Computer Privacy Digest Mon, 22 Aug 94 Volume 5 : Issue: 025 Today's Topics: Moderator: Leonard P. Levine Re: Electronic Cash Re: Electronic Cash Re: Electronic Cash Re: Bank Account Numbers Re: Bank Account Numbers Re: Big Brother at Checkout Stand Re: SSN Dial In Database Re: Multiple SSNs Microsoft "Chicago" OS National Registry: Equifax for Driving Records? Remailers and "Anonymous Personas" (aliases) --------------------------------------------------------------------- Housekeeping information is located at the end of this Digest. ---------------------------------------------------------------------- From: mckeever@cogsci.uwo.ca (Paul McKeever) Date: 12 Aug 1994 20:42:44 GMT Subject: Re: Electronic Cash Organization: University of Western Ontario, London, Ont. Canada Anonymity is not a problem with digital cash. For example, I hold a card for a photocopier. Currently, I pay cash to have credits (for example, money) charged-up onto it's magnetic strip. When I use my card at the photocopier, the copier does not know to whom the card belongs...it simply takes credits off of my photocopy card. THIS technology, and not that which is currently under use (in a limited way) in Canada guarantees anonymity because the information about how much money a cardhold has is encoded LOCALLY (i.e., on a card in the holder's pocket) rather than CENTRALLY (e.g., on a hard disk in a computer in Toronto). The problem of anonymity being lost occurs only when we use cards that use the latter (i.e., CENTRALIZED storage) approach. In other words, PART 1 of my argument is that the technology exists to have anonymous cash which is digital (and virtual) rather than physical (like paper or coin). THE REAL PROBLEM: Is one of politics and lawmaking. Plastic cards etc. need card-readers (or what have you) to transfer credits from one card to another...the card readers of digital cash, therefore, are the hands used to transfer physical cash. NOW, that being understood, consider human psychology. Governments have a difficult time telling people what they can do with their bodies, especially note the abortion issue, in which many people want the state to stay out of their wombs and reproductive choices). In contrast, governments find relatively little resistance when they attempt to regulate machinery. THUS: WHATEVER sort of electronic cash you use, the machines used to transfer credits will be easily regulated by government -- this will probably mean centralized monitoring of all transactions, even between two anonymous parties: you don't have to know WHO the party is, for example, to remove sales tax from his card. CONCLUSION: While the techology exists to mimick the anonymity of physical cash, it is extremely UNWISE to ignore the ease with which machines can be regulated by government. Consequently, it is unwise to assume that the benefits of anonymity will continue if digital cash replaces physical cash, and even if they did, somehow, continue, taxation would still be quite easily done by regulating the possession and use of the machines that transfer credits from one entity to another. ABANDONING PHYSICAL CASH, ANONYMOUS COINS OR PAPER, WILL *END* THE LIFE OF ANONYMOUS TRADE, PRECISELY BECAUSE IT IS DIFFICULT FOR GOVERNMENT TO PASS LAWS WITH RESPECT TO PEOPLE'S BODIES, AND EASY FOR GOVERNMENT TO PASS LAWS WITH RESPECT TO THE POSSESSION AND USE OF MACHINES SUCH AS DEBIT CARD READERS. Now ignore me, and let's get on with the dismantling of privacy and freedom in North America. Rantingly yours, Paul McKeever ------------------------------ From: wayne@arrow.HIP.berkeley.edu (Wayne Christian) Date: 13 Aug 1994 19:56:05 GMT Subject: Re: Electronic Cash Organization: University of California, Berkeley The August, 1992 Scientific American contained an article by David Chaum, "Achieving Electronic Privacy", which proposed a scheme involving multiple public keys which could issue you a "Magic Cookie", which could be authenticated, used only once, and not traced. I didn't understand it, and I'm not sure I believe it. Is the proposal sound? There have been a number of technical articles on electronic cash which can be found in the CS literature. The concept is sound technically, although there are various implementations. The problem is to get a bank or other finanial institution to provide the infrastructure and payments system to support it. After all you will want to convert electronic cash into other types of money. Unless the system was set up by the government