|
Computer Privacy Digest Vol 1 #106
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
Computer Privacy Digest Thu, 03 Dec 92 Volume 1 : Issue: 106
Today's Topics: Moderator: Dennis G. Rears
Re: Phone Privacy: Call Records
SSN and privacy
Grocery Store "Lottos"
Telephone Logs
Re: Lucky Supermarkets copies social security numbers on to checks.
moderator misinformation
Akron BBS trial update!
Fully automated speeding tickets
Re: Re: Blockbuster announces plan to use data from video rentals
Digital Licenses in NY State
The Computer Privacy Digest is a forum for discussion on the
effect of technology on privacy. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy
(Moderated). Submissions should be sent to
[email protected] and administrative requests to
[email protected].
Back issues are available via anonymous ftp on ftp.pica.army.mil
[129.139.160.133].
----------------------------------------------------------------------
Subject: Re: Phone Privacy: Call Records
From: [email protected] (A virtually vegetal non-entity)
Date: 2 Dec 1992 15:06 MST
Reply-To: [email protected]
Organization: University of Arizona MIS Department - Mosaic Group
In article <[email protected]>, [email protected] (Kip J. Guinn) writes...
>
> Do phone companies keep records of local calls made from your telephone?
>[Moderator's Note: They do not keep track of the local numbers you
>call.
This would be nice if it were true, but it isn't. Modern digital switches
(i.e., most switches in most cities) log every call. The data, in fact,
are huge, but this is why God invented computers, high density disk and
tape drives---to keep track of large amounts of data. Naturally, it is
reasonable for a particular local telephone company to turn off such an
option, but few do, given the current legal environment. LECs also choose
their own retention period, which I suspect gets longer every year, as
technology and the courts encourage them to store more information.
Getting access to the data is not only very difficult, but most unpleasant.
Much is written to tape and erased frequently during the day. In addition,
the data are sorted by calling, not called, number. I was recently
informed that the COBOL code to describe the billing record is four pages
in length; there's a lot of information there. Imagine the enthusiasm of
the telephone company for a request---police, court, or private---to find
out who called a particular number over some period of time, typically
without offering to pay for the costs of such a search.
Our campus, which has its own AT&T 5ESS switch (making it something like
the 67th largest phone company in the US), generates approximately 100 Mb
of records per month. I think we've got about 10K phones.
Joel M Snyder, 1103 E Spring Street, Tucson, AZ, 85719
Phone: 602.882.4094 (voice) .4095 (FAX) .4093 (data)
BITNET: jms@Arizona Internet: [email protected] SPAN: 47541::telcom::jms
Yow! Am I in Milwaukee?
------------------------------
Date: Tue, 1 Dec 92 22:10 PST
From: Michael Gersten <[email protected]>
Subject: SSN and privacy
[Moderator's Note: Once again I have to ask: Does the knowlege of
one SSN affect that's person privacy? I say no. All the SSN does is
act as a global indentifier. In today's technology it is not
difficult to for a legitimate business to get a person SSN. You
don't need a SSN to get a credit report just a name and address.
---
Well, the problem isn't this. The problem is that SSN can, and in some
cases is, being used as an ID.
How does this cause problems? Well, call up the utilities, and identify
yourself by the SSN (you only have it if you are that person, or
empowered to work for them, after all, they're private, right?), and turn
off their gas/electricity. Or, since everything anyone has ever collected
on you is availible, indexed by SSN you can get all the information ever
collected on you -- and, since it's from a computer, it must be accurate,
right?
Those are the two that come to the top of my head immediately.
Remember: Refusing to co-operate does not make you guilty unless
innocent people are required to co-operate. According to the
constitution, they aren't. (5th, paraphrased).
--
Michael Gersten [email protected]
HELLO! I'm a signature virus! Join in the fun and copy me into yours!
ex:.-1,. w $HOME/.signature
------------------------------
Date: Wed, 2 Dec 92 09:01:13 -0500
From: [email protected]
Subject: Grocery Store "Lottos"
A small local grocery store chain is giving out a small ticket with
each purchase. The ticket has three silver ovals on it. Rub them
off and if all three match you win the indicated amount of money.
I recently won a dollar this way. When I was at the store to cash
the ticket in, the cashier handed me a form requesting my name and
address. I refused and did not get my winnings.
Upon getting back home, I carefully looked at my ticket.
The back of the ticket indicates (in very fine print) that
FTC laws require winners' addresses to be posted in the store.
I did not want my complete address posted for everybody to see.
