The RISKS Digest
Volume 11 Issue 76

Thursday, 30th May 1991

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


o Privacy, credit reporting, and employment
Andrew Koenig
o Job-screening via credit records
Jeff Johnson
o Re: FBI and computer networks
Steve Bellovin
Andrew R. D'Uva
Phil Windley
o Re: Voting by phone
Arnie Urken
Doug Hardie
Martin Ewing
Margaret Fleck
Tony Harminc
Matt Fichtenbaum
William Clare Stewart
Erik Nilsson
Paul E. Black
o Info on RISKS (comp.risks)

Privacy, credit reporting, and employment

Thu, 30 May 91 09:44:14 EDT
A couple of days ago I saw a news item to the effect that EDS had been
requesting credit reports on job applicants without their knowledge and using
those reports in their employment decisions.  This practice violates the Fair
Credit Reporting Act.  The gist of the article was that EDS agreed to contact
everyone who had been turned down for a job because of a credit report in the
past two years and tell them about the report.  The unsuccessful applicants
could then contact the credit bureaus, request copies of their files, and
contest any inaccuracies that might appear.

This story is a beautiful lesson in privacy for several reasons:

    1. Things like the Fair Credit Reporting Act are
       less help than they might be because it's so hard
       to find out when people ignore it.

    2. The FCRA is almost no help at all against employers
       who request credit reports on employment candidates
       because by the time the appeals procedure has ground
       its way to the end, the candidate is probably not
       going to work for that company anyway.

    3. According to the article, it is only recently that
       credit bureaus have started making their information
       available to prospective employers on a large scale.
       This is a nice example of data being used for a purpose
       other than that for which it was originally collected.

The second point is particularly important.  If a company turns someone down
for a job (partially) because of a credit report and the person then
successfully contests that credit report, the applicant is unlikely to be hired
anyway, being now a proven troublemaker.  Of course the applicant may have
found another job in the meantime.
                                --Andrew Koenig

Job-screening via credit records

Jeff Johnson <>
Thu, 30 May 91 13:55:34 PDT
   "Electronic Data Systems Corp, a unit of General Motors Corp, agreed to
settle charges that it failed to tell job applicants that information in their
credit reports influenced the decision not to hire them.

   The consent agreement was the first Federal Trade Commission action dealing
with a new use of credit data marketed by credit-reporting agencies.  The
commission said these 'employment reports' which are being used by a growing
number of businesses to make hiring decisions, often contain more credit
information than the standard credit reports long used by banks and retailers.

   Agency officials also said some companies might not be aware that, under
law, they are required to inform job applicants when a credit history is being
used to evaluate them.  They said the FTC is seeking voluntary compliance with
the law, and will be publishing an alert to inform companies of their
obligations."  [...]  [Excerpted from The Wall Street Journal, 29 May 91, p.B4]

Re: the FBI and computer networks (D'Uva, RISKS-11.75)

Wed, 29 May 91 21:08:05 EDT
I fear that Mr. D'Uva is sadly mistaken, both about what the FBI is permitted
to do, and what abuses they have been known to commit.  The FBI is *allowed* to
gather information about probably criminal activity.  They need ``probable
cause'', as a matter of public policy and (I think) Federal law.  They are
manifestly *not* allowed to monitor anything because they don't like it, or
because they think it might be evil, or ``un-American'', or ``subversive''.
And of course, there are many examples of the FBI not following such rules:
COINTELPRO, the myriad files on Dr. Martin Luther King (allegedly sleeping
around is not a Federal offense), etc.  The same applies to local police
departments — there was a recent uproar about some departments monitoring talk
shows on black-oriented radio stations, to find out who the local activists --
``troublemakers'' — were, and what they were up to.

Yes, the net is a public forum, and anyone who engages in criminal activity on
a mailing list is pretty stupid.  But the FBI has no right to engage in
systematic monitoring of the net as a whole.
                                                    --Steve Bellovin

Re: the FBI and computer networks (Agre, RISKS-11.72)

Andrew R. D'Uva <>
Thu, 30 May 91 0:22:44 EDT
I think that Steve is confusing legal terminology here.  Probable cause is
invoked when a law enforcement agency needs to make a search or intercept data
which is not in the public view.  For example, a policeman does not need
"probable cause" to stop your car when you are driving in an unsafe manner.
The law has been broken, and that is enough to warrant the law enforcement
official's intervention.  The policeman still needs an actual warrant to search
an area in your car which is not under your immediate control (e.g., your
trunk).  The case here is different: we are talking about the FBI (or any other
agency) reading the information carried in a PUBLIC forum, and acting on that
information.  There is no juridictional issue here, as clearly the traffic is
interstate, not intrastate in nature.  Surely Mr. Bellovin would not wish to
prevent the members of the FBI from reading the newsgroups simply because they
are law enforcement officials.  That smacks of a different sort of censorship.

