The RISKS Digest
Volume 10 Issue 61

Friday, 16th November 1990

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Police technology; mailing list hyperstacks (Lotus)
Jerry Leichter
Privacy concerns about Lotus "Marketplace"
Jeff E. Nelson
Rick Noah Zucker
Kuwaiti citizen database
Jonathan Leech
Gas pump inaccuracies?
Paul Schmidt
"It's the computer's fault"
Andrew Klossner
Re: Voting electronically from home
Li Gong
Frank Hage
Dan Sandin
Re: Computer Mishap Forces shift in Election Coverage
Tom Perrine
Election coverage software
Gary Cattarin
Re: Juicy 911 RISKS
Amos Shapir
Ada Remarks
Paul Murdock
Info on RISKS (comp.risks)

Police technology; mailing list hyperstacks

Jerry Leichter <>
Wed, 14 Nov 90 09:19:28 EDT
The Wall Street Journal this week had two articles on privacy and technology
that I thought RISKS readers might find of interest.

On Monday (13-Nov; page A-1) it reports on some new technologies that are
becoming available to the police.  Two are of particular note: Pilotless
surveillance drones developed for the military have been suggested as "just the
thing" for the police.  These are small planes - in techno-speak, they are
UAV's (Unmanned Aerial Vehicles) - that can stay at 500 feet for about an hour.
Currently, they carry cameras with telephoto lenses and infrared sensors; it's
proposed that they could also carry chemical sensors to detect various
chemicals used in drug manufacturing.  None have apparently been used so far -
they are expensive (anywhere from $20,000 to several million a piece) and the
FAA has yet to approve their use.

And for those of you who think that calling from a pay phone is a way to avoid
wiretaps - think again: The "roving bug" can find you.  This is a device that
does pattern matching on phone calls, looking for a particular voice.  At least
one successful prosecution has already been based on evidence obtained by such
a device.  The details aren't clear from the article, but apparently some
15,000 calls were intercepted, more that 5,300 from one person's office and
some 450 from various pay phones.  Just what the technology can do today isn't
clear, but it is clear that very broad-scale monitoring of digitized
conversations, with scanning for voices of interest, is possible if expensive
today and will rapidly become cheaper and easier.  Apparently such wiretaps
were authorized by Congress in 1986.

The article also mentions other devices, like tiny pinhole TV cameras - one was
installed over the urinals at a police station to find a vandal who was
clogging the urinals, causing water to drip down into the chief's office.
(Isn't it great to know what our tax dollars are paying for?)  Also,
LoJack-like devices are becoming much more widespread. (LoJack is a transmitter
installed in your car.  If your car is stolen, you tell the police; they turn
it on and can track the car.)  Smaller scale versions for protecting valuables
exist, and systems that use satellites to allow tracking literally around the
world are in the works.

On Tuesday (14-Nov; page B1) the Journal reports on the controversy surrounding
a product soon to be introduced by Lotus.  Lotus Marketplace consists of a CD
containing information on some 80,000,000 households, including names,
addresses, shopping habits, likely income levels, and even a catagorization (by
Equifax) into one of 50 catagories like "accumulated wealth", "mobile home
families", "cautious young couples", and "inner-city singles".  Also included
is a program - apparently at least partly a Hypercard stack - that provides an
interface to the system.  The whole thing costs $695 for the program and an
initial 5000 names; each additional 5000 names cost $400.  How Lotus keeps you
from using the other information on the CD is unclear - presumably, you sign a
license and they come after you if you breach the terms.

The program Lotus provides does not allow you to look up a particular
individual by name, but of course if you know anything about him you can come
up with a query that will find him and few others - and of course the unethical
will hardly be stopped from developing their own search programs by the terms
of a license agreement.

All of this information has been available for some time from mailing-list
vendors.  However, it's been expensive and "transient".  What Lotus does is
provide the information permanently and cheaply.  Lotus says that to prevent
abuse, they will not include telephone numbers (of course, CD's with telephone
number listings are increasingly available) and will sell only to "legitimate
businesses" at verified addresses checked against a "fraud file".  The license
terms will limit the uses to which the data can be put and provide penalties
for abuses.  It astonishes me that anyone can imagine they can control how a
small piece of plastic, indistinguishable from hundreds of like copies, will be
used once it gets out into the world.