Had they asked for name and city, I would have been happy to oblige.
I feel that would fulfill informational purposes for the store.
If this is for tax reasons, I can hardly see where a single dollar
is going to impact my taxes either way.
The strange thing is that when I recently received some instant lottery
tickets as a gift, I had a few one and two dollar winners, and a ticket
or two. The dollar winning tickets were as good as cash at the lottery
ticket booth, no questions, no hassle.
Can anyone provide us with some more information on these FTC laws,
whys and wherefores?
[Moderator's Note: There a big difference between the lottery and local
games. The primary reason the FTC reguires the name and address is so
that the company sponsoring the promotion is forced to award all prizes.
._dennis ]
W WWW WWW MM MMM UU UUU U Roy Zimmer [email protected]
W WW WW MM MM UU UUU U University Computing Services
W W W W MM M M M UU UUU U Western Michigan University
W WW MM MM MM UUU UU Kalamazoo, Michigan USA
------------------------------
Date: Wed, 2 Dec 1992 9:17:09 -0500 (EST)
From: "Dave Niebuhr, BNL CCD, 516-282-3093" <[email protected]>
Subject: Telephone Logs
In Computer Privacy Digest Volume 1 : Issue: 104
Apparently-To: uunet!comp-society-privacy writes:
> Do phone companies keep records of local calls made from your telephone?
>I have heard references to "phone records"--mostly in articles about
>someone being investigated by the police--and wonder if they meant
>local calls, or long-distance.
>
>Kip
>
>[Moderator's Note: They do not keep track of the local numbers you
>call.
New York Telephone does indeed keep a record of ALL calls made from
a phone. I found this out quite by accident when, while playing around
with the phone one day (getting used to Call Return and Last Call Redial),
the number for my second line showed up on my bill when I dialed it from
my primary one.
It should be noted that I have Flat Rate service and no primary area
calls (local exchanges and adjacent ones) should ever be listed even
though logged.
Dave
Dave Niebuhr Internet: [email protected] / Bitnet: niebuhr@bnl
Brookhaven National Laboratory Upton, NY 11973 (516)-282-3093
------------------------------
Subject: Re: Lucky Supermarkets copies social security numbers on to checks.
From: [email protected] (A virtually vegetal non-entity)
Date: 2 Dec 1992 14:52 MST
Reply-To: [email protected]
Organization: University of Arizona MIS Department - Mosaic Group
In article <[email protected]>, [email protected] (Phydeaux)
writes...
>
>The California DMV has started to require a social security number
>when applying for an initial Calif. drivers license or identification
>card, or for renewing them. [text deleted]
>However all the new licenses and id cards have a magnetic
>strip. Now if you wish to make a purchase at a Lucky's Supermarket
>and pay by check the license is passed thru a magnetic card reader --
>and the social security number is read from the card and printed on
>the back of the check. Therefore the number which is not suppose to
>appear on the license is simply available to any merchant that has
>access to a card reader.
I hope that the solution to this problem is obvious: take a small
kitchen magnet, place it in close contact with your drivers license,
and erase the strip. Doing so is probably not illegal, and certainly
doesn't impair the legitimate uses for which your license was designed.
If you feel uncomfortable changing the programming on your card
purposefully, then simply leave it back-to-back with any other credit
card in your wallet, and soon both will be unreadable. If you live
where it's sunny, leave your wallet on the dash of your car.
Joel M Snyder, 1103 E Spring Street, Tucson, AZ, 85719
Phone: 602.882.4094 (voice) .4095 (FAX) .4093 (data)
BITNET: jms@Arizona Internet: [email protected] SPAN: 47541::telcom::jms
Yow! I want my nose in lights!
------------------------------
From: Paul Wallich <[email protected]>
Subject: moderator misinformation
Date: Wed, 2 Dec 1992 15:50:47 GMT
Organization: Trivializers R Us
In article <[email protected]> "Kip J. Guinn" <[email protected]> writes:
> I can see where long-distance calls would be in records, but do they
>actually keep logs on local calls made from each residential phone?
>That would seem to be an awfully huge chunk of data... And a big
>invasion of my privacy, too! Caller ID is bad enough for some
>people--women's shelter's, etc-- and I don't like the fact that if I
>call to complain to the police, or a company, etc, that they know my
>home number (which I try to keep fairly private), but if local calls
>are routinely logged--heck, what do you do?
