The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 16 Issue 45

Monday 10 October 1994

Contents

o Anonymity and the Stock Markets...
Peter Wayner
o ICL loses 1.3m pounds poll-tax case
Jonathan Bowen
o AOL sells its subscriber list
David L. Gehrt
o Twins out of luck in Brazil
Debora Weber-Wulff
o Confidential information passed on
Nik Clayton
o Privacy Digests -- and Digital Telephony
PGN
o CFP for CFP'95 (Computers, Freedom, and Privacy)
Carey Heckman
o CALL for PAPERS: EUROCRYPT '95
Jean-Jacques Quisquater
o Info on RISKS (comp.risks)

Anonymity and the Stock Markets...

Peter Wayner <pcw@access.digex.net>
Fri, 7 Oct 1994 22:59:20 -0500
People embroiled in the debate over anonymity on the networks might want to
check out an article entitled "Reuter's Instinet is Biting Off Chunks of
Nasdaq's Territory" in October 4th edition of the Wall Street Journal (p. C1).

The article doesn't deal directly with anonymity-- it just charts the success
of Reuter's Instinet, a computer network that matches up buyers and sellers of
large blocks of stock. The article mentions that many clients selling large
blocks of stock turn to the Instinet because it is anonymous. It's main
competitors are not. It reads, "Large investors, who wish to keep their long
or short positions confidential, especially want to avoid tipping other
investors off about their bets in the volatile, mostly small-capitalization
over-the-counter market."

Ideally, this feature allows the market to be more efficient and more fair.
People who just happen to be selling, say, Apple Computer Company stock to
say, Motorola, won't be able to use their casually acquired knowledge. (Just a
hypothetical example.) Another chance for "insider" like trading is gone.

This anonymity, though, is almost certainly not absolute. The SEC would
probably be able to unwind the trades if they needed to do so. But I'm just
guessing about this.


ICL loses 1.3m pounds poll-tax case

<Jonathan.Bowen@comlab.oxford.ac.uk>
Mon, 10 Oct 94 09:58:46 BST
Front page news in "Computing", 6 October 1994:

Headline:   ICL loses 1.3m pounds poll tax case

In a landmark award, St Albans City Council has won a 1.3m pounds High Court
judgement against ICL for supplying flawed poll tax software, precipitating a
flood of similar claims against the supplier.  Monday's judgement has
industry-wide implications because the judge in the case, Mr Justice Scott
Baker, ruled that a clause in ICL's standard contract limiting the supplier's
liability if problems arose did not apply under the Unfair Contract Terms Act
1977.

Notes:

1. "Computing" is a UK computing industry weekly newspaper.
2. ICL is a Japanese owned UK based computer company.
3. 1.3m UK pounds is approximately $2 US million.
4. The "poll tax" was the abortive uniform local tax on individuals
   introduced by the Conservative government under Mrs Thatcher,
   but now replaced due to public resistance.

Jonathan Bowen, Oxford University Computing Laboratory, Programming Research,
Wolfson Building, Parks Road, Oxford OX1 3QD UK Jonathan.Bowen@comlab.ox.ac.uk


AOL sells its subscriber list

"David L. Gehrt - RIACS" <dlg@skydesign.arc.nasa.gov>
Wed, 05 Oct 1994 10:03:16 -0700
On the front page of the buiness section of the San Jose Mercury today (5 Oct
1994) is an article describing one of the most egregious privacy violations I
have heard of.  America Online, described in the article as the fastest
growing on-line service providers, has or appears to be ready to peddle
subscriber information.  The kind of information by AOL collected upon sign up
is (IMHO) excessive.  My wife signed up and I nearly told her to find another
service provider and if she had known about the possibility that the info
would be sold I am sure that she would have not signed up.

According to the article the information which might be included in the sale
of AOL subscriber info includes: "...name, gender, address, income, family,
type of computer equipment, and payments to the company."

My hope is that other subscribers will rise up in anger and convince AOL that
this invasion of their privacy will cost them more $$$ in lost subscribers
than they can hope to gain via the sale of the info.

David L. Gehrt


Twins out of luck in Brazil

Prof Weber-Wulff <weberwu@tfh-berlin.de>
5 Oct 1994 15:42:41 GMT
The German daily newspaper "Tagespiegel" notes this past weekend that for any
set of twins (or triplets, etc.), in Brazil, only one may register to vote for
the upcoming election.  Seems the unique key for the voter registration form
consists of the names of the parents and the birthdate. It was noted that the
problem could not be corrected in time for the election, presumably there will
a number of people contesting the election.

