The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 17 Issue 72

Weds 14 February 1996

Contents

o The CDA: Has It Fallen? Can It Get Up?
Stanton McCandlish
o REVIEW: "Digital Money" by Lynch/Lundquist
Rob Slade
o Re: RISKS (...) of typing credit-card numbers
Olin Sibert
o Re: The measurement of risk
Pete Mellor
Martin Minow
Robert Walking-Owl
o REMINDER: Privacy Digests
PGN
o Info on RISKS (comp.risks)

The CDA: Has It Fallen? Can It Get Up?

Stanton McCandlish <mech@eff.org>
Wed, 14 Feb 1996 00:48:11 -0800 (PST)

The CDA: Has It Fallen? Can It Get Up? - Stanton McCandlish, mech@eff.org

In the days after the passage of the unconstitutional "Communications Decency Act" as part of the Telecom bill, the CDA appears to be toppling just as it should have begun to ride high in the saddle of fundamentalist "victory" (though the battles are hardly over yet).

The entire Congress passed this bill (some Members knowing it was unconstitutional, and some on the other extreme not even knowing the CDA existed), with the exception of the following legislators who voted against the whole Telecom Bill:

Representatives

Earl Hilliard (D-AL), Pete Stark (D-CA), Pat Schroeder (D-CO), Neil Abercrombie (D-HI), Lane Evans (D-IL), Sidney Yates (D-IL), Barney Frank (D-MA), John Conyers (D-MI), Collin Peterson (D-MN), Harold Volkmer (D-MO), Pat Williams (D-MT), Maurice Hinchey (D-NY), Jerrold Nadler (D-NY), Peter DeFazio (D-OR), Timothy Johnson (D-SD), Bernard Sanders (independent-VT)

Senators

Dianne Feinstein (D-CA), Patrick Leahy (D-VT), Paul Simon (D-IL), Paul Wellstone (D-WI), and John McCain (R-AZ).

(Plus a handful that did not vote.) In all, only a single Republican, out of both Houses of Congress, voted to preserve American freedom of expression.[*]

The President proclaimed, in the first State of the Union Address to mention the Internet, "When parents control what their children see, that's not censorship. That's enabling parents to assume more responsibility for their children. And I urge them to do it". Clinton then, in a signing party timed to coincide with the press attention given to the "24 Hours In Cyberspace" multimedia event, enacted a law that strips parents of the right and responsibility to decide what is appropriate for their own children. The CDA would not only fail to help "parents control what their children see" - a goal long supported by EFF, ACLU, VTW, CDT and others opposed to the "decency" bill - but actually hinder the development of tools and services to help parents and teachers filter children's Net access.

* Backlash

It is ironic that it took passage of this law to garner the public and media attention it warrants.

For 48 hours after President Clinton's signing of the CDA into law, thousands of Web users and BBS sysops worldwide took part in a "Thousand Points of Darkness" protest of the new censorship law by turning their Web page and login screen backgrounds to black, to mourn the death of the Internet as we know it. Some, including online magazines such as Factsheet Five Electric and Scamizdat, blanked out their entire online offerings, replacing everything that had been available with a single sentence: "This is what censorship looks like".

The protest garnered major news coverage of the Net censorship debate for the first time. Finally the debate has shifted from false "save the children" hype to the real issue: free speech, press and association rights in new media. The "facts", figures and motives of the lobbyists and lawmakers behind the CDA are at last being more widely examined.

The "black page" protest is being followed up with a long term awareness-raising and protest effort, in which participants, already numbering in the tens of thousands, wear blue ribbons, and place graphics of blue ribbons on their online services and homepages. Participants range from individual users, to online journalism sites like HotWired, to major centers of Internet connectivity like Netcom and Yahoo!, among others.

As with Germany and France, where attempted censorship of online information has backfired, leading to proscribed data's immediate global availability from numerous anti-censorship "mirror sites", the U.S. government may have to learn the hard way. The online community is determined to knock the lesson into regulators' heads. To cater to censored U.S. users, "offshore" anonymous Internet access providers are popping up, such as Offshore Information Services Ltd - http://online.offshore.com.ai/ - offering $50/month privacy-protected accounts from tax-haven island Anguilla.

