Date: Sat, 08 Jun 96 08:01:38 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V8#046

Computer Privacy Digest Sat, 08 Jun 96              Volume 8 : Issue: 046

Today's Topics:                         Moderator: Leonard P. Levine

    Re: Credit Cards with Internet Fraud Insurance
    Re: Credit Cards with Internet Fraud Insurance
    Re: Credit Cards with Internet Fraud Insurance
    Fingerprint Technology
    AOL Punishes a User
    Re: unsolicited email?
    Air Force Sergeant Jailed in e-Mail Case
    New Chip Renews Privacy Debate
    Workshop on Medical Privacy in Cambridge
    Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: leppik@seidel.ncsa.uiuc.edu (Peter Leppik)
Date: 04 Jun 1996 15:02:06 GMT
Subject: Re: Credit Cards with Internet Fraud Insurance
Organization: University of Illinois at Urbana
References:

arlenelea@aol.com (Arlene Lea) wrote:

> When we got the new ones, there was a sticker saying to call in to
> activate the cards. Called the number, was told by a computer voice to
> punch in the card number and that's it. No questions of social security
> number, date of birth, mother's maiden name, *nothing* - just a
> computer voice saying punch in the numbers.

Discover (and several other credit card companies) apparently now uses
the caller-ID feature of 800 numbers for credit card activation. When
you call their 800 number, they capture the number you're calling from
and compare it to the phone number you gave on your credit application.
If the numbers match, they assume that the right person is activating
the card (on the assumption that if someone stole the card, they
wouldn't also break into your house to use your phone). If they don't
match, then a human operator will ask for additional identification,
such as mother's maiden name. I had this happen to me once, after I
moved and didn't give Discover my new phone number.

So this method is actually more secure than you think--it is no less
secure than the old method of asking for "private" information, and
maybe more secure, since (a) they can keep track of where the card
activator called from, and (b) they can concentrate the human resources
on the 1% of activation calls most likely to be fraudulent.

--
Peter Leppik                             leppik@seidel.ncsa.uiuc.edu
Lost in the Information Supercollider    http://seidel.ncsa.uiuc.edu/

------------------------------

From: tpeters@hns.com (Thomas Peters)
Date: 04 Jun 1996 21:41:35 GMT
Subject: Re: Credit Cards with Internet Fraud Insurance
Organization: Hughes Network Systems Inc.
References:

> When we got the new ones, there was a sticker saying to call in to
> activate the cards. Called the number, was told by a computer voice to
> punch in the card number and that's it. No questions of social security
> number, date of birth, mother's maiden name, *nothing* - just a
> computer voice saying punch in the numbers.

Did you call from home? Was it an 800-number? They probably matched the
ANI from the call against your account information. If it hadn't
matched, they could transfer you to an operator for the personal info
quiz.

Just guessing,

--
Tom Peters

------------------------------

From: eichin@kitten.gen.ma.us (Mark W. Eichin)
Date: 05 Jun 1996 00:01:21 -0400
Subject: Re: Credit Cards with Internet Fraud Insurance
References:

> When we got the new ones, there was a sticker saying to call in to
> activate the cards. Called the number, was told by a computer voice to
> punch in the card number and that's it. No questions of social security
> number, date of birth, mother's maiden name, *nothing* - just a
> computer voice saying punch in the numbers.

And a computer at the other end logging the number you called from...
and double checking (1) what they have on file as your home number
already (2) what city they have listed for your home address.

At least one of the cards I've activated in the last year has
*specifically* said to call from my *home* number. It's just a
consistency check against where they mailed the card...

------------------------------

From: hans4648@tao.sosc.osshe.edu (CrazySexyCool DC)
Date: 04 Jun 1996 23:47:31 GMT
Subject: Fingerprint Technology
Organization: Oregon State System of Higher Education

I have heard rumors circulated about that individuals CAN alter/change
their fingerprints at any time. I am doing a research project concerning
the fingerprint identification, and am asking anyone out there to
contribute to my project.

The question: Is there a way to alter/change your fingerprints easily?
And, if so, is there a temporary way to alter one's fingerprints, or is
it only permanent?

I have sifted through one hundred or so investigative articles,
fingerprint subtitles, and so forth, with no answer to my simple
question regarding a temporary and/or permanent way to alter/change your
fingerprints! Without dismemberment of the finger/oil glands themselves,
is there a way?

