PRIVACY Forum Digest Sunday, 18 August 1996 Volume 05 : Issue 15
Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.
===== PRIVACY FORUM =====
-------------------------------------------------------------------
The PRIVACY Forum is supported in part by the
ACM (Association for Computing Machinery)
Committee on Computers and Public Policy,
"internetMCI" (a service of the Data Services Division
of MCI Telecommunications Corporation), and Cisco Systems, Inc.
- - -
These organizations do not operate or control the
PRIVACY Forum in any manner, and their support does not
imply agreement on their part with nor responsibility
for any materials posted on or related to the PRIVACY Forum.
-------------------------------------------------------------------
CONTENTS
Credit Card Company Now Marketing "Privacy" Program (Marc Carrel)
Pagers as "commonly used drug-dealing equipment" (Jonathan Thornburg)
Re: *Primary Colors* and Joe Klein (PGN, RISKS-18.26) (Joel Garreau)
What constitutes appropriate monitoring of web browsers?
([Name Withheld by Request])
Looking for Internet privacy stories (Joel McNamara)
Cookie blocking (Martin Owensby)
DoubleClick cookies (Scott Wyant)
Registering to vote (Peter Langston)
Alzheimers & Privacy (David R. Cochran)
CPSR Conference, Oct. 19-20, DC (Susan Evoy)
*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***
-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond. The
moderator will choose submissions for inclusion based on their relevance and
content. Submissions will not be routinely acknowledged.
All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored. Excessive "signatures" on submissions are
subject to editing. Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com". Mailing list problems should be reported to
"list-maint@vortex.com".
All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations.
The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password. The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access. PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system. Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.
All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com". Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via
WWW access.
-----------------------------------------------------------------------------
VOLUME 05, ISSUE 15
Quote for the day:
"You fill me with inertia."
-- George Spiggott ["The Devil"] (Peter Cook)
"Bedazzled" (20th Century Fox; 1967)
----------------------------------------------------------------------
Date: Wed, 31 Jul 1996 15:11:39 -0700 (PDT)
From: ML.Carrel@SEN.CA.GOV
Subject: Credit Card Company Now Marketing "Privacy" Program
I recently received an interesting letter from AT&T Universal Card. It
contained an offer for a program it calls Wallet Security Plus. The program is
free for three months, and then $49 dollars a year thereafter. Those who sign
a release form are sent materials to enter into this program which, according
to the letter, provides the following services:
(1) Comprehensive Credit Report Service "so you can check the accuracy of your
credit report on a regular basis and correct any potential discrepancies before
they cost you an important loan, health insurance, or even a job. Your credit
report is compiled from the three national credit bureaus and merged into one
easy-to-read report." The program provides unlimited access to your report, a
toll-free hotline for questions, and you will be notified "when an inquiry has
been made to your file."
>>The letter does not mention that TRW will provide one free copy per year of
an individual's credit report. Equifax and Trans Union (the other credit
bureaus) may charge a fee, but many states, such as California, limit what they
can charge. Bureaus are required to provide a free copy if you have been
denied credit based on information in your report.
(2) 24-Hour Credit Card Protection against fraudulent use if any of the cards
you register with this program are lost or stolen. The program also provides
reimbursement for "your full liability for illegal charges to your account."
>>The letter fails to mention that practically all credit card companies
already have 24 hour toll free hotlines to report lost or stolen cards, and
will not charge you for fraudulent use after reporting the cards lost or
stolen. In addition, a customer's liability for fraudulent use of their card
is no higher than $50 on each credit card. This is also true for ATM and debit
cards reported lost or stolen within two days of the incident. After that,
liability is up to $500.
(3) $500 Theft Reward for information leading to the conviction of anyone
caught illegally using your credit cards.
>>This may sound enticing, but notice that the money only comes if there is a
conviction. Small-time credit card thieves are rarely prosecuted. It just
costs the companies money to provide evidence or staff for the deposition and
trial. The companies just cancel the cards and write-off the costs.
(4) Valuable Property and Document Registration "to secure all your important
papers and register valuable property in case of loss or theft."
>>There is plenty of software out there to inventory personal property. In
fact, many insurers require such an inventory for renters or homeowners
insurance.
(5) Customized Driver's Search "for a comprehensive review of your motor
vehicle record. Now you have access to the same information auto insurance
companies use to set your rates. Make sure your record is right before you pay
a higher premium."
>> I have no idea how accessible any state's DMV records are.
(6) VIP Notification Service "to make moving a lot easier. Register four
people or companies with our service, and if you move we'll forward your
address to all the VIP's on your list."
>>This can easily be done by filling out change-of-address cards provided free
by the US Post Office. If you consider that for a move one needs to contact all
credit card companies, banks, relatives, doctors, frequent flyer cards, alumni
associations, other membership associations, magazine subscriptions, etc.,
there are many more than four VIPs that need to be notified anyway.
Maybe this is a good program, but I am extremely cynical. Consider that by
registering your cards, VIP contacts, personal property and document
information with this program, you are handing over most of your important
personal information to a company you know nothing about. Will they take
information about your personal possessions (e.g. he owns a personal computer,
she owns three racing bikes) and sell that information to direct marketers? Or
when they combine the three bureaus' credit reports into one, will they keep
that information?
I would be interested in hearing what others think of this service, and if
anyone has ever heard of CUC International, Inc., the provider of Wallet
Security Plus.
Marc Carrel
ML.Carrel@sen.ca.gov
------------------------------
Date: Mon, 12 Aug 96 18:20 PDT
From: bkis@island.net (Jonathan Thornburg)
Subject: pagers as "commonly used drug-dealing equipment"?
In PRIVACY Forum Digest v05 n14, Phil Agre <pagre@weber.ucsd.edu>
said (commenting on a New York Times article describing the recent
"Mountain Dew" pager promotion):
| the article makes no mention
| on restrictions on minors getting ahold of commonly used drug-dealing
| equipment without their parents' consent.
I agree that a significant fraction of drug transactions make use of
pagers. However, it's also true that a significant fraction of drug
transactions make use of ball point pens, ring-back notebooks, quarters,
pay phones, and $20 bills (and many, many other items). In my opinion
it's highly misleading, indeed inflammatory, to describe any of these
items -- pagers included -- as "commonly used drug-dealing equipment",
since in each case the legitimate uses are far more frequent than the
illegitimate ones.
I also have a couple of questions about the more general topic of
parental-consent requirements for minors using pagers: Are there any
parts of the world where pagers are freely available to adults, but
require parental consent for minors? If so, are the parental-consent
requirements imposed only by the pager companies for defense against
lawsuits, or are they "official" government laws? And if the latter,
what are the penalties (levied on the pager service, I presume) for
their violation?
And finally, what fraction of current pager users are minors?
- Jonathan Thornburg <bkis@island.net> (personal E-mail)
U of British Columbia / Physics Dept / <thornbur@theory.physics.ubc.ca>
------------------------------
Date: Sun, 21 Jul 1996 06:48:04 -0700 (PDT)
From: Joel Garreau <garreau@well.com>
Subject: Re: *Primary Colors* and Joe Klein (PGN, RISKS-18.26)
[ From Risks-Forum Digest; Volume 18 : Issue 27 -- MODERATOR ]
PGN makes excellent points about the difficulty of living a lie in his
report on Joe Klein being unmasked as the author of "Primary Colors." But
as the editor of *The Washington Post* team that had a lot of fun and a lot
of pain reporting the "Primary Colors" story, allow me to cough a little
dryly about the positive spin you put on the role of computers in the
eventual success of our efforts.
For openers, the lesson I drew from my experience was that I would *never*
trust a computer text analysis again. We ran a massive such effort
independent of Professor Foster and *New York* magazine, and ours turned up
results that at the time seemed fascinating, but in retrospect were
ludicrous.
Even Foster didn't trust his results enough to bet the ranch on it. As
recently as the day we finally broke the story, he was saying he thought it
was Klein plus somebody else, and was still berating *New York* magazine for
editing into his copy the flat statement that Klein was the author. Said
flat statement was inserted by an editor with no special computer
experience. Klein, however, first achieved note as a political columnist
for the very same *New York* magazine. I suspect, therefore, that human
intuition if not specific knowledge had more to do with that piece than the
computer did.
We at *The Post* *did* get a frightening amount of financial information on
Klein and his wife by computer, including the cost of his house, the amount
of his mortgage, his address, his previous address, everything there is to
know about his cars, and so forth. And we did it in a startlingly short
period of time. It's amazing what you can do when you have a person's
social security number and date of birth, and equally sobering how easy it
is to get that information. Only our sense of journalistic propriety
prevented us from pursuing and using further information that was readily
available. But again, the information so gathered ended up being largely
tangential to the final report.
I find it marvelous that what finally broke the case was good old-fashioned,
if imaginative, gumshoe reporting. David Streitfeld, a Washington Post
reporter with eclectic literary interests, receives all sorts of snail-mail
catalogues from tiny second-hand bookstores. He saw offered for sale a copy
of the manuscript...and the rest you can read in your newspapers. The
handwriting analyst was an expert human. No computers were significantly
involved.
Also, the reason Klein is in hot water today is that back when the *New
York* article ran, we had our junk-yard dog, my boss, David Von Drehle, put
him up against the wall by reminding him that credibility is the only asset
a journalist has. Von Drehle then asked him to swear on his journalistic
credibility that he was not the author of "Primary Colors." That's when he
most memorably lied, as Klein himself acknowledged at his press conference.
In short, we put an extraordinary amount of computer effort into this story,
including a passworded spreadsheet to keep track of all our reporting. But
the cyberheroics ended up at best a sideshow if not a distraction, at least
in our experience.
It finally was cracked and developed by old-fashioned means.
Joel Garreau
[And in subsequent elections, Joe may now be saddled with Primary Collars.
Somehow, I am reminded of a quote from the cast party after the final
episode of an early TV serial, Peyton Place, in which one of the actors
who had been on the show longest was asked,
``To what do you owe your success in acting?''
The answer was this:
``Honesty. Once you've learned how to fake that, you've got it made.''
PGN]
------------------------------
Date: Wed, 7 Aug 1996 23:31:21 -XXXX
From: [Name Withheld by Request]
Subject: What constitutes appropriate monitoring of web browsers?
A "feature/bug" in the javascript of version 2.0 of Netscape allowed web
servers to send a page that triggered the client machine to send email to an
address that is specified by the server, without the knowledge of the user.
In so doing, a web server could effectively log email addresses of the people
that browsed their sites, which is a boon to direct marketers. Netscape
corrected this in version 2.01 of their browser, but many people continue to
use the old version (my statistics show that approximately 18% of the visitors
to a site I administer currently use a vulnerable version).
In the course of my work I recently came across a government site that
exploits this and attempts to log email addresses. The site is located at
http://www.hr.doe.gov/ucsp/doeucsp.htm
The page http://www.hr.doe.gov/ucsp/ that leads to the page in question has
the following statement on it:
All Department of Energy telecommunications and automated information systems
and related equipment are for the communication, transmission, processing, and
storage of U.S. Government information only. The systems and equipment are
subject to authorized monitoring to ensure proper functioning, to protect
against unauthorized use, and to verify the presence and performance of
applicable security features. Such monitoring may result in the acquisition,
recording, and analysis of all data being communicated, transmitted,
processed, or stored in this system by a user. If monitoring reveals possible
evidence of unauthorized use or criminal activity, such evidence may be
provided to appropriate DOE management or law enforcement personnel. Anyone
using this system expressly consents to such monitoring.
I understand their monitoring to prevent abuse, but I don't see where the user
consents to give up a private piece of information that is not ordinarily
transmitted as part of web browsing. Strangely enough, this same web page
contains a link to a statement from Archer L. Durham, Department of Energy
Assistant Secretary for Human Resources and Administration, that reads as
follows:
... We, as Federal employees, are expected to hold ourselves to the
highest standards of behavior and stewardship. We should remind
ourselves and those whom we supervise of the risks associated
with inappropriate use of Federal resources, including electronic
mail or duty time.
When I complained to the administrator of this site, it was defended on the
grounds that it constitutes appropriate monitoring of users. If you follow
this line of reasoning, the next thing we know, web browsing at a government
site will implicitly give consent for
- the video camera atop your machine to be activated to monitor what use you
make of the information you gather from the site.
- the microphone on the sound card to be activated for the purpose
of eavesdropping, perhaps written in ActiveX and digitally signed by
the government.
- a virus to be installed on your machine to track the use of all government
supplied information. Perhaps it will be written in javascript,
along the lines of
http://www.osf.org/~loverso/javascript/www-sec-Mar22.html
After all, we should expect these things to be possible in the future through
some bug or capability of a web browser. Is this where we are heading in the
interests of deterring computer abuse? Whatever happened to "informed
consent"?
------------------------------
Date: Sat, 20 Jul 1996 20:03:39 -0700
From: Joel McNamara <joelm@eskimo.com>
Subject: Looking for Internet privacy stories
I'm compiling what I hope will be the definitive source of worldwide case
studies that demonstrate the benefits of Internet privacy tools. These
stories will have a human focus, and clearly show the importance of PGP,
anonymous remailers, and other tools to cultural, economic, and political
processes.
The goal is to have a body of accounts that show Internet privacy
technologies being used to benefit society. These stories will be published
on a Web page, and can be used by privacy advocates to contrast against
government claims that encryption and other tools will solely benefit
criminals. If there are enough compelling stories, they may eventually find
their way into a book.
If you have a story to tell, or know someone who does, I'd like to hear it.
It doesn't have to be an exciting "rebels in the jungle" account either. In
many ways, the everyday "slice of life" stories may be more important in
showing the value of electronic privacy.
Confidentiality will be maintained, of course.
For details see: http://www.eskimo.com/~joelm/privacy.html
Joel McNamara
joelm@eskimo.com
------------------------------
Date: Sun, 21 Jul 1996 22:22:49 -0400
From: Martin Owensby <owensby@ix.netcom.com>
Subject: cookie blocking
>Date: Sat, 15 Jun 1996 18:11:18 -0700 (PDT)
>From: Runs With Scissors <gozer@oro.net>
>Subject: Blocking Cookies
>A company called "PrivNet" (http://www.privnet.com) has a product
>called "Internet Fast Forward" which can selectively block and/or
>allow cookies. It is currently in beta and works only with Netscape
>under a couple of flavors of MS Windows. It is available from the
>web site free right now. It also blocks advertisements.
---
Thought it worth mentioning that the latest beta of Internet Explorer
(3.02b) provides for selective blocking/allowing of cookies.
Provides some info on cookies also.
owensby@ix.netcom.com
------------------------------
Date: Mon, 22 Jul 1996 11:40:02 -0700
From: Scott Wyant <scott_wyant@loop.com>
Subject: DoubleClick cookies
>In Volume 05 : Issue 12, hgoldste@bbs.mpcs.com (Howard Goldstein) wrote:
>
>> One of the new features, a security feature strangely categorized as a
>> 'network' feature, queries the user before allowing "cookies" to be set.
>
>> I was surprised to find that every night for the last two weeks after
>> enabling this I've been handed a "cookie" by a site I never knowingly
>> visited, at http://ad.doubleclick.net .
I posted a fairly long description of what DoubleClick is actually doing, to
a library listserve called JESSE, and received a blizzard of messages. You
can read about it yourself -- just use AltaVista or Yahoo to find
DoubleClick, and read the marketing materials on their site.
The most interesting thing about this company is that you DON'T have to
visit their site to get a cookie from them. Unless I misread the Cookie
specs, this is a violation (at least in spirit) of what the cookie file is
supposed to be used for. You can read those specs, too. They're at:
<www.netscape.com/newsref/std/cookie_spec.html>
Scott Wyant
Spinoza Ltd.
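An added example, not part of the original post or of the digest: a small audit of a proxy-style request log that shows how a host embedded in other sites' pages sets a cookie and later receives it back from a different site. The log records, the ".example" host names and the two-label "site" rule are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample log (not real traffic). Each record is one HTTP request:
# the page that embedded it (Referer), the URL fetched, the Cookie header the
# browser sent, and the Set-Cookie header the server returned.
SAMPLE_LOG = [
    {"referer": "", "url": "http://news.example/index.html",
     "cookie": None, "set_cookie": "session=abc123; path=/"},
    {"referer": "http://news.example/index.html",
     "url": "http://ads.adnet.example/banner.gif",
     "cookie": None,
     "set_cookie": "id=8f3a; path=/; domain=.adnet.example"},
    {"referer": "", "url": "http://library.example/catalog.html",
     "cookie": None, "set_cookie": None},
    {"referer": "http://library.example/catalog.html",
     "url": "http://ads.adnet.example/banner.gif",
     "cookie": "id=8f3a", "set_cookie": None},
]


def site(host):
    """Approximate a 'site' as the last two DNS labels.

    Assumption: no public-suffix list is consulted, so this is wrong for
    registries such as co.uk; it is enough for the constructed sample.
    """
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_set_cookie(header):
    """Split a Netscape-style Set-Cookie header into (name, value, attrs)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit(log):
    """Return (third_party_sets, seen_on).

    third_party_sets: list of (page site, cookie-setting host, cookie name)
                      for cookies set by a host outside the page's site.
    seen_on:          {(cookie site, "name=value"): set of page sites on which
                      that host set or received the cookie}.
    """
    third_party_sets = []
    seen_on = {}
    for rec in log:
        req_host = urlsplit(rec["url"]).hostname
        # A request with no Referer is treated as the top-level page itself.
        page_host = urlsplit(rec["referer"]).hostname if rec["referer"] else req_host
        if site(req_host) == site(page_host):
            continue  # first-party request: same site as the page being read
        key_site, page_site = site(req_host), site(page_host)
        if rec.get("set_cookie"):
            name, value, _ = parse_set_cookie(rec["set_cookie"])
            third_party_sets.append((page_site, req_host, name))
            seen_on.setdefault((key_site, f"{name}={value}"), set()).add(page_site)
        for pair in (rec.get("cookie") or "").split(";"):
            pair = pair.strip()
            if pair:
                seen_on.setdefault((key_site, pair), set()).add(page_site)
    return third_party_sets, seen_on


if __name__ == "__main__":
    sets, seen = audit(SAMPLE_LOG)
    for page_site, host, name in sets:
        print(f"{host} set cookie '{name}' while the user was reading {page_site}")
    for (cookie_site, pair), pages in seen.items():
        print(f"{cookie_site} can link {pair} to visits on: {sorted(pages)}")
```

Any cookie whose set of page sites has more than one member is an identifier the embedded host can use to connect a reader's visits across otherwise unrelated sites.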
------------------------------
From: Peter Langston <psl@langston.com>
Date: Sat, 3 Aug 96 18:30:44 -0700
Subject: Registering to vote
Forwarded-by: Keith Bostic <bostic@bsdi.com>
Forwarded-by: "John P. Kole" <kole@mailhost.rsn.hp.com>
Forwarded-by: John Stewart <jstewart@scopus.com>
Original-From: rickh[SMTP:rickh@sybase.com]
Thanks to the Motor Voter law, you can now register to vote
electronically.
Just follow your nose at:
http://netvote96.mci.com/register.html
[ Don't panic! It turns out this isn't really a service
that actually registers you to vote. It does ask for name
and address, date of birth, and party affiliation. The
service then fills out an appropriate voter registration
card with that info, and physically *mails* it to you.
You must then sign the card and send it in to the
appropriate state authorities. Whether or not you feel
comfortable sending your date of birth and party
affiliation over the net on a plaintext form is of course
a personal decision, but this ends up being widely
disseminated information no matter how you register.
Filing a false card would still constitute a criminal act.
-- MODERATOR ]
------------------------------
Date: Thu, 15 Aug 1996 21:47:39 EDT
From: davidrc@juno.com (DAVID R COCHRAN)
Subject: Alzheimers & Privacy
Scam artists are targeting the elderly that have Alzheimer's with the intent
to embezzle. With the aid of a telephone, these racketeers extract money
through cleverly woven yarns to the unexpected. Through the means of mailing
lists, scam artists target their own customers with these high tech
demographic tools of communications. Mailing list companies can produce
detailed lists that show marketing specialists information on people with
such diseases as Alzheimer's. Lists can be compiled geographically. They have
access to phone numbers and mailing addresses. All this information can be
purchased in label format or diskette for computers. I feel that list
companies should be more responsible with their marketing information.
Supplying lists with such information should be handled with a little more
scrutiny and discretion...
David R. Cochran
davidrc@juno.com
------------------------------
Date: Tue, 23 Jul 1996 23:27:00 -0700
From: Susan Evoy <sevoy@Sunnyside.COM>
Subject: CPSR Conference, Oct. 19-20, DC
COMMUNICATIONS UNLEASHED
What's at Stake? Who Benefits? How to Get Involved!
Computer Professionals for Social Responsibility
Conference and Annual Meeting
October 19-20, Georgetown University, Washington, DC
The Telecommunications Act of 1996 precipitated a dramatic change in the way
we look at, think about, use, and provide communications and information. As
old boundaries disappear, public interest and consumer interests take on new
meanings. What will the sleek infobahns of the new era offer consumers,
including rural and remote area residents and the urban underserved? What
will the changes mean for the rights of consumers to express themselves and
access information freely, and to conduct transactions reasonably, without
fear of big brother or big business invading their privacy, or worse? What
are the new roles for regulators? How will they interact with each other and
where will jurisdictional lines be drawn? And how do we, as citizen
activists, work to guarantee our rights and pursue the public interest in the
new legislative, regulatory, and commercial landscape?
This conference brings together experts in policy and activism to explore the
current state of policy development. They will help you to translate this
knowledge into effective advocacy and action in order to protect the
interests of the underserved from an onslaught of revolutionary changes that
deregulation and unfettered competition will bring. The speakers will
explain the real-world implications of the changes in telecommunications
laws, along with the regulatory activity that implements these laws and how
to influence these processes. Activists at many levels will share success
stories and tactics that work, and will build our collective knowledge and
experience into networks of activists that can support each other into the
future.
Please plan to attend this information-rich weekend of October 19-20, at the
epicenter of the earthquake that is shaking up the telecommunications
landscape, Washington, DC. Further details will be distributed in the next
month and will be posted on our Web site at http://www.cpsr.org/home.html
CONFERENCE PROGRAM FOR SATURDAY, OCTOBER 19
KEYNOTE SPEAKER - RALPH NADER (invited)
Green Party Presidential nominee and legendary consumer advocate
THE COMMUNICATIONS TSUNAMI
In the new blurry world of corporate mergers and mega-packaging of services,
where is the consumer and public interest stake and who will represent it?
Panelists will examine the post-telecom act world with a view toward
interpreting the impact and effects of universal service, the opening of
local exchanges to competition, the provision of fair pricing rules, and
stewardship of the dazzling array of newly emerging broadband services.
TOOLKITS FOR ACTIVISTS
This panel will assess the kinds of tools, methods, and techniques available
to activists and practitioners at state, local, and community levels. How
can activists get a wedge in among the telecom and media giants? For
community nets, what works, what doesn't, and why? How can public interest
concerns be leveraged at the micro-level? How can citizens learn to grasp
and work with the new market and regulatory realities at national, state, and
local levels?
THE INTERNET: COMMERCIALIZATION, GLOBALIZATION, AND GOVERNANCE
The accelerating commercialization and globalization of the Internet raises
new and divisive problems of governance and control. What might these trends
mean for the Internet in the years to come? Can we create cooperative
institutions for Internet management that are globally inclusive and
effective? Will governments adopt policies that promote or stifle innovative
new services like Internet telephony? What new pricing schemes will be
developed, and what will be the impact on access to information and services?
INFORMATION RIGHTS
New information technologies and policy responses to them raise many issues
related to information rights on the Internet. Panelists will discuss new
threats to privacy enabled by the collection of personal information on the
web, and ways to combat them; freedom of speech online, including the
Communications Decency Act as well as state and international issues; and the
consequences of new measures to protect copyright, including currently pending
legislation and technical proposals from industry.
COMPUTERS AND ELECTIONS: RISKS, RELIABILITY AND REFORM
There are widespread and legitimate concerns about the accuracy, integrity
and security of computer-generated vote totals. Panelists will discuss the
technical, social and political origins of these concerns within the context
of today's election system. They will also make recommendations for changes
in the areas of technology, election law, accountability and oversight.
CONFERENCE PROGRAM FOR SUNDAY, OCTOBER 20
CONCURRENT WORKSHOPS
SESSION ONE
Competition and the Internet Consumer
Civic Networking: By-passing the Big Boys
Media Tactics and Outreach
SESSION TWO
Internet Legal Issues
Broadcasting and Mass Media
Fundraising for the Public Interest
CPSR 1996 ANNUAL MEETING
--
Susan Evoy * Deputy Director
http://www.cpsr.org/home.html
Computer Professionals for Social Responsibility
P.O. Box 717 * Palo Alto * CA * 94302
Phone: (415) 322-3778 * Fax: (415) 322-4748 * Email: evoy@cpsr.org *
------------------------------
End of PRIVACY Forum Digest 05.15
************************