Debora Weber-Wulff, Technische Fachhochschule Berlin, FB Informatik,
Luxemburger Str. 10, 13353 Berlin, Germany email: weberwu@tfh-berlin.de


Confidential information passed on

Nik Clayton <Nik.Clayton@brunel.ac.uk>
Wed, 28 Sep 94 12:57:09 +0100
"Watchdog", a consumer affairs television program shown on the BBC, Monday
26th September, reported on the experiences of a customer of Dixons (a
computer and other electrical goods retailer).  The customer had bought a PC
from them, and had used it extensively, writing letters, doing business and
accounts and so on.  The PC started to malfunction, the symptoms being wrong
characters generated by the keyboard. For example, "w" translated to an "f"
and so on.

Dixons said that they couldn't fix it, but would charge UKP 250 for an upgrade
to a new machine. The customer agreed to this, and told them, before he gave
the computer back, that he had confidential information stored on it, and
would they remove it for him. Dixons agreed to this.  6 months later, he
received a phone call from a family who had purchased his old computer from
Dixons, saying that they had found his data still on the computer.

RISKS: Obviously, the retention of the data is a large risk. But in
addition, I think there are several others. Most obvious is the fact
that the customer, while storing important information on the machine
had made no efforts to make it secure. The situation could have been
much worse if the computer had been stolen, or if his children had
access to the data to change it.

Other risks include believing what the retailer tells you. We weren't
told any more technical information about the problem with the machine,
but it looked very much as though either the keyboard was faulty, or,
more likely, that one of the keyboard drivers had become corrupted.
Certainly not something that should UKP 250 to fix.

Also, the second owners of the machine believed that what they were
getting was brand new, with the caveat that it had been used a display
machine. Obviously, it wasn't. But even if it had been a display machine,
it should be a trivial matter to walk into one of the stores and put a
virus on many of the machines available. This could cause havoc for
first time buyers.

Nik


Privacy Digests -- and Digital Telephony

Peter G. Neumann <Neumann@csl.sri.com>
Mon, 10 Oct 94 09:00:10 EDT
Periodically I remind you of TWO useful digests related to privacy, both of
which are siphoning off some of the material that would otherwise appear in
RISKS, but which should be read by those of you vitally interested in privacy
problems.  RISKS continues to carry general discussions in which risks to
privacy are a concern.  The most recent issues of PFD and CPD include
extensive material on the newly passed Digital Telephony Bill that now awaits
Presidential signature.  Because the of the extraordinary volume of that
material, we do not attempt to cover the issues here.  If you are seriously
interested in the discussions on privacy, I recommend you try BOTH digests for
a while (free trial subscriptions are terrific, but especially when the
long-term subscriptions are also free AND, perhaps more important, you don't
wind up on anyone ELSE's mailing list!).

* The PRIVACY Forum Digest (PFD) is run by Lauren Weinstein.  He manages it as
  a rather selectively moderated digest, somewhat akin to RISKS; it spans the
  full range of both technological and non-technological privacy-related issues
  (with an emphasis on the former).  For information regarding the PRIVACY
  Forum, please send the exact line:

information privacy

  as the BODY of a message to "privacy-request@vortex.com"; you will receive
  a response from an automated listserv system.  To submit contributions,
  send to "privacy@vortex.com".

* The Computer PRIVACY Digest (CPD) (formerly the Telecom Privacy digest) is
  run by Leonard P. Levine.  It is gatewayed to the USENET newsgroup
  comp.society.privacy.  It is a relatively open (i.e., less tightly moderated)
  forum, and was established to provide a forum for discussion on the
  effect of technology on privacy.  All too often technology is way ahead of
  the law and society as it presents us with new devices and applications.
  Technology can enhance and detract from privacy.  Submissions should go to
  comp-privacy@uwm.edu and administrative requests to
  comp-privacy-request@uwm.edu.

There is clearly much potential for overlap between the two digests, although
contributions tend not to appear in both places.  If you are very short of time
and can scan only one, you might want to try the former.  If you are interested
in ongoing detailed discussions, try the latter.  Otherwise, it may well be
appropriate for you to read both, depending on the strength of your interests
and time available.
                                                  PGN


CFP for CFP'95! (Computers, Freedom, and Privacy)

Carey Heckman <ceh@leland.Stanford.EDU>
Thu, 6 Oct 1994 06:12:05 -0700 (PDT)
                  Call for Participation - CFP'95
     The Fifth Conference on Computers, Freedom and Privacy
Sponsored by the ACM SIGCOMM, SIGCAS, SIGSAC and Stanford Law School
                       28 - 31 March 1995
    San Francisco Airport Marriott Hotel, Burlingame, California

INVITATION
This is an invitation to submit session and topic proposals for
inclusion in the program of the Fifth Conference on Computers, Freedom
and Privacy. Proposals may be for individual talks, panel discussions,
debates, or other presentations in appropriate formats. Proposed topics
should be within the general scope of the conference, as outlined below.

