PRIVACY Forum Digest      Wednesday, 13 April 1994      Volume 03 : Issue 08

Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.

===== PRIVACY FORUM =====

The PRIVACY Forum digest is supported in part by the
ACM Committee on Computers and Public Policy.

CONTENTS
    Editorial: "Crime, Privacy, and Singapore"
       (Lauren Weinstein; PRIVACY Forum Moderator)
    Searching for health care anecdotes
       (Marianne P. Lavelle)
    Postmaster Gen'l wants to "certify elec.msgs. for privacy" ??? (fwd)
       (Lance J. Hoffman)
    We Can't Heeeaaarrrr You ...
       (Richard Johnson)
    Dave Barry Responds To E-Mail Hacking Charges [extracted by MODERATOR]
       (Erik Nilsson)
    Let your fingers do the walking on the Internet
       (Paul Robinson)
    NYNEX Calling Card Fiasco
       (George Feil)

*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------

The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com".
All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are also available through the Internet Gopher system via a gopher server on site "gopher.vortex.com".

For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@vortex.com, call (818) 225-2800, or FAX to (818) 225-7203.

-----------------------------------------------------------------------------

VOLUME 03, ISSUE 08

Quote for the day:

    "Where was it I lost control of that interview?"

        -- Hans Conried; "Fractured Flickers" (1963)

----------------------------------------------------------------------

Date: Wed, 13 Apr 94 19:11 PDT
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Editorial: "Crime, Privacy, and Singapore"

Greetings. Be warned--it's time for another PRIVACY Forum editorial.

I've frequently noted that it's easy for privacy rights to gradually slip away--sometimes with people hardly even noticing the individual losses until they add up to a big chunk--and by then it's usually very difficult to do anything about them.
Then again, sometimes people willingly give up aspects of privacy in the belief that they will gain something valuable in return. Unfortunately, the loss of privacy often does far more damage in the long run than the perceived benefits.

There is an increasing correlation in the U.S. between privacy and crime issues. Little by little, we see more and more efforts to limit various aspects of privacy in the name of crime control. We're also seeing a rash of very broad "get tough" sentencing laws, many of which, in my opinion, are based on frail reasoning likely to have widespread unanticipated negative effects on prosecutions and society in general (but they're almost always great politics--reality be damned!)

Obvious examples are the so-called "three-strikes" laws (and now, "one-strike" laws) which already literally have homeless, mentally ill persons facing life imprisonment for knocking over other homeless persons (not injuring them, just knocking them down--but it's classed as a felony violent assault). As a society, we seem unwilling to do anything to help such persons--other than lock them in a cell for life -- *that* we're willing to pay for.

Of course, you can depend on many of the folks being sucked into these laws to never have adequate representation--but what does it matter if a few innocents rot away in jail for the rest of their lives? Or for that matter, why shouldn't someone die when they've been convicted of a capital crime, just because evidence found after a particular arbitrary time *definitively* could prove the person innocent? You don't believe it? Check out the laws in some states and think about new technologies involving DNA identification. These cases exist right now.

Is crime a serious problem? Absolutely. Are stiffer penalties for some classes of criminals needed? Yes, indeed. However, we must be careful in our efforts to deal with crime that we don't create broad draconian side-effects as a result. The same applies to privacy issues.
An interesting example of what happens when privacy is depleted and social order (crime control) is elevated to the top of the scale is the country of Singapore. Ruled (under various titles) by the same man with an iron hand for many years, it is, on its face, clean, orderly, and prosperous--moving with incredible speed into the 21st century, becoming the Asian information/technology center supreme.

It is also a land where personal privacy is vanishing, where onerous punishments for even trivial "crimes" are the rule, and where, as a result, outward migration from the country has become a significant problem. It's a land where mere possession of chewing gum is considered to be a significant crime, where all citizens are reduced to "children" faced with an endless array of signs pointing out the serious penalties for even the most minor transgressions. It's also a place where government tracks citizen movements via the mass transit systems and otherwise keeps intense centralized scrutiny on all aspects of citizens' lives. It is, in certain aspects, the embodiment of some features from "1984"--taken into modern terms with a layer of high technology thrown in for good measure.

