Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
I had my first encounter with the Procrustes bed, when trying to give my forwarding address to Paragon Cable in Minneapolis, MN. No matter how much it was squeezed or stretched, their computer would accept it. You see, it was not a U.S. address. Being physically present there (I was returning the decoder box) I could observe exactly what was happening. The address was in Athens, Greece, zip code: 15235. When he pressed <return>, it would automatically erase "Athens, Greece" and put there "Pittsburgh, PA". Most certainly, the zip code was "soft-wired" with the city & state info. It was disturbing that the program would not simply issue a warning. I offered to pay the outstanding balance (about two weeks service) on the spot, but they could not accept it as "a bill had to be mailed by the computer", and this would take 10 days or so. As I was moving in a week, most definitely the operator had a problem in his hands. It is interesting how the operator resolved the problem: he simply backdated the disconnection date, to coincide with the last day of the last bill, so there was no need any more for a forwarding address. Can't complain, as I got two weeks' free service ... Surely a good deal for Paragon Cable as well (think of the cost to upgrade the software). I can't help wondering how often they encounter this problem. The phone company, however, had no trouble accepting this overseas address. -- Anastasios Vergis, University of Minnesota, CSci Dept.
By some odd coincidence, the recent privacy thread in Risks comes along right on the heels of an ugly incident at the company I work for. We have a very large internal network along with a system of newsgroups on a wide variety of topics. One of these is called "grumps" which is designed essentially for the venting of curmudgeonly humor. It is generally considered to be the electronic equivalent of the occasional water-cooler gripe session. Although humorous in intent, sometimes issues important to the running of the company surface there. I posted a satirical message last month, taking the company to task for some bit of silly official pomposity, and thought nothing more of it. Imagine my surprise when two weeks later, my manager's boss called me into his office, with a copy of that message on his desk. He informed me that I should think carefully about sending out this sort of thing and that it reflected poorly on me and could jeopardize my professional advancement. Upon investigation, I discovered that our personnel department has very quietly taken on the job of surreptitiously monitoring traffic on certain internal "recreational" distribution lists. When something "offensive" is detected, it gets back, via the personnel system, to the offender's management. I had a long talk with our VP of personnel who explained that they weren't "spying", they were just trying to keep "offensive" mail off the net. Of course, *they* decide what is offensive or not. There is a risk here, one which I don't recall having seen mentioned here before, and it is that personnel/management people operate under a very different set of values than the people in the technical community with whom I normally share such postings. For example, this VP pointed with pride to the fact that she doesn't have a computer in her office. The manager I talked to insisted that posting to a dl is a public act, whereas I view it as private in the same way as a conversation around the lunch table in a group of friends. These people have now set themselves up as social arbiters of a system which they themselves never use. After thinking about this incident, I implemented an anonymous mail forwarding system, which would allow people to express their opinions openly without fear of retribution on unspecified charges. Not surprisingly, word of this got around too. This system proved to be intolerable to Personnel. They could not stand the idea that anyone could say what they liked and couldn't be traced, despite the fact that the company itself operates a "Comment" system, which is designed to allow people to send anonymous comments to management. I was politely asked to stop my forwarding service. After thinking it over, I agreed, and I now regret that decision. The net result has been greatly decreased traffic on the grumps dl, and a major loss of faith on my part in the goodwill of the management of our company toward the people who work here.
In classic "life imitates art" tradition, a case has been filed that resembles
my "Mr. M" hypothetical (of the person who, for "numerological" reasons,
publishes things like PIN's, private phone numbers, and so on).
The following is summarized from the Wall Street Journal (29 May 91, Page B6):
American Airlines (AMR) has sued Travel Confidential newsletter and its
publisher, Paul Edwards, to stop it from publishing lists of discount codes.
The codes, which travelers are supposed to mention when making reservations,
entitle them to discounts of 5% to 40% on airfare, car rentals, and hotel
rooms. They are intended for people attending conventions.