The debate, as presented by the Journal, is on familiar grounds.  Anti: This is
a major invasion of privacy - "They've crossed the line" (Marc Rotenberg,
CPSR).  Pro: There's nothing new here; Lotus is just making a service available
to smaller businesses who couldn't afford it previously.  "What this lets you
do is send a few more pieces of mail.  What's the harm in that?  Lots of people
like to get mail."  (Dan Schimmel, developer of the system.)  You CAN keep your
name off the CD by written request to Lotus, Equifax, or the Direct Marketing
Associations mail preference service.  (It's an interesting question whether
this actually keeps your name off the CD or just marks it as "doesn't wish to
receive mail".  While such a marking would keep legitimate users away from you,
it would do nothing to stop abusers, like those the Journal suggests could look
for "unmarried wealthy women over 65 in this neighborhood".)

The article contains a wonderful cartoon by Mark Stamaty.  The scene: Two
women, one (A) looking at and later opening an envelope.  Prelude: "Every
purchase gets recorded in psycho-data central.  They'll have samples of
everyone's handwriting.  Soon millions of computer-driven autopens will
transcribe junk mail in the handwriting of each person's best friend, spouse or

A)  I got a letter from *Bill*!
B)  Maybe he wants to get back together.
A)  Think so?
B)  So what's he got to say?  Is he sorry?  Does he want to try again?
A)  He says I'm very special to him and to show me *how* special...
    he's offering me 40% off the newstand rate on a subscription to
    Sports Illiterated!
                            — Jerry

              [With Dreamy Indolence, Lotus Leaves nothing to be desired?  PGN]

Privacy concerns about new Lotus "Marketplace" product

Jeff E. Nelson <>
Wed, 14 Nov 90 09:53:47 PST
The following is extracted from an unofficial electronic newspaper edited and
published within Digital for Digital employees. Reproduced with permission. The
issues raised herein should be familiar to regular RISKS readers.

Jeff E. Nelson           | Digital Equipment Corporation, Nashua, NH, USA | Affiliation given for identification purposes only

>>>>>>>>>>>>>>>>  T h e   V O G O N   N e w s   S e r v i c e  >>>>>>>>>>>>>>>>
 Edition : 2195            Wednesday 14-Nov-1990            Circulation :  8428

VNS COMPUTER NEWS:                            [Tracy Talcott, VNS Computer Desk]
==================                            [Nashua, NH, USA                 ]

 Lotus - New program spurs fears privacy could be undermined
    {The Wall Street Journal, 13-Nov-90, p. B1}
   Privacy advocates are raising the alarm about a new Lotus product that lists
 names, addresses, shopping habits and likely income levels for some 80 million
 U.S. households. Due for release early next year, Lotus Marketplace packs the
 data on palm-sized compact disks aimed at small and mid-sized businesses that
 want to do inexpensive, targeted direct-mail marketing. But critics say the
 product is just too good. "It's going to change the whole ball game," says
 Mary Culnan, an associate professor at Georgetown University's School of
 Business Administration. "This is a big step toward people completely losing
 control of how, and by whom, personal information is used." Janlori Goldman, a
 staff attorney with the American Civil Liberties Union, adds that the product
 raises "serious legal and ethical questions." Lotus' critics concede that the
 product offers little more than is already available from established
 mailing-list brokers. But they say it is a greater potential threat to personal
 privacy because of its low cost, ease of use and lack of effective safeguards
 over who ultimately has access to it and why. They also say that the way it is
 designed allows users to ask a series of increasingly specific questions about
 small subgroups of people - identifying, for example, unmarried, wealthy
 women over 65 in a neighborhood. "They've crossed the line," says Marc
 Rotenberg, Washington director for the nonprofit Computer Professionals for
 Social Responsibility. "It simply shouldn't be allowed on the market." Lotus
 counters that the product, still under development, has been tailored to
 address privacy concerns. No phone numbers will be included, it won't be
 available in retail stores and it will be sold only to "legitimate businesses"
 at verified addresses checked against a "fraud file," Lotus says. A contract
 will specifically limit its use and provide penalties for abuses. Owners will
 be be allowed unlimited use of the names and addresses they buy, at a cost of
 $695 initially for the program plus 5,000 names and $400 for each additional
 5,000 names.


    Permission to copy material from this VNS is granted (per DIGITAL PP&P)
    provided that the message header for the issue and credit lines for the
    VNS correspondent and original source are retained in the copy.