Thank you, please post or email me -- Hans4648@tao.sosc.osshe.edu

------------------------------

From: "Prof. L. P. Levine"
Date: 05 Jun 1996 08:57:53 -0500 (CDT)
Subject: AOL Punishes a User
Organization: University of Wisconsin-Milwaukee

I found this report on a "fight censorship" mailing group. It has real
privacy implications.

---------- Forwarded message ----------

At my work we have no Internet access other than email, so I was glad
when I noticed the new desktop units had modems. The magazine I brought
to work that night had an AOL disk inside of it, and I installed it. I
tried to logon a couple of times, but it insisted that my account was
invalid. A co-worker noticed what I was doing and used his name/password
to logon and it worked fine. I chalked it off as a billing error and
decided to look into it the next day after I woke up.

A small crowd gathered around the computer we were using and someone
asked, "So where are all of the BAD places I keep hearing about on the
Internet?" I hate when someone says that about the Net. It's even worse
when their idea of it involves a wild story they saw on the local news
about child molesters lurking. I know it happens, but nothing like some
media portrays.

So I broke into a description about how most of the Internet pales in
comparison to America Online's chat rooms. I proceeded to show them all
of the 'private' rooms, loaded with raunchy names. I showed them some of
the GIF-related rooms where you could get tons of porno images whether
you wanted them or not (you don't even have to ask -- enter the room and
you are on the list.) I then took them to a room called WAREZ. This is
where you can request to get on a mailing list that will dump 400-500
messages in your mailbox with attached files. Attached files like
Microsoft Office 95, and Duke Nukem III.

They were amazed. I told them the same things were on the Internet, but
it took a little more effort to find it. On America Online, you can
literally stumble on it -- that's how I found it. I described how, on
AOL, I discovered hundreds of people trading stolen credit card numbers
and trying to sell fraudulently obtained equipment.

The next day I tried to logon at my house, and my account still came up
invalid. I then phoned customer service and they promptly told me that I
had been banned from AOL for life.

"Why?", I asked.

"Because you were in a chat room called Jaurez."

"Jaurez? I have never been in a chat room called Jaurez."

"It is spelled W-A-R-E-Z."

I explained to her that one was tequila, and the other was software. She
began to explain the situation in detail. I broke out my notepad and
started asking questions. She put a legal person on the phone and we had
a brief conversation.

Long-story-short; AOL has decided to crack down on all of the illegal
software that is being traded online.
They now automatically log everyone who enters WAREZ (or WAREZ1, WAREZ2,
etc...) and cancel the account. You can get back on by writing them a
letter begging for forgiveness and telling them that you will never do
it again -- but I am not going to. I decided not to because when I asked
her what they were going to do about the porno rooms, some of which
contain horrible pedophile stories and pictures --- she proceeded to
tell me that pornographic material does not exist on America Online.

A few days later, my co-worker had his account canceled because I showed
him how to find the bad areas. He asked me if I could write the letter
for him.

(steve)

Steven : Access@Phoenix.Net or Steven.Baker@Roche.Com
Baker  :__________________.d.i.g.i.t.a.l..l.i.f.e.________________
       : http://www.taponline.com/tap/net/features/digital.html

---------- End Forwarded message ----------

--
Leonard P. Levine                  e-mail levine@cs.uwm.edu
Professor, Computer Science        Office 1-414-229-5170
University of Wisconsin-Milwaukee  Fax    1-414-229-2769
Box 784, Milwaukee, WI 53201       PGP Public Key: finger llevine@blatz.cs.uwm.edu

------------------------------

From: gmcgath@mv.mv.com (Gary McGath)
Date: 07 Jun 1996 13:12:03 GMT
Subject: Re: unsolicited email?
Organization: Conceptual Design
References:

eck@panix.com (Mark Eckenwiler) wrote:

> For the contrary view (that the TCPA does not apply to e-mail), see my
> article (acknowledging Bob Bulmash's position and referring to him) at
> http://techweb.cmp.com/net/issues/036issue/036law.htm
>
> The issue has also been beaten to death multiple times this year in
> misc.legal.computing and other Usenet groups. A suitable set of
> AltaVista and DejaNews searches should turn up much archived
> discussion on the subject.