AMR charges Travel Confidential and Edwards with fraud and racketeering for
publicizing its codes, and asks for a court order banning such publication,
$750,000 in punitive damages, and unspecified losses. "Travel Confidential
is published with the sole purpose of facilitating, aiding and inducing the
commission of fraud on American and other airlines, hotels, and car rental
agencies," AMR claims.
Mr. Edwards says he is doing nothing illegal by pulling together information
that is publicly announced by convention sponsors. "Every word comes from
publicly available sources. There is not one iota of confidential or private
information in this newsletter." He also denies that he is encouraging his
readers to commit fraud. Edwards claims that airlines rarely even ask whether
a traveler is attending the event that matches the code. "If they don't want
people to abuse it, they should police it." (Where have we heard *that*
before?) AMR says they are considering doing just that, and also claims that
they could go after individual travelers for committing fraud by using the
discount fairs.
— Jerry
PS The same issue of the Journal, on page B8, discusses new voice-activated
computer systems for bond trading. The risks that arise from traders perhaps
being able to activate each other's computers are discussed (but of course
dismissed by those who want the system as not a problem).
(D'Uva, RISKS-11.76)
>For example, a policeman does not need
>"probable cause" to stop your car when you are driving in an unsafe manner.
>The law has been broken, and that is enough to warrant the law enforcement
The policeman's observance of you driving in an unsafe or illegal manner
constitutes probable cause. You cannot be stopped without probable cause (with
the constitutionally questionable exception of sobriety checkpoints). Search
after a stop for a traffic offense requires additional justification.
It may not be a good idea for people to post about illegal activities, but
it does happen regularly. At least one newsgroup contains frequent postings in
which persons report violating Federal regulations (usually inadvertently).
Such postings are of questionable legal value as authentication is difficult
(did Jones make the posting, or did someone who used his account make it?).
Systematic monitoring issues aside, does a posting on the net constitute
probable cause for real-world surveillance of the author? I don't have an
answer for this. Is there case law that establishes precedent?
Arnie Urken writes [ Re: Voting by phone]
> voting by phone enables a citizen to verify that his/her vote is
> actually counted, [...]
Does it? How is the voter to know that his vote is not routed to the bit
bucket, or that a later disk crash doesn't obliterate it. California's
antiquated Hollerith-card method produces a physical record of a vote. Which
is more reliable? Which gives the voter a higher level of confidence?
Steve Philipson
The FBI are not just "law enforcement officials", they are public servants. The "public" are their employers. Suppose your house servant decides to look through your belongings, because they believe you might be doing something illegal. Do you have the right to tell them not to do it (even if you are doing something illegal)? My analogy is certainly trivial. The point is that many people seem to forget that the FBI, DoD, &c are working for us and not the other way around. 200 years have passed since "unreasonable search" was added to the US Constitution. The government of our "global village" must take into account the intent of the Founding Fathers, not just their words. In 1792 a "grep of /usr/spool/news" was the house-to-house search of a city. Rob nagler@olsen.ch
In RISKS 11.74, Andrew D'Uva asks, "Why should the U.S. Government have less access than a student at an American university (or a foreign one)?" I've been rethinking privacy of electronic communications, particularly radio communications, since Congress is thinking about amending ECPA sometime this session. (No bills yet, but...) My conclusion is that the government should be prohibited from intercepting *ALL* civilian radio communications, except in certain bands like AM and FM, while third parties should have full freedom to listen in on any band, as they did before 1986 and ECPA. Jerry Berman of ACLU tells me that the real concern in ECPA was to prevent the government from spying on people. My proposal addresses that concern even more fully than his ECPA — which only protects a minority of the transmissions. More importantly, a ban on the government monitoring communications is enforceable — e.g. by the exclusionary rule, as well as by existing laws giving citizens the right to sue the government for collecting dossiers on their exercise of First Amendment rights like free speech. Speech over a cellphone is still speech and is still free. A ban on interception by third parties is clearly not enforceable without direct confiscation of radio receivers. Then what's next? Typewriters and copiers, as in USSR? Shortwave radios that receive Radio Baghdad, when they only want you to hear their side of a war? Before ECPA, if you transmitted information over the air and wanted to prevent its being overheard, it was *your* responsibility. You could encrypt it, use low power, hide it in noise, whatever. ECPA created classes of users who are absolved of this responsibility, such as cellular phone providers; the government picks up the tab for "enforcing" your privacy. Only trouble is that they are incapable of providing real privacy by passing laws, so the user ends up with no privacy at all. Had the onus rested on the transmitting party, it would be clear that it was up to cellular manufacturers to provide the privacy that people assume about "phones", or to stop marketing cellular walkie-talkies as "phones". But lobbyists were cheaper than privacy technology, so we started putting our personal lives on the air. Think about it --
In the vein of recent discussions about the "dumbing" of the work force, I note
that the vote-by-phone proposal is good, but a little verbose and pedantic for
my taste. I fear that the proposal is trying to out-stoopid the voters. (on
the other hand, you have to be pretty good to listen to a list of ten choices
and come up with the right number (ever try getting a pizza parlor to list how
you can have it?). Maybe candidates will now try to be listed LAST on the
ballot).
