Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
In RISKS-09.75, I summarized a March 1990 `Los Angeles Times' story about a journalist charged with breaking into Fox Television computers. The 29 May 91 `Los Angeles Times' carries the conclusion, a story by John Kendall headlined WRITER GETS PROBATION IN STING AT FOX. Excerpts: "Free-lance writer Stuart Goldman pleaded no contest Tuesday to three felony charges of illegally entering Fox Television's computer system and stealing story ideas planted by Los Angeles police in a sting operation.... [Goldman] was placed on five years' probation and ordered to pay $90,000 in restitution, reduced to $12,000 with Fox's approval. The judge ordered Goldman to serve 120 days in County Jail but stayed the sentence.... "Goldman was arrested ... last year by Secret Service agents and Los Angeles police who confiscated a personal computer, floppy disks, Rolodexes and a loaded .38-caliber handgun. "Prosecutors accused Goldman of using a password apparently gained when the journalist worked briefly for `A Current Affair' to enter the Fox production's computer system. They charged that Goldman stole bogus tips ... and attempted to sell the items to a national tabloid magazine.... "After Tuesday's court session, Goldman vowed to publish his completed book, `Snitch' [about being a gossip-media insider], as soon as possible. "[The judge] ordered authorities to return Goldman's computer. `I'm sure you know now that computers will get you in trouble,' the judge said. `If you don't, I'll see you back in here again.'"
I've finally read my May issue of Consumer Reports. Of interest to
Risks readers is their article `What price privacy?', pp. 356-360.
They mostly cover ground familiar to Risks readers:
*Databases like the files on people who have ever filed malpractice claims
or on-the job injury claims.
*The workings of credit bureaus
*The error rate in credit bureau file information
Of greater news are their suggestions on what should be done.
"CU thinks the reforms should go even further. The law should allow
information in credit reports to be disclosed only if the consumer authorizes
the disclosure. Most people realize that if they apply for a credit card or a
mortgage the prospective lender will examine their credit report. What they
don't realize is that an application for employment, housing, insurance, even a
dating service, may trigger a check. Nor do they realize that their files are
routinely prescreened on behalf of direct marketers.
Any new law should also allow the credit bureaus a maximum of 30 days to
investigate when a consumer asks that something on his or her credit report be
checked for accuracy. Bureaus should be required to disclose to comsumers
exactly how they go about investigating possible errors reported to them.
A handful of other laws are supposed to protect consumers against invasions
of privacy, but they're riddled with imprecise language, exceptions, and
loopholes. For example, a 1978 law supposedly protects against unreasonable
searches of bank accounts by government agencies — but state and local
agencies are exempt, as are the FBI and U.S. attorneys.
Ironically, video rental records may enjoy the strongest safeguards against
abuse. Because of a 1988 lay commonly known as the Bork bill (after the
Supreme Court nominee whose video-rental tastes were made public in newspaper
accounts), a list of the videos you have rented can't be obtained without a
court order. No such law protects your medical or insurance records (see box
on page 357)."
They also make some suggestions: [List shortened by RG]
"Read the disclosure statements before you sign a credit form. At least
you'll know how much privacy you're about to give up.
Check your Social Security records periodically to make certain that no one
else is using your number. (Call 800-234-5772 to request a form.)
Likewise, write to any one of the major credic bureaus to opt out of
pre-approved credit-card offerings. [The addresses and phone numbers of the
big three are included in the article, as is the suggestion to check your
record with them periodically. RG]
If a merchant insists on a phone number or address on a credit slip, you can
refuse. There is no law that requires this information, and the major
credit-card companies actually discourage or even prohibit merchants from
asking. In California, Maryland, New York, and Virginia, the practice is
illegal."
They also recommend "Privacy in America" by David F. Linowes, published by
the University of Illinois Press and available through Consumer Reports Books
as a detailed discussion of privacy issues.
I recommend the article to Risks readers (and perhaps the more knowledgeable
can make suggestions to CU about policies to pursue).
Robert Grumbine
DO YOU THINK THAT YOU ARE DOING ANYTHING WRONG? IS THERE ANYTHING WRONG WITH
THE NET?! What the FBI files or does not file is the FBI's business. Why
should the U.S. Government have less access than a student at an American
university (or a foreign one)? What the FBI investigator "thinks" about
censorship is really of no concern. Free speech (well.. free political speech)
is a protected right, and the FBI is not capable of truly infringing on it.
Just think of the outcry on the net if it tried to do so! :) However, the U.S.
Government has a legitimate right to prevent illegal activity from taking
place, especially when it occurs over taxpayer-funded networks like some
portions of the Internet. In this case, waste is added to the illegal act
itself. As for the .SU domain, if the boys at the FBI don't know that there
are electronic links to machines in the Soviet Union, you can be certain that
the fellows up at the NSA do.. and might even be doing something about it.
