problems with credit card information. Credit Bureaus and credit card companies have a history of intruding on people's privacy and assisting directly and indirectly - through sales - in questionable marketing activities. There is nothing to prevent the State of VI to sell the data that they collect through the automated toll booths. It would seem imprudent to expect that would not eventually try to get some money into the state treasury for this "state resource". -- Rick Carlson ------------------------------ From: lihou@ms2.hinet.net Date: 14 May 1996 18:08:17 GMT Subject: Cookies Organization: SEEDNET InterNetNews News System Browsing recent uplodads to www.shareware.com, I found this Files from the winsite-win95 archive (since May 10,1996) sm186.zip desktop/ sm186.zip Fortune program with over 66000 cookies Size 3006 K It seems to me that these cookies are cookies files from people using Netscape Navigator and MSIE. If so, how we can prevent others from getting our 'cookies'? I mean, any other way except manually deleting them every time we use a browser. Is 'history' file also dowloadable from unsuspicious user's PC? -- Sean Taipei ------------------------------ From: bo774@FreeNet.Carleton.CA (Kelly Bert Manning) Date: 14 May 1996 19:37:00 GMT Subject: Re: Privacy Phone Guard Organization: National Capital Freenet, Ottawa, Canada chazl (chazl@leonardo.lmt.com) writes: Do you worry that your phone number is very likely available to anyone who knows your name and has access to a phone book, regardless of whether or not you EVER CALL THEM? I really do not understand all the hullabaloo about how CallerID allegedly violates one's privacy. Here's the way I view it: What statistics are you basing this estimate of proabiliity on? "Privacy Journal" published some %non-published number stats for different USA cities/regions a few years back. I don't have a copy in front of me but my recollection is that having an unlisted number was the norm, by a factor of 2:1(over 60%) in Los Angeles, the only US city with 2 area codes. Even in areas such as the Pacific Northwest about 1 number in 3 is non-published. On the face of it this seems to demonstrate a clear and widespread interest in keeping home phone numbers private. Disclosure of non-published numbers would seem to directly attack a privacy interest in which individuals invest hundreds of millions of dollars, if not millions(non-published fee * 12 months/year * millions of non-published numbers). If you have figures that show that the actual % of non-published numbers is a tiny minority please share them with us. Can you assure us that the majority of LA home numbers are actually published, contrary to the "Privacy Journal" report? -- notice: by sending advertising or solicitations to this account you will be indicating your consent to paying me $70/hour for a minimum of 2 hours for my time spent dealing with it ------------------------------ From: bob.landry@u.cc.utah.edu (Bob Landry) Date: 16 May 1996 09:23:07 GMT Subject: Re: Privacy Phone Guard Organization: Your Organization References: PatrickK@Mail.Reinhardt.Edu says... Do you worry that your phone number is available to anyone whom you call with a caller id box? Or, you can simply tell your phone co. to permanently block caller ID on your line. Then you dial *81 (I think) if someone insists on seeing your number. Personally, I rarely call strangers, and if a business (one actually did this) wants to see my phone # before they'll talk to me, then they obviously have to much business to handle already. Since I went to the trouble of requesting a non-listed, non-published number on my modem line, I see ne reason to let people have it whenever I happen to also use the phone on that line. And before you ask, No, I don't take incoming calls thru the modem. -- Bob Landry ------------------------------ From: bo774@FreeNet.Carleton.CA (Kelly Bert Manning) Date: 14 May 1996 19:49:55 GMT Subject: BC Pharmacists defy Minister's Order Organization: National Capital Freenet, Ottawa, Canada Last month the BC Minister of Health ordered Pharacists to stop peddling prescribing profile information to IMS Canada Ltd. which uses it to target doctors in an attempt to increase sales of particular drugs. The 1996/May/13 edition of the Victoria Times-Colonist had an editorial which begins: "Information: Access vs Abuse Aside from the obvious protection of your personal privacy, should there be any other restrictions on the computer data about your prescription drug usage?" The editorial goes on to describe how the College of Pharmacists has taken advantage of the current election to ignore the minister's order. The legislature is not sitting and there is no