>>>>>>>>>>>>>>>>   VNS Edition : 2195   Wednesday 14-Nov-1990   >>>>>>>>>>>>>>>>

all US consumers on CD-ROM

Rick Noah Zucker <>
Thu, 15 Nov 90 09:47:13 -0800
      This was forwarded to me:  [Discussion of PBS item on Lotus deleted.  PGN]

The database does not contain any of the data covered by the fair credit
practices act so Lotus is under no legal obligation to let you see what they
are saying about you (unless you buy the product, of course...) and has no
provision for allowing you to change what is in there.

The Lotus spokesman said that if people wrote a letter to Lotus saying they did
not want to be in the database, they would be excluded.  Unfortunately, the
interviewer did not say to whom the letter should be addressed.

Kuwaiti citizen database

Jonathan Leech <>
Thu, 15 Nov 90 10:27:54 -0500
    Last night's (11/14) BBC News reported that a computer database
containing fingerprints and other information on all Kuwaiti citizens had
been smuggled out of the country. Apparently the Iraqi government is attempting
to eliminate all evidence of the nation's existence, and this database may be
important in setting things up again (assuming the Iraqis leave).
    Perhaps this may be considered an anti-RISK of government databases?

Gas pump inaccuracies?

Paul Schmidt <>
Mon, 12 Nov 90 13:57:11 PST
  I have noticed an interesting characteristic that seems
to be shared by all self-serve gas pumps. They all shut
off automatically _shortly_after_ reaching the amount I gave
the attendant, but before reaching the next higher penny.
(The gallons display continues to advance.) So what algorithm
is used to determine the shut-off point? The fairest algorithm
ought to be:
    WHILE delivered_amount <= amount_wanted DO pump_gas

But I seem to be getting $0.005 - $0.01 more gas every time,
because the pump seems to be doing:
    WHILE delivered_amount <= amount_wanted DO pump_gas

Whereas if the gas company wanted to make an average of one-
half cent per transaction:
    WHILE delivered_amount < amount_wanted+0.01 DO pump_gas

Is the public the group beneficiary of about $0.005 per transaction due to what
would otherwise be a bad algorithm?  Did the programmer do this on purpose
because s/he felt Big Oil wasn't paying enough? What implication might this
have on computer controlled delivery of other liquids (insulin?) or gasses

Paul Schmidt                                     

"It's the computer's fault"

Andrew Klossner <>
Wed, 14 Nov 90 14:20:38 PST
My wife and I visited a restaurant in Cannon Beach, Oregon for Sunday
breakfast.  The service was slow, but that's okay, we were sitting down
and had coffee and plenty to read.

A distraught-looking hostess crossed the room to our table and asked me
"Are you a computer expert?"  "Why, yes," I responded.  "Would you
please come fix our computer?"  As we walked to the back room, she
cackled "Try to tell me I'm not psychic ..."

The "computer" turned out to be an electronic cash register, whose
printer ribbon had slipped out of the feed mechanism.  I fixed it and
returned to my table.

Service continued to be very slow — the family next to us left after
waiting 45 minutes.  To one and all, the hostess proclaimed "We had a
computer problem, but it's fixed now and you'll get your food soon."

But the cash register was used only to print bills when the meal was
over, and had nothing to do with slow food service, which apparently
was caused by an AWOL server.

  -=- Andrew Klossner   (uunet!tektronix!frip.WV.TEK!andrew)    [UUCP]
                        (   [ARPA]

Re: Voting electronically from home (revisited)

Li Gong <li@diomedes.UUCP>
Thu, 15 Nov 90 11:58:24 EST
John Roe (in RISKS DIGEST 10.60) quoted a report that "A Boulder CO group has
rediscovered Bucky Fuller's 50-year-old suggestion that everyone should be able
to vote telephonically from home or wherever."  and raised a few risks in the
proposed scheme.  He also pointed out that "The current system is NOT based on
honesty: it is based on physical security.  If it is sufficiently hard for the
same person to vote multiple times, voter fraud can be reduced to acceptable
levels (but not eliminated, of course)."