> monitor anything because they don't like it, or because they think it
> might be evil, or ``un-American'', or ``subversive''.  And of course,
> there are many examples of the FBI not following such rules:

I didn't say anything about "evil" or "un-American" activities.  What I
did say was that the FBI is entitled to prevent illegal activities, or
act when evidence suggests that crimes have been committed.  We are talking
about crimes, not discussion.

> COINTELPRO, the myriad files on Dr. Martin Luther King (allegedly
> sleeping around is not a Federal offense), etc.  The same applies to
> local police departments — there was a recent uproar about some
> departments monitoring talk shows on black-oriented radio stations, to
> find out who the local activists — ``troublemakers'' — were, and what
> they were up to.

Certainly, it would appear that this is a troublesome point..but is it?  Much
of the "drug war" is fought (here in Washington, D.C.) in areas which are
considered "black."  Yet there is no such outcry here.  If the crimes are being
committed, adding a racial element into the equation doesn't help.  The
appropriate law enforcement agencies need to be able to go to where the crime
is... if that's on Usenet... so what? Caveat: I stated before, and state again
that the case of e-mail (between 2 parties) is different.  Intereption of
e-mail is *probably* protected by the "unreasonable search and seizure" clause
of the Constitution.  Public communication is not (no "search").

> Yes, the net is a public forum, and anyone who engages in criminal
> activity on a mailing list is pretty stupid.  But the FBI has no
> right to engage in systematic monitoring of the net as a whole.

PUBLIC forum.  Would you have the police/FBI/other agency stop reading
the newspapers, listen to radio, or talk to people on the street in order
to develop leads on crimes?  And why not systematic monitoring?  I doubt that
the FBI finds my questions on Unix that interesting :-).  As for my political
views, well, if I choose to make PUBLIC statements on the net, I expect that
somebody might hold me to them.  Just what are we afraid of anyway?  If you find
some basis in the LAW, as opposed to your opinion, that monitoring of a public
forum by law enforcement agencies is prohibited, I would love to see it.
However, I doubt that such a law exists.

-Andrew D'Uva   ard@ctcg.COM    {backbone}!uupsi!ctcg!ard

Re: the FBI and computer networks (Agre, RISKS-11.72)

Phil Windley <>
Thu, 30 May 91 13:58:35 PDT
Andrew R. D'Uva ( writes:

   As for the .SU domain, if the boys at the FBI don't know that there are
   electronic links to machines in the Soviet Union, you can be certain
   that the fellows up at the NSA do.. and might even be doing something
   about it.

The Naval Investigative Service (NIS) knows about it.  I told them.  As a Naval
Reserve officer I'm required to report all contact with citizens of certain
countries to NIS (so that the NSA doesn't pick it up and the NIS start an
investigation of something innocent).

I received mail from someone in the SU. I informed NIS who asked the nature of
the contact.  That done with, the agent was extremely interested in the fact
that the network existed and that I could send mail from my desk all over the
world.  I taught her about routing and showed her that it had taken 3 hours for
the mail to get from the SU to Finland and 30 seconds to get from Finland to

As an aside: the mail was routed through  Anyone know
where this computer is?  I couldn't get a direct IP address for it.

Phil Windley, Assistant Professor, Department of Computer Science
University of Idaho, Moscow, ID 83843   208-885-6501  Fax: 208.885.6645

          [Sounds like Piet Beertema is at it again!??
          Or another inspired spoofer?
          But not long ago it was April.  PGN]

Re: Voting by phone

Thu, 30 May 1991 00:21 EST
Three comments on Roy Saltman's paper. First, voting by phone enables a citizen
to verify that his/her vote is actually counted, which is something that is
practically impossible to do with existing election technologies.  Second,
voting transactions can be time-stamped to help guard against fraud and also
enable voters to verify the handling of their vote. And third, allowing voters
to vote for "none of the above" is an improvement on the normal method of
voting, but there are strong scientific arguments for allowing citizens to cast
one vote for each choice (a candidate or policy alternative) they approve and
zero votes for those choices they reject.  The indifference of "none of the
above" can be expressed by casting 0's or 1's for all of the choices. This
method is much more likely to identify the strongest choice in voter preference

Imagine what would happen if voters could access online statements about
candidates or issues provided by parties or interest groups!
                                                                  Arnie Urken

Re: Vote by Phone

Doug Hardie <doug@NISD.CAM.UNISYS.COM>
Thu, 30 May 91 8:20:42 PDT
I am concerned about several aspects of such a proposal.  There is no question
that such functionality can be created.  The question is can it fit acceptably
into our society.  For example, there has always been an opportunity for poll
watchers to challenge the registration of specific voters and their right to
vote.  With this technology, that is not easily possible.  The only real way to
permit such challanges is to record each person's vote such that a successful
challange could cause the vote to be backed out.  With this system there is no
confidentiality of vote.  Everyone's vote is available to someone.