Wouldn't it be pretty foolish of the Government not to. Would you prefer that
a US--> {any other country here} link be kept unmonitored and clandestine in
the spirit of free speech. At that point, why not let anyone transmit
sensitive, perhaps classified, data to another nation? Sounds pretty silly to
me.
The users of the net have nothing to fear
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
A momentary pause. You could object that my argument stinks.. taken to
one conclusion... "Let the police search your home any time.. if you are not
breaking the law, you have nothing to worry about" This sort of argument makes
sense to me, but I want to point out that you referenced newsgroups in your
original message, PUBLIC newsgroups. You could argue that the status of
private electronic mail is different, and I might agree with you. As far as
transmitting that mail outside the US...well, we would have to argue about that
some more. End of pause.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
from FBI scrutiny of the newsgroups. And taxpayers do have a right to know
that some of their money is being spent relaying alt.sex.pictures to other
sites in the US, and abroad. Chalk that one up to goodwill :) The situation
with email is, granted, a different one. The way I read your response is that
the Internet would be better off without public scrutiny. Why?
->..., then did he ever stop to THINK that the time spent ->assessing phony "keywords"can prevent the investigation of an actual ->terrorist plan to commit an atrocity? Oh, this really makes me laugh. If and when a friend or relative becomes a victim of a terrorist act, it is solely the terrorists who are responsible. Furthermore, please explain to me how my actions could "prevent the investigation of an actual terrorist plan", no, even "help the terrorists" ? Gee, next time you get a parking ticket, you'd start feeling guilty about the wasted police time/money that could also have been used to track down real criminals. You'd even have helped them and might be an accessory :-O I am talking about machines monitoring phone lines, and certainly it would take any tape of my conversations 5 minutes to end up in the garbage can. If this is what they choose to spend tax-payers money on, then I am free to say *anything* I want on my phone calls. Ralph Moonen, Free citizen of The Netherlands
Mark Thorson <mmm@cup.portal.com> refers to the FBI making a mistake in the case of Steve Jackson Games. I believe it was actually the Secret Service, although I still don't understand why they thought they would be interested. [Also noted by Bill Ricker.]
It does sounds like the FBI Special Agent that Mark spoke with would have seen the difference between the SJG Cyberpunk game and a criminal communication -- if any such exist under our constitution, which I doubt — which was not understood by the SS agents hunting for allegedly stolen AT&T documents. Ignorance is definitely a contributor to the abuses; evidentiary seizures of hardware that shut down a legitimate business or FIDO node are not warranted (pun intended) when what is ordered is seizure of evidence stored on disk — a backup taken by the constables is all that is required, which can be analyzed at their leisure. But typically they wouldn't know (a) how to do a backup, (b) how to analyze it, (c) how to configure a system onto which to restore it. (They also may not have a budget code for renting a PC onto which to restore it, or be forbidden to do so by work-rules and waste-guidelines!) And who in the raiders is going to trust the Obviously Guilty Party to do a backup for them? (S)He might try something tricky to destroy evidence, like in those spy movies... /s/ Bill Ricker wdr@wang.wang.com
We had a similar inquiry by the FBI a couple of years ago. We were demoing
a synthetic TV system using a satellite link between our big computer and
the trade show. The demo pictures looked like a very low pass over a
nuclear power plant. We had relocated a nearby plant into distant terrain.
Some guy say it on his home TV and called the FBI.
People should not expect the FBI to be up to speed on everything. They are
just investigating things, they never accused us of anything. They asked
where the nuclear plant was (they clearly "saw" one on TV that didn't exist).
We explained everything, and they asked a few questions about synthetic TV. In
general they were using their position in the Government to get us to teach
them something they didn't know. I am convinced their only interest was to
determine if this was a problem they needed to investigate in detail. I
presume their approach with real criminals is different. In the previously
discussed case, they got a pretty good explanation of Internet mailing lists
without having to do a lot of legwork themselves. As long as they don't pester
the same people every time, this seems like a pretty cost effective way to get
Government business done. I would prefer it to using lots of my tax money to
find out something they could have found out just by asking. I think we need
more Government that takes simple, direct approaches like this. Give the FBI a
hand for finding an easy solution.
Randy Saunders
mmm's story about the risks of Risks postings has prompted me to write
about my experience concerning the risks of Risks postings. I'm staying
anonymous simply because I'd prefer not to have this happen again. Before
I start with the story, may I emphasize that this is not happening in U.S.A.
About a year ago, I posted a couple of articles to Risks, concerning the
crash of an aircraft in Eastern France. About a week later, my
apartment was "kindly visited" in my absence.