SCOPE
The advance of computer and telecommunications technologies holds great
promise for individuals and society. From convenience for consumers and
efficiency in commerce to improved public health and safety and
increased participation in democratic institutions, these technologies
can fundamentally transform our lives. New computer and
telecommunications technologies are bringing new meanings to our
freedoms to speak, associate, be left alone, learn, and exercise
political power.

At the same time these technologies pose threats to the ideals of a
just, free, and open society. Personal privacy is increasingly at risk
from invasion by high-tech surveillance and eavesdropping. The myriad
databases containing personal information maintained in the public and
private sectors expose private life to constant scrutiny. Political,
social, and economic fairness may hinge on ensuring equal access to
these technologies, but how, at what cost, and who will pay?

Technological advances also enable new forms of illegal activity, posing
new problems for legal and law enforcement officials and challenging the
very definitions of crime and civil liberties. But technologies used to
combat these crimes can threaten the traditional barriers between the
individual and the state.

Even such fundamental notions as speech, assembly and property are being
transformed by these technologies, throwing into question the basic
Constitutional protections that have guarded them. Similarly,
information knows no borders; as the scope of economies becomes global
and as networked communities transcend international boundaries, ways
must be found to reconcile competing political, social, and economic
interests in the digital domain.

The Fifth Conference on Computers, Freedom and Privacy will assemble
experts, advocates and interested people from a broad spectrum of
disciplines and backgrounds in a balanced public forum to explore and
better understand how computer and telecommunications technologies are
affecting freedom and privacy in society. Participants will include
people from the fields of computer science, law, business, research,
information, library science, health, public policy, government, law
enforcement, public advocacy, and many others.

Topics covered in previous CFP conferences include:

Personal Information and Privacy
Access to Government Information
Computers in the Workplace
Electronic Speech, Press and Assembly
Governance of Cyberspace
Role of Libraries on the Information Superhighway
Law Enforcement and Civil Liberties
Privacy and Cryptography
Free Speech and the Public Communications Network

We are also actively seeking proposals with respect to other possible
topics on the general subject of computers, freedom and privacy. Some
new topics we are considering include:

Telecommuting: Liberation or Exploitation?
Courtesy, and the Freedom to be Obnoxious
Commercial Life on the Net
How Does the Net Threaten Government Power?
Universal Access to Network Services
The Meaning of Freedom in the Computer Age
Online Interaction and Communities
Government-Mandated Databases

PROPOSAL SUBMISSION
All proposals should be accompanied by a position statement of at least
one page, describing the proposed topic. Proposals for panel
discussions, debates and other multi-person presentations should include
a list of proposed participants and session chair. Proposals should be
sent to:

     CFP'95 Proposals
     Stanford Law and Technology Policy Center
     Stanford Law School
     Stanford, California 94305-8610

or by email to:

     cfp95@forsythe.stanford.edu

with the word RProposalS in the subject line. Proposals should be
submitted as soon as possible to allow thorough consideration for
inclusion in the formal program. The deadline for submissions is
1 November 1994.

STUDENT PAPER COMPETITION
Full time students are invited to enter the student paper competition.
Winners will receive a scholarship to attend the conference and present
their papers. Papers should not exceed 2,500 words and should examine
how computer and telecommunications technologies are affecting freedom
and privacy in society. All papers should be submitted to Professor
Gary T. Marx by 20 November 1994. Authors may submit their papers either
by sending them as straight text via email to:

     Gary.Marx@colorado.edu

or by sending six printed copies to:

     Professor Gary T. Marx
     University of Colorado
     Campus Box 327
     Boulder, Colorado 80309-0327
     (303) 492-1697

Submitters should include the name of their institution, degree program,
and a signed statement affirming that they are a full-time student at
their institution and that the paper is an original, unpublished work of
their own.

INFORMATION
For more information on the CFP'95 program and advance registration, as
it becomes available, write to:

     CFP'95 Information
     Stanford Law and Technology Policy Center
     Stanford Law School
     Stanford, California 94305-8610

or send email to:

     cfp95@forsythe.stanford.edu

with the word "Information" in the subject line.

THE ORGANIZERS

General Chair
Carey Heckman
Stanford Law School
Stanford Law & Technology Policy Center
Stanford, CA  94305-8610
415-725-7788 (voice)
415-725-1861 (fax)
ceh@leland.stanford.edu

To discuss potential CFP'95 speakers, topics, and formats, and to receive
additional CFP'95 information, subscribe to the CFP95 list. Send to
cfp95@lists.stanford.edu a plain text message consisting of subscribe cfp95.

