Date: Fri, 31 May 96 11:06:44 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V8#044

Computer Privacy Digest Fri, 31 May 96              Volume 8 : Issue: 044

Today's Topics:                         Moderator: Leonard P. Levine

    Re: unsolicited email?
    Re: unsolicited email?
    Re: All Calls are Logged
    Re: Privacy Phone Guard
    Re: Credit Cards with Internet Fraud Insurance
    Re: Credit Cards with Internet Fraud Insurance
    Re: Biometric Encryption
    Re: Biometric Encryption
    e-Mail Privacy
    Re: How Secure are 900 MHz Digital Cordless Phones?
    Re: How Secure are 900 MHz Digital Cordless Phones?
    Re: Equifax for Employee Background Checks
    Re: Free PGP shell available for Windows
    New Online Phone Directory
    Re: EPIC Alert 3.11
    Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: johnl@iecc.com (John R Levine)
Date: 30 May 96 12:24 EDT
Subject: Re: unsolicited email?
Organization: I.E.C.C., Trumansburg, N.Y.

    Please excuse if this has been beaten up here before, but I am interested in any legal precedents for fighting unsolicited email.

Unfortunately, there aren't any. There is a law against junk faxes, and the definition of a fax machine in the law could, if read literally, be taken to describe most computers. (It describes a device with a modem and a printer which can print text or images.) But the junk fax law is clearly intended to address faxes rather than e-mail, and I'd be surprised if any judge thought differently.

Most but not all Internet providers have Acceptable Use Policies which forbid junk e-mail, and it's usually possible by persistent polite complaining to the ISP to get the junk mailer's account cancelled. But it's very easy to get throwaway trial accounts on everyone from AOL to Interramp to Fred's Pest Control and ISP, and the most persistent spammers use those, hopping from provider to provider.
A few "rogue" providers, from misguided principle or ineptness, refuse to apply any discipline to their users at all. You can read about this continuing process in far more depth than you want in news.admin.net-abuse.misc on usenet. There are many sites (soon to include mine) which reject all mail from rogue providers.

Given the existence of junk fax legislation, I'd think it'd be straightforward to extend it to junk e-mail. The issues are similar, most importantly that the cost of sending the messages is very low, and the recipient bears much of the cost of receiving the message, so the junk messages have a disproportionate out-of-pocket cost to the unwilling recipients.

--
John R. Levine, IECC, POB 640 Trumansburg NY 14886 +1 607 387 6869
johnl@iecc.com "Space aliens are stealing American jobs." - Stanford econ prof

------------------------------

From: prvtctzn@aol.com (Prvt Ctzn)
Date: 29 May 1996 12:36:51 -0400
Subject: Re: unsolicited email?
Organization: America Online, Inc. (1-800-827-6364)
References:

    Please excuse if this has been beaten up here before, but I am interested in any legal precedents for fighting unsolicited email.

The Telephone Consumer Protection Act of 1991 (47 USC 227) prohibits unsolicited advertisements to fax machines. A fax machine is defined (by this law) to be equipment with the capacity to:

- receive signals over a regular telephone line
- convert that data into text or graphics, and
- print that data on to paper

Therefore, your computer - email - printer system is (by definition) a fax machine.

You can sue the sender for $500 for each such transmission so long as you have no existing or prior business relationship with the sender.

Robert Bulmash
Private Citizen, Inc.
http://webmill.com/prvtctzn/home

------------------------------

From: Rick Carlson
Date: 29 May 1996 15:37:25 -0700
Subject: Re: All Calls are Logged
Organization: Manufacturing Service Center
References:

Crissie Trigger wrote:

    For those who are upset about caller I.D., I have been informed by several private investigators that every telephone call, local as well as long distance made through a typical phone company is registered on a computer as to the number of the caller and callee, date & time of the call, and the length of the call. Big brother isn't always listening, but he can usually go back and check the records.