If those who want to get E-mail regulated as fax transmissions have
their way, not only will this have a severe chilling effect on
electronic communications, it will presumably require us to put our
phone numbers on all E-mail -- including cease-and-desist requests to
junk mailers. Won't *that* have a lovely effect on our privacy!

--
Gary McGath
gmcgath@mv.mv.com
http://www.mv.com/users/gmcgath

------------------------------

From: jwarren@well.com (Jim Warren)
Date: 06 Jun 1996 13:32:25 -0700
Subject: Air Force Sergeant Jailed in e-Mail Case

----- forwarded message -----

Date: 06 Jun 1996 11:40:59 -0400
To: freematt@coil.com (Matthew Gaylor)
From: freematt@coil.com (Matthew Gaylor)
Subject: US Air Force Times article: Master sergeant is sent to jail in
    e-mail case

[Note from Matthew Gaylor: I find it ironic that while our military is
sworn to uphold and defend the US constitution, the military brass is
busy eliminating personal freedoms enjoyed by our troops. I'd advise my
military subscribers to Freematt's Alerts to get a private IP for Email
and other net use.]

To: freematt@coil.com
Subject: FW: Email use for private/unauthorized use, Right to
    privacy.....

Following is an AF Times article concerning the consequences of Email
abuse. The Information Protection Office is asking everyone to please
read this article and be aware of what can happen to abusers of gov't
Email.

Air Force Times June 10, 1996

Master sergeant is sent to jail in e-mail case

By Andrew Compart. Times staff writer

It was a case that tested the right of military employees to
electronic-mail privacy. The judge's conclusion was they had none.

As a result, an Air Force master sergeant will spend the next three
months in jail for using his office computer to exchange sexually
explicit stories, jokes and comments with other consenting adults.

Master Sgt Jeffrey Delzer, 37, who has 19 years of service, was
convicted of misuse of a government computer; distribution of obscene
writing; communicating indecent language on topics such as sexual
intercourse, oral sex, masturbation and bestiality; and obstruction of
justice for allegedly trying to delete his e-mails.

Delzer's punishment also includes demotion to staff sergeant, a
reduction of two ranks that will cost him about $300 a month in
retirement pay.

The military judge's ruling said Delzer had no expectation of privacy on
a government computer and that investigators could look at the postings
without a search warrant, said Mike Powell, an Alexandria, Va., lawyer
who defended Delzer, as did two Air Force lawyers, Capts Mike Apol and
Print Maggard.

The ruling will not set a precedent for similar cases unless Delzer
appeals the case to a higher court. But it is similar to civilian court
rulings that do not offer employees any e-mail privacy, an American
Civil Liberties Union attorney said.

Powell said his client's conviction and sentence send a clear message.

"It means there is no right to privacy in the workplace in the Air
Force, that's what it means; and you should never use your e-mail for a
personal message," Powell said just after the guilty verdict was
announced May 24 at Malmstrom Air Force Base near Great Falls, Mont.

Malmstrom officials did not immediately respond to questions about the
case.

The court-martial also raised the issue of the sale of adult-oriented
magazines such as Playboy, Penthouse and Hustler at military exchanges
including the base exchange at Malmstrom. The defense won the right to
submit stories from the magazines in a failed attempt to prove the
e-mail postings had not violated community standards of decency.

In an interview on May 26, the day before he was to go to jail, Delzer
said his situation still seemed unreal although the case had dragged on
for a year.

"Nobody can believe you're being investigated or prosecuted for
something like this," he said. "The bottom line is I don't think this
was anyone else's business. I'm not saying there shouldn't be limits,
but I think they went way too far."

What makes this case unusual is that the alleged obscenity involves only
written material. Obscenity prosecutions for material that does not
include pictures or videos are rare, said Ann Beeson, an American Civil
Liberties Union lawyer specializing in Internet law.

Beeson also said it is unusual and disturbing to prosecute someone for
e-mail, which is sent to a specific person instead of being posted in a
public area, such as a computer bulletin board, accessible to virtually
anyone with Internet access.

The investigation of Delzer began last spring after a co-worker reported
him to superiors. The co-worker said he saw some obscene words on
Delzer's computer screen when he walked by, Powell said.