>
>Kip
>
>[Moderator's Note: They do not keep track of the local numbers you
>call. Most switches do have the capability to do so if there was a
>compelling need. You might disagree with the concept but that
>information belongs to the company not to you. I hope the fact that
>medical records belong to the doctor and not to the patient doesn't
>surprise you. ._dennis ]
In many states, New York among them, medical records belong by law
to the patient. This means that the patient can legally control
access to the records (modulo what insurance companies insist on
knowing) and can compel a physician to turn those records over to
the patient or another physician. The question of who owns medical
records or phone records (or any number of other items of personal
information) is not nearly as settled as the moderator's notes might
make it appear.
paul
[Moderator's Note: I stand partially corrected. The point I was making
is that there are many records that people think belong to then when in
reality they belong to somebody else. ._dennis ]
------------------------------
Date: 02 Dec 92 11:49:08 EST
From: David Lehrer <71756.2116@compuserve.com>
Subject: Akron BBS trial update!
Akron BBS trial update: Dangerous precedents in sysop prosecution
You may already know about the BBS 'sting' six months ago in Munroe
Falls, OH for "disseminating matter harmful to juveniles." Those
charges were dropped for lack of evidence. Now a trial date of
1/4/93 has been set after new felony charges were filed, although
the pretrial hearing revealed no proof that *any* illegal content
ever went out over the BBS, nor was *any* found on it.
For those unfamiliar with the case, here's a brief summary to date.
In May 1992 someone told Munroe Falls police they *thought* minors
could have been getting access to adult materials over the AKRON
ANOMALY BBS. Police began a 2-month investigation. They found a
small number of adult files in the non-adult area.
The sysop says he made a clerical error, causing those files to be
overlooked. Normally adult files were moved to a limited-access
area with proof of age required (i.e. photostat of a drivers
license).
Police had no proof that any minor had actually accessed those
files so police logged onto the BBS using a fictitious account,
started a download, and borrowed a 15-year old boy just long enough
to press the return key. The boy had no knowledge of what was going
on.
Police then obtained a search warrant and seized Lehrer's BBS
system. Eleven days later police arrested and charged sysop Mark
Lehrer with "disseminating matter harmful to juveniles," a
misdemeanor usually used on bookstore owners who sell the wrong
book to a minor. However, since the case involved a computer,
police added a *felony* charge of "possession of criminal tools"
(i.e. "one computer system").
Note that "criminal tool" statutes were originally intended for
specialized tools such as burglar's tools or hacking paraphenalia
used by criminal 'specialists'. The word "tool" implies deliberate
use to commit a crime, whereas the evidence shows (at most) an
oversight. This raises the Constitutional issue of equal protection
under the law (14'th Amendment). Why should a computer hobbyist be
charged with a felony when anyone else would be charged with a
misdemeanor?
At the pretrial hearing, the judge warned the prosecutor that
they'd need "a lot more evidence than this" to convict. However the
judge allowed the case to be referred to a Summit County grand
jury, though there was no proof the sysop had actually
"disseminated", or even intended to disseminate any adult material
"recklessly, with knowledge of its character or content", as the
statute requires. Indeed, the sysop had a long history of
*removing* such content from the non-adult area whenever he became
aware of it. This came out at the hearing.
The prosecution then went on a fishing expedition. According to the
Cleveland Plain Dealer (7/21/92)
"[Police chief] Stahl said computer experts with the Ohio
Bureau of Criminal Identification and Investigation are reviewing
the hundreds of computer files seized from Lehrer's home. Stahl
said it's possible that some of the games and movies are being
accessed in violation of copyright laws."
Obviously the police believe they have carte blanche to search
unrelated personal files, simply by lumping all the floppies and
files in with the computer as a "criminal tool." That raises
Constitutional issues of whether the search and seizure was legal.
That's a precedent which, if not challenged, has far-reaching
implications for *every* computer owner.
Also, BBS access was *not* sold for money, as the Cleveland Plain
Dealer reports. The BBS wasn't a business, but rather a free
community service, running on Lehrer's own computer, although extra
time on the system could be had for a donation to help offset some
of the operating costs. 98% of data on the BBS consists of
shareware programs, utilities, E-mail, etc.
The police chief also stated:
"I'm not saying it's obscene because I'm not getting into that
battle, but it's certainly not appropriate for kids, especially
without parental permission," Stahl said.
Note the police chief's admission that obscenity wasn't an issue at
the time the warrant was issued.
Here the case *radically* changes direction. The charges above were
dropped. However, while searching the 600 floppy disks seized along
with the BBS, police found five picture files they think *could* be
depictions of borderline underage women; although poor picture
quality makes it difficult to tell.
