Date: Fri, 14 Jun 96 10:05:17 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V8#047

Computer Privacy Digest    Fri, 14 Jun 96    Volume 8 : Issue: 047

Today's Topics:                          Moderator: Leonard P. Levine

    What's the Word on Cookies?
    RISKS: HTTP Cookie Privacy Risk
    Re: All Calls are Logged
    Re: Fingerprint Technology
    Are Keyboard Recorders Legal?
    Re: Air Force Sergeant Jailed in e-Mail Case
    Key Escrow in France and Britain [long]
    Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: kmp@spiritone.com (Ken Peterson)
Date: 08 Jun 1996 11:05:20 -0700
Subject: What's the Word on Cookies?
Organization: Someone using Xplor's internet service

What is the current wisdom on Netscape Cookies? I have tried to configure Netscape 3.0b4 (Macintosh) to "ask" before accepting a cookie, but some sites try to send 10-20 of the damn things while loading the first page and during the simplest navigation of their site. So endlessly clicking NO in the Ask dialog is a tremendous hassle. I know about Cookie Monster, but I have no other reason to run AppleScript and don't want the extension-load it adds.

Cookies aren't executable code, I guess. What harm can they do? What possible downsides are there? Anybody? Are there any non-AppleScript Cookie Crumblers out there?

--
Ken Peterson
Peterson TechSystems, Portland, OR
"Any nitwit can understand computers. Many do"

------------------------------

From: "Prof. L. P. Levine"
Date: 11 Jun 1996 14:01:51 -0500 (CDT)
Subject: RISKS: HTTP Cookie Privacy Risk
Organization: University of Wisconsin-Milwaukee

Taken from RISKS-LIST: Risks-Forum Digest  Monday 10 June 1996  Volume 18 : Issue 19
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

From: hgoldste@bbs.mpcs.com (Howard Goldstein)
Date: 08 Jun 1996 01:38:13 GMT
Subject: HTTP cookie privacy risk

I recently installed Netscape 3.0b4, a beta version, to try out the new (compared to 1.1N) features and see how well FreeBSD runs foreign binaries. One of the new features, a security feature strangely categorized as a 'network' feature, queries the user before allowing "cookies" to be set. Out of curiosity I set it so as to find out how often this feature was invoked. Cookies (discussed in earlier RISKS volumes, I seem to recall) [YES: RISKS-14.36, 17.89. PGN] are documented at http://www.netscape.com/newsref/std/cookie_spec.html .

I was surprised to find that every night for the last two weeks after enabling this I've been handed a "cookie" by a site I never knowingly visited, at http://ad.doubleclick.net . Upon visiting this site I discovered they engage in attempts to collect various data about web users including their o/s. Why they feel it necessary to 'ping' me each night to set a cookie I do not know, but it seems they are also collecting data about browser usage. Such a statistic regarding times online while in a browser would seem valuable from a marketing standpoint.

While cookies may be useful when voluntary and insofar as they may be helpful to the user (as I feel the cookie I'm handed that avoids an access validator for a particular newspaper's site is), cookies from marketing companies benefit me not.

Categorize this as a risk to users of older netscapes lacking the conditional-cookie setting? Or to advertisers who will find their targets are hidden behind "mini" HTTP firewalls that hide the users from cookies along with advertisement filters such as the one being tested by a North Carolina startup?

-- Howard Goldstein

Computer Risks Moderator: [And you'd probably be surprised to know how many people are affected.
But you *know* there has to be a gotcha with free web sites and free browsers, and lots of folks are selling lists. Always look a gift Trojan horse in the mouth (and everywhere else too).]

------------------------------

From: Ofer Langberg
Date: 09 Jun 96 11:02:19 GMT
Subject: Re: All Calls are Logged

Crissie Trigger wrote:

    For those who are upset about caller I.D., I have been informed by several private investigators that every telephone call, local as well as long distance, made through a typical phone company is registered on a computer as to the number of the caller and callee, date & time of the call, and the length of the call. Big brother isn't always listening, but he can usually go back and check the records.

That's true in most cases, but there are ways to circumvent this feature, usually by transferring the call through an analogue phone directory (they still exist in some countries...), and so if someone really wants to hide his/her identity it's possible.

-------------------------------------
Ofer Langberg CPA(ISR) CISA
Raveh - Ravid & Co.
P.O.B. 33538
Tel-Aviv, 61334, ISRAEL
Tel: 973-3-6963267  Fax: 972-3-6963260
Date: 06/09/96  Time: 10:37:46
-------------------------------------

------------------------------

From: kfl@access.digex.net (Keith F. Lynch)
Date: 09 Jun 1996 11:13:21 -0400
Subject: Re: Fingerprint Technology
Organization: Express Access Public Access UNIX, Greenbelt, Maryland USA
References:

CrazySexyCool DC wrote:

    Is there a way to alter/change your fingerprints easily?

From David Fisher's _Hard Evidence_:

    In 1941, a criminal named Roscoe James Pitts gained a painful place in sci-crime history by having the skin surgically removed from his fingertips, which were then sewn onto his chest until they healed. That actually worked. Pitts's fingertips had no ridge pattern; he had successfully destroyed his fingerprints. But unfortunately for him, both his original print card, as well as the prints taken when he was arrested, included portions of the ridges just below the first joint, allowing him to be positively identified by a comparison of the ridges in the middle of his fingers.

    No criminal has ever escaped prosecution by obliterating his fingerprints, although they continue to try. In 1990 Miami police arrested a suspect in a drug case whose prints were severely scarred. Latent-print experts soon discovered that the suspect had actually sliced his fingerprints into small pieces and transplanted those pieces onto other fingers. His fingertips had healed, leaving him with new prints in which broken ridges ran in all different directions, making it impossible to link him to previous crimes by comparing his prints. Or so he thought.

    Latent-print specialist Tommy Moorefield was intrigued by the problem. He cut photographs of these prints into small pieces and began trying to fit these ridge patterns together; it was literally a human jigsaw puzzle. Nights and weekends, working at home and in his spare time in the office, Moorefield painstakingly restored small sections of several prints to their original pattern, until specialists in the Technical Section [of the FBI] were able to match them to those of a fugitive convicted in another major drug case. That comparison led directly to the man's conviction.

--
Keith Lynch, kfl@access.digex.net
http://www.access.digex.net/~kfl/

------------------------------

From: lihou@ms2.hinet.net (Lee)
Date: 13 Jun 1996 08:11:16 GMT
Subject: Are Keyboard Recorders Legal?
Organization: DCI HiNet

Today I received the following junk mail message. Is the use of such software by employers (and others) legal? For instance, monitoring if employees play games during office hours, etc. If I remember right, similar software ("virus") that records online shoppers' credit card numbers was created by DigiCash to prove the unreliability of some online payment software.
--
Sean
Taipei

PS. In order not to advertise their products, I cut their contact nos. If somebody wants these, mail me.

Cut Message - -

    " Is your computer being monitored by someone else? Is someone using your computer without your knowledge? Is your mate chatting online with someone else? Are your children chatting online with the wrong crowd?

    Now, you can monitor your computer with my private collection of keyboard recorders from around the world. Also known as: Keyboard Grabber, Keyboard Key Logger, Keyboard Monitor.

    PURPOSE: Captures keystrokes and sends & saves them to a hidden file. Now you can keep a record of any keyboard activity on your computer. Monitor your computer at home or office.

    My private collection of keyboard recorders is yours for only $9.95. You will receive 19 different programs on a 3 1/2 disk." For DOS, Windows, and Macs. (some come with actual source codes)

    You'll get: Keycopy, Keyfake, Keyread, Keytrap, Keyrec, Keylogwn (Windows), Hackkey, Bagkeys, Getit, Playback, Robokey, Record, Encore, Kcap10, Ptm229N, Qwertman, GKG, Depl, Maclife (Mac).

Cut Message - -

------------------------------

From: bdonovan@gtn.net (Donovan, Bill)
Date: 13 Jun 96 09:21:26 GMT
Subject: Re: Air Force Sergeant Jailed in e-Mail Case
References:

    [Note from Matthew Gaylor: I find it ironic that while our military is sworn to uphold and defend the US constitution, the military brass is busy eliminating personal freedoms enjoyed by our troops. I'd advise my military subscribers to Freematt's Alerts to get a private IP for Email and other net use.]

    [...]

    As a result, an Air Force master sergeant will spend the next three months in jail for using his office computer to exchange sexually explicit stories, jokes and comments with other consenting adults.

While I believe strongly in personal privacy for email, my position on use of corporate/government accounts and equipment would be that everything is up for grabs, and that only the corporation has a right to privacy. These are *not* personal accounts. I would even extend this principle to listening in on phone conversations made through company phones. (I don't agree with video cameras monitoring staff, though.)

Re the severity of the penalty? Yikes! Unless there was a pre-existing policy, I would have issued a "cease and desist" order, or at most, yanked the account privileges. I reiterate your recommendation that people get a private IP account for private email and other net use.

That's my two cents; and now, I have to get back to work. And, um... this in no way represents the views of GTN Communications Corp. :)

-- Bill Donovan

------------------------------

From: "Prof. L. P. Levine"
Date: 14 Jun 1996 08:54:30 -0500 (CDT)
Subject: Key Escrow in France and Britain [long]
Organization: University of Wisconsin-Milwaukee

Taken from CPSR-GLOBAL Digest 393

1) British and French/ Clipper-like key escrow plans (@)
   by Andy Oram (by way of marsha-w@uiuc.edu (Marsha Woodbury))

-----

From: Andy Oram (by way of marsha-w@uiuc.edu (Marsha Woodbury))
Date: 13 Jun 1996 15:29:48 -0500
To: cpsr-global@cpsr.org
Subject: British and French/ Clipper-like key escrow plans (@)
Sender: Andy Oram

At almost exactly the same moment, the French parliament and British government have announced key escrow programs. This comes just as a scandal emerges in the U.S. over the improper release of FBI files concerning prominent Republicans to the White House, demonstrating once again why the government cannot be trusted to keep confidential information about citizens.

We are indebted to two journalists for the following reports: T. Bruce Tober for Britain and Jerome Thorel for France. These are also on the cyber-rights FTP site. Let me know if you'd like to see the full press release on the British situation, or an article by Tober.
Andy

----------------------------------------------------------------

DTI Press Release P/96/430
10 June 1996

GOVERNMENT SETS OUT PROPOSALS FOR ENCRYPTION ON PUBLIC TELECOMMUNICATIONS NETWORKS

To meet the growing demands to safeguard the integrity and confidentiality of information sent electronically over the public telecommunications networks, the Government has today published a paper on the provision of encryption services. These services cover the digital signature (an electronic equivalent of a hand-written signature) of electronic documents and the protection of the accuracy and the privacy of their contents.

In recognition of the need to set the right balance between commercial and personal confidentiality and the continuing ability of the law enforcement agencies to fight serious crime and terrorism, the Government proposes to introduce the licensing of Trusted Third Parties (TTPs) to provide such services. Licensed TTPs are the way to offer encryption services to the public. Ultimately, it is for organisations or individuals to consider whether or not the benefits of such licensing will outweigh any existing arrangements that they have.

In a written answer to a parliamentary question from Peter Luff MP (Worcester), Science and Technology Minister Ian Taylor said:

"Following the discussion between Departments to which I referred in my replies to the hon Member for Brigg and Cleethorpes of 6 March, Official Report column 229 and 25 March, Official Report column 411, I am today publishing a paper outlining the Government's policy on the provision of encryption services on public networks. Copies of the paper are available in the library of both Houses.

"The Government aims to facilitate the development of electronic commerce on the emerging global information infrastructure. This is of significant importance in maintaining the UK's competitiveness and is a component of the Department's Information Society Initiative. There is a growing demand for encryption services to safeguard the integrity and confidentiality of electronic information transmitted on public telecommunications networks. The Government therefore proposes to make arrangements for licensing Trusted Third Parties (TTPs) who would provide such services. These TTPs would offer digital signature, data integrity and retrieval, key management and other services for which there is a commercial demand. The licensing policy will aim to protect consumers as well as to preserve the ability of the intelligence and law enforcement agencies to fight serious crime and terrorism by establishing procedures for disclosure to them of the encryption keys, under safeguards similar to those which already exist for warranted interception under the Interception of Communications Act.

"Officials within my department have held preliminary discussions with industry groups on the concepts set out in the paper. The Government intends to bring forward proposals for legislation following consultation by DTI on detailed policy proposals."

(Details deleted--Andy)

--
| Bruce Tober - octobersdad@reporters.net - Birmingham, England              |
| pgp key ID 0x9E014CE9.  For CV/Resume: http://pollux.com/authors/tober.htm |
| For CV/Resume and Clips: http://nwsmait.intermarket.com/nmfwc/tbt          |

--------------------

netizen's --> Lambda Bulletin 2.08 <-- contents

French Telco Act puts the Internet on a leash
+ New rules regulating Internet content
+ First key-escrow encryption rules

As the Communications Decency Act was declared unconstitutional yesterday, June 12, the French Parliament (Senate and Assembly) passed a kind of Telco Act a la francaise last week, June 7.
This law, aimed at providing new regulations for the telecommunications market (including the end of the telephone monopoly in 1998), stresses two interesting points for Internet users:

1) A kind of CDA amendment was introduced en force in the Senate on Wednesday, June 5, just two days before it was voted on Friday, at 3 in the morning.

2) The law establishes the first ever key escrow encryption rules created in industrialised countries. It will create trusted third parties (TTPs), private companies that would keep encryption keys in custody for law enforcement purposes. It turns out that before the vote on the law, French military circles had already chosen which firms would be well suited to be TTPs: Alcatel, Sagem and Bertin. All of them are well connected to the French military complex, and are all big defense contractors.

Amendment number 200 in the Loi sur la Reglementation des Telecommunications (LRT) was sponsored by French Senator Larcher and introduced by French telecom minister Francois Fillon. At first glance, it depenalizes Internet Access Providers for the content of text, images and documents that they transmit. But there is an IF. The condition stresses that they must conform to future recommendations that will be established by a French government council: the Comite Superieur de la Telematique.

Created in February 1993, the CST has a mission of regulation of Minitel services (text and voice based services), through a professional code of ethics. The CST will no longer depend upon the French telecom ministry, but will be placed under the tutelage of another famous regulation watchdog: the CSA (A for audiovisuel - a kind of French FCC), aimed at regulating radio and TV broadcasts.

The law makes clear that if IAPs don't respond to "black" lists of Internet sites or newsgroups (in cases where these sites may be in opposition to French law), the IAP will be held responsible for what it is carrying. These lists will be set up by the CST. Internet organisations and professionals are scheduled to be members of the new CST -- today, in its "Minitel" form, it has 20 members: magistrates, ministry officials, France Telecom representatives, Minitel providers, family and consumer organisations...

So, the French amendment smells like the CDA, with the introduction of a so-called representative body. In the U.S. the IAP or ISP must control its content. In France this is a centralised body that will do the job. It feels that the French succeeded in what some in the US dreamt of: to give the FCC the power to rate sites or content on the Internet. The French State, once again, plays the Big Mother (mother = the Republic) game with a huge sense of precipitation.

Furthermore, the law broke in great haste -- and mess. Because before amendment 200, telecom minister Fillon established an interministerial commission to work on guidelines and recommendations to enforce French law on the Internet. It came after a Jewish organisation sued IAPs for transmitting neo-nazi propaganda; and early in May, when 2 IAP directors were arrested for one day, and convicted, for transmission of pedophile pictures. The mess comes about because Fillon didn't wait for the Commission: it was scheduled to publish a report on its work around June 15.

Another mess concerns French pro-users organizations. The newly created French Chapter of the Internet Society (ISOC-France) decided, apparently with the government commission's consent, to organize a mailing list consultation on the issue. Another group, the AUI (Association of Internet users), published a report this week about ethics, Internet content selection, and so on. Both organizations were openly ignored by Fillon. He did this even after saying during various interviews that the problem of IAP legal responsibility on the Internet will be the result of a "broad consensus".
It turns out, however, that a small pressure group of IAPs (the AFPI) was consulted Monday, June 2, and had the opportunity to read the amendment before its final review in the Senate. The IAPs are quite satisfied now, because they didn't want to be treated as "pedophiles" and "neo-nazis" anymore. But they will have to adopt the CST guidelines.

During my personal inquiry into the CST last year, I found some clues to understanding how the CST has been working at regulating Minitel services. The CST has a surveillance assignment on the Minitel market (to ensure that each provider follows the deontology principles written in his contract with France Télécom). But surveillance operations are not organized by the CST, but by a small army of France Telecom spook agents in Bordeaux: they are 5 to 8 people regulating hundreds of thousands of services! It is no surprise to learn that France Telecom regularly intervenes in this choice, and that France Telecom itself is a big Minitel provider, through a lot of business affiliates. It turns out that these spook agents are infiltrating private discussions in adult-oriented forums to check for indecent speech (which may be sanctioned by the CST). Here is what we in France have inherited to regulate the Internet!

The second important point of this Telco Act concerns encryption. France was already the first country in the OECD to forbid an individual to use any crypto system not approved by the French authorities (ie, the military). Thus, PGP-like software was, de facto, forbidden. The new law introduces the first key-escrow regulation. It frees cryptography use ONLY for digital signature; but to ensure privacy of email messages, however, the liberation of use is under condition: to give encryption keys to a so-called TTP. Some confidential reports in the press said that one or three private companies are already on the list to serve as TTPs for the French government. The first is Bertin & Co., an engineering company that has some competence in cryptography, and the others seem to be Alcatel-Alsthom (a big industrial conglomerate in telecommunications, defense and public-works engineering), and Sagem, another telecom conglomerate. It seems clear that all of these companies were chosen according to their defense expertise and good relations with the French military. The mess is that these choices, if confirmed, have been made before the vote on the law, and even before "applications decrees" were published (they may be prepared this summer).

France has no NSA. But some big ideas. (During the oil crisis in the 70's, a government commercial stated: "In France we have no oil. But we have good ideas".)

-- Jerome Thorel

------------------------------

From: "Prof. L. P. Levine"
Date: 11 Jun 1996 09:14:50 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below.
On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with an appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using CPD material should obtain permission from the contributors.

Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the Subject: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy". People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Web browsers will find it at gopher://gopher.cs.uwm.edu.

---------------------------------+-----------------------------------------
Leonard P. Levine                | Moderator of:     Computer Privacy Digest
Professor of Computer Science    |              and comp.society.privacy
University of Wisconsin-Milwaukee| Post:            comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201      | Information: comp-privacy-request@uwm.edu
                                 | Gopher:          gopher.cs.uwm.edu
levine@cs.uwm.edu                | Web:             gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V8 #047
******************************
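Added after the digest, and not part of any of the posts above: a small cookie filter of the kind the Goldstein post calls a "mini" HTTP firewall, applying the rules of the Netscape cookie_spec he cites (Set-Cookie parsing, tail-matched domain attribute, minimum number of dots in an explicit domain) and refusing cookies set by hosts other than the site the user actually visited. All host names, headers and the observation list are constructed for illustration; the audit function that counts refused cookies per setting host is an added convenience, not anything from the spec.

```python
"""Cookie filter after the Netscape cookie_spec: a Set-Cookie header is
NAME=VALUE plus optional expires/path/domain/secure attributes; the domain
attribute is tail-matched against the host, and an explicit domain needs at
least two dots in the seven special TLDs (three elsewhere), so a server cannot
claim '.com' or '.co.uk'. On top of that, the policy refuses third-party
cookies. All hosts and headers below are constructed examples."""
from dataclasses import dataclass
from typing import Optional

SPECIAL_TLDS = {"com", "edu", "net", "org", "gov", "mil", "int"}


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                   # stored with a leading dot for tail matching
    path: str = "/"
    expires: Optional[str] = None
    secure: bool = False
    explicit_domain: bool = False  # True when the server sent a domain attribute


def parse_set_cookie(header: str, request_host: str, request_path: str = "/") -> Cookie:
    """Parse one Set-Cookie header; domain defaults to the responding host and
    path to the request path, as the spec prescribes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip(), "." + request_host.lower(), request_path)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            cookie.domain = val.lower() if val.startswith(".") else "." + val.lower()
            cookie.explicit_domain = True
        elif key == "path":
            cookie.path = val or "/"
        elif key == "expires":
            cookie.expires = val
        elif key == "secure":
            cookie.secure = True
    return cookie


def tail_matches(host: str, domain: str) -> bool:
    """Netscape tail matching: '.acme.com' covers 'acme.com' and 'anvil.acme.com'."""
    host, bare = host.lower(), domain.lower().lstrip(".")
    return host == bare or host.endswith("." + bare)


def domain_attribute_allowed(request_host: str, domain: str) -> bool:
    """A server may only set cookies for a domain it belongs to, and the domain
    must be specific enough: two dots for the special TLDs, three otherwise."""
    if not tail_matches(request_host, domain):
        return False
    needed = 2 if domain.rsplit(".", 1)[-1] in SPECIAL_TLDS else 3
    return domain.count(".") >= needed


def should_accept(cookie: Cookie, request_host: str, page_host: str):
    """request_host sent the Set-Cookie (possibly an embedded ad server);
    page_host is the site the user navigated to. Returns (accepted, reason)."""
    if cookie.explicit_domain and not domain_attribute_allowed(request_host, cookie.domain):
        return False, "domain attribute rejected by cookie_spec rules"
    if not tail_matches(page_host, cookie.domain):
        return False, "third-party cookie: %s does not cover %s" % (cookie.domain, page_host)
    return True, "first-party cookie"


def refusals_by_host(events):
    """Audit (page_host, request_host, set_cookie_header) observations and count
    refused cookies per setting host: the nightly pattern the post describes."""
    counts = {}
    for page_host, request_host, header in events:
        if not should_accept(parse_set_cookie(header, request_host), request_host, page_host)[0]:
            counts[request_host] = counts.get(request_host, 0) + 1
    return counts


# Constructed observations: page visits, some embedding an ad server image.
SAMPLE_EVENTS = [
    ("www.news-example.com", "www.news-example.com", "reader=abc123; path=/; expires=Wed, 09-Nov-99 23:12:40 GMT"),
    ("www.news-example.com", "ads.tracker-example.net", "id=7f3a; domain=.tracker-example.net; path=/"),
    ("shop.example.co.uk", "ads.tracker-example.net", "id=7f3a; domain=.tracker-example.net; path=/"),
    ("shop.example.co.uk", "shop.example.co.uk", "cart=9; domain=.co.uk; path=/"),
]

if __name__ == "__main__":
    for host, n in sorted(refusals_by_host(SAMPLE_EVENTS).items()):
        print("%-25s refused %d cookie(s)" % (host, n))
```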