Date: Mon, 08 Jun 92 12:43:15 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@PICA.ARMY.MIL
Subject: Computer Privacy Digest V1#044

Computer Privacy Digest Mon, 08 Jun 92              Volume 1 : Issue: 044

Today's Topics:
    Moderator: Dennis G. Rears

    Re: SSN's and blood
    Re: How to defeat call block (and how to guard against it)
    My view on Caller ID
    Can I lose the rights to my name and address?
    Privacy and Telco Microwave links
    Re: Privacy in video rental records?
    Computer Entrapment
    is there a FAQ file for comp-privacy?
    Re: SSN's and blood

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@pica.army.mil and administrative requests to comp-privacy-request@pica.army.mil.

Back issues are available via anonymous ftp on ftp.pica.army.mil [129.139.160.200].

----------------------------------------------------------------------

From: Khan
Subject: Re: SSN's and blood
Date: Fri, 5 Jun 1992 19:41:19 GMT

In article stevef@wrq.com (Steve Forrette) writes:
>In article johnl@iecc.cambridge.ma.us (John R. Levine) writes:
>>>The local red cross wanted my ssn when I gave blood. They got really
>>>ugly when I refused.
>>
>>The people at the Red Cross can be remarkably dense, particularly
>>considering that all their blood comes from unpaid volunteers. I donate both
>>here in Boston and at my beach house near Philadelphia. Both wanted my SSN.
>
>In California, there is a statewide database of people who should be
>excluded from donating blood for any reason. It is of course useful these
>days for donors with AIDS, but the database predates the AIDS epidemic.

Seems pretty silly to me. Not only is it a misuse of the SSN, but suppose AIDS Mary, who got infected and is now bitter and wants revenge on the world, decides to give blood in the hope of infecting others.
She gives blood once, they test it, find out it has AIDS. Her SSN is added to the list. She gives blood again, only this time they refuse since her SSN is on the list. She catches on quickly, and gives a fake SSN the next time. They accept her blood. I sure hope they test each and every donation, since she has easily circumvented the system. And since they have to test each and every donated pint *anyway*, what's the point in keeping the stupid database?

The earlier posters both neglected to report whether or not the red cross actually GOT their SSNs out of them. It seems likely, however, that the RC could easily get by without misusing the SSN.

------------------------------

Date: Fri, 5 Jun 92 17:27:47 CDT
From: Alan L Varney
Subject: Re: How to defeat call block (and how to guard against it)

In article <1992Jun1.104006.1194@drycas.club.cc.cmu.edu> perry@drycas.club.cc.cmu.edu writes:
>How to defeat call block for those who have caller ID.
>
>I have used this several times, so this method is based on fact, and works
>in Baltimore, Maryland. I post this so that people who use call block will
>be aware of this 'loophole'.
......
>3) Hang up and wait for call back. This should not be very long since the
>person who answered the phone in step 3 will hang up after nobody is there.
>
>4) Phone rings, and the 'blocked number' appears unblocked.

I'm not saying you are wrong, you understand. But *69 calls are from your phone to the other person's phone. If Caller-ID shows up on the "ring-back" to you (just before the call is made to the other party), that must be an unusual implementation. And your number will be sent to the *69-ed party, who can use the same mechanism (if it works) on you....

> I have an AT&T cheap generic cordless phone, 1 channel, no digital
>coding, no security measures. If I drive around a neighborhood with the
>handset on, listening to the static, all of a sudden I'll get a dialtone.
>This works best in apartments.
>Moral of the story: Keep the handset on the
>base unit. I also discovered this by accident when I had the handset in
>my jacket and drove over my friend's house. I felt the handset in my pocket
>and decided to try it. His neighbor's house had a cordless too..
>Baby Monitors have tremendous range. A good bearcat scanner will pick up
>a clear signal blocks away. Most people run these 24 hours. Very unwise.
>Anyone who has tried to listen to Cellular phone calls knows that you need
>two receivers to understand the call, since send and receive are on separate
>channels.