some corporation would have to be willing to guarrentee the system against error or 'hacking'. There was an article either in the NYT or Economist recently about a test implementation of a electronic cash system in England using a credit card like mechanism. ------------------------------ From: huggins@quip.eecs.umich.edu (Jim Huggins) Date: 15 Aug 1994 09:46:01 GMT Subject: Re: Electronic Cash Organization: University of Michigan EECS Dept. Paul Gilmartin wrote: The August, 1992 Scientific American contained an article by David Chaum, "Achieving Electronic Privacy", which proposed a scheme involving multiple public keys which could issue you a "Magic Cookie", which could be authenticated, used only once, and not traced. I didn't understand it, and I'm not sure I believe it. Is the proposal sound? Yes. I read a paper by Chaum describing the process and worked through the mathematics of it. It uses some variants on 'cut-and-choose' and is thus not completely secure (though with very low odds of failure either in authentication or forgeability). Unfortunately, I don't remember enough of the details to recount them here. -- Jim Huggins, Univ. of Michigan huggins@eecs.umich.edu "You cannot pray to a personal computer no matter how user-friendly it is." (PGP key available upon request) W. Bingham Hunter ------------------------------ From: Paul Robinson Date: 19 Aug 1994 21:23:57 -0400 (EDT) Subject: Re: Bank Account Numbers Organization: Tansin A. Darcos & Company, Silver Spring, MD USA amy young-leith (alyoung@kiwi.ucs.indiana.edu) wrote: What I want to ask is: WHEN did I give my bank authorization to allow other people to take money out of my account? How can they allow these "dedictions" with just a signature at a company (most say, "Just fill in your account number and sign below...." I would hope that you are overreacting. What can be done is if an automatic deposit is made to your account in error, either because it is too large (like a double transfer, or a post by mistake to your account) the issuer has the right to reclaim the amount in error, by issuing a reduction of the deposit. This is not an authorization to withdraw money from your account; what it *is* is an authorization for them to effectively cancel the deposit and reissue it for an amount less than the first transaction. In no case should the sum total of these transactions be less than zero. Glen Roberts , writes: The telemarketers have come up with a new trick...they will ask for your bank account number off the bottom of one of your checks. They will then have a "facisimile" check made, that looks like a real check, but in the spot for the signature it, says "no signature required." The telemarketer (or other business) then deposits these checks. I will bet that somewhere on that document is a statement that the issuer guarantees the validity of the transaction. And there's another issue I'll come to in a moment. What happens if a check of $100 is run through as $1000... you're balance is $900 less than you think, and if you write a check that bounces, you could be arrested for a felony. It is only a felony if you intentionally bounce a check which you knowingly had no funds available. If you were the victim of check fraud, then there was no criminal intent. The biggest problem would be if you don't keep good records and suspect you might have made a mistake. If you *know for certain* you are supposed to have enough money in the account, then you know something is wrong. This might not help much if you're trying to cover some checks, but you otherwise might be able to prevent a prosecution. The bank that accepts an automatic draft must have an authorization from the account holder to accept it. If you didn't authorize them to issue these drafts, it's the same as if the bank accepted forged checks. The bank is responsible to verify the signature on a check. If the signature is missing or is clearly invalid, the bank is responsible to refund the value of the check, which it should then return to the issuing bank as a forged check, or most likely eats it. It would be much worse, of course, if someone stole your checking account number and took money out. Unlike the credit cards that have a easy procedure for contesting charges... have fun at the bank! If it's an electronic transfer or automatic debit, ask the bank for the signed authorization they have on file. If it's a check, show them that the signature doesn't match the signature card and that it's not