From the British masters of colonial times the Singapore government has come to rely on corporal punishments for some crimes. The current case of the American youth facing "caning" has made headlines, and has caused something of an outpouring of emotion from some quarters in the U.S.--an outpouring of loud, angry, short-sighted emotionalism with some persons suggesting not only that the mutilating punishment which has been categorized as torture is appropriate for the minor, non-permanent vandalism caused by the youth, but suggesting that such punishments should be used over here. Some have also suggested even more violent punishments for such offenses.

The details of caning in Singapore are instructive:

From: jodi731@utxsvs.cc.utexas.edu (Werner J.
Severin)
Newsgroups: soc.culture.singapore
Subject: Re: Caning in Singapore
Date: Sat, 02 Apr 1994 10:38:41 -0600
Organization: Univ. of Texas at Austin

In article <2nj1un$oja@nuscc.nus.sg>, law00138@leonis.nus.sg (Hoo Cher Liek) wrote:

...

Firstly, the prisoner is examined to see if he is fit to be caned. The caning takes place in the prison itself, in a room. The prisoner is stripped naked and tied to a special X-shaped rack. He is not gagged so that his screams can be heard by the rest of the prisoners. The caning takes place behind closed doors and is generally not open to viewing.

The cane, or ratan, is literally made to order. It is usually about three feet long and about half an inch thick. Before the sentence is executed, the cane is dipped in a special chemical to ensure maximum effect.

The executor is no ordinary person. He is specially chosen and must have qualifications in martial arts. He practices caning regularly, so that his positioning and stroking is extremely precise to have maximum effect. The cane stroke usually ends up at the exact spot as the previous, and is inflicted on the buttocks.

In the process itself, the executor uses not just his arm, but his entire body weight. Technique is crucial. The first stroke breaks the skin. Even the most hardened criminal is known to scream. Usually, by the third stroke, the accused passes out and has to be revived. A doctor is always present and must examine the accused after every stroke to ensure that he is capable of carrying on. The time interval between each stroke is around 30s to 1 minute. Wherever possible, the entire sentence is carried in one flogging to achieve maximum effect. Where that is not possible, the prisoner is allowed reprieve until such time that he is deemed fit to carry on.

Because of the chemical applied on the cane, the marks are permanent and cannot be removed...

...

The following is part of a news item from the March 21 Voice of America--

TEXT: MS.
JONES REMEMBERS THE TRAUMA REPORTED BY ONE MAN WHO CAME TO AMNESTY INTERNATIONAL AFTER SEVERAL STROKES OF THE CANE.

TAPE CUT THREE JONES

"HE WAS SHIVERING AND PERSPIRING WITH FEAR JUST BEFORE. AND THEN DURING THE CANING, HE REMEMBERS HE FELT IT WAS LIKE A TEARING ACROSS HIS BUTTOCKS. HE TALKED ABOUT HOW HE SCREAMED LIKE A MAD ANIMAL AND HOW BASICALLY, IT LEAVES HUMONGOUS [FESTERING] AND HUGE SCARS ON HIS DERRIERE. IT SWELLED TO TWICE ITS SIZE AND HE WAS NOT ABLE FOR WEEKS AND WEEKS TO WEAR CLOTHING. THE TREMENDOUS BRUISING BLACK AND BLUE OF THIGHS. AND HE SAYS TO THIS DAY HE STILL HAS NIGHTMARES ABOUT IT. THIS HAPPENED WHEN HE WAS SEVENTEEN. HE'S NOW OVER 40. THIS ISN'T JUST A LITTLE SPANKING. (BEGIN OPT) THIS IS TRULY TRAUMATIC. IT MAY BE EASY FOR PEOPLE TO SAY, 'OH, THIS IS SIMPLY A LITTLE PAIN AND IT'LL GO AWAY.' IF ONE HAS UNDERGONE IT, I THINK ONE CAN REALLY UNDERSTAND THE CRUELTY OF IT. (END OPT)"

Let's skip the issue of whether or not the Singapore government has applied the vandalism statutes unfairly (apparently this is the first time anyone has been sentenced to caning there for other than "politically"-oriented vandalism--which tells us even more about the Singapore government's views). International organizations have officially classified the punishment as torture.