I would like to add that the current system not only provides physical security
of identification, but also physical security against harassment.  Nobody else
is allowed to go into the booth when a voter, say Alice, is voting inside.  On
the one hand, this gives Alice privacy; on the other, she can vote according to
her own will.  Moreover, since this individual vote is among maybe a billion
other votes, no ordinary person could find out for whom Alice has voted.  This
potentially discourage "buying" votes with money or menace, because it is
difficult (if not impossible) to "physically" influence a voter at voting time
and/or to verify a voter's vote afterwards.

In any trivial scheme such as voting with SSN over a phone line, all these good
features disappear.  Professor David Wheeler (my PhD thesis supervisor at
Cambridge) and I once worked on a voting scheme that supports these features
and also allows voting by phone or post.  This effort, together with a
generalization of the idea into a notion of "zero-knowledge transactions", is
still in progress (I hope :-).

Li Gong, ORA Corporation, Ithaca, New York   (607) 277-2020

Voting by phone risks in error

Frank Hage <fhage@sherlock.rap.ucar.EDU>
Thu, 15 Nov 90 14:34:49 MST
The risks assumed by John Roe in his note regarding the Boulder,
Colorado demonstration of voting by phone are not valid. The system was
*not* part of the official voting process, but was intended only to
introduce people to the possibility of voting by phone. This fact was
clearly mentioned in the articles the local paper (Boulder Daily
Camera) printed and, in addition, the demonstration ran for three days
prior to, but not on election day. It was emphasized that the votes
cast using the phone based system would not be "real" and that voters
would still have to go to the polls to cast legal votes. The organizers
of the demonstration specifically mentioned that *if* this were an
official voting method, a more secure authentication system would be
necessary. They suggested that a security system similar to the one
currently used for automated teller bank cards might be used.  Each
voter would receive a personal authentication number when registering,
which would have to be entered correctly before the phone vote would be
counted. Several other possible authentication methods were also
mentioned, including "voice prints". Because this was only a
demonstration, and would have no affect on the official vote count,
they used the birth date of the voter, which they obtained from public
voter registration records, as an example of the concept of requiring
voter authentication.

One can easily envision mechanisms where the caller ID feature that many
areas now have in place, could be used to foil attempts by people to
cast large numbers of votes from one phone, even if the authentication
system were compromised. As I see it, the risk of phone voter ballot
stuffing is much smaller than the risk phone the voter's ballot would not
be secret.

    The only risks the demonstration illuminated was the risk of people
making poor judgements about computer technology based on information provided
to them by the popular media.
                                        -Frank Hage (

Re: Voting electronically from home (revisited)

Dan Sandin <>
Thu, 15 Nov 90 22:38:55 GMT
Although the potential risks of voting by telephone seem great,
I think the potential benefit would far outweigh them.

For example, in the most recent election, I found myself rushing
to the polling place near my home (since you can only vote at
the registered polling place) and arrived too late. If I could have
voted at a location near my work, or by telephone, problem solved.

So, how do we deal with the identification of voters by phone?

How does this sound: before each election, each voter is mailed a
confirmation of registration (since, I believe, to vote one must be
registered, and to register, one must have a permanent address)
In this confirmation of registration would be a random number, with
perhaps a checksum or something to discourage forgery, issued on a
double blind basis. The user would have to punch in the registration
number, with perhaps a ss#, birthdate, or other identification.
However, leaving this out would encourange secrecy of voting.

For those who cannot handle vote-by-phone, of course, the old
system would be available.

The problems of voter security seem easier than, say, credit card
security. Unlike a credit card, "stealing" a single vote would not be worth
much. This system would also permit simple absentee ballotting...

stephan meyers c/o

Re: Computer Mishap Forces shift in Election Coverage (RISKS-10.60)

Thu, 15 Nov 90 12:58:43 PST
>There are some interesting risks.  First that unclean data was used and
>second that the big news agencies now all use the same polling source.  What
>a risk if someone hacked them to create false trends.  [bahn_pr]

All of the major news agencies have been using the same information
base for at least 6 years now. It is called the National Election
Service (NES), and its information is by definition "unclean" and
"hacked to create false trends".

The NES reports any and all information from the official polling sources, but
filters out all references to any candidates other than the Republicans and
Democrats. This filtered (incorrect, incomplete) information is then made
available to all of the news agencies. This filtering is, of course, done by

There is a rumor that this intentional bias uncovered an interesting
bug/assumption in some display software at one of the southern TV stations: The
display SW "knew" that there would only be info on two candidates, so it
calculated the percentage information for the "second" candidate by subtracting
the poercentage infomation for the first candidate from 100%.  Unfortunately
for the station, the local Libertarian candidate recieved enough votes (at some
point in the voting), that the second candidate was shown to be in the lead
(based on his votes + the votes for the Liberatrian).