And sometimes those records have been searched - legally and illegally. A few years ago, the Ohio Bell in Cincinnati, turned over its billing records for all calls made from Cincinnati to Pittsburgh to assist Procter and Gamble in locating a person who "leaked" company data to a Wall Street Journal writer in Pittsburgh. I seem to recall that around 10,000 calling records were turned over to the Cincinnati police who then turned over the data to P&G.

------------------------------

From: hermit@cats.UCSC.EDU (William R. Ward)
Date: 29 May 1996 19:58:54 GMT
Subject: Re: Privacy Phone Guard
Organization: Computing and Telecommunications Services, UCSC
References:

The problem with caller-id is that we have people objecting to and promoting different things:

1. People who want caller ID want to know the identity of the PERSON who is calling them so they know who they're talking to.

2. People who do not want caller ID want to withhold their PHONE NUMBER so businesses they call can't add them to a database.

There are also businesses who want to know the phone number, and people who want to withhold their personal identity, but I believe those cases are far less common than the above.

It seems that there should be a way to give your identity without giving your phone number, thus satisfying both groups.
If I could program my phone to transmit "Bill Ward" instead of my phone number when I call someone, I wouldn't object to them seeing that. Wouldn't that be preferable?

--
William R Ward          Bay View Consulting     http://www.bayview.com/~hermit/
hermit@bayview.com      1803 Mission St. #339   voicemail +1 408/479-4072
hermit@cats.ucsc.edu    Santa Cruz CA 95060 USA pager +1 408/458-8862

------------------------------

From: John Pettitt
Date: 29 May 1996 14:01:41 -0700
Subject: Re: Credit Cards with Internet Fraud Insurance
Organization: software.net
References:

Winston Edmond wrote:

    A few weeks ago, I got a piece of junk mail asking me to apply for a VISA card. What made the offer unique was that it had the word WEB in big letters on the outside envelope and a novel feature: it explicitly said that the card holder would not be held liable for any charges resulting from the number being stolen in the course of its use over the Internet. This was not limited to encrypted transmission.

The interesting thing here is that you only have $50 liability anyway and in most cases the bank will waive that (USA - other countries may vary, as I recall in the UK it's UKL 50). Anyway it's another sales gimmick that's all.

Question: can anybody cite an instance of a card stolen in flight on the net, not the local lan or by breaking into a machine but on the net itself? I can't find one.

The big issue in internet credit card fraud is identity theft, that is somebody gets your card and address the old fashioned way (mostly they talk you out of it) and then they order stuff over the net. In this case the merchant gets stuck with the fraud costs. That's why merchants like us want so much info before we process a transaction - we are trying to mitigate our fraud risk.

--
John Pettitt jpp@software.net
VP Engineering, CyberSource Corp.
+1 415 473 3065 (V) (fax 3066)

------------------------------

From: tpeters@hns.com (Thomas Peters)
Date: 29 May 1996 22:39:54 GMT
Subject: Re: Credit Cards with Internet Fraud Insurance
Organization: Hughes Network Systems Inc.
References:

    A few weeks ago, I got a piece of junk mail asking me to apply for a VISA card. What made the offer unique was that it had the word WEB in big letters on the outside envelope and a novel feature: it explicitly said that the card holder would not be held liable for any charges resulting from the number being stolen in the course of its use over the Internet. This was not limited to encrypted transmission.

Since when have card holders been liable for unauthorized charges made with a stolen card number? As long as you don't lose the physical card, you may be inconvenienced by fraud, but you are not liable for the losses. That the card number was disclosed over the web instead of over the phone or in a dumpster is beside the point. This clever card issuer is giving up something he never had.

--
Tom Peters

------------------------------

From: "Michael Lewkowitz"
Date: 29 May 96 23:08:24 UT
Subject: Re: Biometric Encryption

I have actually seen the Mytec device and had it demonstrated to me. With regard to the worry that fingerprints can be lifted off of glasses etc. and used as a replica, this is not possible. For that to work, a 3D model of the fingerprint would have to be recreated with a material that has the same elasticity of the individual's skin. When "swiping" the finger, the print distorts which affects the biocrypt.