enforcement statute. The editorial concludes "The B.C.College of Pharmacists is supposed to uphold the ethics of its profession. It's fallen far short here." -- notice: by sending advertising/solicitations to this account you will be indicating your consent to paying me $70/hour for a minimum of 2 hours for my time spent dealing with it ------------------------------ From: Robert Grosshandler Date: 14 May 1996 17:30:27 -0400 Subject: Looking for Privacy Watch Organization: Intercast, LLC I am trying to track down a service or company called Privacy Watch. Any info or pointers would be much appreciated. Thanks in advance. -- Robert. ------------------------------ From: dan@dvl.co.nz (Dan Langille) Date: 15 May 1996 08:44:14 GMT Subject: Re: Underpinnings of Web Attacked Organization: DVL Software Limited References: glr@ripco.com (Glen L. Roberts) wrote: Underpinnings of Web Attacked "Banyan Revival Bets Heavily on the Web" reads a headline in the 3/96 issue of Web Week. Banyan Systems International is apparently looking for corporate success through the Internet and it's world wide web. Now, however, they appear to be attacking the entire structure of the web. [SNIP] How inappropriate of Banyan. How do they define "misappropriation of Switchboard"? Are the guidelines for appropriation defined & published? As I've said before, all that this site does is automate a manual process. If one wants privacy, one will not be in the phone book. -- Dan Langille DVL Software Limited - Wellington, New Zealand ------------------------------ From: Simon Rogerson Date: 15 May 1996 10:53:31 +0100 (BST) Subject: An Ethical Dilema Problems associated with the uniqueness of IT abound. Consider these three statements: * Hacking is wrong * Counselling support for the suicidal is right * Anonymity between the counsellor and the counselled is a right And here is the dilemma: * Is it right to employ hackers to develop an anonymous Internet counselling service for the suicidal? What do you think? -- Simon Rogerson Director, Centre for Computing & Social Responsibility School of Computing Sciences De Montfort University TEL: +44 116 257 7475 The Gateway, Leicester FAX: +44 116 254 1891 LE1 9BH, UK EMAIL: srog@dmu.ac.uk visit our home page at http://www.cms.dmu.ac.uk/CCSR ------------------------------ From: madnix.uucp!zaphod@nicmad.nicolet.com (Ron Bean) Date: 15 May 96 18:54 CDT Subject: Re: Medical Privacy on Nightline bgold@platinum.com (Barry Gold) writes: This is one of those problem areas with no easy answers. The proposed legislation would create the opposite problem: adverse selection. If it is possible to know whether you have a condition _and_ to conceal that information from an insurer, then you don't buy the insurance unless/until you have the condition. I thought the bill currently in congress had a "grandfather clause" in it, so they couldn't deny coverage if you currently had insurance with another company, but they *could* if you didn't. And anything you can test for, they can test for. The purpose of this is to allow you to transfer your coverage to a different company, which is important if you're in a local HMO and need to relocate. Something like 4 million of us are ready to change jobs the minute the bill gets signed... If you are young, you have relatively little need of medical insurance -- your odds of getting sick are very small. At most, you need insurance against accidental injury. Well, having survived cancer at age 24 (nine years ago), I beg to differ. Insurance works *because* the odds are low. And young males probably need more insurance for accidental injury than the general population (that's why your car insurance rates drop in half when you turn 25). Universal insurance solves the adverse selection problem, but then you don't get any choice. You can have any color of model T you want, as long as you want black. There is another possibility-- you pick the coverage, but you can't upgrade later (or at least not easily). I've heard that Germany has a universal system that allows rich people to opt out, but they can't get back in. also because people who have good health insurance through their jobs (like me) didn't want to be forced into some sort of HMO. I voted for Clinton, but I wasn't having any, thank you very much. I hope you have good job security. Whatever we do, we really must get rid of employer-paid insurance. There is no way to level the playing field as long it exists. -- madnix!zaphod@nicmad.nicolet.com (Ron Bean) ------------------------------ From: Mich Kabay <75300.3232@CompuServe.COM> Date: 16 May 96 08:13:53 EDT Subject: InfoSec Update '96 Information Technology Security Update '96 Wednesday and Thursday, June 