There is little crime in Singapore--because the population is effectively the property of the state and treated as such. The ruler of the country claims that the reason Singapore is so crime free is that Asian cultures value society more highly than the individual, in distinction to Western cultures.

I certainly agree that corporal punishments can be effective. If you treat humans as slabs of meat to be tortured for minor transgressions, I have no doubt you can achieve wonders in law enforcement. As they say, the trains run on time under dictatorships.

But is this really the sort of society we should emulate?
Do we really want "1984", "Clockwork Orange", and "The Running Man" all rolled into one when it comes to crime control and privacy? I hope not.

--Lauren--

------------------------------

Date: Mon, 28 Mar 1994 17:22:50 -0500 (EST)
From: "Marianne P. Lavelle"
Subject: searching for health care anecdotes

Hello, I'm a writer for The National Law Journal, a newspaper for lawyers, and would like to send a query to members of the PRIVACY mailing list. I am writing about some legislation that would provide privacy protection regarding health care information, and I am looking for anecdotes about misuse of health information. Have there been documented instances of Job Discrimination, Insurance Discrimination, or other harms?

If this is an inappropriate use of the list, please forgive me. I trust that because it is a moderated list, the moderator will be able to screen this message out. I hope you'll be able to help me on this important privacy issue.

Marianne Lavelle
The National Law Journal
mlavelle@cap.gwu.edu
voice: 202-662-8921

------------------------------

Date: Mon, 28 Mar 1994 21:46:49 -0500 (EST)
From: "Lance J. Hoffman"
Subject: Postmaster Gen'l wants to "certify elec.msgs. for privacy" ??? (fwd)

Forwarded message:

>From jwarren@autodesk.com Mon Mar 28 19:46:12 1994
Date: Mon, 28 Mar 94 15:41:11 PST
From: jwarren@autodesk.com (Jim Warren)
Message-Id: <9403282341.AA15794@megalon.autodesk.com>
To: eff@eff.org
Subject: Postmaster Gen'l wants to "certify elec.msgs. for privacy" ???

Just got this from Jon Erickson, Ed-in-Chief of Dr. Dobb's Journal. Part of it came from an Associated Press story by Randolph Schmidt; part from Jon's follow-up conversations with folks at USPS, including their new Technology Applications Group. I consider it likely, reliable, but not authoritative.
--jim

Reportedly: Postmaster General Marvin Runyon suggested that the Postal Service should be certifying electronic messages to safeguard privacy, "securing one company's market-sensitive information from the intruding eyes of its competitors," or so he said in March 24th testimony before the Senate Governmental Affairs Subcommittee.

The AP story apparently somewhat mentioned Commerce and the Department of Justice, but not the detailed link. Jon called USPS and worked his way beyond the p.r. flacks. Asked if this proposal to certify electronic messages to assure their privacy and its coordinating with Commerce and Justice was a reference to Clipper, and he was told yes.

It appears that the PM General has proposed that the USPS get in the business of certifying electronic messages [via what channels?] to assure their INsecurity by using Capstone/Clipper/Skipjack.

Advanced Technology Group is also working on handwriting recognition -- but only for recognizing addresses on letters, I'm sure.

--jim
Jim Warren, columnist for MicroTimes, Government Technology, BoardWatch, etc.
jwarren@well.sf.ca.us -or- jwarren@autodesk.com
345 Swett Rd., Woodside CA 94062; voice/415-851-7075; fax/415-851-2814

1984 is a bit late this decade. But it does appear to be arriving.

Feel free to repost and resend. I'm bcc'ing to lots of others.