Furthermore, you can have a number of fingers registered so that in the event one gets disfigured or is lost by malicious action or accident, one can activate another as back up.

Technologically speaking, the product is sound and has vast potential. In regard to encrypting, I'm sure there will be much debate as to how to set it up.
If you have any specific questions, they do have a web site through which you should be able to contact them directly.

And finally, to end this disjointed letter, I was told that they are attempting :-) to get a patent on fingerprint data encryption over the net (or something along those lines).

--
Michael Lewkowitz
Com.Point Innovations Inc.

------------------------------

From: gtomko@noc.tor.hookup.net (George Tomko)
Date: 29 May 1996 09:42:54 -0400 (EDT)
Subject: Re: Biometric Encryption

Dear Mr. Levine:

Subject: Biometric Encryption

I have noticed a number of communications in your news group regarding Biometric Encryption, especially some concerns about its use. As one of the developers of this technology, I would appreciate if the attached response could be posted in the news group to provide people with some answers and also to obtain feedback and discussion.

Kind regards.
George J. Tomko, Ph.D.

Several people commented on four concerns in using a finger pattern for biometric encryption, namely:

1. It's easy to get someone's fingerprints since they are left on a vast number of everyday objects, such as drink cans and door handles;

2. Muggers would start cutting off people's fingers when stealing their cards;

3. The crooks would forcibly hold down an individual's finger against the biometric encryption authentication device to extract the string coded by the individual's Bioscrypt; and

4. If the finger used to code the Bioscrypt is damaged or destroyed, then an individual will not have access to the files associated with the Bioscrypt.

I will try to answer these concerns in order. But, first, let me define a Bioscrypt. A Bioscrypt is a two-dimensional image of a string or set of characters which can represent a PIN, encryption key or pointer and which has been coded (encrypted) by the two-dimensional information in a fingerprint pattern. It has the following properties:

- it has no resemblance to the original fingerprint.
- it cannot be reconverted to the original fingerprint.
- if an optical image of the correct live fingerprint is transmitted through the Bioscrypt, then the output light beam uniquely represents the coded number.

By successfully decoding their Bioscrypt, the person also confirms who they claim to be. For purposes of the discussion below, it is important to note that the optical authentication device is a coherent system and uses the phase information in a finger pattern (complex domain) as a discriminating parameter.

1. "Picking up latent prints from door handles, etc."

To perpetrate a masquerade using a latent fingerprint of a legitimate user is very difficult for the following reasons:

* The system requires a three-dimensional reconstruction of the legitimate user's fingerprint because the height of the various fingerprint ridges can modify the two-dimensional complex optical image which is the input to the authentication device. There is little information in a two-dimensional latent print about the depth and the height of grooves and ridges of the actual fingerprint.

* The three-dimensional reconstruction of the legitimate user's fingerprint from a latent print would also need to duplicate the approximate oil and moisture content of the skin, since this is one of the factors which affects (modulates) the two-dimensional image read by the system. Quantifying this information from a latent print is very difficult. Even if it were, the three-dimensional reconstruction would have to be made from a synthetic material which had the same oil and moisture properties as the legitimate user's skin. To use an oil/water based solution to place on the input scanning window would be useless since this would frustrate all of the light bouncing off the window and would convey little or no useful information to the optical system.
* The reconstructed fingerprint would also need to be made from a material with approximately the same elastic properties as the legitimate user's finger skin. During enrollment, and subsequently on authentication attempts, the user slides a finger over the input scanning window. This action warps the skin and the corresponding fingerprint pattern based on the elastic properties of the skin. Within the population, warping can vary significantly based on age, dryness of skin, etc. and is thus another unique aspect of the individual's finger pattern.

2. "Severing the finger to obtain access."