12-13, 1996 Hull, QC (National Capital Region of Canada) sponsored by The Institute for Government Informatics Professionals (Hull, QC) and The National Computer Security Association (Carlisle, PA) Program Two-Day InfoSec Update Sponsored by IGIP and NCSA DAY1 TOPIC Information Warfare: Concepts and Implications InfoWar Concepts and Case Studies News from the 4th Intl Conference on IW (Brussels, May 1996) Discussion of InfoWar Computer Crime Update Recent International Case Studies News from the 6th Intl Conf on Virus Prevention (Washington, April 1996) Computer Crime and Fraud in Canada IS/RECON: Tracking Potential Crime DAY2 TOPIC Internet Security Commerce on the Internet: Benefits and Risks Cryptography Report: Algorithms, Attacks and Laws Recent CERT/CIAC Alerts Firewall Certification Program Security Management Psycho-social Factors for Successful Security Policies Security Certification: The (ISC)^2 and the CISSP For more information or to register call NCSA HQ: 717-258-1816 x.226 or send any e-mail message to the NCSA Infobot (info@ncsa.com) or point Web browser to http://www.ncsa.com/update96.html Registration Deadline: 7 June 1996 -- Michel E. Kabay, Ph.D. (Kirkland, QC) Director of Education, National Computer Security Association (Carlisle, PA) ------------------------------ From: David@Loundy.com (David J. Loundy) Date: 14 May 1996 15:49:58 -0500 Subject: Chicago Daily Law Bulletin Technology Law Column Published in the Chicago Daily Law Bulletin, May 9, 1996, at page 6. ----------------------------------------------------------------------- Two rulings on encryption speak different language. Copyright 1996 by David Loundy Reprinted with permission This and past articles archived at http://www.Loundy.com/ ----------------------------------------------------------------------- Two district courts were recently presented with the issue of whether the Department of State can constitutionally restrict certain forms of encryption or whether the materials at issue constitute "speech" protected by the First Amendment. The first case, Karn v. U.S. Department of State, No. 95-1812 (CRR) (D. D.C. Mar. 22, 1996) concerned whether a computer disk containing encryption code is a defense article under the Arms Export Control Act (AECA), 22 U.S.C. Sections 2751-2796d, and the International Traffic in Arms Regulations (ITAR), 22 C.F.R. Sections 120-130, and is thus subject to a licensing requirement in order to export the disk. In the Karn case, the plaintiff filed a "commodity jurisdiction request" to export the book "Applied Cryptography" by Bruce Schneier. The book explains different aspects of cryptography-- history, politics, different encryption algorithms, and techniques to implement cryptographic algorithms. One part of the book contains computer source code for a number of cryptographic algorithms. Stuck in the back of the book was also a computer disk containing the same source code found printed in the book. The Department of State's Office of Defense Trade Controls declared that it did not have jurisdiction under the ITAR as to the book, but explicitly did not extend this determination to the disks. Karn then filed a commodity jurisdiction request for the computer disks. The Office of Defense Trade Controls responded that it did have jurisdiction over the disk, and the disk constituted a restricted defense article. This decision was then appealed twice, and the appeal was denied twice-- resulting in the current case. The U.S. District Court for the D.C Circuit held that the AECA specifically bars judicial review of the President's (or the President's designee-- the Department of State) designation of items as defense articles. The court then held that a challenge based on the Administrative Procedure Act, 5 U.S.C. Section 706(2)(a), constituted an attempted end-run around the non-reviewability provision of the AECA, and thus also failed. Most importantly though, the court addressed a constitutional challenge to the regulations. The court held that the regulations are content-neutral, regardless of whether they are, as the Plaintiff contended, nonsensical because they allow export of the computer code printed on paper, but not the same code "printed" on a floppy disk. Having determined that the regulations were content-neutral, the court then applied the test for constitutionality which was developed in U. S. v. O'Brien, 391 U.S. 367 (1968). The O'Brien test requires that a regulation be within the constitutional power of the government, that it further an "important and substantial government interest," and that the regulation be narrowly tailored to the government interest. The plaintiff did not contest the first two