Program Committee
Sheri Alpert, Internal Revenue Service
Judi Clark, ManyMedia
Kaye Caldwell, Software Industry Coalition
Esther Dyson, EDventure Holdings
Mike Godwin, Electronic Frontier Foundation
Peter Harter, National Public Telecommuting Network
Lance J. Hoffman, George Washington University
Ellen Kirsh, America OnLine
Bruce R. Koball, Motion West
Gary T. Marx, University of Colorado
Mitch Ratcliffe, Digital Week
Marc Rotenberg, Electronic Privacy Information Center
Deborah Runkle, American Association for the Advancement of Science
Barbara Simons, USACM
Ross Stapleton-Gray, Georgetown University
Glenn Tenney, Fantasia Systems
Jeff Ubois, Author and Consultant
J. Kent Walker, Jr., Department of Justice
  [Affiliations are listed for identification only.]


CALL for PAPERS: EUROCRYPT '95

Jean-Jacques Quisquater <jjq@dice.ucl.ac.be>
29 Sep 1994 14:47:11 GMT
EUROCRYPT '95

May 21 - 25, 1995,  Saint-Malo,  France

FINAL CALL FOR PAPERS

General information
Eurocrypt '95 continues the tradition of European IACR conferences dedicated
to the theory and applications of cryptologic techniques.  Original papers
are solicited on all aspects of cryptology.

Topics of interest
The topics of interest include but are not limited to:
.   Applications
.   Authentication
.   Combinatorial aspects
.   Computational complexity aspects
.   Computer security aspects
.   Conventional cryptosystems
.   Cryptanalysis
.   Cryptographic hash functions
.   Digital signatures
.   Electronic money
.   Foundation and theory
.   Implementation aspects
.   Information theoretical aspects
.   Key distribution
.   Number theoretical aspects
.   Practical aspects
.   Protocols
.   Pseudo randomness
.   Public key
.   Secret sharing
.   Standards
.   Voting systems
.   Zero knowledge

Instructions for authors
Send a cover letter, one title page and 18 copies of an extended abstract to
be received by November 21, 1994, (or postmarked by November 10, 1994 and
sent via airmail).  The title page should contain the title, the name of the
authors, their phone and fax numbers, their postal and e-mail address and the
abstract.  The extended abstract should start with the title and the abstract,
but should be anonymous (Please, reserve the acknowledgments for the final
version of the paper).  This should be followed by a succinct statement
appropriate for a non-specialist reader specifying the subject addressed,
its background, the main achievements, and their significance to cryptology.
Technical details directed to the specialist should then follow.  A limit of
10 single-spaced pages of 12pt type (not counting the bibliography and clearly
marked appendices) is placed on all submissions.  Since referees are not
required to read the appendices, the paper should be intelligible without them.

Abstracts that have been or will be submitted in parallel to other conferences
or workshops that have proceedings are not eligible for submission to
Eurocrypt.  The authors must state compliance to this rule in their cover
letter.  A LaTex style file and an example of a cover letter will be available.

Conference proceedings
Eurocrypt '95 will be the first Eurocrypt conference where proceedings will be
available at the meeting.  The proceedings will be published in the
Springer-Verlag's  Lecture Notes in Computer Science.  Clear instructions
about the final copy will be sent to the authors.  The final copies of the
accepted papers will be due on March 6, 1995.  Authors of accepted papers
must guarantee that their paper will be presented at the conference.

A limited number of stipends are available to those unable to obtain funding
to attend the conference.  Students whose papers are accepted and who will
present themselves are encouraged to apply if such an assistance is needed.
Requests for stipends should be addressed to the general chairperson.

Program Committee
Chaired by Louis Guillou, the following persons are the
Members of the Program Committee:

Mihir Bellare      Johannes Buchmann   Mike Burmester             Paul Camion
Donald W. Davies   Amos Fiat           Hideki Imai                Lars Knudsen
Ueli Maurer        Birgit Pfitzmann    Jean-Jacques Quisquater    Ronald Rivest
Jacques Stern      Douglas Stinson     Moti Yung                  Gideon Yuval

Important information

Submission receipt deadline:    November 21
(or postmarked airmail:     November 10)

Notification sent to authors:   January 23

Final copies due:   March 6


Send submissions to:
Louis Guillou, Program Chair
CCETT  (Eurocrypt '95)
4, rue du Clos Courtel
F-35512 Cesson-Se'vigne' Cedex
FRANCE
Tel:    +33 99 12 42 47
Fax:    +33 99 84 56 00
Email:  iacr95@ccett.fr


For other information, contact:
Franc,oise Scarabin, General Chair
CCETT  (Eurocrypt '95)
4, rue du Clos Courtel
F-35512 Cesson-Se'vigne' Cedex
FRANCE
Tel:    +33 99 12 41 98
Fax:    +33 99 12 40 98
Email:  iacr95@ccett.fr

Please report problems with the web pages to the maintainer

Top