The security aspect I didn't see addressed was how do you protect the computer
collecting the votes from tampering by its users?  If I am interested enough in
influincing the outcome of a election, I will position myself such that I am an
operator of such a system.  At that point, I think you have lost control of the
outcome.  Case in point: When I was in college there was a highly contested
election for homecomming queen.  Two organizations were highly organized and
dominated the scene for many years: the marching band, and ROTC.  As a member
of both organizations, I found the process quite interesting.  Voting was
accomplished with mark-sense cards that were run through a fancy machine to
convert the pencil markings to BCD.  Then the cards were run through a simple
counting program on the school computer.  I was the acting director of the
computer center and therefore had the ability to stay in the computer center
during the counting and watch.

The outcome of this "election" was so important that one of the ROTC
participants who was a journalism major arranged for one of the San Francisco
TV stations to have a live report from the computer room.  The operator of the
computer was a relatively unknown band member.  Sometime during the middle of
the count, the computer suddenly crashed.  But no panic, no need to rerun the
count, the operator knew what the counts were at that time, reset them by hand
from the front panel and continued the count.  All of this took place during
the live feed.  The ROTC reporter was suitably impressed by this show of
technical competance to make a comment on the air about the benefits of
electronic voting.  Needless to say, the band candidate was elected.
                                                                      — Doug

Re: Vote-by-Phone

Martin Ewing <ewing-martin@CS.YALE.EDU>
Thu, 30 May 91 11:59:13 -0400
I am sure you [Roy] will receive a large number of responses to your carefully
prepared piece on voting using voice-response systems.  My particular focus
is on the human-machine interface.

Limitations of VRS for complex transactions:  I have used a number of VRS
systems.  The most complicated is Fidelity Investments FAST system, through
which you can transact mutual fund purchases, as well as obtaining account
balances and quotations.  Fidelity's system requires you to enter a lengthy
account number, a PIN, and various codes for fund numbers, etc.  The voice
prompts are good, and it is possible to do a lot of business this way.
At the end of a transaction specification, you are given a accept/reject
option and a transaction reference code if you do accept.

All these transactions can be handled alternately by phone with a human
operator.  It would be interesting to have Fidelity's statistics about VRS
vs. live preferences among its customers.  My strong feeling is that the
system would appeal to technical computer/financial people, but would be
very unappealing to people who are unused to menu-driven state machines,
which, after all, are what VRS systems are.

The standard telephone (which is not even guaranteed to be touchtone) is an
extremely limited computer I/O interface.  It offers no immediate status
information to help users understand where they are in the system, what choices
will be coming up, what the alternative routes through the logic might be.
Verbal prompts are entirely "local" to the situation the user is in at the
moment.  This is a very synthetic and un-lifelike interface, even for computer
people.  (Consider all the cues you have sitting in front of a Mac or X Windows
screen, for example.)

Furthermore, as a recent ex-resident of California, I can attest that voting
can be considerably more complex than financial transactions.  Basically, I
think VRS is woefully inadequate when you may have 50 contests on a ballot,
with lots of minor parties, etc.  I would suggest that a little "consumer
preference" research could be done with mocked up VRS systems to shed more

The Ideal Voting Interface: In Pasadena, we used the (sigh!) Hollerith Card
voting system, in which you used a stylus to punch a hole in a suitably framed
card.  I feel this is a nearly ideal system.  The card is a physical object
which has the right data capacity, which the voter can manipulate before and
after voting, and the kinesthetics are pleasing.  "Chunk!" for each candidate.
You can pore back and forth across the contests, and there is room in the
book-like card holder for a fair amount of explanatory text.  The cards are
designed for machine reading.  (Last time I heard, they were using 360/20s!)

In Connecticut, we now use voting machines.  These inspire a lot less
confidence for me.  You pull a lot of toggles, the the big lever.  There is no
physical feedback that your levers actually did anything.  There is very
limited room for text, etc.  The legends above the levers are inserted
manually, and, if they slip a little, you can end up casting your vote in the
wrong column.  (I actually discovered this situation in a recent election.)
Furthermore, the many unused levers are not blocked, so that is very easy to
cast meaningless votes.  The old-fashioned "advantage" of the mechanical
systems is that you had the "party-line" lever, to vote all Democratic, or
whatever.  Fortunately, those levers are now disabled.