It's not surprising you make so many "accidental" discoveries: you seem to be pushing the limits of "good behavior" in each of these areas. How many people drive around with cordless handsets without really planning on a little "trial" here and there? And are "bearcat"s something the average person uses to scan "baby monitor" (and cordless) frequencies? And cellular -- now you are on the illegal side, somewhat, no?

Are you sure these are all "accidents"?

Al Varney - just my opinion

------------------------------

Subject: My view on Caller ID
From: Art Hunter
Date: Sat, 6 Jun 1992 04:42:10 -0400

| Oh well, if they implement that system in Alberta I guess that my answering
| machine will be taking a lot more of my calls for me. (As it is with the
| only partially complete net up here I get more than enough Unknown Number
| signals than I like, but surprisingly few people have paid the $0.75 to get
| 411 to call me anonymously... So I don't think the MAJORITY of the people want
| this service destroyed.... As free call blocking would do.

The CRTC has made a decision to permit free call blocking in Canada. However, there is a catch. You must dial a prefix in front of every call that is made and the service is not automatic. You must ask for it first. Further, the called party knows that Call Blocking has been turned on and can take the appropriate action by blocking the blocker.
Call Blocking is not implemented here in Ottawa yet but it will be soon. I will certainly be blocking the blockers as I presently do with those pesky telemarketers and a few others that I have no desire to talk to.

I presently have a database of 1300 callers (all identified by name) of which 30 are terminated as soon as CallerID tells the computer who they are. The log of all this activity is very interesting to see when those that have been locked out try several times prior to getting the message.

------------------------------

From: "Daniel P. B. Smith"
Subject: Can I lose the rights to my name and address?
Date: Sat, 6 Jun 1992 18:09:42 GMT

The IBM PS/2 model 35SX and 40SX my company recently bought come with the usual "you-don't-really-have-to-send-this-in-but-let's-make-you-think-it-has-something-to-do-with-your-warranty-card." Specifically it is a Customer Response Form, number 80X1040. It asks where the machine was purchased, type, serial number, how I would rate my satisfaction, did the seller set up and test the system, what was my role in purchasing the system, how much education I've had, and my name, address, and phone.

Now here's the interesting part. It says:

"IBM may use and distribute any of the information you supply in any way it believes appropriate without incurring any obligation whatsoever. You may, of course, continue to use the information you supply."

It's that last sentence that really has me going. Are they saying that when I mail in cards to LESS generous companies I could be LOSING my right to use the information I supply -- such as my name and address? Can I expect a friendly lawyer letter from Black and Decker or Maytag offering to let me continue to use my name for a very reasonable royalty?

--Daniel P. B.
Smith dpbsmith@world.std.com

------------------------------

From: Joe Pistritto
Subject: Privacy and Telco Microwave links
Date: Sun, 7 Jun 1992 00:23:14 GMT

Well, actually, although it's only a small subset of people who have the ability to listen in on telco microwave links, it IS possible with relatively common equipment if you happen to be in the right spot. In particular, a synthesized receiver and a home TVRO dish will work in the right place. There are a couple of tricks involved, but I've actually seen this done with all parts involved available from Radio Shack (TM).

As a matter of fact, the people who live in such places and own satellite dishes tend to be annoyed about the high level of microwave interference, which is quite visible in the received picture. (A telco microwave link a mile away has *A LOT* of power compared to the satellite in geosync orbit, you don't have to be right on axis to receive the signals, which are in the same band as used for downlinks of TV sats. Also, a TVRO dish is a very high gain (>60db) antenna.)

I suppose your neighbors would start wondering if your satellite dish was always pointed at a nearby tall building though...

Digitally multiplexed circuits are another matter entirely, requiring much more advanced equipment to decode. But there's a lot of microwave analog around these days. One of the more interesting uses of analog microwave is for relaying network TV signals around the country, and for feeding from mobile vans to the tv station.