My belief is that vote-by-phone can be as complicated as filling out
a regular ballot (as mentioned, in CA this can be a challenge).
Also, it doesn't have to be an enjoyable experience (any more
than is standing in line at the polling booth).
My twist on what was mentioned:
1. Voter requests vote-by-phone by mail.
2. Confirmation letter contains ballot with PIN on it.
3. Voter calls to vote and uses the PIN given.
The voter is warned that the PIN is the voter's right to vote: you
lose it, you lost it; you show it to someone, you may have lost it.
Suitable warnings are given about possible scam's to get PIN's.
Reasonable mechanisms exist to deal with ballots that are lost or
stolen a reasonable time before the election.
The ballot contains all the contests, numbered, and all the choices in
each contest, numbered. Any choice is selectable by dialing a 3 (4?)
digit number (2 digits => contest, 1 digit => choice).
The voter is advised to fill in the ballot to obtain the numbers of
the people he/she is interested in voting for. Note that many voters
do not vote in all the contests available (abstaining, or in some
obscure local contests (or obtuse CA voter initiatives), a voter might
not feel that he/she can make non-random decision).
The computer you call up is generally re-active, not pro-active. Thus:
- The user enters the code of the contest and his vote,
selecting contest in his own order. This is faster, and
makes it easy to not have a vote on something. It is also
analogous to the way you vote by paper.
As pointed out, the user can more effectively get the choices
from the ballot than over the phone. If he doesn't have the
ballot, what is he doing phoning the system?
- The entire ballot is constructed by making selections, but
is not committed until the user specifically indicates that
he is finished. Up until this time, the user may disconnect
(accidentally or on purpose) and try again later.
Here is my vision of a phone call, which probably needs to be
simplified:
<Welcome to phone-a-vote, over XX million served.
Please enter your PIN now>
beep-beep...
<Please vote>
beep-beep...
<Contest 23, District vice-scoundrel, you selected Bud Bundy>
beep-beep...
<Contest 56, Clean Sewers Initiative, you selected YES>
beep-beep...
<Contest 56, Clean Sewers Initiative, you selected twice. The
selection has been erased. Please vote again.>
...
beep-beep...(0000)
<Your ballot has been accepted. Thank-you for voting.>
<click>
Maybe a special code runs through them all in order, so that you can check what
you've done. Or maybe dialing 569 tells what was selected for contest 56.
[By the way, the supposedly anonymous messages might still be traceable
based on the audit log that itemizes all e-mail to and from with a time
stamp. So if your automatic reforwarder left the original time stamp, that
was enough to nail the original sender!!! PGN]
Larry Campbell asks: Electronic voting? Who needs it? Although electing people to represent us in parliament is the generally accepted model for democracy at present, it is not full democracy. In a full democracy every voter should be able to vote on every issue, and this would be possible with electronic voting. Such a system would clearly require checks and balances well beyond those needed for electronic voting alone. In practice parliaments and politicians would probably need to be retained to keep the political system operating day-to-day. There would also need to be stringent systems of review, to prevent hot-headed decisions and to prevent interest groups from hijacking the vote on particular issues. This may not be Utopia, but anyone who complains about the voting of their representative should take heart that such a system may be achievable. Paul Nulsen pejn@wampyr.cc.uow.edu.au
<> A. Lottery spokesman David Ellis tells us that, once an instant
<> ticket is "read" by a bar-code reader, it is invalidated...
