Subject: RISKS DIGEST 10.61
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Friday 16 November 1990  Volume 10 : Issue 61

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Police technology; mailing list hyperstacks (Lotus) (Jerry Leichter)
  Privacy concerns about Lotus "Marketplace" (Jeff E. Nelson, Rick Noah Zucker)
  Kuwaiti citizen database (Jonathan Leech)
  Gas pump inaccuracies? (Paul Schmidt)
  "It's the computer's fault" (Andrew Klossner)
  Re: Voting electronically from home (Li Gong, Frank Hage, Dan Sandin)
  Re: Computer Mishap Forces shift in Election Coverage (Tom Perrine)
  Election coverage software (Gary Cattarin)
  Re: Juicy 911 RISKS (Amos Shapir)
  Ada Remarks (Paul Murdock)

  The RISKS Forum is moderated.  Contributions should be relevant, sound, in
  good taste, objective, coherent, concise, and nonrepetitious.  Diversity is
  welcome.  CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive
  "Subject:" line.  Others ignored!  REQUESTS to RISKS-Request@CSL.SRI.COM.
  FTP VOL i ISSUE j: ftp CRVAX.sri.com<CR>login anonymous<CR>AnyNonNullPW<CR>
  CD RISKS:<CR>GET RISKS-i.j; j is TWO digits.  Vol summaries in risks-i.00
  (j=0); "dir risks-*.*" gives directory; bye logs out.
  ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
  Relevant contributions may appear in the RISKS section of regular issues
  of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Wed, 14 Nov 90 09:19:28 EDT
From: Jerry Leichter
Subject: Police technology; mailing list hyperstacks

The Wall Street Journal this week had two articles on privacy and technology
that I thought RISKS readers might find of interest.

On Monday (13-Nov; page A-1) it reports on some new technologies that are
becoming available to the police.  Two are of particular note:

Pilotless surveillance drones developed for the military have been suggested
as "just the thing" for the police.  These are small planes - in techno-speak,
they are UAV's (Unmanned Aerial Vehicles) - that can stay at 500 feet for
about an hour.  Currently, they carry cameras with telephoto lenses and
infrared sensors; it's proposed that they could also carry chemical sensors to
detect various chemicals used in drug manufacturing.  None have apparently
been used so far - they are expensive (anywhere from $20,000 to several
million apiece) and the FAA has yet to approve their use.

And for those of you who think that calling from a pay phone is a way to avoid
wiretaps - think again:  The "roving bug" can find you.  This is a device that
does pattern matching on phone calls, looking for a particular voice.  At
least one successful prosecution has already been based on evidence obtained
by such a device.  The details aren't clear from the article, but apparently
some 15,000 calls were intercepted, more than 5,300 from one person's office
and some 450 from various pay phones.  Just what the technology can do today
isn't clear, but it is clear that very broad-scale monitoring of digitized
conversations, with scanning for voices of interest, is possible if expensive
today and will rapidly become cheaper and easier.  Apparently such wiretaps
were authorized by Congress in 1986.

The article also mentions other devices, like tiny pinhole TV cameras - one
was installed over the urinals at a police station to find a vandal who was
clogging the urinals, causing water to drip down into the chief's office.
(Isn't it great to know what our tax dollars are paying for?)  Also,
LoJack-like devices are becoming much more widespread.  (LoJack is a
transmitter installed in your car.  If your car is stolen, you tell the
police; they turn it on and can track the car.)  Smaller scale versions for
protecting valuables exist, and systems that use satellites to allow tracking
literally around the world are in the works.

On Tuesday (14-Nov; page B1) the Journal reports on the controversy
surrounding a product soon to be introduced by Lotus.  Lotus Marketplace
consists of a CD containing information on some 80,000,000 households,
including names, addresses, shopping habits, likely income levels, and even a
categorization (by Equifax) into one of 50 categories like "accumulated
wealth", "mobile home families", "cautious young couples", and "inner-city
singles".  Also included is a program - apparently at least partly a Hypercard
stack - that provides an interface to the system.  The whole thing costs $695
for the program and an initial 5000 names; each additional 5000 names cost
$400.  How Lotus keeps you from using the other information on the CD is
unclear - presumably, you sign a license and they come after you if you
breach the terms.  The program Lotus provides does not allow you to look up a
particular individual by name, but of course if you know anything about him
you can come up with a query that will find him and few others - and of
course the unethical will hardly be stopped from developing their own search
programs by the terms of a license agreement.

All of this information has been available for some time from mailing-list
vendors.  However, it's been expensive and "transient".  What Lotus does is
provide the information permanently and cheaply.  Lotus says that to prevent
abuse, they will not include telephone numbers (of course, CD's with telephone
number listings are increasingly available) and will sell only to "legitimate
businesses" at verified addresses checked against a "fraud file".  The license
terms will limit the uses to which the data can be put and provide penalties
for abuses.  It astonishes me that anyone can imagine they can control how a
small piece of plastic, indistinguishable from hundreds of like copies, will
be used once it gets out into the world.

The debate, as presented by the Journal, is on familiar grounds.  Anti:  This
is a major invasion of privacy - "They've crossed the line" (Marc Rotenberg,
CPSR).  Pro:  There's nothing new here; Lotus is just making a service
available to smaller businesses who couldn't afford it previously.  "What this
lets you do is send a few more pieces of mail.  What's the harm in that?  Lots
of people like to get mail."  (Dan Schimmel, developer of the system.)

You CAN keep your name off the CD by written request to Lotus, Equifax, or the
Direct Marketing Association's mail preference service.  (It's an interesting
question whether this actually keeps your name off the CD or just marks it as
"doesn't wish to receive mail".  While such a marking would keep legitimate
users away from you, it would do nothing to stop abusers, like those the
Journal suggests could look for "unmarried wealthy women over 65 in this
neighborhood".)

The article contains a wonderful cartoon by Mark Stamaty.  The scene:  Two
women, one (A) looking at and later opening an envelope.  Prelude:  "Every
purchase gets recorded in psycho-data central.  They'll have samples of
everyone's handwriting.  Soon millions of computer-driven autopens will
transcribe junk mail in the handwriting of each person's best friend, spouse
or lover."

  A)  I got a letter from *Bill*!
  B)  Maybe he wants to get back together.
  A)  Think so?
  B)  So what's he got to say?  Is he sorry?  Does he want to try again?
  A)  He says I'm very special to him and to show me *how* special... he's
      offering me 40% off the newsstand rate on a subscription to Sports
      Illiterated!

							-- Jerry

   [With Dreamy Indolence, Lotus Leaves nothing to be desired?  PGN]

------------------------------

Date: Wed, 14 Nov 90 09:53:47 PST
From: Jeff E. Nelson
Subject: Privacy concerns about new Lotus "Marketplace" product

The following is extracted from an unofficial electronic newspaper edited and
published within Digital for Digital employees.  Reproduced with permission.
The issues raised herein should be familiar to regular RISKS readers.

Jeff E. Nelson              | Digital Equipment Corporation, Nashua, NH, USA
jnelson@tle.enet.dec.com    | Affiliation given for identification purposes only

<><><><><><><><>  T h e   V O G O N   N e w s   S e r v i c e  <><><><><><><><>

 Edition : 2195             Wednesday 14-Nov-1990            Circulation :  8428

VNS COMPUTER NEWS:                            [Tracy Talcott, VNS Computer Desk]
==================                            [Nashua, NH, USA                 ]

 Lotus - New program spurs fears privacy could be undermined
	{The Wall Street Journal, 13-Nov-90, p. B1}
   Privacy advocates are raising the alarm about a new Lotus product that
 lists names, addresses, shopping habits and likely income levels for some 80
 million U.S. households.  Due for release early next year, Lotus Marketplace
 packs the data on palm-sized compact disks aimed at small and mid-sized
 businesses that want to do inexpensive, targeted direct-mail marketing.  But
 critics say the product is just too good.  "It's going to change the whole
 ball game," says Mary Culnan, an associate professor at Georgetown
 University's School of Business Administration.  "This is a big step toward
 people completely losing control of how, and by whom, personal information is
 used."  Janlori Goldman, a staff attorney with the American Civil Liberties
 Union, adds that the product raises "serious legal and ethical questions."
 Lotus' critics concede that the product offers little more than is already
 available from established mailing-list brokers.  But they say it is a
 greater potential threat to personal privacy because of its low cost, ease of
 use and lack of effective safeguards over who ultimately has access to it and
 why.
 They also say that the way it is designed allows users to ask a series of
 increasingly specific questions about small subgroups of people -
 identifying, for example, unmarried, wealthy women over 65 in a neighborhood.
 "They've crossed the line," says Marc Rotenberg, Washington director for the
 nonprofit Computer Professionals for Social Responsibility.  "It simply
 shouldn't be allowed on the market."  Lotus counters that the product, still
 under development, has been tailored to address privacy concerns.  No phone
 numbers will be included, it won't be available in retail stores and it will
 be sold only to "legitimate businesses" at verified addresses checked against
 a "fraud file," Lotus says.  A contract will specifically limit its use and
 provide penalties for abuses.  Owners will be allowed unlimited use of the
 names and addresses they buy, at a cost of $695 initially for the program
 plus 5,000 names and $400 for each additional 5,000 names.

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
   Permission to copy material from this VNS is granted (per DIGITAL PP&P)
   provided that the message header for the issue and credit lines for the
   VNS correspondent and original source are retained in the copy.
<><><><><><><><>   VNS Edition : 2195    Wednesday 14-Nov-1990   <><><><><><><><>

------------------------------

Date: Thu, 15 Nov 90 09:47:13 -0800
From: noah@cs.washington.edu (Rick Noah Zucker)
Subject: all US consumers on CD-ROM

This was forwarded to me:

  [Discussion of PBS item on Lotus deleted.  PGN]

The database does not contain any of the data covered by the fair credit
practices act so Lotus is under no legal obligation to let you see what they
are saying about you (unless you buy the product, of course...) and has no
provision for allowing you to change what is in there.  The Lotus spokesman
said that if people wrote a letter to Lotus saying they did not want to be in
the database, they would be excluded.  Unfortunately, the interviewer did not
say to whom the letter should be addressed.

------------------------------

Date: Thu, 15 Nov 90 10:27:54 -0500
From: Jonathan Leech
Subject: Kuwaiti citizen database

Last night's (11/14) BBC News reported that a computer database containing
fingerprints and other information on all Kuwaiti citizens had been smuggled
out of the country.  Apparently the Iraqi government is attempting to
eliminate all evidence of the nation's existence, and this database may be
important in setting things up again (assuming the Iraqis leave).  Perhaps
this may be considered an anti-RISK of government databases?

------------------------------

Date: Mon, 12 Nov 90 13:57:11 PST
From: prs@titan.eng.ileaf.com (Paul Schmidt)
Subject: Gas pump inaccuracies?

I have noticed an interesting characteristic that seems to be shared by all
self-serve gas pumps.  They all shut off automatically _shortly_after_
reaching the amount I gave the attendant, but before reaching the next higher
penny.  (The gallons display continues to advance.)

So what algorithm is used to determine the shut-off point?  The fairest
algorithm ought to be:

    WHILE delivered_amount < amount_wanted DO pump_gas

But I seem to be getting $0.005 - $0.01 more gas every time, because the pump
seems to be doing:

    WHILE delivered_amount <= amount_wanted DO pump_gas

Whereas if the gas company wanted to make an average of one-half cent per
transaction:

    WHILE delivered_amount < amount_wanted+0.01 DO pump_gas

Is the public the group beneficiary of about $0.005 per transaction due to
what would otherwise be a bad algorithm?  Did the programmer do this on
purpose because s/he felt Big Oil wasn't paying enough?  What implication
might this have on computer controlled delivery of other liquids (insulin?)
or gasses (oxygen?)
Paul Schmidt   prs@ileaf.com

------------------------------

Date: Wed, 14 Nov 90 14:20:38 PST
From: Andrew Klossner
Subject: "It's the computer's fault"

My wife and I visited a restaurant in Cannon Beach, Oregon for Sunday
breakfast.  The service was slow, but that's okay, we were sitting down and
had coffee and plenty to read.

A distraught-looking hostess crossed the room to our table and asked me "Are
you a computer expert?"  "Why, yes," I responded.  "Would you please come fix
our computer?"  As we walked to the back room, she cackled "Try to tell me
I'm not psychic ..."

The "computer" turned out to be an electronic cash register, whose printer
ribbon had slipped out of the feed mechanism.  I fixed it and returned to my
table.

Service continued to be very slow -- the family next to us left after waiting
45 minutes.  To one and all, the hostess proclaimed "We had a computer
problem, but it's fixed now and you'll get your food soon."

But the cash register was used only to print bills when the meal was over, and
had nothing to do with slow food service, which apparently was caused by an
AWOL server.

  -=- Andrew Klossner   (uunet!tektronix!frip.WV.TEK!andrew)    [UUCP]
                        (andrew%frip.wv.tek.com@relay.cs.net)   [ARPA]

------------------------------

Date: Thu, 15 Nov 90 11:58:24 EST
From: li@diomedes.UUCP (Li Gong)
Subject: Re: Voting electronically from home (revisited)

John Roe (in RISKS DIGEST 10.60) quoted a report that "A Boulder CO group has
rediscovered Bucky Fuller's 50-year-old suggestion that everyone should be
able to vote telephonically from home or wherever." and raised a few risks in
the proposed scheme.  He also pointed out that "The current system is NOT
based on honesty: it is based on physical security.  If it is sufficiently
hard for the same person to vote multiple times, voter fraud can be reduced to
acceptable levels (but not eliminated, of course)."

I would like to add that the current system not only provides physical
security of identification, but also physical security against harassment.
Nobody else is allowed to go into the booth when a voter, say Alice, is voting
inside.  On the one hand, this gives Alice privacy; on the other, she can vote
according to her own will.  Moreover, since this individual vote is among
maybe a billion other votes, no ordinary person could find out for whom Alice
has voted.  This potentially discourages "buying" votes with money or menace,
because it is difficult (if not impossible) to "physically" influence a voter
at voting time and/or to verify a voter's vote afterwards.

In any trivial scheme such as voting with SSN over a phone line, all these
good features disappear.  Professor David Wheeler (my PhD thesis supervisor at
Cambridge) and I once worked on a voting scheme that supports these features
and also allows voting by phone or post.  This effort, together with a
generalization of the idea into a notion of "zero-knowledge transactions", is
still in progress (I hope :-).

Li Gong, ORA Corporation, Ithaca, New York  (607) 277-2020

------------------------------

Date: Thu, 15 Nov 90 14:34:49 MST
From: fhage@sherlock.rap.ucar.EDU (Frank Hage)
Subject: Voting by phone risks in error

The risks assumed by John Roe in his note regarding the Boulder, Colorado
demonstration of voting by phone are not valid.  The system was *not* part of
the official voting process, but was intended only to introduce people to the
possibility of voting by phone.  This fact was clearly mentioned in the
articles the local paper (Boulder Daily Camera) printed and, in addition, the
demonstration ran for three days prior to, but not on election day.  It was
emphasized that the votes cast using the phone based system would not be
"real" and that voters would still have to go to the polls to cast legal
votes.

The organizers of the demonstration specifically mentioned that *if* this were
an official voting method, a more secure authentication system would be
necessary.  They suggested that a security system similar to the one currently
used for automated teller bank cards might be used.  Each voter would receive
a personal authentication number when registering, which would have to be
entered correctly before the phone vote would be counted.  Several other
possible authentication methods were also mentioned, including "voice prints".
Because this was only a demonstration, and would have no effect on the
official vote count, they used the birth date of the voter, which they
obtained from public voter registration records, as an example of the concept
of requiring voter authentication.

One can easily envision mechanisms where the caller ID feature that many areas
now have in place could be used to foil attempts by people to cast large
numbers of votes from one phone, even if the authentication system were
compromised.  As I see it, the risk of phone voter ballot stuffing is much
smaller than the risk that the voter's ballot would not be secret.

The only risk the demonstration illuminated was the risk of people making poor
judgements about computer technology based on information provided to them by
the popular media.

-Frank Hage  (fhage@rap.ucar.edu)

------------------------------

Date: Thu, 15 Nov 90 22:38:55 GMT
From: sandin@uicbert.eecs.uic.edu (Dan Sandin)
Subject: Re: Voting electronically from home (revisited)

Although the potential risks of voting by telephone seem great, I think the
potential benefit would far outweigh them.  For example, in the most recent
election, I found myself rushing to the polling place near my home (since you
can only vote at the registered polling place) and arrived too late.  If I
could have voted at a location near my work, or by telephone, problem solved.

So, how do we deal with the identification of voters by phone?
How does this sound: before each election, each voter is mailed a confirmation
of registration (since, I believe, to vote one must be registered, and to
register, one must have a permanent address).  In this confirmation of
registration would be a random number, with perhaps a checksum or something to
discourage forgery, issued on a double blind basis.  The user would have to
punch in the registration number, with perhaps a ss#, birthdate, or other
identification.  However, leaving this out would encourage secrecy of voting.
For those who cannot handle vote-by-phone, of course, the old system would be
available.

The problems of voter security seem easier than, say, credit card security.
Unlike a credit card, "stealing" a single vote would not be worth much.  This
system would also permit simple absentee balloting...

stephan meyers  c/o sandin@uicbert.eecs.uic.edu

------------------------------

Date: Thu, 15 Nov 90 12:58:43 PST
From: tep@tots.logicon.com
Subject: Re: Computer Mishap Forces shift in Election Coverage (RISKS-10.60)

>There are some interesting risks.  First that unclean data was used and
>second that the big news agencies now all use the same polling source.  What
>a risk if someone hacked them to create false trends.  [bahn_pr]

All of the major news agencies have been using the same information base for
at least 6 years now.  It is called the National Election Service (NES), and
its information is by definition "unclean" and "hacked to create false
trends".  The NES reports any and all information from the official polling
sources, but filters out all references to any candidates other than the
Republicans and Democrats.  This filtered (incorrect, incomplete) information
is then made available to all of the news agencies.  This filtering is, of
course, done by computers.

There is a rumor that this intentional bias uncovered an interesting
bug/assumption in some display software at one of the southern TV stations:
The display SW "knew" that there would only be info on two candidates, so it
calculated the percentage information for the "second" candidate by
subtracting the percentage information for the first candidate from 100%.
Unfortunately for the station, the local Libertarian candidate received enough
votes (at some point in the voting), that the second candidate was shown to be
in the lead (based on his votes + the votes for the Libertarian).

Tom Perrine (tep)   Logicon Tactical and Training Systems Division
San Diego CA        UUCP: sun!suntan!tots!tep   +1 619 455 1330

------------------------------

Date: Thu, 15 Nov 90 14:07:24 est
From: Gary_Cattarin@dg_support.ceo.dg.com
Subject: Election coverage software

CEO summary:  Computerized and centralized election coverage poses a bigger
risk than the "unclean data" and program glitches pointed out in RISKS 10.60.
And this one is unfortunately intentional.

The News Election Service, the central clearing house for election
information, has their systems set up to deliver vote percentages that show
the major party candidates' votes adding up to 100%, even when the major party
candidates don't capture 100% (as they usually don't).

In the 1988 presidential election, the public was told that anyone who didn't
vote for George Bush (shudder) voted for Mike Dukakis (bigger shudder).  In
other words, George + Mike = 100%.  That was a lie; in fact George + Mike =
about 99%.  Small, but significant difference.  Same thing happened here in
Massachusetts last week: the third candidate took 2%, but most reports read
"Weld 51%, Silber 49%" (not sure of exact numbers).  Now, they can omit small
guys if they want, but don't lie to the public as if they didn't exist.

The point here is that a bad policy decision is multiplied by the technology
used to spread lies and mistruths to the general public.
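The two-candidate display bug Tom Perrine describes, and the "major parties add up to 100%" feed Gary Cattarin complains about, reduce to the same assumption. The example below, added here and not code from NES, any TV station, or either contributor, runs the flawed "100% minus the first candidate" display beside one computed from the actual tallies, using a constructed precinct count in which a third-party candidate flips the apparent leader. Names and vote counts are invented for illustration.

```python
"""Election-night percentage display: derived-by-subtraction vs. computed.

Added example, not from NES or any broadcaster.  The tally is constructed so
that the third-party share is large enough to expose the bug.
"""
from typing import Dict, List, Tuple

# Constructed precinct tally (hypothetical numbers).  Total = 10,000 votes.
SAMPLE_TALLY: Dict[str, int] = {
    "Republican": 4700,
    "Democrat": 4600,
    "Libertarian": 700,
}


def two_party_display(tally: Dict[str, int], first: str, second: str) -> Dict[str, float]:
    """The flawed display logic described in the digest.

    The first candidate's share is computed from the real total, then the
    second's is derived as 100% minus that.  Every vote cast for anyone else
    is silently credited to `second`.
    """
    total = sum(tally.values())
    first_pct = 100.0 * tally[first] / total
    return {first: round(first_pct, 1), second: round(100.0 - first_pct, 1)}


def full_display(tally: Dict[str, int]) -> Dict[str, float]:
    """Each candidate's share from that candidate's own count.

    The shares sum to 100% because every candidate is listed, not because
    the display assumes it.
    """
    total = sum(tally.values())
    return {name: round(100.0 * votes / total, 1) for name, votes in tally.items()}


def apparent_leader(shares: Dict[str, float]) -> str:
    """Who a viewer would think is ahead, given only the displayed shares."""
    return max(shares, key=shares.get)


def audit_display(tally: Dict[str, int], shown: Dict[str, float]) -> List[Tuple[str, float, float]]:
    """Cross-check a display against the raw tally before it goes on air.

    Returns (candidate, shown_pct, actual_pct) for every displayed candidate
    whose shown share disagrees with the share computed from the tally.
    An empty list means the display is faithful to the feed.
    """
    total = sum(tally.values())
    problems = []
    for name, shown_pct in shown.items():
        actual_pct = round(100.0 * tally[name] / total, 1)
        if abs(shown_pct - actual_pct) > 0.05:
            problems.append((name, shown_pct, actual_pct))
    return problems


def omitted_candidates(tally: Dict[str, int], shown: Dict[str, float]) -> List[str]:
    """Candidates present in the feed but absent from the display."""
    return sorted(name for name in tally if name not in shown)


if __name__ == "__main__":
    flawed = two_party_display(SAMPLE_TALLY, "Republican", "Democrat")
    honest = full_display(SAMPLE_TALLY)
    print("flawed display:", flawed, "-> leader:", apparent_leader(flawed))
    print("honest display:", honest, "-> leader:", apparent_leader(honest))
    print("audit of flawed display:", audit_display(SAMPLE_TALLY, flawed))
    print("omitted from flawed display:", omitted_candidates(SAMPLE_TALLY, flawed))
```

With the constructed tally the flawed display reports Democrat 53.0% against Republican 47.0%, while the real shares are 47.0 / 46.0 / 7.0; the audit flags the Democrat line and the omitted Libertarian.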
------------------------------

Date: 15 Nov 90 12:50:03 GMT
From: amos@taux01.nsc.com (Amos Shapir)
Subject: Re: Juicy 911 RISKS (Smaha, RISKS-10.60)

This points out another class of risks: hidden features.  I wouldn't be
surprised if that answering machine contained the full circuitry of a phone,
with the dial-out part disconnected; it is often cheaper to design a machine
around an existing product than to redesign a new down-graded part.

Likewise, a "dumb" answering machine may turn out to have undocumented
remote-command capability, a computer terminal may have hidden escape code
functions, etc.  The obvious risk is that people who know about such features
might use more sophisticated methods than pure tomato juice to make the
devices behave in ways their owners never anticipated nor took precautions to
avoid.

Amos Shapir, National Semiconductor (Israel)
P.O.B. 3007, Herzlia 46104, Israel  Tel. +972 52 522255  fax: +972-52-558322
amos@nsc.nsc.com

------------------------------

Date: 13 Nov 90 10:48 +0100
From: Paul Murdock
Subject: Ada Remarks

In response to Chet Laughlin's note about ADA multitasking (10.50) ...

>The first lab involved two tasks running in parallel.  In reality it was
>figured that the tasks would time-slice on a single machine.  However, this was
>not the case.  The compiler would simply run the highest priority task until it
>ended, and then run the lower task.

My understanding would be that, providing the highest priority task was always
computable (and what is meant by time-slicing here is not exactly clear), then
this behaviour is a valid interpretation of the text of the Ada standard :-

  "If two tasks with different priorities are both eligible for execution and
  could sensibly be executed using the same physical processors and the same
  other processing resources, then it cannot be the case that the task with
  the lower priority is executing while the task with the higher priority is
  not."  [Par. 9.8:4, VAX Ada Ref Manual ("Digital-supplemented text of
  ANSI/MIL-STD-1815A-1983")]

... and note that my remark comments on the interpretation of the text and not
the text itself.

Chet continues ...

>It was interesting to note that programs that ran correctly on SUNS did not
>run correctly on the PS/2s - even though they compiled without change.

One of the most painful characteristics of the Ada standard is that although
"its purpose is to promote the portability of Ada programs to a variety of
data processing systems" (par 1.1:1) it also "specifies permissible variations
in the effects of constituents of a program unit" (par 1.1.1:16) where "the
operational meaning of the program unit as a whole is understood to be the
range of possible effects that result from all these variations, and a
conforming implementation is allowed to produce any of these possible effects"
(par 1.1.1:16).

So although the portability between the SUNS and the PS/2's might have been
expected (given the AJPO conformance testing procedures), the assumption that
a given program will exhibit identical behaviour across various platforms
cannot be made and is not implied by the standard.

There are, of course, RISKS here.

Paul ...  (Paul Murdock, Paul Scherrer Institute, 5234 Villigen, Switzerland.
murdock@cageir5a, murdock@cvax.psi.ch)

------------------------------

End of RISKS-FORUM Digest 10.61
************************