In case that were not enough, an ad-hoc programmer coalition, the Decense Project - at http://www.clark.net/pub/rjc/decense.html - has produced a "de-censoring" solution, which like that of the Anguilla ISP, also provides privacy protection as a bonus: Decense, "a cgi script designed to provide a double-blind pseudonym scheme which allows a site to hide behind a chain of http servers which 'proxy' for it. Neither the user [ID] requesting the document, nor the ultimate address of the destination web site is immediately available to prying government eyes."

* Action in Court and Congress

The action has spread offline as well. There has already been a public protest rally in Washington DC on Feb. 10, and there are others in the works. The University of Pennsylvania at Philadelphia will see a demonstration just before a scheduled speech by VP Gore. A DC "Electronic Freedom March" is gearing up, and even high school students are donning blue ribbons and demonstrating against reactive academic censorship.

Most importantly, the new law itself is under concerted attack in the courts and on the Hill.

EFF, with ACLU and 24 other organizations, have filed a federal lawsuit against the Department of Justice (DoJ), in the Philadelphia court of Judge Ronald Buckwalter, challenging the CDA on constitutional grounds. As of Feb. 13, Judge Buckwalter has not only commended the plaintiffs on a well-written lawsuit, but has put the case on the fast track, demanding a DoJ response by Wed. Feb. 14. The Judge further indicated that he will likely grant plaintiffs' motion for a temporary restraining order (TRO), by Thu., Feb. 15 at the latest, without further hearings. The TRO would prevent enforcement of the CDA pending a hearing before and decision from a panel of three judges, on a motion for a longer-term preliminary injunction that would prevent all enforcement of the "decency" provisions until the real meat of the case is settled - whether the CDA stands up to constitutional challenges. The hearing on the long-term injunction should take place within the next few weeks. And the balance of the legal "tests" the CDA must face are very much in plaintiffs' favor.

Though the DoJ has agreed to make no arrests under the new statutes between now and the probable issuance of a TRO this week, content and access providers should be warned that the FBI and other Justice Dept. agents may later decide to prosecute for CDA violations committed during this time, if they eventually win the case - a possibility everyone should be concerned about. And plaintiffs' attorneys warn that even the little assurance provided by DoJ for now is rather meaningless since it has not been put in writing.

The Justice Dept. and the Christian Coalition are expected to present, as evidence supporting the CDA, the most vulgar content they can possibly find online - though this tactic could backfire. After all, the CDA does not address pornography (obscenity) at all, since it is already illegal online or offline, but rather targets indecency, a broader category including nudity in almost any context, or "indecent" words like those found in any PG-rated movie.

In the meantime, the Telecom bill has been delivered a one-two-punch by some of the legislators that voted against it the first time around. Sen. Patrick Leahy (D-VT), like Rep. Jerrold Nadler (D-NY), was a high-profile participant in the WWW Blackout protest, and has, with Sen. Russ Feingold, introduced a new bill (S.1567) to repeal most of the CDA. This legislation will likely need to be re-examined and modified to make sure it actually succeeds in the goal of removing the threat posed by the Communications Decency Act.

* Women's Groups and Others Join the Battle

Rep. Pat Schroeder (D-CO) is attacking another dangerous provision of the Telecom Bill - an amendment outlawing the online distribution of certain kinds of abortion-related information. The amendment in question was slipped into the leviathan telecommunications "deregulation" package by Rep. Henry Hyde (R-IL), who also shepherded the final version of the CDA.

Schroeder announced that she will introduce a bill, when Congress re-convenes on Feb. 26, to repeal this less well-known Telecom Bill assault on free expression. (It should be noted that although Rep. Schroeder voted against the Telecom bill in the final vote, she can be partially blamed for the existence of the CDA in that bill - she voted "yes" on it in committee deliberations, along with a majority of her colleagues.)