That doesn't prevent people with access to unsold tickets from stealing winners
and selling only losers.
Presumably losing tickets seldom if ever get read by the barcode reader even
once, so an agent who sells one will not be trapped by the invalidation
performed when he culls his supply of tickets. However, since indeed reading a
losing ticket should be rare, I would hope that the security system will be
suspicious of the operator of any barcode reader that gets too big a dose of
losing tickets.
-dk
In RISKS-11.78, Martin Minow quoted a representative of the Massachusetts state lottery as saying that as soon as an instant ticket is read by a bar-code reader, it will be flagged so that it cannot not be cashed again. What was not clear was a) whether the physical ticket itself was flagged, b) the number of the ticket was stored in the card reader, or c) the number was stored in a central computer? In case a), what is to prevent an unscrupulous person from xeroxing the ticket (perhaps onto the correct weight of card stock, if necessary) and bar-code-reading the xerox? In case b), what is to prevent the person from going to another bar-code-reader for the next reading? In case c), could not a bar-code-reader unconnected to the central computer read the stored information, which could then be decrypted? The system's security would then depend on the security of that encryption algorithm. Alayne McGregor alayne@gandalf.ca
In Risks 11.77, David Reisner comments on the effects of using "lossy"
compression techniques. His comments are quite interesting, but I think he,
and many others commenting on this issue early, miss an important point: What
is new here is not the FACT of losses, but what we KNOW about them.
Reisner's example of the new Phillips Digital Compact Cassette (DCC)
compression scheme provides an excellent example of this. It is quite true
that such a system throws away information. On the other hand, *so does every
recording scheme ever invented*. All recording schemes are bandwidth limited.
All will saturate at high amplitudes. All analogue systems add noise. It's
easy to contrast DCC with CD's and say "aha, they've thrown away some
information" - but in fact CD's ALSO throw away information: The Nyquist limit
means that they absolutely cannot record any information about about 22Khz, the
14-bit encoding places a limit on their amplitude resolution. In addition,
CD's used for audio purposes use error correction schemes - what you hear may
not be what was recorded, and will even vary from playback system to playback
system. Of course, all these "losses" - sounds above 22Khz, the error
correction "patches", and so on - have been chosen to be "unnoticeable" to the
human ear. This is no different from the DCC scheme; the DCC scheme is just
more clever about it. It's also no different from many older schemes, from FM
(limited to 15Khz) to Dolby encoding.
A traditional photograph or X-ray isn't "exact" in any sense either. There is
a finite grain size, a limited amplitude resolution (and a generally quite
non-linear amplitude response), and so on. Grain size is chosen to be small
enough to (mainly) be ignored by the human visual system. The details of
response to different light levels and colors in film is chosen for its
appropriateness in a particular use. Color snapshot film is built to "look
pleasing", not to be "highly accurate" in any objective sense. X-ray film is
built to produce high contrast of "medically interesting" things.
NTSC color television encoding uses less transmitted energy and bandwidth for
chrominance than for luminance information because the human eye has much less
sensitivity to loss of high spatial frequencies for chrominance. The color
encoding used is inherently unable to represent some colors that the eye can
perceive (certain dark browns). All of these choices were made based on
studies of the human eye's abilities. In fact, JPEG is just uses more
sophisticated versions of the same tricks - and interestingly JPEG is NOT
necessarily lossy: JPEG is a class of parameterized compression algorithms,
with the parameters chosen by whoever does the compression, and it is possible
to set the parameters to avoid any (deliberate) losses.
