Computer Privacy Digest Wed, 10 Aug 94              Volume 5 : Issue: 022

Today's Topics:                         Moderator: Leonard P. Levine

    Re: Fingerprinting Rules
    Re: Fingerprinting Rules
    Re: Answering Machine Features
    Re: Answering Machine Features
    Re: Answering Machine Features
    Re: Answering Machine Features
    Re: Are Web Servers Anonymous?
    Re: SSN Required by Sprint in U.S.
    Re: SSN Required by Sprint in U.S.
    Re: Towards Natl ID card?
    Re: Bank Account Numbers
    Re: Bank Account Numbers
    Big Brother at Checkout Stand
    Privacy and Marketing
    Privacy Rights Clearinghouse Correction!!!
    EPIC Seeks Release of FBI Wiretap Data

---------------------------------------------------------------------

Housekeeping information is located at the end of this Digest.

----------------------------------------------------------------------

From: Mike Fischbein
Date: 08 Aug 1994 14:42:44 -0400
Subject: Re: Fingerprinting Rules

I wouldn't mind being fingerprinted; that's pretty much only useful for positive ID purposes. I've had several (different jobs, different agencies) high security clearances, and been fingerprinted for each, as well as when I was active duty Navy. I wouldn't have been upset at all about fingerprinting.

On the other hand, even though I somewhat reluctantly admit of a reasonable need for urine testing in the military (and participate, since I'm still in the reserves), I do NOT feel it is valid before the fact in the civilian world. I have told firms that wanted samples "no," and if they wanted my services they could go ahead anyway. If they didn't, they could go elsewhere. If it was a one-time test and for permanent employment, I might put up with it, but I have not done that for consulting jobs.
------------------------------

From: poivre@netcom.com (Poivre)
Date: 09 Aug 1994 22:42:43 GMT
Subject: Re: Fingerprinting Rules
Organization: NETCOM On-line Communication Services (408 261-4700 guest)

JB Wood (JBWOOD@CHEMICAL.watstar.uwaterloo.ca) wrote:

Fingerprinting is a lot more serious and I would NEVER submit to any gov't agency retaining my prints (voluntarily). About 8 years ago, my mom thought it was a good idea when the police offered the free service one weekend at the mall. They said it was to help find missing children, but in my mind they just wanted to be able to use future technologies to I.D. anybody by computer. I said I had a date that night and didn't want ink all over my fingers... worked like a charm.

I have always wondered about fingerprinting children against kidnapping. What good does fingerprinting do in recovering live, coherent abductees? The only use that I can think of would be if they find the child's corpse and they fingerprint to make a positive ID, or if somehow the child escapes from the kidnappers or if the kidnappers let the child go, but the child is left too damaged to tell police their name or grown too much that family don't recognize them. Fingerprinting can't prevent crimes against children cause the practical uses of fingerprints come AFTER a crime has already been committed.

If someone could explain to me the benefits of fingerprinting children other than what I've said above, I'd like to hear it. Otherwise, it's almost useless.

--
. . . . . . . . . . . . . . . . . . . . . . . . . .
poivre@netcom.com : #include :
. . . . . . . . . . . . . . . . . . . . . . . . . .
------------------------------

From: ppxpmd@unicorn.ccc.nottingham.ac.uk (P.Debenham)
Date: 09 Aug 1994 15:13:45 +0100
Subject: Re: Answering Machine Features
Organization: Cripps Computing Centre, University of Nottingham

Of course for those with some electronic skills there is always another option if equipment has 'remote' features you do not want, and that is open the thing up and modify it. Most of these devices use fairly simple logic circuitry which should not be too difficult to understand and modify.

For those without electronic skills start trying to persuade the producers that enough people care about their privacy to give a market for equipment without the 'remote' features. Problem is that I doubt enough people care to produce a large enough market so you are back to option one.

Pass the screwdriver and soldering iron..

--
-------------------------------------------------------------------------------
Peter_Debenham@vme.ccc.nottingham.ac.uk  (might differ from header address but
Physics Dept., Nottingham Uni, UK         this one gets checked most often)

------------------------------

From: poivre@netcom.com (Poivre)
Date: 09 Aug 1994 23:19:10 GMT
Subject: Re: Answering Machine Features
Organization: NETCOM On-line Communication Services (408 261-4700 guest)

David Redish (David_Redish@GS17.SP.CS.CMU.EDU) wrote:

Recently we received (as a present) an answering machine made by AT&T. On reading the manual, we discovered that not only does it have extensive remote facilities (such as changing your message, accessing messages, etc.) protected only by a limited 2 digit code (with some 2-digit pairs locked out, so <<99 possible passwords), it has a feature so that if you know the 2 digit password you can *listen to the room the phone is in*!