The "abortion gag rule" in the Telecom bill is also being slammed in another lawsuit, Sanger v. Reno, filed in New York by the Center for Reproductive Law and Policy, and many other plaintiffs. In this case, U.S. Attorney Zachary Carter has (according to ACLU releases) admitted the unconstitutionality of the CDA, and also agreed to hold off enforcing it for a while. East District of New York Chief Judge Charles P. Sifton has asked Chief Judge Jon O. Newman of the U.S. Court of Appeals for the 2nd Circuit to convene another 3-judge panel to decide this case.

Sifton has not granted a TRO or injunction. The Judge appears to find the DoJ's assurances sufficient evidence that this particular provision will not be enforced or chill free speech. His decision may also rely on the fact that the section of the ancient Comstock censorship law modified by the Telecom Bill to ban abortion info online, has not been enforced in many years. However, no court has yet ruled the Comstock Act unconstitutional, leaving some people worried for the short term, even if they expect an eventual favorable decision from the 3-judge appellate court. Content providers and internet users, as well as women's groups, are also not particularly comforted by the platitudes of supporters of the abortion info ban, who have disingenuously claimed they simply want to update the Comstock law for consistency reasons and to show support for "Christian" ideals, but don't expect anyone to actually be censored under the new revisions.

Plaintiffs' attorney Simon Heller said, "We are extremely pleased that the Clinton Administration has recognized the invalidity of this law. However, we believe a court ruling against the provision barring receipt or provision of abortion information is still necessary to prevent a future administration or radical right-wing members of Congress from wielding it against women's health care providers and advocates."

* Shifting Lines

It is clear that the Internet and computer industries do not support the Communications Decency Act, though most organizations in these fields did not act, other than to support EFF and other advocacy groups, until too late. It has shocked the commercial world as well as the general public that Congress would actually pass a bill so terrible. The industry is, however, increasingly participating in protest, and legal, action against the CDA, realizing that such important decisions as what we each should read or avoid cannot be left up to government. Even the usually Beltway-shy Microsoft is taking a stand; in an AP interview, the company's leader, Bill Gates, said of the Internet regulation attempt, "Unfortunately, it means we're going to have to spend some time in Washington, DC. In the first 15 years of Microsoft history, we never visited Washington."

And content producers of all sorts are expressing concern, even outrage, from upstart multimedia giants, to major print publishers, all of whom now find not only their free press rights but also their livelihoods threatened. As journalism organizations have flocked to the pro-speech side, only one news association, to our knowledge, has offered anything but derision for the CDA. (Newspaper Association of America President John Sturm expressed support for the telecom bill as a whole, citing only disappointment at the censorship, and support of the "motives of the conferees to protect children from obscene and indecent material". One wonders how closely Mr. Sturm has questioned those motives.)

It is clear that the fundamentalist organizations and legislators behind the CDA have neither an understanding of the medium and issue, nor any particular desire to inform the public or the media. The Family Research Council - http://www.frc.org - disinformed readers by quoting and explaining in their newsletter the obscenity restrictions from an older draft of the bill (which they helped replace with an unconstitutional "indecency" version) in an attempt to imply that the FRC and their favorite bill would prohibit online distribution of obscenity.

Religious right spokespersons, as well as CDA sponsors like Exon and Hyde, repeatedly tell the press and tv news programs that they are trying to "protect children from pornography" as if somehow unaware that their bill actually makes it more difficult to prevent children from being exposed to inappropriate materials, by removing all incentive to continue developing services and software which genuinely perform this needed function.

But perhaps even the moralists are having second thoughts (or trying to save face): Confronted with World Wide Web co-creator Tim Berners-Lee's free Net filtration software, Christian Coalition spokesperson Heidi Strup conceded that the program "definitely would be a useful tool for us." One must wonder how and why the CC and its allies failed to realize this 6 months ago.