As already mentioned in some of the previous communications in this newsgroup, measuring the temperature, humidity, pulse rate and even heart rate to verify a live finger can be accomplished. One of the key factors, though, is after the finger is severed the elastic properties of the skin change rapidly and thereby would not warp in the same manner as a live finger pattern. This would make a cadaverous finger useless after a period of time. (Can't find subjects to do a double blind study though).

3. "Crooks would forcibly hold down the finger."

By forcibly sliding an individual's finger against the biometric encryption authentication device (reading device), the string coded by the Bioscrypt can be extracted. The string coded by the individual's finger pattern Bioscrypt could then be used for a one-time access for whatever purposes the string was intended. However, assuming that the individual is freed, he can then use his finger pattern to code a completely different string to prevent repetitive access. The system is robust in that it is very easy to change PINs, encryption keys or computer pointers. It was suggested in some of the messages that a pass phrase be used in conjunction but, again, if an individual is holding your finger down forcibly, to extend that to pointing a gun to your head to divulge the pass phrase is not an extreme assumption.
There is no perfect security system out there and I doubt one will ever be designed since it has to work with real human beings. I suggest that the goal is to provide privacy-enhancing technology that handles the majority of the infringement cases and that, for exceptional circumstances where extreme privacy and security must be guaranteed, we combine the biometrics (something you are) with the pass phrase (something you know) and a token (something you have). If the combination of those three doesn't do it, then at this stage of technological evolution, nothing will cut it.

4. "Losing or damaging a finger with the result of not being able to access the Bioscrypt and related files."

One of the properties of optical processing is that composite patterns can be made and thereby used to make the Bioscrypt. Accordingly, more than one finger could be used or a finger and a proprietary pattern (which one keeps hidden away somewhere). Of course, there is a penalty. The more patterns one uses, the smaller the signal to noise ratio of the system. The system is currently designed to give signal to noise ratios in the order of 10 to 12 dB and thereby significant degradation can still occur which would allow comfortably two to three patterns to be superimposed in the same Bioscrypt.

If you are interested, more information can be gained by accessing Mytec's web page at http://www.mytec.com.

--
George J Tomko
Mytec Technologies Inc.
Toronto, Ontario

------------------------------

From: mdc@mbay.net
Date: 29 May 1996 23:52:51 GMT
Subject: e-Mail Privacy
Organization: Monterey Bay Internet, Monterey, CA

I am interested in e-mail security and would like to hear from anyone who knows about legal case histories, company policies, or personal experience with e-mail privacy (particularly the lack thereof). The gist of my research is should e-mail be treated like other forms of communication as far as searches and warrants go?

Thanks for any input.

------------------------------

From: pfeifer@lf.hp.com (Mark Pfeifer)
Date: 30 May 1996 17:41:13 GMT
Subject: Re: How Secure are 900 MHz Digital Cordless Phones?
Organization: Hewlett-Packard Little Falls Site
References:

    I keep hearing that digital cordless phone conversations are private. Could someone please explain to me why? Is it simply because scanners which intercept digital transmissions are not commonly available? Or is there something about digital transmission technology that makes the transmissions un-decodable?

I recently purchased a Toshiba 900MHz digital cordless phone. It does claim to encrypt calls. According to the documentation, each time the handset is placed in the base unit, a new 16-bit key is picked and used until the phone is placed in the base again (they quote 65536 unique codes).

Part of the security comes from the fact that digital scanners appear to be much less common than analog ones, so that helps keep down the number of casual observers. The digital encryption should help matters a bit more.

--
Mark Pfeifer (302) 633-8260             E-mail: pfeifer@lf.hp.com
Hewlett-Packard Little Falls Site       #include
Wilmington, DE 19808                    #define OPINIONS mine

------------------------------

From: Ed Frankenberry
Date: 30 May 1996 17:30:41 -0400
Subject: Re: How Secure are 900 MHz Digital Cordless Phones?

    Do digital cordless phones routinely scramble their transmissions? If so, what kind of algorithms are used for scrambling? How hard would it be to unscramble if someone was reasonably determined?