Note the following facts:
1. nothing was taken from the apartment
2. old issues of RISKS, printed on line paper and stacked in a corner had
been thoroughly examined. The proof was that my quasi-order had been clearly
transformed to a full disorder.
3. all my bank papers (account statements, letters from bank manager etc.)
had also been inspected - again my quasi-order was transformed to disorder.
I mean that it was in some sort of order, but not mine.
4. my passport was obviously examined, since it was put back in a wrong drawer.
The job was very well done. I only noticed that my apartment had been
visited because handles on a chest of drawers were sticking up, while I always
made sure that they didn't.
Since nothing had been stolen, I decided not to inform the police.
However, through some extraordinary coincidence, a man was murdered round the
corner, a block away, and the police paid a visit to everybody in the
neighborhood to investigate. While I had no information about that crime, I
decided to inform them about the break-in in my apartment. Their questions were
as follows:
"- do you keep any confidential information in your apartment, whether defence-
related or commercial ? "
"- do you work in any governmental institution and have access to classified
information ?"
"- do you do any scientifical research which could lead to you keeping
important information in your apartment ? "
"- could any friend, girlfriend, or relative have used a spare set of
keys to come into your apartment and look through your papers ? "
"- do you deal with drugs ?" (yes, they really asked that !)
Since my answer was NO to all above questions, they decided to send the
forensic unit the next day. Deductions of the forensic unit were as follows:
1. the intruder came in via the kitchen window (which was closed but didn't
have a lock at the time), stepped into the sink, and left one footmark
on the kitchen floor, due to the moisture collected by the shoe in the sink.
2. the intruder wore gloves since no fingerprints were found, neither on
the window nor on anything else (door handles, printouts, drawers, etc.)
The general feeling was that the job had been done by a professional. The
forensic unit took a record of the footmark (sneakers) and promised to contact
me a few days later.
I got a call from the police two days later. All they said was that it was
a professional job but they'd soon identify the intruder(s). Someone was trying
to find-out about my sources of income, and it was probably related to "the
fact that you deal with computers and store this computer information in your
apartment". Well, I had figured that out myself, thanks ! They then told me
they would keep me informed on the developments of the investigation.
I have not heard from them since.
A point that has always bothered me about this type of `privacy' argument is that `privacy' as we know it is a very recent phenomena. Before we had a high density, easily mobile population the conditions you describe were part of everyday life in the closely knit small communities. There was not privacy as we know it today. The easy collection of data about a person is applying modern technology to modern population levels to recreate the community knowledge that used to exist. The significant difference is that then **everybody** who wanted to know your business did, now only the authorities collecting the data can know. The real problem as I see it is to get the information back out of the collecting agencies and into the public gossip trough.
Many of the recent postings about privacy suggest that privacy is being taken by government and businesses in a one-way transaction. While that certainly occurs, the nature of collecting information is more complex than that. Consumers and employees often inform on themselves. Some are forced to reveal private information as a "voluntary" tradeoff for obtaining a job or purchasing insurance. The employers often treat this information as available for distribution or whatever use they consider as appropriate. Many corporations routinely report sensitive information about their employees to insurance and credit organizations, often without letting the employees know that this is their practice. One major hospital's medical records department receives 1500 requests for this type of information each month, to a large part from insurance and third party carriers, which distribute this information to other organizations. Other people give away their privacy for a variety of inducements. Valuable information is given freely by people in exchange for consumer benefits. Credit card account holders or those tracked through electronic scanning of their store purchases may be willing to make this trade in order to receive discounts or notices of advance sales. One survey company sends a letter to potential interviewees that offers $10 plus the following comment. "...(L)egitimate research is an important part of our world and the accuracy of survey research depends heavily on how many of the people selected into the sample actually end up participating! Often survey results are slanted because too many people are hesitant to cooperate." Who could resist that appeal? Privacy invasions in the U.S. have become almost a perfected process. The poor were the test population for information scavengers. The poor were checked for their eligibility for welfare, immigration, jobs, and law abiding-ness. They lived with few privacy rights. The poor tested well and now the technology is being improved to collect information on even more people. Investigating the poor is now the model for intensively examining the lives of the rich and the middle class. These previously protected populations are now checked for their marketability, payment of college loans, correctness of resumes, professional conduct, insurability, and driving records. The list goes on. Truly, you can run but you can't hide. One day soon, we may start our work by electronically connecting ourselves to a computer that has polygraph and urine analysis options. Our productivity, workhabits, error rates, and deviations can be automatically collected. On a "voluntary" basis, of course. One recent study found that some companies wre even attempting to restrict intra-company dating by monitoring employees. Pinhole videocameras hidden