More education and outreach is clearly needed, so that legislators do not fear the net, so that lobbyist groups do not push for unneeded and hazardous legislation, and most importantly so that the general public have a better understanding of their free speech rights and recognize the early warning signs of censorship threats.

On the other side of the issue, organizations like Voters' Telecom Watch (http://www.vtw.org), with help from local activists (see, for example, the "Tennessee Hit List" of bad legislators at http://www.people.memphis.edu/~mddallara/hitlist.html) vow to bring the Net constituency into its own in upcoming elections. They are gearing up to vote out legislators and other officials at all levels who betray the trust of their voters by pushing for censorship. The online voting bloc will have a number of people to remove from office, it seems, given Congresspersons like Rep. Thomas Bliley (R-VA), chair of the House Telecom Committee, who seems to consider the CDA's assault on the Constitution an inconsequential matter to be fixed by "technical corrections" to the bill later in the year. And what about Vice-President Al Gore? For all his "Information Superhighway" hype, Gore strongly supported passage of the legislation, since, after all, the courts can take care of the unconstitutional stuff. Sen. Carl Levin (D-MI) echoed both sentiments, at an "ask the politicians" event in Kalamazoo, MI, claiming that the CDA was only "one small page in a very large bill", and stating that he knew it was unconstitutional and (you won't believe this) that it is "always necessary to test the Constitutionality of some legislation", ergo no service providers would get hurt! Perhaps Sen. Levin considers this a game, but online voters may just cure him of that notion come election day. And let's not forget legislators from Connecticut and other states, who did not even know the CDA was in the Telecom Bill - they passed it without reading the bill at all, much less understanding its impact.

* Civil Disobedience (and Decidedly Uncivil Obedience)

At present EFF cannot advise what to do and not do under the CDA. No one can. The law is too vague and overbroad to be applied meaningfully.

Some sites are already closing, with more providers broadly self-censoring their content. The moderator of an amateur radio discussion group closed the forum down, saying only, "I have closed my mailing lists to minors, not in protest but for my own protection. Since I enforce rules of conduct for the lists, I think I'm too close to being part of content creation to be safe should one of the subscribers post a 4-letter word." If the judges in the cases challenging the CDA need any evidence of the chilling effect of this legislation, this should be all they need.

Other content providers, including many who had never thought of posting "offensive" materials at all, are engaging in widespread civil disobedience, deliberately violating the new Act. A particularly creative example can be found at http://coolheart.infi.net/exon/index.html - you can send a Valentine's Day card to Sen. Exon, reading "In honor of Valentine's Day, I thought I would send you an example of some of the nudity I've found on the Internet - Enjoy", and including your choice of several classic works of art, including Michelangelo's "David" and Botticelli's "Birth of Venus".

Yet more are being "uncivilly obedient", complying - barely - by ROT13-encrypting "dirty words", putting "CENSORED!" banners all over their web pages, replacing scatological terms with legislators' surnames, and other actions of visible obedience-under-duress.

Still, helpful as these actions may - or may not - prove to be, some protest activities are decidedly unhelpful. "Spamming" Senate and House email addresses, particularly with indecent material, is self-defeating. Please remember that this legislation passed because legislators by and large were too ignorant of the medium to recognize that the Net is not really a den of pornographers and terrorists. Irresponsible and overtly threatening gestures - especially threat letters or dirty stories - will only prove to legislators' minds that they were right after all.

Lastly, please keep in mind that obvious civil disobedience can be dangerous, particularly as "Oklahomans for Children and Families" and other local fundamentalist groups are on the prowl, vowing to report to police any CDA violations they find. The current hold on enforcement of these laws by the Justice Dept. does not even mean you can't be prosecuted for violations occurring now (assuming the court cases fail, which is probably not a good assumption, fortunately), only that you won't be prosecuted right now.

Stanton McCandlish, Online Activist & Webmaster, Electronic Frontier Foundation San Francisco - Feb. 13, 1995

[* I observe that only one Republican voted against the CDA because it is a fact. This does not constitute an endorsement of the Democratic Party or any other kind of endorsement on my or EFF's part.]