I have an answering machine made by Panasonic and it has that listening feature too. It also has a button that you can push (this is not a remote feature) to record the phone conversation you are having.
I only discovered these features upon reading the manual. It's not listed on the box.

When we went to AT&T to try to exchange it, we discovered that they don't make phones without all of these remote features. So we went looking for answering machines (of a decent quality) that don't have remote features. It appears none exist. Does anyone know of a quality made answering machine that does not have these highly suspect "bugs" (they called them features, but I know better)?

I don't know of answering machines without those things. I am not an answering machine hobbyist so I don't know. However, if the remote listening to the room bothers you, you can just unplug the machine from the phone line whenever you are home.

--
. . . . . . . . . . . . . . . . . . . . . . . . . .
poivre@netcom.com : #include :
. . . . . . . . . . . . . . . . . . . . . . . . . .

------------------------------

From: Rob.Aronson@fw.gs.com (Rob Aronson)
Date: 10 Aug 1994 11:07:18 +0500
Subject: Re: Answering Machine Features
Organization: Goldman, Sachs & Company - Distributed Systems Services

David Redish discussed the remote features of his AT&T answering machine. Well, I have one of the Panasonic all-digital models and it operates the same way. I don't have a problem with remote access to features, but I have a big problem with the security code. Like the AT&T machine, the Panasonic uses a 2-digit code which in my mind is completely unacceptable. I think a 3-digit code would be bad enough, although it would deter most >casual< attackers, but a 2-digit code is absurd.

All of these vendors should wake up to reality and make their machines more difficult to get into. My guess is that they figure a lot of people won't realize how many digits are in the code, but that's security through obscurity and most people would realize that that doesn't work.
------------------------------

From: glr@ripco.com (Glen Roberts)
Date: 10 Aug 1994 18:19:02 GMT
Subject: Re: Answering Machine Features
Organization: RCI, Chicago, IL

David Redish (David_Redish@GS17.SP.CS.CMU.EDU) wrote:

Recently we received (as a present) an answering machine made by AT&T. On reading the manual, we discovered that not only does it have extensive remote facilities (such as changing your message, accessing messages, etc.) protected only by a limited 2 digit code (with some 2-digit pairs locked out, so <<99 possible passwords), it has a feature so that if you know the 2 digit password you can *listen to the room the phone is in*!

Some fax machines also have the listen in feature....

--
Glen L. Roberts, Editor, Full Disclosure Magazine
Host Full Disclosure Live (WWCR 5,810 khz - Sundays 7pm central)
email glr@rci.ripco.com for information on The Best of Full Disclosure,
four volumes to blow your mind. Voice/Fax on demand: (708) 356-9646
No record. No Trace calling: 1-900-STOPPER (786-7737). $1.95/min

------------------------------

From: stein-c@acsu.buffalo.edu (Craig Steinberger)
Date: 09 Aug 1994 16:56:53 GMT
Subject: Re: Are Web Servers Anonymous?
Organization: SUNY at Buffalo CFD Lab

If the person who connects to a web server is on a machine that runs the identd daemon, the username as well as the machine is available to the web server admin. For example, here is an excerpt from my web logs:

    cfd20.eng.buffalo.edu stein-c - [29/May/1994:13:22:55 -0400] "GET /~stein-c/craig.html HTTP/1.0" 200 2302

In fact, if your machine runs the identd daemon, all of your network connections are traceable to you.

--
Craig Steinberger    stein-c@eng.buffalo.edu
SUNY at Buffalo, Computational Fluid Dynamics Lab
http://cfd20.eng.buffalo.edu/~stein-c/craig.html

------------------------------

From: elvey-matthew@CS.YALE.EDU (Matthew Elvey)
Date: 09 Aug 1994 18:33:18 -0400
Subject: Re: SSN Required by Sprint in U.S.

poivre@netcom.com is a bit confused.
Friends and Family is MCI's program, not Sprint's! I have it and it sucks and is a pain in the ass. But it gives the best rates I can find. (I can't imagine why they don't just give you 20% off everything. They could probably get rid of half their staff, who do nothing but add names and numbers to F&F lists. Marketing!)

--
Matthew Elvey  New Haven, CT      | My opinions represent the
elvey@gator.zoo.cs.yale.edu or    | official policy of Yale U.,
elvey@minerva.cis.yale.edu or     | all men and the American
(203)772-4826                     | Bar Association...NOT!