--
Professor Lance J. Hoffman
Department of Electrical Engineering and Computer Science
The George Washington University
(202) 994-4955   Fax: (202) 994-0227
Washington, D. C. 20052
hoffman@seas.gwu.edu

------------------------------

Date: Tue, 29 Mar 1994 08:39:40 -0800 (PST)
From: rdj@plaza.ds.adp.com (Richard Johnson)
Subject: We Can't Heeeaaarrrr You ...

(quotes from 21 March, 1994 "Aviation Week"), pg 51

AT&T has applied acoustic and digital signal processing technology developed for antisubmarine warfare to produce a vehicular traffic surveillance system.
The SmartSonic Traffic Surveillance System detects vehicles acoustically and can differentiate between large vehicles, such as buses and trucks, and automobiles, from the signatures.

Here's the rub ...

... Processing and computing capacity in excess of that needed for vehicular traffic surveillance allows for future signal processing growth, such as a more detailed classification of vehicles. A possible auxiliary use would be detecting accidents and alerting authorities ....

While monitoring traffic flow is probably a good thing, simply possessing the ability to collect all kinds of data in addition to the vehicle count just invites abuse.

It seems that a simple piece of software could differentiate (mathematically) the signal of a vehicle and determine its speed. Together with vehicle identification from acoustic signature, tracking of your car and its behavior becomes simple.

Another (not so simple) program could locate and identify footfalls. Or conversation. And again, acoustic signatures and possibly even voiceprints could be used to the advantage of some unscrupulous person or agency.

I'm sure you can think of other possible side-effects and risks, too. Don't count on me to be the first on our block to request one of these.

--
Richard Johnson (rdj@plaza.ds.adp.com) (richard@agora.rdrop.com)
We meet our destiny along the road we take to avoid it. -- C.G. Jung

------------------------------

Date: Fri, 8 Apr 1994 01:48:31 -0700
From: erikn@goldfish.mitron.tek.com (Erik Nilsson)
Subject: Dave Barry Responds To E-Mail Hacking Charges [extracted by MODERATOR]

[ Extracted from CPSR/PDX 7 #4 by MODERATOR ]

CPSR/PDX received the following letter from syndicated columnist Dave Barry's office:

> Let me tell you what happened, and you can decide how immoral it was.
> During the Olympics, a lot of rumors about Tonya Harding were floating
> around the press center. One of these was that some numbers were
> Tonya Harding's e-mail code.
> A lot of people punched these into the
> computer to see if they were. I was one of those. As soon as I saw
> the numbers worked, I signed off, _without_ reading any e-mail.
>
> Perhaps you wouldn't have done what I did. I respect that. But I
> view what I did as checking out a rumor, and no more. I never saw any
> private correspondence, nor, as far as I know, did other reporters.
> When some reporters' names surfaced in connection with this, I
> volunteered the information that a lot of people, including me, had
> tried those numbers. I was trying to put what happened into
> perspective; Unfortunately, the quotes that were printed made it sound
> as though I was defending the practice of reading other people's mail.
> I wasn't.
>
> Sincerely,
>
> Dave Barry
>
> DB/js

------------------------------

Date: Mon, 11 Apr 1994 03:47:29 -0400 (EDT)
From: Paul Robinson
Subject: Let your fingers do the walking on the Internet
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA

-----

Saturday I was over at Micro Center, a computer store in Vienna, Virginia. Visiting the book department, I spotted a new set of three books, highlighted in plain view, all having the word "Internet" on the cover.

One was a book on things you can find, e.g. a list of sources for things such as Weather information, FTP sites for various types of files, and so on, e.g. a list of services similar to the ones on the internet, only broader and much better organized. It was also about an inch thick, which meant it was about 500 pages long. I didn't have much chance to look at it since I don't have that much interest in the services on the Internet. I know they are comprehensive, I just never thought about it.