in smoke alarms, tv sets, and clocks are being sold to companies to monitor employees and customers. Even the privacy of our refuse has been trashed. Some municipalities require that garbage be put in clear bags so that garbage collectors can inspect residents' trash to ensure that they are recycling correctly. In a strange retribution (justice redux?), businesses have themselves begun to lose some of their own privacy. Industrial espionage is on the increase. Major corporations have formed business intelligence units, many run by ex-intelligence officers. Competitive business intelligence is considered as a corporate necessity today, where anything available about competitors is gathered. Information can be obtained legally through searching government records, speeches by corporate spokespersons, and reviews of want ads seeking specialists (which may indicate new product developments). Other information collection may not be legal. Consumers have also become interested in piercing the often one-way privacy interests of corporations and government. The Freedom of Information Act and the various whistleblower laws that provide cash rewards for those who report illegal activities have begun to make corporate secrets more public. Even the electronic tools that businesses use to collect information have become more readily available to those who wish to gather sensitive corporate information, such as corporate contributions to PAC's and stock holdings in South Africa, to cite readily available databases. Recent information on the East German secret police (Stasi) indicates that they had an estimated 85,000 full time agents and 500,000 part time informants in a population of 17 million citizens. In the U.S., we collect confidential information differently. We don't just gather information on dissidents. In the American way, we believe in equal opportunity collection of information. Our diseases, disorders, deviations, and other details are growing into a national Information Age dossier. Certainly there are many differences between the East German Communist government and the U.S. government. What is important to recognize, however, is that there are also some startling similarities. We have become a nation of informers and informants. Americans live surrounded by technological vacuum cleaners that such up information. Big Brother has turned out to be the Big Browser. Sanford Sherizen, Data Security Systems, Inc., 5 Keane Terrace Natick, MA 01760 USA, MCI MAIL: SSHERIZEN (396-5782), PHONE: (508) 655-9888
cdp!mrotenberg@labrea.Stanford.EDU writes:
: It's worth finding out whether the Senate committee has considered the privacy
: implications of gathering this data on drivers and whether there are any
: proposals to restrict the secondary use of the information. Likely buyers?
: Marketing firms and insurance companies.
Thieves? It seems to me if I were able to tap into this system and find out
that Fred Smith's car was in grid lock and so was his wife's, then I'd stand a
better chance of robbing their house than I would if I was just staking it out.
After all, I'd have a nice warning system if I could get periodic updates (or
just program my home computer to "beep" me whenever they got withing 3 miles or
something like that). Keep in mind that the proposed system doesn't use
encryption at all.... (And even if it did, there would be a back door in it,
right? After all, isn't that what SB618 (nee SB266) is all about)
Take a look at the book "Mindkiller" by Spider Robinson for an example of a
thief that uses the central monitoring computer to rip off people that aren't
home.
I wonder if such systems would be mandatory or optional. If they were
mandatory, does that mean that I have to pay for LA's terrible traffic problems
even though I live in Colorado and face little or no traffic on my way to work?
That doesn't sound fair to me.
Warner
>I respectfully submit that Neil Rickert is completely and very seriously wrong >as to whether sendmail is primarily responsible for the replicated error >messages... On May 24 I observed a period of perhaps 30 minutes in which it was impossible to make an SMTP connection to THINK.COM. This is presumably because it was being besieged with replies to the (apparently forged) sendsys news control message, which asked all news sites to automatically reply to COMPASS.COM (which is gatewayed through THINK.COM). Approx one year ago a message arrived at our site with a `Return-Receipt-To:' header. It was part of the distribution of a large mailing list, perhaps `unix-wizards-digest', although my memory is uncertain on which list. It took more that 24 hours before an SMTP connection could be made to deliver the return receipt, apparently because the receiving host was saturated with replies. In neither of these cases was there a "replicated error". Indeed, there was no "error" at all. I repeat my earlier assertion. The "replicated error" discussion is a bogey man, which has little to do with the problem. The problem was caused by sending into a large mailing list a message which would generate automatic replies. The fact that those automatic replies were error messages is largely incidental. The behavior of sendmail perhaps multiplied the severity of the problem by a factor of three, compared with messages generated only at final destinations. But just generating messages at final destinations can already cause a severe problem. Clearly the responsibility must be on the distribution system (mailing list software for example) to minimize the likelihood that distributed messages will generate large numbers of automatic replies. I should note that the original incident was made particularly obvious by the fact that the automatic responses happened to go through an address which was gatewayed by the same host as the mailing list management software. It is likely that many such incidents (particularly with Return-Receipt-To:) have occurred in the past, but since the return address bypassed the list distributor, the problem was only noticed at the site to which the automatic responses were addressed, and they probably decided they had no choice but to live with it. Neil W. Rickert, Computer Science <rickert@cs.niu.edu> Northern Illinois Univ. DeKalb, IL 60115 +1-815-753-6940
Please report problems with the web pages to the maintainer