------------------------------

From: elvey-matthew@CS.YALE.EDU (Matthew Elvey)
Date: 09 Aug 1994 18:37:24 -0400
Subject: Re: SSN Required by Sprint in U.S.

robert heuman writes:

I for one do NOT remember my SSN (SIN here in Canada, but I have BOTH) and carry it in my wallet...

In fact, the Social Security card _stub_ states that the card must be carried at all times, as I recall.

------------------------------

From: kfl@access.digex.net (Keith F. Lynch)
Date: 09 Aug 1994 22:05:11 -0400
Subject: Re: Towards Natl ID card?
Organization: Express Access Public Access UNIX, Greenbelt, Maryland USA

Mich Kabay [NCSA Sys_Op] <75300.3232@compuserve.com> wrote:

Authentication might involve "a more secure Social Security card, a counterfeit-resistant driver's license and a telephone verification system."

What about those of us without driver's licenses? Also, how do they propose to control the self-employed?

--
Keith Lynch, kfl@access.digex.com
f p=2,3:2 s q=1 x "f f=3:2 q:f*f>p!'q s q=p#f" w:q p,?$x\8+1*8

------------------------------

From: John Palkovic
Date: 10 Aug 1994 09:30:31 GMT
Subject: Re: Bank Account Numbers

amy young-leith writes:

I was just thinking today.... "Am I the only one bothered by this new gimmick of "Have your payment deducted monthly from your checking account...." thing I'm seeing everywhere.

This is the standard method of bill payment here in Germany. The authorization comes from the account holder.
You fill out a form, giving your account number and "Bankleitzahl" (bank number), sign it, and mail it off. The withdrawals can be stopped by the acct. holder at any time.

Personally, I think it is great. I have had no problems with such payments. I don't have to worry about writing checks each month for water, gas, etc. Notice of the withdrawal is mailed to you, and is also printed on your account statement (I can get a statement at any time by going to the bank and running my ATM card through a little machine). If there is a problem with the amount, you are given a grace period to contest it. Just like when you pay by check.

--
palkovic@desy.de
Deutsches Elektronen-Synchrotron, Relativity Engineering
"I ask each of you to be intolerant of creeping bureaucracy." - Bob Wilson
finger for PGP public key. MIME and PGP mail welcome

------------------------------

From: wayne@arrow.HIP.berkeley.edu (Wayne Christian)
Date: 10 Aug 1994 17:09:26 GMT
Subject: Re: Bank Account Numbers
Organization: University of California, Berkeley

I have had money removed from my account by a previous employer. I had set up direct deposit of my paycheck into my checking account. Then one time that I received a statement of my account, I noticed that money had been withdrawn by my employer. As I recall, this has happened twice.

There are also very strict rules about electronic funds transfers (EFT) which you will find listed in a disclosure form you get with your account or you can request from the bank. You have 60 days to dispute an EFT, and a legitimate basis for dispute is that you did not authorize the transfer. You may legitimately dispute a transfer even if you have authorized other transfers. It is the responsibility of the other party to prove that you authorized this individual EFT.

In practice banks differ in how they interpret the law and it is up to the bank official you talk to to actually initiate a reversal.
If your bank seems too willing to allow unauthorized transfers you can take your business to another bank or even sue the bank. The law on EFT is administered by the Federal Reserve, but I have been unsuccessful in even finding an office at the FED which will accept complaints. Citibank seems unwilling to exercise consumer rights under the law.

My experience with EFT is that a lot of mistakes get made and companies will often not even provide an invoice to document what they claim to have provided. This is also true of credit cards. I terminated my account with CheckFree because of their billing errors.

------------------------------

From: wmccarth@t4fsa-gw.den.mmc.com (Wil McCarthy)
Date: 09 Aug 1994 14:25:29 GMT
Subject: Big Brother at Checkout Stand
Organization: Martin Marietta Corporation

I went grocery shopping yesterday at a King Soopers in Denver, where I bought all the usual comestibles, pet food, kitty litter, and a six-pack of beer. Like most people, I do this about every two weeks. Yesterday, though, the bar code scanner stopped dead on the beer, and the words "ID CHECK REQ'D" appeared on the little LED display. The clerk was then forced to ask for my driver's license, and to type in my date of birth, to prove to the computer that I was old enough to buy beer.