Digital cordless phones are "reasonably" secure. There are different types of 900-MHz digital transmission. Early digital cordless phones (e.g. the VTech Tropez and AT&T 9100) use a fixed channel frequency and session key for the duration of the call. The conversation is digitally encoded so an eavesdropper would need to perform digital signal processing (beyond simply using a scanner).
The key length is typically 16-bits, so a determined eavesdropper could recover the clear signal.

More recent digital cordless phones (e.g. the Uniden EXP 9100) have frequency-agile transceivers that use spread-spectrum transmission. Rather than using a fixed channel, the signal is transmitted over multiple frequencies. This technique offers greater noise immunity, and requires synchronization between the base and handset regarding the set of transmission frequencies. It is difficult for a would-be eavesdropper to distinguish spread-spectrum transmission from wideband random noise.

From a privacy/security perspective, both forms of digital transmission represent an improvement over conventional unencrypted analog (AMPS) cellular telephones or analog cordless phones.

------------------------------

From: Wotan
Date: 30 May 1996 18:42:00 -0400 (EDT)
Subject: Re: Equifax for Employee Background Checks

anonymous said:

    They are very intrusive into your private life, and once info gets into their computers it is hard to get it out.

I've got to disagree with this statement. They did once place bad info in my report by mistake (combined mine and my sister's - our SS's are only one number different.) They corrected the problem and deleted the bad info immediately. And periodically send me a gratis copy to ensure that the info is still correct.

Which is better than TRW ever was - I shouldn't have needed to file a complaint with the FTC to get bad info off of TRW's records.

--
God is an atheist.

------------------------------

From: dallas@eskimo.com (Dallas Waite)
Date: 30 May 1996 17:52:51 -0700 (PDT)
Subject: Re: Free PGP shell available for Windows
Organization: Eskimo North (206) For-Ever

I've downloaded PGPn123, and experimented with it a few times. No virus probs, and can report no major bugs. Since I've not used any other program of this type, I can not say if it is any better or worse than others that are out there. Hope this helps.

-- "Dr.
Tom Blinn, 603-881-0646" wrote:

------------------------------

From: Paul Szabo
Date: 31 May 1996 06:23:22 -0700
Subject: New Online Phone Directory

I found a new online phone directory that allows you to search in Canada and the U.S:

    http://www.infospaceinc.com/space.html

This one had slightly out of date information, and also neglected to include my (last year's) apartment number. This one does NOT have the feature of allowing you to delete yourself from the directory, unlike [moderator, if you know this, please insert here, I lost the URL]. Although they claim privacy is important, obviously it is not anywhere near the highest on their list.

For information about this new startup:

    http://www.infospaceinc.com/space.html

To do a search

    http://www.infospaceinc.com

--
Paul Szabo

------------------------------

From: epic-news@epic.org (EPIC-News Mail Server)
Date: 29 May 1996 14:47:53 -0400
Subject: Re: EPIC Alert 3.11

Epic Alert, Volume 3.11
May 29, 1996

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.
http://www.epic.org/

Table of Contents

[1] Children's Privacy Bill Introduced
[2] Recent Problems in Direct Marketing Industry
[3] New Medical Privacy Bill Introduced
[4] Canadian NII Panel Calls for Privacy Law
[5] Supreme Court Rejects California Caller ID Case
[6] NRC to Release Crypto Report
[7] FTC To Examine Privacy Issues
[8] Upcoming Conferences and Events

[moderator: this listing of excellent material is too long to post here. I have archived it in CPD archives, or a copy can be found in the URL indicated above.]

------------------------------

From: "Prof. L. P. Levine"
Date: 17 Mar 1996 09:14:50 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors.

Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material.
He may change the Subject: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at gopher.cs.uwm.edu.

Web browsers will find it at gopher://gopher.cs.uwm.edu.

---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     | and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Web: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V8 #044
******************************