yours. Tell them you are willing to prosecute if it is a forgery. In the case of an electronic transaction the bank must find out what is going on within 10 business days or credit your account until it does. --- Paul Robinson - Paul@TDR.COM Voted "Largest Polluter of the (IETF) list" by Randy Bush ------------------------------ From: skypatrl@crl.com (Albert Zhou) Date: 21 Aug 1994 00:30:33 -0700 Subject: Re: Bank Account Numbers Organization: CRL Dialup Internet Access (415) 705-6060 [login: guest] John Palkovic writes: amy young-leith writes: I was just thinking today.... "Am I the only one bothered by this new gimick of "Have your payment deducted monthly from your checking account...." thing I'm seeing everywhere. This is the standard method of bill payment here in Germany. The authorization comes from the account holder. You fill out a form, giving your account number and "Bankleitzahl" (bank number), sign it, and mail it off. The withdrawals can be stopped by the acct. holder at any time. Personally, I think it is great. I have had no problems with such payments. The problem in the U.S. is that the automatic withdrawl cannot be stopped through your bank. Only the merchant can make it stop. So if the merchant doesn't cooperate, sometimes the only way to stop it is to close the account. There are extensive laws to protect consumers in the case of billing dispute in the U.S. That is, you can refuse to pay if you think the bill is incorrect. You'd be out of luck if the payment has been automatically paid before you see the bill. I don't have to worry about writing checks each month for water, gas, etc. Notice of the withdrawal is mailed to you, and is also printed on your account statement (I can get a statement at any time by going to the bank and running my ATM card through a little machine). If there is a problem with the amount, you are given a grace period to contest it. Just like when you pay by check. They are several electronic bill paying services available in the U.S. The difference is the consumer initiates a payment, not the merchant. I think this is a safest way of paying bill, until new laws are enacted to provide better consumer protection. ------------------------------ From: dunn@nlm.nih.gov (Joe Dunn) Date: 16 Aug 94 13:53:17 GMT Subject: Re: Big Brother at Checkout Stand Organization: NLM/NCBI klootzak@stein3.u.washington.edu (Michael Stuyt) writes: I know the new Colorado Licenses have a magstrip on the back. Probably be at the point where you drag the license through a reader as proof of age... isn't that great. Your driving record will be on that magnetic strip. how many liquor stores or bars will sell to you knowing you've been dwi?? think of the legal ramifications they face if they do and you get in an accident after drinking there?? I'd take a magnet and make sure that strip never works, complete invasion of privacy... ------------------------------ From: glr@ripco.com (Glen Roberts) Date: 22 Aug 1994 19:01:55 GMT Subject: Re: SSN Dial In Database Organization: RCI, Chicago, IL Todd Leonard (todd@meaddata.com) wrote: Glen Roberts (glr@ripco.com) wrote: Now, there is something new. SSN-BASE, a public, free, interactive SSN database. It's easy to check out. Just call from your modem (2400 baud): (708) 838-3378. I tried this service. First, I entered a number that "looked like" a SSN, to which it replied something to the effect of "I've never heard of that, but I'll add it to the database". Next I tried 000-00-0000, and then 123-45-6789, both of which were found, leading me to suspect somebody before me had tried the same experiment. I'm glad I didn't try a real SSN, particularly my own. Such a system could clearly be used to collect SSNs and use them illicitly, if that were the motive of the providers. This presents a risk similar to the fake ATM machines used to collect PINs... Which is exactly the point. What do you think happens when you give your SSN to a business, voter registration clerk, etc? They are collected and used for the benefit of that business.. not you. -- Glen L. Roberts, Editor, Full Disclosure Magazine Host Full Disclosure Live (WWCR 5,810 khz - Sundays 7pm central) email glr@rci.ripco.com for information on The Best of Full Disclosure, four volumes to blow your mind. Voice/Fax on demand: (708) 356-9646 No record. No Trace calling: 1-900-STOPPER (786-7737). $1.95/min ------------------------------ From: jmcging@access.digex.net (John McGing) Date: 22 Aug 1994 15:26:47 -0400 Subject: Re: Multiple SSNs Organization: Express Access Online Communications, Greenbelt, MD USA cybrland@aol.com (Cybrland) writes: What prevents a person from going the the SS Admin and getting a 2nd, 3rd, or Nth, SSN? Is there some number that THEY match with your SSN? The ID data you present with documentation is used to see if an SSN with that data has already been issued. If you say you never had an SSN and are over 18, you gotta bring in a birth certificate and some other documentation. They then enter your parents names, date of birth, place of birth and name and see if they get a match (or a series of matches). You can even have a different name but the match will still find you under the old name. So unless you have fake documentation (of a fictictious person or a person who never had an SSN) they'll match through your biographical data. And as an aside, SSA is now, in many States, verifying birth certificates electronically, amking it harder to forge one. -- jmcging@access.digex.net Nobody knows the troubles I've seen jmcging@ssa.gov .... and nobody cares! J.MCGING on GEnie 70142,1357 on Compuserve Team OS/2 ------------------------------ From: jya@pipeline.com (John Young) Date: 22 Aug 1994 19:01:56 -0400 Subject: Microsoft "Chicago" OS Organization: The Pipeline dpbsmith@world.std.com (Daniel P. B. Smith) wrote: Apparently [Chicago] will also query your system automatically for hardware configuration. How far does it go? How far _could_ it go? Will it tell Microsoft if you have WordPerfect loaded on your disk, so they can send you an extra-special competitive upgrade offer? Will it time your keystrokes and tell Microsoft whether you're a fast typist? If you have 8 meg, will they sell your name to a RAM vendor so they can advertise upgrades? Will it search your disk for files with a .GIF extension and upload them to Microsoft to add to Bill Gates' personal collection? :-) The list has discussed possibilities for this and other future OSs: Search your disk for encryption programs and their passwords. Search your disk for encrypted files. Search for just about anything that is contracted, or legislated by government authorities, and private parties who wish to monitor your system. Store system data and transmit covertly along with innocent email or other electronic transmissions for stripping or mining by remailers. On a related matter: Hardware devices and software can do the same under guise of "metering" systems for software usage. CPU and board manufacturers can embed such features for covert system monitoring with reports piggybacked to electronic transmissions for auto-mining by remailers. Such hardware can similarly attach identification of authors and senders of encrypted and anonymously remailed electronic data for retrieval during transmission. These features can be added by contract, or legislated by governmental authorities, in lieu of, or parallel to, the implementation of the Clipper chip for telephonic systems. The capability for this is available through military downsizing and concomitant commercializing of human and material resources once devoted primarily to national security. ------------------------------ From: skypatrl@crl.com (Albert Zhou) Date: 22 Aug 1994 16:12:33 -0700 Subject: National Registry: Equifax for Driving Records? Organization: CRL Dialup Internet Access (415) 705-6060 [login: guest] It seems like many states rely on a database National Registry rather than respective DMV's for driving records. According to some personal accounts, this database is full of eroneous and outdated information, and in many cases, the drivers have to bear the burden of correcting the errors. Does anyone have more info on who owns National Registry, and how it operates? ------------------------------ From: vimrich@athena.mit.edu (Vernon R Imrich) Date: 21 Aug 1994 04:31:12 GMT Subject: Remailers and "Anonymous Personas" (aliases) Organization: Massachusetts Institute of Technology First of all, please post any remailer/anonymous-posting FAQ's. I've seen related things sporatically, but have not saved them. I can't recall if this or similar issues are covered. Issue: I think the remailer concept does not allow for true "anonymous personas." That is, should you wish to set up an alias identity and post anonymously but identified with the alias, the remailer system fails. First "the watchers" watch all incoming messages to the remailer site to find out where THOSE messages come from. They either come from people, or