I'm 28 years old and look every day of it, and there was quite a long line behind me, and the clerk was clearly furious at having to do this for the nth time on a busy day. I'm concerned that the clerk is no longer permitted to exercise judgment of any sort, and that the specter of underage drinking is _so_ terrible that every shopper must be inconvenienced to prevent it.

I'm also concerned that the process is 50% automated at this point. Much simpler if you just surrender your license at the start, yes? The computer will give it back to you if you haven't broken any laws...
--
The ideal state provides its          Wil McCarthy (wmccarth@t4fsa-gw)
citizens with the tools to succeed    Martin Marietta Corporation
and the freedom to fail.              I made this stuff up myself.

------------------------------

From: gast@CS.UCLA.EDU (David Gast)
Date: 09 Aug 94 23:21:17 PDT
Subject: Privacy and Marketing

Marc Thibault writes:

Jeremy D. Allaire writes: ... hence, the advertiser will shape the contents of your box more than you ...

Although there is a privacy issue here, there are also some benefits (which is why we routinely give up bits of privacy).

First it appears that Mr. Thibault may be engaged in the privacy-invading/marketing business and it would be proper for him to state so up front, so that others can decide if he might be considered to have a conflict of interest due to his job.

I think we usually give up privacy because we are forced to, not because we expect some benefit unless you mean that staying alive out of prison is a benefit as opposed to what should be normalcy. That is, I do not think that most people give up privacy voluntarily. In any event, if you want to use information about someone, you should first get the permission of that person.

(1) If you had to pay the full cost of delivering television programming to your home, you would spend more time in theatres. A lot of people would choose to do without TV. Advertisers pick up the tab and make TV cheap for us to watch. It is appropriate that they get some compensation in the form of viewer attention.

I don't watch TV now. I cannot think of a bigger waste of time or a less informative medium. One of the problems is that because the advertisers pay for the full cost, the TV networks do not have to care *directly* whether the shows are popular; the networks only care if advertisers like the show, which depends on the message and demographics. That is, a show could be really popular, but it would be canceled if there were no advertisers.
(There were some very interesting Congressional hearings in the sixties. The big advertisers testified about all the types of programs, based on content, they would not advertise on.) A corollary is that nothing of substance or importance can be shown on TV because the commercials have to be able to fix all of our problems in 15 or 30 seconds. It would detract from the happy message of the ad if serious problems requiring more than 15 seconds to solve or unhappy endings were common. The so-called content is nothing more than glue to keep the viewer vegetating between commercials, the true content of TV. Many people do not want to see the Internet degenerate in this way.

(2) Smarter marketing as a result of effective use of consumer databases means that the time you do spend watching ads will more likely be useful.

But I am not interested in spending any time watching ads unless I specifically choose to do so, and then only for the specific purpose I have in mind. I would not have an account with Prodigy in part because I do not want to get the constant stream of ads.

No advertiser is going to waste selling dollars trying to sell you something you don't want or need if they can help it. You'll get ads for stuff you are actually interested in buying. In the end, you do in fact shape the contents of your box; effortlessly.

Most ads are not for things that we truly "need." One of the purposes of advertising is to create a "need" or a desire for a product. Further, advertising will remain demographically based. Further, most ads have zero content in terms of information. The purpose in large part is to attempt to differentiate through emotional attachment nearly identical products so that the consumer will pay more for one product than another. Advertisers hope we will be stupid and pay more for brand loyalty.

(3) Smarter marketing will also make it cost effective to advertise niche products, so you won't have to dig all over the place for that special item - the producer will find you.

Thanks, but I don't want advertisers finding me. Further, advertising costs money, and that means that ceteris paribus an unadvertised product can be sold for less money than a heavily advertised product. Anyway, even if the producer did find me, the information he sends will likely be happy faces, and image rather than real information.

------------------------------

From: Privacy Rights Clearinghouse
Date: 09 Aug 1994 23:42:06 -0700 (PDT)
Subject: Privacy Rights Clearinghouse Correction!!!

Correction!!!

Information on the PRC gopher site is in error. The phone number for the California hotline was incorrectly listed on the factsheets contained on the gopher. The correct number for the PRC Hotline, in California only is, 1-800-773-7748. We are sorry for any inconvenience.

The Privacy Rights Clearinghouse (PRC) a non-profit consumer education group, now has a gopher site. The gopher site contains State (California) and Federal legislation relating to the issue of privacy and informational fact sheets that are constantly being updated. Some of the topics include; Your Social Security number, junk mail, e-mail in the work place and wiretapping, and many others.