elements, but rather claimed that by classifying the disk as a munition, the government would not satisfy its interest in limiting access to strong cryptography. The court found that this argument was another veiled attack on the President's determination that the material at issue should be on the munitions list-- a determination that the court had already found unreviewable. Karn is now on appeal. Unlike Mr. Karn, Daniel Bernstein fared a bit better in his challenge of the constitutionality of the same regulations. Mr. Bernstein developed an encryption algorithm called "Snuffle." He wrote an academic paper discussing his algorithm, he wrote some source code implementing the algorithm, and he wished to present talks about it at conferences and on the Internet. Bernstein also requested a Commodity Jurisdiction determination from the Office of Defense Trade Controls regarding his paper, and two portions of his software implementation of the Snuffle algorithm. The Office of Defense Trade Controls declared that his system is considered a defense article, and thus is subject to a licensing requirement before it can be exported. Not knowing which elements this decision referred to, Bernstein requested a separate determination as to five distinct elements-- the paper, the two software components, and two texts on implementation and use of the algorithm. The response to his request was that all of the elements constitute defense articles. This determination resulted in Bernstein v. United States Department of State, No. C-95-0582 (N.D. Cal. April 15, 1996). After the suit was filed, the Office of Defense Trade Controls wrote to Bernstein to "clarify" that its determination applied only to the software elements, and not to the texts. In the Bernstein case the Department of State made the same arguments it made in the Karn case. Both cases acknowledged the non-reviewability provision of the regulations, and both acknowledged that the provision will not stop a constitutional challenge. This, however, is largely where the similarity between the two decisions ends. In addressing the constitutional issues, the court in Bernstein first looked at whether if the encryption system constitutes "speech" or whether it is more appropriately labeled "conduct" (and thus is easier to regulate). The court determined that the encryption system is speech, albeit "functional" speech. Rather than using the analogy that the encryption system is "conduct," like burning a flag, the court held that the computer software is more analogous to speech in a foreign language. The court reasoned, "[n]or does the particular language one chooses change the matter for First Amendment purposes. This court can find no meaningful difference between computer language, particularly high-level [computer] languages... and German or French. All participate in a complex system of understood meanings within specific communities." The court found further support for the argument that computer languages constitute speech for constitutional purposes by looking to the Copyright Act-- which protects computer software as "literary works" 17 U.S.C. 101, 102(a)-- even purely "functional" speech such as player-piano rolls. Next, as did the Karn court, the Bernstein court looked to the aforementioned O'Brien test. However, the Bernstein court determined that speech was at issue, and not conduct, and it found the O'Brien test to be an inappropriate standard. However, because the case was only a motion for summary judgment, the court applied the standard to ascertain whether Mr. Bernstein had a colorable claim sufficient to avoid the defendant's motion for summary judgment. Again, neither party debated much over the first two prongs of the O'Brien test-- that the government has the power to regulate in this area, and that it has an important interest at stake (national security). However, the Bernstein court, noting the presumption against prior restraints on speech, found that the Department of State's only response was that the software is conduct, not speech-- a proposition that the court had already rejected. Continuing, the court held that Bernstein had a colorable claim that the regulations were overbroad, and that the regulations could compromise protected speech. Furthermore, the court found no difficulty in holding that the regulations were vague. Although the Department of State claimed that the definition of cryptographic software and the exemptions from the definition are clear to a person of ordinary intelligence, the court pointed out that the Office of Defense Trade Controls itself mistakenly categorized Bernstein's academic paper as a defense article. In other words, the court found that