What's the point of all this? Just that there is actually nothing new in
losses in representation: They've been with us from the first time we sketched
on cave walls. Early losses came about as inherent, uncontrolled side-effects
of poorly understood processes. As we've become more technologically
sophisticated, we've been able to understand the origins of these losses and
ultimately either eliminate them (hiss, rumble, wow and such are non-issues for
CD's) or deliberately choose where they will occur. Today's recording
technologies, losses and all, are orders of magnitude better than what was
available in the past.
However, from a political/legal/social point of view, there is one significant
difference: What no one could understand or control, no one could be blamed or
penalized for. If an important distinction is lost in a X-ray because the
film's grain size can't represent it, well, that's the way it is. But when the
loss can be attributed to someone's particular, definite decision, all of a
sudden blame can be attached: "If they hadn't chosen to save a few bucks on
storage by compressing the image, my client would be healthy today." Once you
can name the chemical added to the food, you can sue someone for adding it -
and never mind all the thousands of chemicals already there that have never
been analyzed.
Systems have to be built appropriately for their intended use. The more we
understand and can control about a system, the more choices we can make - and
the more choices we HAVE to make. When we were not in a position to make the
choice, "nature" made it for us - but it WAS made.
— Jerry
>From: synthesis!dar@UCSD.EDU (David Reisner) >There are, in fact, lots of compression algorithms that ARE lossy. ... This is a part of a much more pervasive problem: rendering errors. For example, a digitally encoded image is ALWAYS an approximation of the continuous input. There are mathematical constraints for getting the right results out of a digital display system without encountering aliasing effects, but these require filtering — and this filtering is generally assumed to be done by the viewer's eyes. I'll talk about rendering of images, but the same applies to any area of digital signal processing. The challenge of image processing is to play around as much as you can without exceeding a JND (just noticeable difference). Sometimes we go a bit further (e.g., 300 dpi laser printers, most computer displays) and accept what I'll call a JID (just ignorable difference), and some people end up pulling their hair out because they can't ignore what we want them to. Many RISKs enter, in that the JND is a physiological concept, not a physical concept. Hence: - JND is an averaged measurement, some people notice more (like people who can hear TV sets — ouch!). - Sometimes the JND is not a constant parameter, so a subtle change in the application can wreak havoc. For example, visual flicker sensitivity depends on frequency, brightness, and the part of the retina that is receiving the signal. When Cinemascope was tried out some years ago (a very wide curved screen), it was found necessary to decrease the intensity of the bulbs used in projectors or viewers would complain of flicker in the corners of the screen when they looked at its center. - Multiple JND's typically apply to a situation; you have to take them all into account. For example, the set of pictures of Mars from the Viking I lander included an impressive sunrise with rings around the sun. The New York Times printed this picture in a two page spread. Actually, the lines were spurious contours (optical illusion), deriving from a linear quantization of gray levels in the digital camera. How many million people thought that there really WERE lines around the sun on Mars? (Moral: rendering errors can ADD to, as well as subtract from, detail in a picture) - Sometimes the result is not processed by the unaided human eye. For example, if a doctor uses a magnifying glass (or a microscope!) to better see some fine detail on a rendered picture (especially with lossy compression, but even a photo will do), he may violate the limitations of resolution imposed by the imaging process. In this case, who knows what he might or might not see? The solutions that I come up with: - Over-engineer rendering so that the user is unlikely to exceed the limitations unknowingly imposed on him. This is what we do in photography. Obviously, this is what computer compression schemes are specifically trying to avoid... - Educate the users to understand what they have. For example, a medical imaging system might have a warning notice on the screen that an enlargement of the image is not guaranteed to be accurate, or (better) may provide "safe" enlargement primitives that are guaranteed not to exceed the limitations of the compression scheme. Any other ideas? geof@aurora.com / aurora!geof@decwrl.dec.com / geof%aurora.com@decwrl.dec.com
I consider image compression schemes which take advantage of the eye's limited color resolution to be about as dangerous as audio systems which cut off at 20 KHz. As long as the data is to be used by humans, there are physiological limitations that are universal and exploitable. Of course, there are people who still think vinyl records are better than CDs.
Please report problems with the web pages to the maintainer