The second book was printed on yellow paper and I think it referred to itself as "The Internet Yellow Pages". In essence it was a topic and subject cross reference for news groups and mailing lists. This, I think is a good idea.
It's better if someone knows that, for example, Com Priv deals with the Commercialization and Privatization of the Internet and not with say, Private Compost heap management. (Although some people who read that group might think the latter is more accurate.) Or that the Bitnet list ETHICS-L@VM.GMD.DE deals with the ethics of computer programming and computer-related ethical issues, rather than it being a general ethics list. This too, was a Phone Book sized tome, about 3/4 inch thick, and it also mentioned that it covers about 2700+ newsgroups, which doesn't make it comprehensive (as someone corrected me earlier this month, the worldwide set of public newsgroups is currently over 8,000 and runs close to 100 megabytes a day.)

What I found most interesting was the third book, also about an inch thick, e.g. phone book sized, and what could probably be called "The Internet White Pages". Someone started collecting E-Mail addresses and names for people from public messages, probably those posted on newsgroups and heavily circulated mailing lists and put them in alphabetical order. A practice very similar to that done by the address lookup program on rtfm.mit.edu (formerly "pit-manager"). Apparently the compiler of the book collected some 100,000 people's names and printed them up.

This book is fairly recent but not that much. As with most people, I looked myself up. While it does have my address on access.net and MCI Mail, it does not have my address here on TDR.COM, which implies that it stopped collecting before I started using it almost exclusively, which would be before December 5, 1993, which is when the TDR.COM domain is listed as last updated via WHOIS.

Some people seem to have gotten upset over the collection of E-Mail addresses for advertising. Now, here, someone has generally collected everyone's address off public messages, and published them in a book that is sold over the counter in a computer store. I wonder how people feel about this issue.
The author said in the preface quite frankly that he had started "surrepticiously" collecting E-Mail addresses for a while. I put that word in quotes because I think that was his term, not mine.

I am trying to avoid being judgemental here, because I don't see it as that big a problem. My E-Mail address is not my street address and doesn't tell you where I live or what I do or how much money I make or how educated I am. But this practice does annoy some people and I wanted to let some people know that if you are worried about the collection of names and E-Mail addresses, you are a little late, someone's already done a White Pages that anyone can purchase. And if it's successful, I'll bet there will be new issues, as well as possibly competitors.

Seriously, I have a full newsgroup feed coming into the site I use, there's nothing that says I couldn't set up a cron job that runs several times a day to scan the spool files and collect addresses for subsequent publication. Anyone who has access to a full news feed could have done the same thing.

Here's some questions to think about:

What do you think about the practice? Is it right or wrong and why?

Does this impact people's security?

Are there risks involved if your E-Mail address becomes well known or if it is misprinted in a published "white pages"?

Are there other considerations to think about?

---
Paul Robinson - Paul@TDR.COM

------------------------------

Date: Tue, 12 Apr 94 16:45:21 -0400
From: "George Feil"
Subject: NYNEX Calling Card Fiasco

Recently, NYNEX sent all its calling card holders in New York a flyer for an "Only in New York" sweepstakes. The idea was that customers would automatically get one entry into the sweepstakes for every call they made on the calling card. (The calling card number consists of the customer's area code and phone number, followed by a four-digit PIN).

Unfortunately, this has led to two problems.
First of all, a private corporation has been given access to every customer's calling card number. Secondly, the flyer was sent taped together, and not in a sealed envelope. On the inside was printed a facsimile of a calling card, with the customer's PIN. This could be easily read without breaking the seal by bending the flyer slightly. Therefore, anyone who picked up this flyer could determine a person's calling card number by looking up their phone number in the book, and appending the PIN to it!

As a result, thousands of outraged customers (including myself) have called NYNEX requesting a new PIN. NYNEX has set up a special hot line specifically to handle such requests. In addition, they promised that no customer would be responsible for any fraudulent usage on their card caused by this promotion.

By the way, this got a lot of media attention in the New York City area, which probably fueled even more calls by customers to NYNEX.

George Feil
feil@sbcm.com
voice: 212-524-8059   fax: 212-524-8081
Opinions are not those of SBCM Inc.

------------------------------

End of PRIVACY Forum Digest 03.08
************************