Tom Perrine (tep) Logicon Tactical and Training Systems Division San Diego CA
UUCP: sun!suntan!tots!tep  +1 619 455 1330

Election coverage software

Thu, 15 Nov 90 14:07:24 est
CEO summary:

Computerized and centralized election coverage poses a bigger risk than the
"unclean data" and program glitches pointed out in RISKS 10.60.  And this one
is unfortunately intentional.  The News Election Service, the central clearing
house for election information, has their systems set up to deliver vote
percentages that show the major party candidates' votes adding up to 100%, even
when the major party candidates don't capture 100% (as they usually don't).  .
In the 1988 presidential election, the public was told that anyone who didn't
vote for George Bush (shudder) voted for Mike Dukakis (bigger shudder).  In
other words, George + Mike = 100%.  That was a lie; in fact George + Mike =
about 99%.  Small, but significant difference.  Same thing happened here in
Massachusetts last week: the third candidate took 2%, but most reports read
"Weld 51%, Silber 49%" (not sure of exact numbers).  Now, they can omit small
guys if they want, but don't lie to the public as if they didn't exist.  The
point here is that a bad policy decision is multiplied by the technology used
to spread lies and mistruths to the general public.

Re: Juicy 911 RISKS (Smaha, RISKS-10.60)

Amos Shapir <>
15 Nov 90 12:50:03 GMT
This points out another class of risks: hidden features.  I wouldn't be
surprised if that answering machine contained the full circuitry of a phone,
with the dial-out part disconnected; it is often cheaper to design a machine
around an existing product than to redesign new down-graded part.

Likewise, a "dumb" answering machine may turn out to have undocumented
remote-command capability, a computer terminal may have hidden escape code
functions, etc.  The obvious risk is that people who know about such features,
might use more sophisticated methods than pure tomato juice to make the devices
behave in ways their owners never anticipated nor took precautions too avoid.

Amos Shapir, National Semiconductor (Israel) P.O.B. 3007, Herzlia 46104, Israel
Tel. +972 52 522255  fax: +972-52-558322             

Ada Remarks

Paul Murdock <>
13 Nov 90 10:48 +0100
In response to Chet Laughlin's note about ADA multitasking (10.50) ...

>The first lab involved two tasks running in parrellel.  In reality it was
>figured that the tasks would time-slice on a single machine.  However, this was
>not the case.  The compiler would simply run the highest priority task until it
>ended, and then run the lower task.

My understanding would be that, providing the highest priority task was always
computable (and what is meant by time-slicing here is not exactly clear), then
this behaviour is a valid interpretation of the text of the Ada standard :-

"If two tasks with different priorities are both eligible for execution and
 could sensibly be executed using the same physical processors and the same
 other processing resources, then it cannot be the case that the task with
 the lower priority is executing while the task with the higher priority is

 [ Par. 9.8:4, VAX Ada Ref Manual
               ("Digital-supplemented text of ANSI/MIL-STD-1815A-1983")]

... and note that my remark comments on the interpretation of the text and
not the text itself.

Chet continues ...

>It was interesting to note that programs that ran correctly on SUNS did not
>run correctly on the PS/2s - even though they compiled without change.

One of the most painful characteristics of the Ada standard is that although
"its purpose is to promote the portability of Ada programs to a variety of
data processing systems" (par 1.1:1) it also "specifies permissible variations
in the effects of consituents of a program unit" (par 1.1.1:16) where "the
operational meaning of the program unit as a whole is understood to be the
range of possible effects that result from all these variations, and a
conforming implementation is allowed to produce any of these possible effects"
(par 1.1.1:16). So although the portability between the SUNS and the PS/2's
might have been expected (given the AJPO conformance testing procedures), the
assumption that a given program will exhibit identical behaviour across various
platforms cannot be made and is not implied by the standard.

There are, of course, RISKS here.

Paul ...                          (Paul Murdock,
                                   Paul Scherrer Institute,
                                   5234 Villigen. Switzerland.


Please report problems with the web pages to the maintainer