-jcp-
--
Joseph C. Pistritto (jpistrit@oracle.com) +1 415 506 2866
"You may not be interested in strategy, but strategy is interested in You." -Trotsky

------------------------------

From: Steve Forrette
Subject: Re: Privacy in video rental records?
Date: Sun, 7 Jun 1992 05:29:57 GMT

In article john@zygot.ati.com (John Higdon) writes:
>And is it not amusing that the California DMV database is secure from
>absolutely no one except "the people"?
>Any collection agency, bank,
>governmental agency from the Toonerville PD on up, or marketing firm
>can look at your DMV file with more ease than you can. Indeed,
>many credit and check verifying companies have direct connections to
>the DMV computer. Some privacy!

This wonderful law was passed in response to that actress that was murdered in LA a few years ago. The killer got her home address from her DMV file. Of course, everyone was "outraged" as they always are for a few days after these things, so the CA legislature passed the "quick fix" bill. So, what did they do? Did they amend the public availability of the driver record access to exclude home address, but still leave access to the driving record part of it? No, they made everything unaccessible, unless of course you're anyone BUT Joe Public, as you point out.

This "quick fix" reminds me of another recent example from CA. Last year, a taxicab driver was killed by a passenger, and it was thought that he would have been able to get out of the car in time if it were not for his seat belt, whose use is mandatory in California. Within a couple of weeks, the seat belt law was amended to exclude taxicab drivers.

It would be funny if it weren't such a good example of our legislature at work. :-(

Steve Forrette, stevef@wrq.com

------------------------------

Date: Sun, 7 Jun 1992 12:38:26 GMT
From: "Mark P. Neely"
Subject: Computer Entrapment

Computer underground Digest Sun May 17, 1992 Volume 4 : Issue 22

The Defense of Entrapment As it Applies to Bulletin Board System Operators

By Randy B. Singer, Esq.

For now, it is unclear how the law applies to protect speech communicated through electronic bulletin boards. There are hundreds, maybe thousands, of enthusiast-run bulletin boards across the country provided for the free use of the public to exchange ideas and publicly distributable software.
The system operators of these bulletin boards are providing a wonderful public service, out of the goodness of their hearts, usually for no monetary gain (in fact, often at a considerable loss). These sysops cannot afford to fall into a gray area of the law and find themselves having to defend an expensive criminal suit or having to do without their computer equipment because it has been confiscated by the police as evidence.

Running a public bulletin board can expose a system operator (sysop) to all sorts of legal problems that have yet to be adequately defined. For instance:

What happens if one user posts slanderous/libelous information about another user? Is the sysop liable? Is a bulletin board more like a newspaper in this regard or is it more like a meeting hall?

What happens if a user uploads something clearly illegal, like child pornography, which other users download before the sysop has a chance to review the material? Is the sysop liable?

What is the liability of the sysop if he runs a bulletin board in his/her back room and he/she almost never monitors the activity on it? Is the sysop required to constantly monitor the goings-on on their board to prevent illegal activity?

It is therefore understandable that sysops have tried to protect themselves legally the best that they have known how. Unfortunately, there has been a lot of misinformation spread about what the law is and how it pertains to the community of bulletin board users and operators. Hopefully this text file will clear up one of the most common legal misconceptions that is going around.

I have often seen posts that evidence a complete misunderstanding of what constitutes the defense of entrapment. As an attorney I would like to explain this law and its application, especially as it pertains to electronic bulletin board operators.

Entrapment is a complete defense to a crime that a person has been charged with.
It varies in how it is interpreted in each state, and on the federal level, but generally it is as I have defined it here.

Entrapment only exists when the crime involved is the creative product of the police. (That is, the idea to commit this crime came from a police officer, or an agent of the police. The alleged criminal never would have thought of committing this crime if it hadn't been suggested to him by the police, or if the means to commit the crime had not been offered to the alleged criminal by the police.)