Stanton McCandlish Electronic Frontier Foundation mech@eff.org
http://www.eff.org/~mech/

REVIEW: "Digital Money" by Lynch/Lundquist

"Rob Slade" <roberts@mukluk.hq.decus.ca>
Tue, 13 Feb 1996 12:07:47 EST

BKDGLMNY.RVW 960126

"Digital Money", Lynch/Lundquist, 1996, 0-471-14178-X, U$24.95/C$29.50
%A Daniel C. Lynch
%A Leslie Lundquist
%C 22 Worchester Road, Rexdale, Ontario M9W 9Z9
%D 1996
%G 0-471-14178-X
%I Wiley
%O U$24.95/C$29.50 416-236-4433 fax: 416-236-4448 800-263-1590 800-567-4797
%P 285
%T "Digital Money"

This book does cover, briefly but well, the concepts involved in preparing digital money which is safe (for both customer and vendor) and private. Some additional time and space could have been given to the strengths and weaknesses of encryption, even given the non-technical target audience.

There are a number of other topics which are related, but not really essential. Much space is given to new forms of marketing, and even to a discussion (those who know the history of this review series will note the irony) of copyright. While these fields are interesting, they do detract from the central issue of commercial information security in an open environment.

copyright Robert M. Slade, 1996 BKDGLMNY.RVW 960126
Vancouver Institute for Research into User Security Canada V7K 2G6
roberts@decus.ca rslade@vanisl.decus.ca Rob.Slade@f733.n153.z1.fidonet.org

Re: RISKS (...) of typing credit-card numbers (Fisher, RISKS-17.71)

Olin Sibert <wos@oxford.com>
Tue, 13 Feb 96 12:47:42 EST

Mark Fisher suggests that running a secure OS (e.g., Windows NT) is a "real solution" to these attacks. I think this is misleading. The suggested approach (an API call to retrieve a string not visible to keyboard interceptors) is not qualitatively different from the notion of displaying a calculator keypad and entering the number with mouse clicks. Both approaches make it necessary to target the attack more precisely, and perhaps to use different means (such as grabbing the number from a memory buffer or a disk file), but don't materially improve the security of the information.

A secure OS is no panacea, for all it can do is prevent the things it knows about. It can't stop a program that I run from accessing files to which I have legitimate access. It can't really even stop me from breaching the OS security perimeter: after all, if one of that interminable series of diskettes says "On Windows NT, log in as Administrator and run this SETUP program to install an improved device driver", what can I do? I can refuse, but then I won't get whatever software I wanted. I can't exactly examine anything to see if it's "safe"; I can't even figure out what "safe" might be. In a personal desktop computer, the user is responsible for everything that happens, and there is no "system administrator" to set the rules and to decide what's safe and what isn't. The PC environment poses fundamentally different security problems from the ones we've spent 30 years figuring out how to solve.


Re: The measurement of risk (Shaw, RISKS-17.71)

Pete Mellor <pm@csr.city.ac.uk>
Wed, 14 Feb 96 10:10:37 GMT

> ... Sandman's seven characteristics that determine an issue's
> "outrage valency" in a community.

Add another one:-

Immediate vs deferred risks: if something has an immediate effect, it inspires more dread than something which takes a long time, e.g., it is well known that smoking leads to fatal diseases, but these usually manifest themselves only after many years of consumption.

> Plane accidents are much rarer, cause fewer deaths, but because they
> can cause large fatalities, air travel is much more widely feared
> than car travel. [Perhaps this explains (in part) the number of
> articles regarding air safety in comp.risks ;-) ]

As a captain is reported to have said over the PA after landing, "Thank you for flying with us. The safest part of your journey is now over."