The sysop had *removed* these unsolicited files from the BBS hard
drive after a user uploaded them. However the sysop didn't think to
destroy the floppy disk backup, which was tossed into a cardboard
box with hundreds of others. This backup was made before he erased
the files off the hard drive.
The prosecution, lacking any other charges that would stick, is
using these several floppy disks to charge the sysop with two new
second-degree felonies, "Pandering Obscenity Involving A Minor",
and "Pandering Sexually Oriented Matter Involving A Minor" (i.e.
kiddie porn, prison sentence of up to 25 years).
The prosecution produced no evidence the files were ever "pandered".
There's no solid expert testimony that the pictures depict minors. All
they've got is the opinion of a local pediatrician. All five pictures
have such poor resolution that there's no way to tell for sure to what
extent makeup or retouching was used. A digitized image doesn't have
the fine shadings or dot density of a photograph, which means there's
very little detail on which to base an expert opinion. The digitization
process also modifies and distorts the image during compression.
The prosecutor has offered to plea-bargain these charges down to
"possession" of child porn, a 4'th degree felony sex crime
punishable by one year in prison. The sysop refuses to plead guilty
to a sex crime. Mark Lehrer had discarded the images for which the
City of Munroe Falls adamantly demands a felony conviction. This
means the first "pandering" case involving a BBS is going to trial
in *one* month, Jan 4th.
The child porn statutes named in the charges contain a special
exemption for libraries, as does the original "dissemination to
juveniles" statute (ORC # 2907.321 & 2). The exemption presumably
includes public and privately owned libraries available to the
public, and their disk collections. This protects library owners
when an adult item is misplaced or loaned to a minor. (i.e. 8 year
olds can rent R-rated movies from a public library).
Yet although this sysop was running a file library larger than a
small public library, he did not receive equal protection under the
law, as guaranteed by the 14'th Amendment. Neither will any other
BBS, if this becomes precedent. The 'library defense' was allowed
for large systems in Cubby versus CompuServe, based on a previous
obscenity case (Smith vs. California), in which the Supreme Court
ruled it generally unconstitutional to hold bookstore owners liable
for content, because that would place an undue burden on bookstores
to review every book they carry, thereby 'chilling' the
distribution of books and infringing the First Amendment.
If the sysop beats the bogus "pandering" charge, there's still
"possession", even though he was *totally unaware* of what was on
an old backup floppy, unsolicited in the first place, found unused
in a cardboard box. "Possession" does not require knowledge that
the person depicted is underage. The law presumes anyone in
possession of such files must be a pedophile. The framers of the
law never anticipated sysops,or that a sysop would routinely be
receiving over 10,000 files from over 1,000 users.
The case could set a far ranging statewide and nationwide precedent
whether or not the sysop is innocent or guilty, since he and his
family might lack the funds to fight this--after battling to get
this far.
These kinds of issues are normally resolved in the higher courts--
and *need* to be resolved, lest this becomes commonplace anytime
the police or a prosecutor want to intimidate a BBS, snoop through
users' electronic mail, or "just appropriate someone's computer for
their own use."
You, the reader, probably know a sysop like Mark Lehrer. You and
your family have probably enjoyed the benefits of BBS'ing. You may
even have put one over on a busy sysop now and then.
In this case; the sysop is a sober and responsible college student,
studying computer science and working to put himself through
school. He kept his board a lot cleaner than could be reasonably
expected, so much so that the prosecution can find very little to
fault him for.
*Important* Please consider a small contribution to ensure a fair
trial and precedent, with standards of evidence upheld, so that
mere possession of a computer is not grounds for a witch hunt.
These issues must not be decided by the tactics of a 'war of
attrition'; *however far* in the court system this needs to go. For
this reason, an independent, legal defense trust fund has been set
up by concerned area computer users, CPA's, attorneys,etc.
Mark Lehrer First Amendment Legal Defense Fund
(or just: MLFALDF)
Lockbox No. 901287
Cleveland, OH 44190-1287
*All* unused defense funds go to the Electronic Frontier
Foundation, a nonprofit, 501c3 organization, to defend BBS's and
First Amendment rights.
Help get the word out. If you're not sure about all this, ask your
local sysops what this precedent could mean, who the EFF is--and
ask them to keep you informed of further developments in this case.
Please copy this file and send it to whoever may be interested.
This case *needs* to be watchdogged.