from other remailers. If they come from other remailers then they just watch that remailer to see what comes into it. Now, if you use PGP on the way to the remailer and latent time on the way out, they have no way of knowing which in messages led to which out messages, but they do have a bounded set of possible addresses (at most, all the users of a given remailer in say a week) since PGP doesn't hide the address on the way to the first (or only) remailer site. Since they can't be sure, they will keep track now of ALL the remailers and log ALL who use them. They'll be able to (eventually) identify anyone with an aliased "persona" by: number of incoming posts to all remailers from address X = number of remailed posts to public sites labeled with alias Y. X is likely the same as Y. This can be refined by comparing X(t) to Y(t) over time t. E.g. they grep usenet for all posts from someone calling themselves "Mr. Terrorist" over say, a week. Perhaps there are 80 such posts. Now, look over that same period at all the known remailer sites and chart the numbers of posts coming in from EACH user that is not another remailer. Anyone who sent out about a 80 posts to the set of all remailers is a possiblity (need not be exact since latent time effects might be there on first last few days of week's survey, and may have sent some posts w/o "Mr. Terrorist" name attached). Anyway, do this for a month instead of a week and it will narrow further. Track someone at weekly or monthly intervals over long enough time and the conincidences will also be eliminated. One way I see to avoid this is to use different originating sites. But this is possibly still a problem since the watchers will be able to link all address names to real people through the address providers. A log in the form of: person A = electronic addresses, A@delphi.com, A@aol.com, A@mit.edu, and so on could be arranged. A program could cross reference all electronic addresses to their associated "real person" and avoid problems. The main other way I see is for a given alias to post only at the level of "noise" so that s/he only posts as many times as the great bulk of remailer users do. Even so, that will just make tracking take longer, as the watchers use longer tracks to eliminate the noise and match the usage levels. E.G. Number of Posts to ALL Remailers users Week 1 2 3 4 5 6 7 8 ... A 5 10 3 7 12 4 9 6 B 9 8 5 3 10 12 2 8 C 15 3 4 9 3 7 4 6 D 100 5 7 50 4 20 2 7 E 1 0 2 0 3 2 1 0 F 0 1 0 0 2 6 0 1 ... Alias Number of posts seen on (say) Usenet "Mr. Idiot" 97 7 3 53 9 23 1 8 "Mr. Terrorist" 6 9 1 8 10 5 11 4 Obviously, "Mr. Idiot" is user D. "Mr. Terrorist" was smarter, posting only at the noise levels of several other users, but still: users E,F dropped out of contention in week 1 or 2 (too low usage), user C dropped out through weeks 5 and 7, user B dropped out through weeks 6 and 7. Must be A. And with automated covariance (correct term?) programs to do these comparisons it would be even faster. As long as the watching was done well, the comparision of usage (and storage of usage data) would be trivial even for millions of possible candidates. Basically, since there are a finite number of remailers to "watch" and all anonymous posts from a given alias must go through a remailer there will be a finite number of users in the list to compare to any given alias. Question, what might be the quantitative numbers on this? Are there so many possible users and so much "noise" that looking at such patterns is useless practically? Might there be ways to send "dummy messages" to remailers that have no mention of ones alias (or having long lag times of weeks or months) to distort the usage pattern? -------------------------------------------------------------------- | Vernon Imrich | market failure, n. The inabilty of the | | MIT OE, Rm 5-329b | market to recover from a blow by | | Cambridge, MA 02139 | intervention. (the Exchange) | -------------------------------------------------------------------- ------------------------------ The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. Back issues are available via anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The archives are in the directory "pub/comp-privacy". People with gopher capability can access the library at gopher.cs.uwm.edu. Mosaic users will find it at gopher://gopher.cs.uwm.edu. Archives are also held at ftp.pica.army.mil [129.139.160.133]. End of Computer Privacy Digest V5 #025 ******************************