A good way of saving weight would be to remove the life-jackets from under the seats of the smoking section! :-)

Peter Mellor, Centre for Software Reliability, City University, Northampton Square, London EC1V 0HB, UK. Tel: +44 (171) 477-8422, p.mellor@csr.city.ac.uk

Re: The measurement of risk (Shaw, RISKS-17.71)

Martin Minow <minow@apple.com>
Tue, 13 Feb 1996 17:01:12 -0800

Dave Shaw's summary of "outrage at the unknown," notes seven characteristics that determine an issue's "outrage valency" in a community. I should like to add an additional characteristic that is implied, but not stated by Dave's article: "Us vs. Them".

In the particular example, a new mobile phone transmission tower adjacent to a school, all of the benefit of the transmission tower will go to people who can afford a mobile phone, while all of the risks -- however minuscule -- will be borne by the children in the adjacent school. Since the children derive no benefit from the tower, it is not unreasonable that their families are unwilling to bear the medical risks, even if they are trivial.

This subject is also discussed in Charles Perrow's book, "Normal Accidents," which should be on every Risk reader's bookshelf.

Martin Minow minow@apple.com

Re: The measurement of risk (Shaw, RISKS-17.71)

Robert Walking-Owl <WlkngOwl@unix.asb.com>
Tue, 13 Feb 96 20:16:22

>Hence, if Telstra could have found a better way of measuring the
>risk of their towers (i.e., the Radiation Laboratory and their
>EMR meters), they may have avoided publicity like the angry

An interesting point, but the perception I think is not based on distinctions like voluntary/involuntary, familiar/exotic risks, etc. but in what many people view as a distinction between a "risk" and a "hazard". Much literature on technology and society (Langdon Winner comes to mind) discusses this distinction.

To call something a "risk" is to emphasize probability and chance while minimizing the danger. There are no value judgements in discussing risks: losing change in a vending machine or getting cancer from a nearby toxic waste dump can both be termed a "risk". The latter is viewed as a "hazard" by most people, since the "risk" involves a person's health and well-being.

Indeed, the "risk" of getting ill from a nearby tower may be incredibly small, but it isn't nil either: would *you* want to be the one in a million who catches cancer?

That some in government or a business would actually weigh the economic costs of "health risks" versus the costs of avoiding them, and decide a lawsuit is cheaper to settle than to clean up a toxic waste site or move a tower (or public perception that this is happening) can fuel public outrage.


REMINDER: Privacy Digests

<Neumann@CSL.sri.com>
22 Jan 1996

Periodically I remind you of TWO useful digests related to privacy, both of which are siphoning off some of the material that would otherwise appear in RISKS, but which should be read by those of you vitally interested in privacy problems. RISKS will continue to carry general discussions in which risks to privacy are a concern.

* The PRIVACY Forum is run by Lauren Weinstein. He manages it as a rather selectively moderated digest, somewhat akin to RISKS; it spans the full range of both technological and non-technological privacy-related issues (with an emphasis on the former). For information regarding the PRIVACY Forum, please send the exact line:

information privacy

as the first text in the BODY of a message to:

privacy-request@vortex.com

You will receive a response from an automated listserv system. To submit contributions, send to "privacy@vortex.com".

Information and materials relating to the PRIVACY Forum may also be obtained from the PRIVACY Forum Archive via ftp to "ftp.vortex.com", gopher at "gopher.vortex.com", and World Wide Web via: "http://www.vortex.com". Full keyword searching of the PRIVACY Forum Archive is available through the World Wide Web access address.

* The Computer PRIVACY Digest (CPD) (formerly the Telecom Privacy digest) is run by Leonard P. Levine. It is gatewayed to the USENET newsgroup comp.society.privacy. It is a relatively open (i.e., less tightly moderated) forum, and was established to provide a forum for discussion on the effect of technology on privacy. All too often technology is way ahead of the law and society as it presents us with new devices and applications. Technology can enhance and detract from privacy. Submissions should go to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

There is clearly much potential for overlap between the two digests, although contributions tend not to appear in both places. If you are very short of time and can scan only one, you might want to try the former. If you are interested in ongoing discussions, try the latter. Otherwise, it may well be appropriate for you to read both, depending on the strength of your interests and time available.

PGN