AND the accused was not otherwise predisposed to commit the crime involved. (That is, the accused probably wouldn't have committed this or any other similar crime if the police had never been involved.)

BOTH elements must exist for the defense of entrapment to apply.

For instance: When John DeLorean, owner of the (then about to fail) DeLorean Motor Company, was arrested and tried for selling cocaine, he was found not guilty by reason of the defense of entrapment because, the jury determined, the police took advantage of the fact that his failing company made him a desperate individual. The police sent in an undercover officer to offer him a bag of cocaine to sell to raise money to save his company. The entire idea for the crime came from the police; they provided the instrumentality (the coke); and John DeLorean probably would never in his life have sold drugs to anybody if the police hadn't shown up to offer him the drugs to sell at the exact right time.

The reason for the law is obvious: we don't want the police setting up desperate people to get busted just because those people are unfortunate enough to find themselves in desperate situations. In fact, we don't want the cops to set up any law abiding citizens, even if they are not desperate. Tempting people who would not ordinarily commit a crime is not what we want police officers to do.

Now that you have the definition of entrapment, let's talk about what entrapment is NOT.
I've read a lot of posts from people on boards who think that entrapment exists when a police officer goes undercover and does not reveal his true identity when asked. This is NOT covered by the defense of entrapment per se. The defense of entrapment does NOT require a police officer to reveal himself when asked. Going undercover is something that the police do all the time, and there is nothing that prohibits them from doing so. If you are predisposed to commit a crime (e.g., you are already engaged in illegal activity before an undercover police officer comes on the scene), and an undercover police officer simply gathers evidence to convict you, the defense of entrapment does not apply.

So, for instance, if an undercover police officer logs onto a bulletin board and lies and says that he/she is not a police officer when asked, and he/she finds illegal material or goings-on on this bulletin board, then whatever he/she collects and produces against the system operator as evidence towards a criminal conviction is not precluded from being used against the sysop in court. At least it is not excluded by the defense of entrapment, because in this instance the defense of entrapment does not apply. The police officer is allowed to act undercover, and the illegal acts were not the creative product of the police.

Also remember that the defense of entrapment is a COMPLETE defense. So it does not act to exclude evidence, but rather it acts towards one of three things: having a grand jury find that there is not sufficient evidence that a conviction could be obtained to proceed to a criminal trial against the sysop; having the case dismissed before trial; or a finding of 'not guilty' after a criminal trial.

The defense of entrapment also doesn't necessarily apply if the police officer simply asks the system operator to do something illegal and he does it.
In this case the district attorney would argue that the sysop was predisposed to commit the illegal act, especially if the illegal act was already going on in one form or another on the board. For instance, if the police officer asks the sysop to download to him some commercial software, the defense of entrapment will not apply if there is already commercial software available in the files section of the bulletin board.

What would probably be required for the defense of entrapment to apply would be for the police officer to have enticed or misled the system operator into doing the illegal act, and it would have had to have been an illegal act that wasn't already going on on this bulletin board. This MAY allow the use of the defense of entrapment. I say "may" because it depends on the facts in each individual situation to see how closely they meet the requirements for the defense of entrapment to apply. You may surmise from my reticence to commit to saying that the defense of entrapment definitely WOULD apply that the defense of entrapment is not a defense that I recommend that you rely on.

I've seen some bulletin boards say something to this effect in their logon screen: "Access restricted. Police officers must identify themselves, and are forbidden from gaining entry to this bulletin board." This type of message not only does not protect a bulletin board from the police (assuming that there is something that might be interpreted as illegal going on on this board), but it actually alerts any police officer who may casually log on to this board to immediately suspect the worst about this board and its system operator. There is nothing that I know of that would keep an agent of the police from lying about his/her status and logging on as a new user and gathering evidence to use against the sysop.
In fact, I'm not sure, but I would not be surprised to find in the current legal climate that such a logon message is enough evidence to get a search warrant to seize the computer equipment of the system operator of this bulletin board to search for evidence of illegal activity!