Air Force Times June 10, 1996

*****
Subscribe to Freematt's Alerts: Pro-Individual Rights Issues
Send a blank message to: freematt@coil.com with the words subscribe FA
on the subject line. List is private and moderated (7-30 messages per
week)
Matthew Gaylor,1933 E. Dublin-Granville Rd.,#176, Columbus, OH 43229
*****

----- end forwarded message -----

------------------------------

From: "Prof. L. P. Levine"
Date: 05 Jun 1996 15:40:58 -0500 (CDT)
Subject: New Chip Renews Privacy Debate
Organization: University of Wisconsin-Milwaukee

Japanese Data-Scrambling Chip Renews Privacy Debate

A recent copyrighted article in the New York Times (6/4/96) describes a
powerful data-scrambling chip-set that is now being quietly sold by
Nippon Telegraph and Telephone Corp. According to John Markoff, the
author of the Times article, the product is likely to severely undermine
the Clinton Administration's efforts to restrict the international
export of the fundamental technology for protecting secrets and commerce
in the information age.

According to the article, the existence of the chip set was disclosed in
Washington in a speech at a public policy workshop by the chief
executive of RSA Data Security, a Silicon Valley-based company that has
frequently dueled with the administration over its export-control
policies. The company plans to resell the chips in the United States.

The CEO of RSA Data Security said "There is clearly going to be a lot of
demand for their chips." The executive has been a vocal and longtime
opponent of U.S. export laws that prohibit the sale, without a special
license, of products that have powerful data-scrambling capabilities.

The government's policy is directed at limiting the spread of systems
that could make it more difficult for American intelligence and law
enforcement agencies to conduct electronic surveillance.

The device also underscores fundamental differences that exist between
Japan and the United States on the issue of privacy in the Information
Age. While U.S. officials have struggled to maintain their ability to
conduct electronic surveillance, Article 21 of Japan's Constitution
specifically forbids wiretapping.

Next, the article quotes Mark Rotenberg, director of the Electronic
Privacy Information Center as saying: "It's very interesting that the
Japanese regard for privacy in their Constitution translates into better
cryptographic technology."

It is reported that the chips were far more powerful than the so-called
Clipper chip, a data-scrambling system that the administration proposed
for the nation's telephone system. Furthermore, the report continues
that while the Clipper system has a built-in "back door" intended to
permit the FBI to gain wiretap information, the NTT system has no such
surveillance feature. It also uses much stronger data-encryption
algorithms than U.S. export laws permit.

According to the article, those laws restrict the export of encryption
systems which employ digital "keys" of more than 40 bits in length.
The new NTT chips, however, use a 56-bit key, and actually triple the
strength of that standard. Such a scrambling system is believed to be
beyond the capability of the most powerful code-breaking system.

In addition to the "private" key system for scrambling data, NTT uses
RSA Data's "public" key method to permit computer users who have not
previously exchanged information to swap private key information safely.
The NTT system uses the RSA Data key which is 1,024 bits in length, also
far stronger than the U.S. export regulations permit.

"If there is anyone in the government who hasn't already seen the
writing on the wall, here it is," the article concludes.

------------------------------

From: rja14@cl.cam.ac.uk (Ross Anderson)
Date: 04 Jun 1996 11:36:33 GMT
Subject: Workshop on Medical Privacy in Cambridge
Organization: University of Cambridge, England

This conference is being sponsored by the British Medical Association
and the Isaac Newton Institute for Mathematical Sciences at Cambridge.
We hope to bring together computer security professionals with
clinicians and policy makers to explore how we can ensure the privacy
and safety of clinical information, and thus facilitate the uptake of
telematics in medicine.

WORKSHOP ON PERSONAL INFORMATION
Security, Engineering and Ethics
Isaac Newton Institute, University of Cambridge
21-22 June 1996

FRIDAY 21 JUNE

9 - 10          Registration and Coffee

10.00           Welcome         Mac Armstrong, BMA

10.05           Introduction    Ross Anderson, Isaac Newton Institute

10.15           Simon Jenkins
                Comments on the Information Strategy of the NHS

10.45           Otto Ulrich
                The relationship between the patient and the security
                infrastructure

11.15 - 11.30   Coffee

11.30           Reid Cushman
                Exceptionalism Redux: Is Health Care Information
                Practice Really Different?

