PRIVACY Forum Digest      Sunday, 18 August 1996      Volume 05 : Issue 15

Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.

===== PRIVACY FORUM =====

-------------------------------------------------------------------
The PRIVACY Forum is supported in part by the ACM (Association for Computing Machinery) Committee on Computers and Public Policy, "internetMCI" (a service of the Data Services Division of MCI Telecommunications Corporation), and Cisco Systems, Inc.
- - -
These organizations do not operate or control the PRIVACY Forum in any manner, and their support does not imply agreement on their part with nor responsibility for any materials posted on or related to the PRIVACY Forum.
-------------------------------------------------------------------

CONTENTS
    Credit Card Company Now Marketing "Privacy" Program (Marc Carrel)
    Pagers as "commonly used drug-dealing equipment" (Jonathan Thornburg)
    Re: *Primary Colors* and Joe Klein (PGN, RISKS-18.26) (Joel Garreau)
    What constitutes appropriate monitoring of web browsers? ([Name Withheld by Request])
    Looking for Internet privacy stories (Joel McNamara)
    Cookie blocking (Martin Owensby)
    DoubleClick cookies (Scott Wyant)
    Registering to vote (Peter Langston)
    Alzheimers & Privacy (David R. Cochran)
    CPSR Conference, Oct. 19-20, DC (Susan Evoy)

*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com".

All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive.

All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com"; full keyword searching of all PRIVACY Forum files is available via WWW access.
-----------------------------------------------------------------------------

VOLUME 05, ISSUE 15

Quote for the day:

    "You fill me with inertia."
        -- George Spiggott ["The Devil"] (Peter Cook)
           "Bedazzled" (20th Century Fox; 1967)

----------------------------------------------------------------------

Date: Wed, 31 Jul 1996 15:11:39 -0700 (PDT)
From: ML.Carrel@SEN.CA.GOV
Subject: Credit Card Company Now Marketing "Privacy" Program

I recently received an interesting letter from AT&T Universal Card. It contained an offer for a program it calls Wallet Security Plus. The program is free for three months, and then $49 dollars a year thereafter. Those who sign a release form are sent materials to enter into this program which, according to the letter, provides the following services:

(1) Comprehensive Credit Report Service "so you can check the accuracy of your credit report on a regular basis and correct any potential discrepancies before they cost you an important loan, health insurance, or even a job. Your credit report is compiled from the three national credit bureaus and merged into one easy-to-read report." The program provides unlimited access to your report, a toll-free hotline for questions, and you will be notified "when an inquiry has been made to your file."

>>The letter does not mention that TRW will provide one free copy per year of an individual's credit report. Equifax and Trans Union (the other credit bureaus) may charge a fee, but many states, such as California, limit what they can charge. Bureaus are required to provide a free copy if you have been denied credit based on information in your report.

(2) 24-Hour Credit Card Protection against fraudulent use if any of the cards you register with this program are lost or stolen. The program also provides reimbursement for "your full liability for illegal charges to your account."

>>The letter fails to mention that practically all credit card companies already have 24 hour toll free hotlines to report lost or stolen cards, and will not charge you for fraudulent use after reporting the cards lost or stolen.
In addition, a customer's liability for fraudulent use of their card is no higher than $50 on each credit card. This is also true for ATM and debit cards reported lost or stolen within two days of the incident. After that, liability is up to $500.

(3) $500 Theft Reward for information leading to the conviction of anyone caught illegally using your credit cards.

>>This may sound enticing, but notice that the money only comes if there is a conviction. Small-time credit card thieves are rarely prosecuted. It just costs the companies money to provide evidence or staff for the deposition and trial. The companies just cancel the cards and write off the costs.

(4) Valuable Property and Document Registration "to secure all your important papers and register valuable property in case of loss or theft."

>>There is plenty of software out there to inventory personal property. In fact, many insurers require such an inventory for renters or homeowners insurance.

(5) Customized Driver's Search "for a comprehensive review of your motor vehicle record. Now you have access to the same information auto insurance companies use to set your rates. Make sure your record is right before you pay a higher premium."

>> I have no idea how accessible any state's DMV records are.

(6) VIP Notification Service "to make moving a lot easier. Register four people or companies with our service, and if you move we'll forward your address to all the VIP's on your list."

>>This can easily be done by filling out change-of-address cards provided free by the US Post Office. If you consider that for a move one needs to contact all credit card companies, banks, relatives, doctors, frequent flyer cards, alumni associations, other membership associations, magazine subscriptions, etc., there are many more than four VIPs that need to be notified anyway.

Maybe this is a good program, but I am extremely cynical.
Consider that by registering your cards, VIP contacts, personal property and document information with this program, you are handing over most of your important personal information to a company you know nothing about. Will they take information about your personal possessions (e.g. he owns a personal computer, she owns three racing bikes) and sell that information to direct marketers? Or when they combine the three bureaus' credit reports into one, will they keep that information?

I would be interested in hearing what others think of this service, and if anyone has ever heard of CUC International, Inc., the provider of Wallet Security Plus.

Marc Carrel
ML.Carrel@sen.ca.gov

------------------------------

Date: Mon, 12 Aug 96 18:20 PDT
From: bkis@island.net (Jonathan Thornburg)
Subject: pagers as "commonly used drug-dealing equipment"?

In PRIVACY Forum Digest v05 n14, Phil Agre said (commenting on a New York Times article describing the recent "Mountain Dew" pager promotion):

| the article makes no mention
| on restrictions on minors getting ahold of commonly used drug-dealing
| equipment without their parents' consent.

I agree that a significant fraction of drug transactions make use of pagers. However, it's also true that a significant fraction of drug transactions make use of ball point pens, ring-back notebooks, quarters, pay phones, and $20 bills (and many, many other items). In my opinion it's highly misleading, indeed inflammatory, to describe any of these items -- pagers included -- as "commonly used drug-dealing equipment", since in each case the legitimate uses are far more frequent than the illegitimate ones.

I also have a couple of questions about the more general topic of parental-consent requirements for minors using pagers:

Are there any parts of the world where pagers are freely available to adults, but require parental consent for minors?
If so, are the parental-consent requirements imposed only by the pager companies for defense against lawsuits, or are they "official" government laws? And if the latter, what are the penalties (levied on the pager service, I presume) for their violation?

And finally, what fraction of current pager users are minors?

- Jonathan Thornburg (personal E-mail)
  U of British Columbia / Physics Dept /

------------------------------

Date: Sun, 21 Jul 1996 06:48:04 -0700 (PDT)
From: Joel Garreau
Subject: Re: *Primary Colors* and Joe Klein (PGN, RISKS-18.26)

[ From Risks-Forum Digest; Volume 18 : Issue 27 -- MODERATOR ]

PGN makes excellent points about the difficulty of living a lie in his report on Joe Klein being unmasked as the author of "Primary Colors." But as the editor of *The Washington Post* team that had a lot of fun and a lot of pain reporting the "Primary Colors" story, allow me to cough a little dryly about the positive spin you put on the role of computers in the eventual success of our efforts.

For openers, the lesson I drew from my experience was that I would *never* trust a computer text analysis again. We ran a massive such effort independent of Professor Foster and *New York* magazine, and ours turned up results that at the time seemed fascinating, but in retrospect were ludicrous.

Even Foster didn't trust his results enough to bet the ranch on it. As recently as the day we finally broke the story, he was saying he thought it was Klein plus somebody else, and was still berating *New York* magazine for editing into his copy the flat statement that Klein was the author. Said flat statement was inserted by an editor with no special computer experience. Klein, however, first achieved note as a political columnist for the very same *New York* magazine. I suspect, therefore, that human intuition if not specific knowledge had more to do with that piece than the computer did.

We at *The Post* *did* get a frightening amount of financial information on Klein and his wife by computer, including the cost of his house, the amount of his mortgage, his address, his previous address, everything there is to know about his cars, and so forth. And we did it in a startlingly short period of time. It's amazing what you can do when you have a person's social security number and date of birth, and equally sobering how easy it is to get that information. Only our sense of journalistic propriety prevented us from pursuing and using further information that was readily available. But again, the information so gathered ended up being largely tangential to the final report.

I find it marvelous that what finally broke the case was good old-fashioned, if imaginative, gumshoe reporting. David Streitfeld, a Washington Post reporter with eclectic literary interests, receives all sorts of snail-mail catalogues from tiny second-hand bookstores. He saw offered for sale a copy of the manuscript...and the rest you can read in your newspapers. The handwriting analyst was an expert human. No computers were significantly involved.

Also, the reason Klein is in hot water today is that back when the *New York* article ran, we had our junk-yard dog, my boss, David Von Drehle, put him up against the wall by reminding him that credibility is the only asset a journalist has. Von Drehle then asked him to swear on his journalistic credibility that he was not the author of "Primary Colors." That's when he most memorably lied, as Klein himself acknowledged at his press conference.

In short, we put an extraordinary amount of computer effort into this story, including a passworded spreadsheet to keep track of all our reporting. But the cyberheroics ended up at best a sideshow if not a distraction, at least in our experience. It finally was cracked and developed by old-fashioned means.

Joel Garreau

[And in subsequent elections, Joe may now be saddled with Primary Collars.
Somehow, I am reminded of a quote from the cast party after the final episode of an early TV serial, Peyton Place, in which one of the actors who had been on the show longest was asked, ``To what do you owe your success in acting?'' The answer was this: ``Honesty. Once you've learned how to fake that, you've got it made.'' PGN]

------------------------------

Date: Wed, 7 Aug 1996 23:31:21 -XXXX
From: [Name Withheld by Request]
Subject: What constitutes appropriate monitoring of web browsers?

A "feature/bug" in the javascript of version 2.0 of Netscape allowed web servers to send a page that triggered the client machine to send email to an address that is specified by the server, without the knowledge of the user. In so doing, a web server could effectively log email addresses of the people that browsed their sites, which is a boon to direct marketers. Netscape corrected this in version 2.01 of their browser, but many people continue to use the old version (my statistics show that approximately 18% of the visitors to a site I administer currently use a vulnerable version).

In the course of my work I recently came across a government site that exploits this and attempts to log email addresses. The site is located at

    http://www.hr.doe.gov/ucsp/doeucsp.htm

The page http://www.hr.doe.gov/ucsp/ that leads to the page in question has the following statement on it:

    All Department of Energy telecommunications and automated information systems and related equipment are for the communication, transmission, processing, and storage of U.S. Government information only. The systems and equipment are subject to authorized monitoring to ensure proper functioning, to protect against unauthorized use, and to verify the presence and performance of applicable security features. Such monitoring may result in the acquisition, recording, and analysis of all data being communicated, transmitted, processed, or stored in this system by a user.
    If monitoring reveals possible evidence of unauthorized use or criminal activity, such evidence may be provided to appropriate DOE management or law enforcement personnel. Anyone using this system expressly consents to such monitoring.

I understand their monitoring to prevent abuse, but I don't see where the user consents to give up a private piece of information that is not ordinarily transmitted as part of web browsing.

Strangely enough, this same web page contains a link to a statement from Archer L. Durham, Department of Energy Assistant Secretary for Human Resources and Administration, that reads as follows:

    ... We, as Federal employees, are expected to hold ourselves to the highest standards of behavior and stewardship. We should remind ourselves and those whom we supervise of the risks associated with inappropriate use of Federal resources, including electronic mail or duty time.

When I complained to the administrator of this site, it was defended on the grounds that it constitutes appropriate monitoring of users. If you follow this line of reasoning, the next thing we know, web browsing at a government site will implicitly give consent for

- the video camera atop your machine to be activated to monitor what use you make of the information you gather from the site.

- the microphone on the sound card to be activated for the purpose of eavesdropping, perhaps written in ActiveX and digitally signed by the government.

- a virus to be installed on your machine to track the use of all government supplied information. Perhaps it will be written in javascript, along the lines of http://www.osf.org/~loverso/javascript/www-sec-Mar22.html

After all, we should expect these things to be possible in the future through some bug or capability of a web browser. Is this where we are heading in the interests of deterring computer abuse? Whatever happened to "informed consent"?
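
[ Added example, not part of the original submission: a figure like the 18% quoted above depends on how visitors on Netscape 2.0 are counted in the server log. The Python sketch below counts distinct client hosts whose User-Agent reports exactly version 2.0 (the version the message names) and shows how a plain "Mozilla/2.0" prefix match overcounts by also catching 2.01 and browsers that announce themselves as "compatible". The combined log format, the sample lines and all function names are assumptions made for the example. ]

```python
import re

# Constructed sample in NCSA combined log format; hosts and requests are made up.
SAMPLE_LOG = """\
alpha.example.com - - [07/Aug/1996:10:01:12 -0700] "GET /index.html HTTP/1.0" 200 4120 "-" "Mozilla/2.0 (Win95; I)"
alpha.example.com - - [07/Aug/1996:10:01:15 -0700] "GET /logo.gif HTTP/1.0" 200 912 "-" "Mozilla/2.0 (Win95; I)"
beta.example.org - - [07/Aug/1996:10:03:40 -0700] "GET /index.html HTTP/1.0" 200 4120 "-" "Mozilla/2.01 (X11; I; SunOS 5.4 sun4m)"
gamma.example.net - - [07/Aug/1996:10:05:02 -0700] "GET /index.html HTTP/1.0" 200 4120 "-" "Mozilla/2.0 (compatible; MSIE 3.0; Windows 95)"
delta.example.edu - - [07/Aug/1996:10:09:55 -0700] "GET /index.html HTTP/1.0" 200 4120 "-" "Mozilla/3.0b5 (Macintosh; I; PPC)"
epsilon.example.com - - [07/Aug/1996:10:12:31 -0700] "GET /index.html HTTP/1.0" 200 4120 "-" "Mozilla/1.22 (Windows; I; 16bit)"
zeta.example.org - - [07/Aug/1996:10:14:08 -0700] "GET /index.html HTTP/1.0" 200 4120 "-" "Lynx/2.5 libwww-FM/2.14"
eta.example.com - - [07/Aug/1996:10:20:47 -0700] "GET /index.html HTTP/1.0" 200 4120 "-" "Mozilla/2.0 (Macintosh; I; 68K)"
this line is not a log record
"""

# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]*\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Product token, version, then the parenthesised platform detail.
USER_AGENT = re.compile(r'^Mozilla/(?P<version>\d+\.\d+\w*)\s*\((?P<detail>[^)]*)\)')


def classify(user_agent):
    """Return 'navigator-2.0', 'navigator-other' or 'other' for one User-Agent."""
    match = USER_AGENT.match(user_agent)
    if match is None:
        return "other"
    # Other browsers reuse the Mozilla token and mark themselves "compatible".
    if match.group("detail").lower().startswith("compatible"):
        return "other"
    # Only the release the message names is counted; "2.01", betas such as
    # "2.0b3" and every other version fall into 'navigator-other'.
    if match.group("version") == "2.0":
        return "navigator-2.0"
    return "navigator-other"


def visitor_report(log_text):
    """Count distinct hosts (visitors, not hits) seen with Navigator 2.0."""
    classes_by_host = {}
    naive_hosts = set()
    skipped = 0
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LOG_LINE.match(line)
        if match is None:
            skipped += 1          # malformed record: report it, do not guess
            continue
        host, user_agent = match.group("host"), match.group("ua")
        classes_by_host.setdefault(host, set()).add(classify(user_agent))
        if user_agent.startswith("Mozilla/2.0"):
            naive_hosts.add(host)  # what a plain prefix match would count
    affected = sorted(h for h, seen in classes_by_host.items()
                      if "navigator-2.0" in seen)
    total = len(classes_by_host)
    return {
        "visitors": total,
        "affected_hosts": affected,
        "affected_share": len(affected) / total if total else 0.0,
        "naive_prefix_hosts": len(naive_hosts),
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    report = visitor_report(SAMPLE_LOG)
    print("%d of %d visitors on Navigator 2.0 (%.0f%%); prefix match would say %d"
          % (len(report["affected_hosts"]), report["visitors"],
             100 * report["affected_share"], report["naive_prefix_hosts"]))
```
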

------------------------------

Date: Sat, 20 Jul 1996 20:03:39 -0700
From: Joel McNamara
Subject: Looking for Internet privacy stories

I'm compiling what I hope will be the definitive source of worldwide case studies that demonstrate the benefits of Internet privacy tools. These stories will have a human focus, and clearly show the importance of PGP, anonymous remailers, and other tools to cultural, economic, and political processes.

The goal is to have a body of accounts that show Internet privacy technologies being used to benefit society. These stories will be published on a Web page, and can be used by privacy advocates to contrast against government claims that encryption and other tools will solely benefit criminals. If there are enough compelling stories, they may eventually find their way into a book.

If you have a story to tell, or know someone who does, I'd like to hear it. It doesn't have to be an exciting "rebels in the jungle" account either. In many ways, the everyday "slice of life" stories may be more important in showing the value of electronic privacy. Confidentiality will be maintained, of course.

For details see:

    http://www.eskimo.com/~joelm/privacy.html

Joel McNamara
joelm@eskimo.com

------------------------------

Date: Sun, 21 Jul 1996 22:22:49 -0400
From: Martin Owensby
Subject: cookie blocking

>Date: Sat, 15 Jun 1996 18:11:18 -0700 (PDT)
>From: Runs With Scissors
>Subject: Blocking Cookies

>A company called "PrivNet" (http://www.privnet.com) has a product
>called "Internet Fast Forward" which can selectively block and/or
>allow cookies. It is currently in beta and works only with Netscape
>under a couple of flavors of MS Windows. It is available from the
>web site free right now. It also blocks advertisements.

---

Thought it worth mentioning that the latest beta of Internet Explorer (3.02b) provides for selective blocking/allowing of cookies. Provides some info on cookies also.

owensby@ix.netcom.com

------------------------------

Date: Mon, 22 Jul 1996 11:40:02 -0700
From: Scott Wyant
Subject: DoubleClick cookies

>In Volume 05 : Issue 12, hgoldste@bbs.mpcs.com (Howard Goldstein) wrote:
>
>> One of the new features, a security feature strangely categorized as a
>> 'network' feature, queries the user before allowing "cookies" to be set.
>
>> I was surprised to find that every night for the last two weeks after
>> enabling this I've been handed a "cookie" by a site I never knowingly
>> visited, at http://ad.doubleclick.net .

I posted a fairly long description of what DoubleClick is actually doing, to a library listserve called JESSE, and received a blizzard of messages. You can read about it yourself -- just use AltaVista or Yahoo to find DoubleClick, and read the marketing materials on their site.

The most interesting thing about this company is that you DON'T have to visit their site to get a cookie from them. Unless I misread the Cookie specs, this is a violation (at least in spirit) of what the cookie file is supposed to be used for. You can read those specs, too. They're at:

Scott Wyant
Spinoza Ltd.

------------------------------

From: Peter Langston
Date: Sat, 3 Aug 96 18:30:44 -0700
Subject: Registering to vote

Forwarded-by: Keith Bostic
Forwarded-by: "John P. Kole"
Forwarded-by: John Stewart
Original-From: rickh[SMTP:rickh@sybase.com]

Thanks to the Motor Voter law, you can now register to vote electronically. Just follow your nose at:

    http://netvote96.mci.com/register.html

[ Don't panic! It turns out this isn't really a service that actually registers you to vote. It does ask for name and address, date of birth, and party affiliation. The service then fills out an appropriate voter registration card with that info, and physically *mails* it to you. You must then sign the card and send it in to the appropriate state authorities.
Whether or not you feel comfortable sending your date of birth and party affiliation over the net on a plaintext form is of course a personal decision, but this ends up being widely disseminated information no matter how you register. Filing a false card would still constitute a criminal act. -- MODERATOR ]

------------------------------

Date: Thu, 15 Aug 1996 21:47:39 EDT
From: davidrc@juno.com (DAVID R COCHRAN)
Subject: Alzheimers & Privacy

Scam artists are targeting the elderly that have Alzheimer's with the intent to embezzle. With the aid of a telephone, these racketeers extract money through cleverly woven yarns to the unexpected. Through the means of mailing lists, scam artists target their own customers with these high tech demographic tools of communications.

Mailing list companies can produce detailed lists that show marketing specialists information on people with such diseases as Alzheimer's. Lists can be compiled geographically. They have access to phone numbers and mailing addresses. All this information can be purchased in label format or diskette for computers.

I feel that list companies should be more responsible with their marketing information. Supplying lists with such information should be handled with a little more scrutiny and discretion...

David R. Cochran
davidrc@juno.com

------------------------------

Date: Tue, 23 Jul 1996 23:27:00 -0700
From: Susan Evoy
Subject: CPSR Conference, Oct. 19-20, DC

COMMUNICATIONS UNLEASHED
What's at Stake? Who Benefits? How to Get Involved!

Computer Professionals for Social Responsibility
Conference and Annual Meeting
October 19-20, Georgetown University, Washington, DC

The Telecommunications Act of 1996 precipitated a dramatic change in the way we look at, think about, use, and provide communications and information. As old boundaries disappear, public interest and consumer interests take on new meanings.
What will the sleek infobahns of the new era offer consumers, including rural and remote area residents and the urban underserved? What will the changes mean for the rights of consumers to express themselves and access information freely, and to conduct transactions reasonably, without fear of big brother or big business invading their privacy, or worse? What are the new roles for regulators? How will they interact with each other and where will jurisdictional lines be drawn? And how do we, as citizen activists, work to guarantee our rights and pursue the public interest in the new legislative, regulatory, and commercial landscape?

This conference brings together experts in policy and activism to explore the current state of policy development. They will help you to translate this knowledge into effective advocacy and action in order to protect the interests of the underserved from an onslaught of revolutionary changes that deregulation and unfettered competition will bring.

The speakers will explain the real-world implications of the changes in telecommunications laws, along with the regulatory activity that implements these laws and how to influence these processes. Activists at many levels will share success stories and tactics that work, and will build our collective knowledge and experience into networks of activists that can support each other into the future.

Please plan to attend this information-rich weekend of October 19-20, at the epicenter of the earthquake that is shaking up the telecommunications landscape, Washington, DC.
Further details will be distributed in the next month and will be posted on our Web site at http://www.cpsr.org/home.html

CONFERENCE PROGRAM FOR SATURDAY, OCTOBER 19

KEYNOTE SPEAKER - RALPH NADER (invited)
Green Party Presidential nominee and legendary consumer advocate

THE COMMUNICATIONS TSUNAMI

In the new blurry world of corporate mergers and mega-packaging of services, where is the consumer and public interest stake and who will represent it? Panelists will examine the post-telecom act world with a view toward interpreting the impact and effects of universal service, the opening of local exchanges to competition, the provision of fair pricing rules, and stewardship of the dazzling array of newly emerging broadband services.

TOOLKITS FOR ACTIVISTS

This panel will assess the kinds of tools, methods, and techniques available to activists and practitioners at state, local, and community levels. How can activists get a wedge in among the telecom and media giants? For community nets, what works, what doesn't, and why? How can public interest concerns be leveraged at the micro-level? How can citizens learn to grasp and work with the new market and regulatory realities at national, state, and local levels?

THE INTERNET: COMMERCIALIZATION, GLOBALIZATION, AND GOVERNANCE

The accelerating commercialization and globalization of the Internet raises new and divisive problems of governance and control. What might these trends mean for the Internet in the years to come? Can we create cooperative institutions for Internet management that are globally inclusive and effective? Will governments adopt policies that promote or stifle innovative new services like Internet telephony? What new pricing schemes will be developed, and what will be the impact on access to information and services?

INFORMATION RIGHTS

New information technologies and policy responses to them raise many issues related to information rights on the Internet.
Panelists will discuss new threats to privacy enabled by the collection of personal information on the web, and ways to combat them; freedom of speech online, including the Communications Decency Act as well as state and international issues; and the consequences of new measures to protect copyright, including currently pending legislation and technical proposals from industry.

COMPUTERS AND ELECTIONS: RISKS, RELIABILITY AND REFORM

There are widespread and legitimate concerns about the accuracy, integrity and security of computer-generated vote totals. Panelists will discuss the technical, social and political origins of these concerns within the context of today's election system. They will also make recommendations for changes in the areas of technology, election law, accountability and oversight.

CONFERENCE PROGRAM FOR SUNDAY, OCTOBER 20

CONCURRENT WORKSHOPS

SESSION ONE
    Competition and the Internet Consumer
    Civic Networking: By-passing the Big Boys
    Media Tactics and Outreach

SESSION TWO
    Internet Legal Issues
    Broadcasting and Mass Media
    Fundraising for the Public Interest

CPSR 1996 ANNUAL MEETING

--
Susan Evoy * Deputy Director
http://www.cpsr.org/home.html
Computer Professionals for Social Responsibility
P.O. Box 717 * Palo Alto * CA * 94302
Phone: (415) 322-3778 * Fax: (415) 322-4748 * Email: evoy@cpsr.org

------------------------------

End of PRIVACY Forum Digest 05.15
************************