Gopher to gopher.acusd.edu. To telnet to the PRC: telnet teetot.acusd.edu, login: privacy. Once in the USD Gopher, Select #4. USD Campus-Wide Information System/. then select #8. Privacy Rights Clearinghouse.

The Privacy Rights Clearinghouse is a service for California consumers. It is administered by the University of San Diego's Center for Public Interest Law. It is funded by the telecommunications Education Trust, a program of the California Public Utilities Commission. It has been in operation since October 1992. Voice (619)298-3396.
------------------------------

From: Dave Banisar
Date: 09 Aug 1993 13:15:11 +0000
Subject: EPIC Seeks Release of FBI Wiretap Data

Electronic Privacy Information Center

PRESS RELEASE
_____________________________________________________________

For Release: August 9, 1994 2:00 pm

Group Seeks Release of FBI Wiretap Data, Calls Proposed Surveillance Legislation Unnecessary

Washington, DC: A leading privacy rights group today sued the Federal Bureau of Investigation to force the release of documents the FBI claims support its campaign for new wiretap legislation. The documents were cited by FBI Director Louis Freeh during testimony before Congress and in a speech to an influential legal organization but have never been released to the public.

The lawsuit was filed as proposed legislation which would mandate technological changes long sought by the FBI was scheduled to be introduced in Congress.

The case was brought in federal district court by the Electronic Privacy Information Center (EPIC), a public interest research organization that has closely monitored the Bureau's efforts to mandate the design of the nation's telecommunications infrastructure to facilitate wiretapping. An earlier EPIC lawsuit revealed that FBI field offices had reported no difficulties conducting wiretaps as a result of new digital communications technology, in apparent contradiction of frequent Bureau claims.

At issue are two internal FBI surveys that the FBI Director has cited as evidence that new telephone systems interfere with law enforcement investigations. During Congressional testimony on March 18, Director Freeh described "a 1993 informal survey which the FBI did with respect to state and local law enforcement authorities." According to Freeh, the survey describes the problems such agencies had encountered in executing court orders for electronic surveillance.

On May 19 the FBI Director delivered a speech before the American Law Institute in Washington, DC.
In his prepared remarks, Freeh stated that "[w]ithin the last month, the FBI conducted an informal survey of federal and local law enforcement regarding recent technological problems which revealed over 180 instances where law enforcement was precluded from implementing or fully implementing court [wiretap] orders."

According to David L. Sobel, EPIC's Legal Counsel, the FBI has not yet demonstrated a need for the sweeping new legislation that it seeks. "The Bureau has never presented a convincing case that its wiretapping capabilities are threatened. Yet it seeks to redesign the information infrastructure at an astronomical cost to the taxpayers."

The nation's telephone companies have consistently stated that there have been no cases in which the needs of law enforcement have not been met.

EPIC is a project of the Fund for Constitutional Government and Computer Professionals for Social Responsibility.

================================================================

FBI Director Freeh's Recent Conflicting Statements on the Need for Digital Telephony Legislation
_______________________________________________________________

Speech before the Executives' Club of Chicago, February 17:

Development of technology is moving so rapidly that several hundred court-authorized surveillances already have been prevented by new technological impediments with advanced communications equipment.

* * *

Testimony before Congress on March 18:

SEN. LEAHY: Have you had any -- for example, digital telephony, have you had any instances where you've had a court order for a wiretap that couldn't be executed because of digital telephony?

MR. FREEH: We've had problems just short of that. And I was going to continue with my statement, but I won't now because I'd actually rather answer questions than read. We have instances of 91 cases -- this was based on a 1993 informal survey which the FBI did with respect to state and local law enforcement authorities. I can break that down for you.

* * *

Newsday interview on May 16:

We've determined about 81 different instances around the country where we were not able to execute a court-authorized electronic surveillance order because of lack of access to that particular system - a digital switch, a digital loop or some blocking technology which we didn't have to deal with four or five years ago.

* * *

Speech before the American Law Institute on May 19:

Within the last month, the FBI conducted an informal survey of federal and local law enforcement regarding recent technological problems which revealed over 180 instances where law enforcement was precluded from implementing or fully implementing court orders [for electronic surveillance].

============================================================

------------------------------

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

Back issues are available via anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The archives are in the directory "pub/comp-privacy".

People with gopher capability can access the library at gopher.cs.uwm.edu. Mosaic users will find it at gopher://gopher.cs.uwm.edu.

Archives are also held at ftp.pica.army.mil [129.139.160.133].

End of Computer Privacy Digest V5 #022
******************************