At some future date I hope to write a file that will detail how sysops can protect themselves from legal liability. (That is, by avoiding participating in arguably illegal activity, and by avoiding liability for the uncontrollable illegal acts of others. I have no interest in telling sysops how to engage in illegal acts and not get caught.) But for now, I hope that this file will give sysops a better understanding of the law and how one aspect of it applies to them.

Disclaimer: The information provided in this document is not to be considered legal advice that you can rely upon. This information is provided solely for the purpose of making you aware of the issues and should be utilized solely as a starting point to decide which issues you must research to determine your particular legal status, exposure, and requirements, and to help you to intelligently consult with an attorney. No warranties, express or implied, are provided in connection with the information provided in this document. This document is provided as is, and the reader uses the information provided here at their own risk.

(Sorry for the necessity of covering my behind! Just remember, you get what you pay for, so I cannot guarantee anything I have written here. If you want legal advice that you can take to the bank, you should hire an attorney. Besides, just like everyone these days, we need the work!)

About the Author: Randy B. Singer is an attorney in the San Francisco bay area. He does business law, personal injury, computer law, and Macintosh consulting. He also gives seminars at the Apple offices in downtown San Francisco for attorneys and others who are interested in learning about the Macintosh computer.
He can be reached at 788-21st Avenue, San Francisco, CA 94121; (415) 668-5445.

Copyright (C) 1992 Randy B. Singer. All rights reserved. This document may be freely distributed as long as it is not for monetary gain or as part of any package for sale. This work may not be modified in any way, condensed, quoted, abstracted or incorporated into any other work, without the author's express written permission.

This reprint taken from ST Report #8.19, used with permission

------------------------------

From: Edward Bertsch
Subject: is there a FAQ file for comp-privacy?
Date: Sun, 7 Jun 92 17:16:49 CDT

is there a FAQ file for this list? Perhaps it should be sent out every month?

if it doesn't exist, I can think of some things that should be in it.

    current state of the laws regarding privacy/lack of on computers
    variations by city/county/state/country
    current state of the art, and law regarding encryption
    known ftp sites with source code/descriptions
    public key 'phone books'
    index of references on cryptosystems use/development
    current hot issues - legislation pending, dangerous implications of a new technology (cellular, when first introduced, would have been an excellent example)
    ways to subvert current methods of privacy invasion

-Ed
--
Edward A. Bertsch (eab@msc.edu)    Minnesota Supercomputer Center, Inc.
Operations/User Services           1200 Washington Avenue South
(612) 626-1888 work                Minneapolis, Minnesota 55415
(612) 645-0168 voice mail          [DISCLAIMER: MY OPINIONS; NOT MSCI'S]

------------------------------

Subject: Re: SSN's and blood
Date: 7 Jun 92 23:59:07 EDT (Sun)
From: "John R. Levine"

[in response to my complaint about the Red Cross trying to pry an SSN out of me when I donated]

>It would seem that with all the problems (many of them deadly) that having
>"bad" blood in the blood supply can cause, that there is a compelling public
>interest in maintaining such a database.
Perhaps, but as has been gone around a zillion times before, the SSN is a rather poor ID, since there is no check digit, people have more than one, some are used by many people deliberately or accidentally, etc. If a malicious person wants to donate tainted blood, all he needs to do is to give a fake SSN. Their data base is completely ineffective against that.

Furthermore, if they are serious about their donor database the first thing they might do is to let me use my Massachusetts Red Cross assigned donor ID when I give blood in New Jersey. Sheesh.

Regards,
John Levine, johnl@iecc.cambridge.ma.us, {spdcc|ima|world}!iecc!johnl

------------------------------

End of Computer Privacy Digest V1 #044
******************************