Please send any questions, ideas or comments directly to the sysop:
Mark Lehrer
CompuServe: 71756,2116 InterNet: 71756.2116@compuserve.com
Modem: (216) 688-6383 USPO: P.O. Box 275
Munroe Falls, OH 44262
------------------------------
Date: 2 Dec 92 18:16:00 +1800
From: [email protected]
Subject: Fully automated speeding tickets
------------ REPLY ATTACHMENT --------
SENT 12-02-92 FROM KRUSE_NEIL
CAMERA ACTIVATED SPEEDING TICKETS SYSTEM
One company I have heard is exploring the idea of a camera activated
speeding tickets system. Here is what they want: digital cameras
installed in strategic public highway locations; these cameras
attached to a computer system, 24 hours a day, 7 days a week,
reporting pictures of speeding cars taken, by activating the camera on
a radar readout on a speeding car. This picture somehow, hopefully not
manually, will provide the ASCII data representing the license plate
of the "offending" car, this will trigger a ticket via mail and
a subsequent collection of the payment.
"Honest your Honor, that wasn't me behind the wheel" ;)
Neil Kruse
[Moderator's Note: New Jersey has banned the use of photo radar. ._dennis ]
------------------------------
Subject: Re: Re: Blockbuster announces plan to use data from video rentals
From: "Roy M. Silvernail" <[email protected]>
Date: Wed, 02 Dec 92 23:27:14 CST
Organization: Villa CyberSpace, Minneapolis, MN
Sam Lowry <[email protected]> writes:
> In article <[email protected]> "Roy M. Silvernail" <roy@cybrs
>
> >Your message does bring up an interesting point, though. While we are
> >all understandably concerned about our privacy, the very organizations
> >we decry for violating our privacy must have some reasonable expectation
> >of privacy, as well. Since the two imperatives obviously conflict, how
> >should this conflict be resolved?
> >
> What you are telling me is that companies, which are not a human
> being has the same rights as a living person? This is a problem we
> all will have to deal with.
Sure, it is. But you misunderstood my question. Both I and the company
have rights of one kind or another. Those rights are not necessarily
equal, but they will and do conflict at times. To unilaterally decide
in favor of an individual strikes me as Neo-Luddite.
> Do companies have rights?
As Dennis pointed out, corporations are legal entities, with rights.
I asked how we should resolve the conflict between these rights.
--
Roy M. Silvernail | #include <stdio.h> | "press to test"
roy%[email protected] | main(){ | <click>
[email protected] | float x=1; | "release
| printf("Just my $%.2f.\n",x/50);} | to detonate"
------------------------------
From: Mike Johnston <[email protected]>
Subject: Digital Licenses in NY State
Organization: Lehman Brothers
Date: Thu, 3 Dec 1992 14:47:32 GMT
Apparently-To: uunet!comp-society-privacy
Today's (12/3/92) New York Times carried a small article in the Metro
section describing NY's new licenses. In a nutshell, drivers will
have *both* their pictures and signatures digitally stored on the
state's computers. This makes me nervous.
The reasons given are 'easier storage and retrieval and will result in
more secure and higher-quality licenses and ID's'. Also noted is that
duplicate licenses will be available within three weeks WITHOUT visiting
the DMV. This is probably the hardest part of all to believe, as anyone
who's ever tried to get ANYTHING from Motor Vehicles will attest.
My biggest problem is this: I don't want my picture and signature
digitally stored on NY's computers, where it can easily be transmitted
to anyone the state deem's fit to receive it. This could include
the Federal Government, other State's and various agencies within
our own state. I won't even get into the ramifications of having
my SIGNATURE stored where someone can replicate it, perfectly, every
time they need to.
It seems the privacy issues here have either been ignored or swept
under the carpet. There is no review process on this, and I suspect
and enormous amount of money has been spent on the hardware to handle
all the storage needed for image retrieval on eleven million drivers and
ordinary state ID holders. The reason I say this is because the article
noted the system is now in effect and has been since the beginning of
September.
What's worse is that you don't even need to be a licensed driver to
be on the state's computer. NY State, and probably many others, delegate
responsibility to the DMV to process requests from people needing ordinary
ID cards. This means that, from now on, if you show up at the DMV for
a simple ID card, you'll wind up on their computers and probably another
dozen or so databases.
This is really getting to be too much.
MJ
--
Michael R. Johnston, System Administrator [email protected]
"The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore, all progress
depends on the unreasonable man." - G.B. Shaw
------------------------------
End of Computer Privacy Digest V1 #106
******************************
|
|