Bernstein's vagueness claims were also colorable enough to survive a motion for summary judgment. In discussing these two cases, one commentator speculated that the two judges must have come from different planets. In the judges' opinions, the courts are clearly speaking different languages. In the past, speaking in different languages (specifically, Navajo) was used to avoid enemy interception of communications during war. According to the Bernstein court, it should not matter whether someone speaks in English, Navajo, or PGP-- all speech has some constitutional protection. On the other hand, I would be interested to see how the Karn Court would handle the matter if the Department of State declared a software algorithm that automatically converts English to Navajo a defense article. ------------------------------ From: pi@privacy.org (Privacy International Washington Office) Date: 15 May 1996 15:35:07 -0400 Subject: Surveillance Technologies Conference Organization: Privacy International Preliminary Conference Announcement ADVANCED SURVEILLANCE TECHNOLOGIES II Sponsored by Privacy International Electronic Privacy Information Center September 16, 1996 Citadel Ottawa Hotel and Convention Centre Ottawa, Canada ----------------------------------------------------------------------- The rapid evolution of technology is leading to the creation of a seamless web of surveillance across much of the world. Powerful technologies originally developed for the military are being adopted by law enforcement and civilian agencies, and private companies to monitor entire populations. This has been further fueled by the end of the Cold War and increasing demands for greater bureaucratic efficiency. Existing laws and regulations have failed to keep up with these developments. This one day conference will examine a range of advanced surveillance technologies and their impact on privacy and other civil liberties. It will explore the process of planning and implementation of the technologies, their operating conditions, and the people and organizations responsible for them. The conference will also examine possible technical, regulatory and legal responses. The conference will also address in detail the findings of Privacy International's "Big Brother Incorporated" report which examined the international trade in surveillance technology and the involvement of the arms industry. ----------------------------------------------------------------------- PARTIAL LIST OF SPEAKERS Phil Agre, University of California, San Diego Dave Banisar, Electronic Privacy Information Center Colin Bennett, University of Victoria Simon Davies, London School of Economics & Director, Privacy International Wayne Madsen, Author, Handbook of Personal Data Protection Bruce Schneier, Counterpane Systems & Author, Applied Cryptography CONFERENCE SUBJECTS * Artificial Intelligence Systems * Biometric Identification * Digital Cash * Information Superhighways * Information Warfare * Infrared and Passive Millimeter Wave Detectors * Intelligent Transportation Systems * Other New Technologies ----------------------------------------------------------------------- MORE INFORMATION More information on the conference will be available at the Privacy International mailing list at pi-news@privacy.org (subject: subscribe) or at the PI Home Page at http://www.privacy.org/pi/conference/ottawa/ [additional material removed by moderator CPD] ------------------------------ From: "Prof. L. P. Levine" Date: 17 Mar 1996 09:14:50 -0600 (CST) Subject: Info on CPD [unchanged since 11/22/95] Organization: University of Wisconsin-Milwaukee The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply. If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below. On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing. Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors. Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the Subject: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit the text except for purely technical reasons. A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy". People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Web browsers will find it at gopher://gopher.cs.uwm.edu. ---------------------------------+----------------------------------------- Leonard P. Levine | Moderator of: Computer Privacy Digest Professor of Computer Science | and comp.society.privacy University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu | Gopher: gopher.cs.uwm.edu levine@cs.uwm.edu | Web: gopher://gopher.cs.uwm.edu ---------------------------------+----------------------------------------- ------------------------------ End of Computer Privacy Digest V8 #039 ****************************** .