I am sure that an electronic interface, based perhaps on ATM technology, could
be developed to handle the authentication and the logical details of voting.  I
am not sure, however, that these systems can give an appropriate level of voter
comfort and confidence, which are extremely valuable for the political process.

Martin Ewing, Science & Engineering Computing Facility, Yale University


Margaret Fleck <>
Thu, 30 May 91 15:42:53 BST
When reading your recent posting on vote-by-phone on the risks newsgroup, I was
puzzled about why you assumed the system would handle only push-button phones.
There exist similar systems that can handle both dial and push-button phones:
the US embassy in London uses one for its visa information line.  This system
uses only the digit 0, which can be used even for multiple-choice queries if
you are patient, and performs an initial calibration step to discover what your
0 sounds like.
                           Margaret Fleck (University of Oxford)

Vote-by-Phone ( Security)

Tony Harminc <TONY@VM1.MCGILL.CA>
Thu, 30 May 91 15:17:36 EDT
It needs to be remembered that the weakest link in a Vote-by-Phone system
will be the voter.  I can easily think of several tricks along the lines
of the "phony bank inspector" often perpetrated on the elderly that could
be done here.  Automated dialing out to elderly voters a day or two before
voting day with a message to "please enter your PIN for voting validation"
would probably produce a large harvest.  These could then be voted early in
the day.  Many people wouldn't complain - it's not clear what to do about
those who do.  Vast amounts of advertising telling people not to give out
their PINs will just confuse the most vulnerable.

Tony Harminc

Re: Voting By Phone (Huggins, RISKS-11.71)

Matt Fichtenbaum <>
Thu, 30 May 91 15:39:09 EDT
> ...  The main motivation behind the amendment was to provide easier ways to
>vote for disabled Americans who may find it difficult to reach a polling place.

I hadn't realized that any such disabled Americans were running for office.

(Isn't English ambiguity wonderful?)

Matt Fichtenbaum

   [Triply ambiguous.  There is also the motivation to make it easier for
   people who want to vote (illegally) INSTEAD OF disabled Americans who would
   probably not be voting.  That of course is ONE OF THE MAIN PITFALLS OF

Re: Vote-by-Phone

William Clare Stewart <>
Thu, 30 May 91 16:23:27 EDT
Vote-by-Phone, in addition to the usual risks about security, provides another
marvelous opportunity for manipulating elections.  Not only is the order of
name presentation critical (as with paper and machine ballots, where layout
manipulation is de rigueur), but vocal expression of the names and parties is
also manipulable.  In many places, such as New Jersey where ballot questions
are written by the Legislature, with hopelessly biased "explanations" of how
good the proposed law will be.  Now they can do things like

(Happy, excited voice) Honest! George! Tweedledee!, Democrat!,  Press 1!
(unimpressed voice)    Walter  Fritz   Tweedledum,  Republican, press 2
(If-you-really-must)   Gene? um bbBurns? um LLLiberaltarian? um press 3
     Oh, yeah, and for Alfred E. Anarchist, Down-With-Lawyers-Party Press 4

While it's not as effective as manipulating TV and press coverage,
most elections are decided by only a few percentage points.

Bill Stewart 908-949-0705!wcs AT&T Bell Labs 4M-312 Holmdel NJ

Vote-by-Phone - Promises and Pitfalls

Erik Nilsson <>
Thu, 30 May 91 15:55:05 PDT
Studies of computerized vote counting (including Saltman's own extensive and
insightful papers) reveal that user interfaces for existing computerized vote
counting systems are inadequate.  Vote-by-phone user interfaces promise to be
worse yet.  The telephone is just too narrow an interface for modern elections.
At least with current systems you can see the task before you, and see your
choices, once you have made them.  At least with current systems you can skip
the wording of a proposition, if you already understand it.  In some elections,
voters would spend most of their voting time listening to paragraph after
paragraph of legally required proposition text, financial impact statements,
and so forth.  I find such a prospect less handy than my local polling place.

Even blind voters, who cannot take advantage of the visual user interface of
current systems, may not find voting by phone such a boon.  Currently, blind
voters must have assistance to vote, but the assistant is a better interface
than a phone.  Just because a phone interface is no worse for blind voters than
for sighted doesn't mean that phone interfaces are good interfaces for blind
voters.  There are better ways of helping blind voters than voting by phone.