12.00           Bernd Blobel
                Clinical Record Systems in Oncology. Experiences and
                Developments on Cancer Registers in Eastern Germany

12.30           Mary Hawking
                Organisation of General Practice: implications for IM&T
                in the NHS

13.00 - 14.00   Lunch

14.00           Ruth Roberts, Joyce Thomas, Michael J Rigby,
                John G Williams
                Practical Protection of Confidentiality

14.30           Alan Hassey, Mike Wells
                Clinical systems security - Implementing the BMA policy
                & guidelines

15.00           Peter Landrock, John Williams
                Using Commercial Off-the-Shelf Technology to Secure GP
                Provider Links

15.30 - 16.00   Tea

16.00           Paula J. Bruening
                Medical Information Privacy Law in the United States

16.30           Beverly Woodward
                Information management is no longer records management
                but a risk management issue

17.00           Discussion

19.30           Reception followed by dinner

SATURDAY 22 JUNE

9.00            Andrew Blyth
                Responsibility Modelling: A New Approach to the
                Re-Alignment and Re-Engineering of Health-Care
                Organisations

9.30            Michael J Rigby
                Keeping Confidence in Confidentiality

10.00           Ronald Draper
                Electronic Patient Records : Usability vs Security, with
                Special Reference to Mental Health Records

10.30 - 11.00   Coffee

11.00           Ulrich Kohl
                User-Oriented Control of Personal Information Security
                in Communication Systems

11.30           Gerrit Bleumer, Matthias Schunter
                Privacy Oriented Clearing for the German Health Care
                System

12.00           Yoshikazu Okada, Yasuo Haruki, Youichi Ogushi,
                Masanobu Horie
                Series of Personal Health Data on Optical Memory Cards

12.30 - 13.30   Lunch

13.30           Fleur Fisher
                The Perspective of Medical Ethics

14.00           Dave Banisar
                Legal Requirements for Computer Security: An American
                Perspective

14.30           A.G. Breitenstein
                U.S. Health Information Privacy Legislation: Theory and
                Practice

15.00 - 15.30   Tea

15.30           Roderick Neame
                Healthcare Informatics Security in New Zealand

16.00           Ross Anderson
                An Update on the BMA Security Policy

16.30           Discussion

17.00           Adjourn

******************************************************************************

REGISTRATION FORM (Please return to s.miller@newton.cam.ac.uk)

Last Name: ..............................  Title: ....................
Forenames: ...........................................................
Present Position: ....................................................
Date of Birth: ....................  Nationality: ....................

Address of Home Institution:          Permanent Home Address:
..................................    ..................................
..................................    ..................................
..................................    ..................................
..................................    ..................................
..................................    ..................................

Office Phone: .....................  Home Phone: .....................
Fax Number: .......................  E-mail: .........................
Institution of graduation: ...........................................
Date of Arrival: ..................  Date of Departure: ..............

I would like help with finding accommodation in Cambridge   YES / NO*
(* Please delete as required)

------------------------------

From: "Prof. L. P. Levine"
Date: 17 May 1996 09:14:50 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail.
Those who understand the technology also understand the ease of forgery
in this very free medium. Statements, therefore, should be taken with a
grain of salt and it should be clear that the actual contributor might
not be the person whose email address is posted at the top. Any user who
openly wishes to post anonymously should inform the moderator at the
beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution. As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute. If you do
so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored. They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious. Diversity is welcome, but not personal attacks. Do not
include entire previous messages in responses to them. Include your name
& legitimate Internet FROM: address, especially from .UUCP and .BITNET
folks. Anonymized mail is not accepted. All contributions considered as
personal comments; usual disclaimers apply. All reuses of CPD material
should respect stated copyright notices, and should cite the sources
explicitly; as a courtesy; publications using CPD material should obtain
permission from the contributors.

Contributions generally are acknowledged within 24 hours of submission.
If selected, they are printed within two or three days. The moderator
reserves the right to delete extraneous quoted material.
He may change the Subject: line of an article in order to make it easier
for the reader to follow a discussion. He will not, however, alter or
edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite. The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu. Web browsers will find it at
gopher://gopher.cs.uwm.edu.

---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     |    and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Web: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V8 #046
******************************