People complain about the awkwardness of voice-mail, but vote-by-phone would
have to be even more awkward: "Soil conservation board, vote for two.  You have
voted for zero candidates so far.  If you wish to vote for candidate
Washington, push 1, if you wish to vote for cadidate Jefferson, press 2, if you
wish to vote for candidate Adams, press 3.  If you wish to write in, press #,
if you wish to spoil this ballot and start over, press *, if you wish to skip
this constest, press # twice, if you wish to review your current choices for
this office, press * twice, if you wish to hear your choices again, press #
then press *."  It is not clear to me that voter participation and drop-off
would improve under such a system.

Saltman's article brings up many other important concerns.  For example, making
such a system secure would be difficult.  As it stands, most observers council
against sending unencrypted voting information over telephone lines.  This
system requires it.

Voting by phone?  No thanks.           - Erik

erikn@boa.MITRON.TEK.COM           (503) 690-8350           fax: (503) 690-9292

Re: Vote-by-Phone - Promises and Pitfalls

Paul E. Black <>
Thu, 30 May 91 16:20:29 PDT
My compliments.  It sounds like you have thought this through well.  A few
thoughts occurred to me.  Perhaps they may be of use to you.  Here in
California each voter already gets an individually addressed voter guide.  Some
of my suggestion only make sense where each voter gets something before hand.
I twice served on the local election board (precinct clerk), so I have seen how
people actually vote with the current system.

Identification: the PIN could be randomly assigned to each voter and sent with
the voter's guide.  If the PIN is associated with a voter's name, PIN's could
be repeated: they would be pass codes.  The voter states his name, which is
recorded for auditing, and enters it through the keypad.  The pass code
confirms it.

Write-in votes: Instead of, or in addition to, write-in names entered through
the keypad, the voter states the name vocally, and it is recorded.  With a
pre-mailed voter's guide, the voter could figure out the number codes
corresponding to the name before calling.

Confirmation: I think it would inspire more confidence in the voters if after
each vote the system repeated, "You voted for <name>.  Press 1 if that is
correct, otherwise press 2."  Anything other than 1 causes the system to prompt
for the vote again.  (Clearly anything can be used instead of 1 and 2 as long
as it is consistent.  Perhaps 9 (Y) for yes and 6 (N) for no.)

Serial presentation: the voter's guide tells which number corresponds to each
person.  The voter is told that they can enter the number at any time.  Thus
voters with premarked ballots could go through the system rather quickly.

    Another option or a refinement is to go through the names quickly the
first time (e.g., "For president Washington, 1; Jefferson, 2; or Franklin, 3")
then if the system does not detect an entry, detects an invalid entry (e.g. "4"
in the above), or detects a help button ("#" maybe?), it reads the names in
greater detail (e.g., "For president of the United States, to vote for George
Washington, Whig, press 1; to vote for ...")

Overvote and undervote: In a election where it is "Vote for up to 3 of the
candidates," the system states how many are left: "You voted for Jones, you may
vote for up to 2 more."  The voter may then cancel that vote, or not vote for
the rest.  The voter cannot overvote.  If an undervote is not allowed ("vote
for exactly 2"), the system refuses to continue (with the appropriate message)
until all votes are cast or the voter indicates the desire to not vote on that
at all.

Failure to complete: In case of hang up, either because of emergency or
equipment failure (or accidentally bumping the 'phone), the safest thing is to
erase the entire proceeding to that point, except to note in the database that
a vote was interrupted (like a spoiled ballot).  Perhaps after three failures,
the system directs the person to talk with election officials.

Audit & accountability: the entire voting procedure should be recorded in as
raw a form as feasible.  Perhaps a slow tape like used for 911 would do.  If
not, a record of each input keystroke and a code indicating the system's
message could be written to a write-only media such as optical disk.

Trial & development: perhaps Federal funding could help develop and test the
concept and answer questions in a few areas for a few years.  Another
possibility is having an organization like ACM, IEEE, or a university try it
out: they want to innovate, and those voters would tend to be more careful,
give useful suggestions (i.e. help development) than the population at large.
The results would not be fully extensible to the population at large, but it
could be a place to start.

I feel the problem with low voter turn-out is a social, not a technical,
problem.  With the LONG hours and absentee ballots now available, there is
really very little excuse for people not voting.  I'm afraid the length of time
voting over the 'phone or waiting to get a line would be seen as a similar

I hope this may be of some help.

Paul E. Black, CIRRUS LOGIC Inc MS 62, 3100 Warren Avenue, Fremont CA 94538 USA

Please report problems with the web pages to the maintainer