Subject: RISKS DIGEST 11.72 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Monday 27 May 1991 Volume 11 : Issue 72 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Re: The RISKS of Posting to the Net (Brinton Cooper, Ralph Moonen, Phil Agre) Re: The Death of Privacy (Roger Crew, Mark W. Eichin, Bill Murray, Geoff Kuenning, Robert Allen) Smart Highways Need Privacy Tutorial (Marc Rotenberg) They *are* watching (Jim Sims) Re: SB266 (Willis H. Ware) Computer illiteracy (Ed McGuire) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM. For vol i issue j, type "FTP CRVAX.SRI.COMlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j" (where i=1 to 11, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". =CarriageReturn; FTPs may differ; UNIX prompts for username, password. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Thu, 23 May 91 22:45:57 EDT From: Brinton Cooper Subject: Re: The RISKS of Posting to the Net mmm@cup.portal.com posted a fascinating note describing how a visit by an FBI agent apparently was triggered by the disclosure of unclassified info about missile destruct systems. mmm seemed unfamiliar with the notion that he may have revealed "sensitive" information. I guess it's no secret (and may not even be sensitive) that there is a body of information, growing without bound, that is "unclassified but sensitive." Folks not in the employ of the US Government are not likely to be as aware of this as civil servants. The notion is that there are many info items which, while individually innocuous are collectively sensitive. Also, there is data from the trade secrets or cost figures of industrial organizations, and personal data in individuals (e.g. employment applications). All of this is "sensitive," and we're in deep trouble if we mis-use or publicize it. I gather that mmm was not a civil servant or member of the military when he read the manual which he described. One wonders, then, how he got it and how he was supposed to know that it was "sensitive." The risk isn't too subtle: The growing body of "sensitive" information and the rules surrounding its release bring us close to a British-style "official secrets act." Many of us recall how the stamp of secrecy was misused and abused in the Nixon administration. It requires little imagination to the potential for more widespread abuse in the case of "sensitive but unclassified." I believe that we have Reagan and his national in-security advisor, Adm Poindexter, to thank for this kettle of fish. _Brint ------------------------------ Date: Fri, 24 May 91 10:30 MDT From: rmoonen@hvlpa.att.com Subject: Re: The RISKS of Posting to the Net Arghh. That's all we need now. Next thing, someone who says potentially dangerous words on the net, like say, ehh... blue box (Get that guys, BLUE BOX), or ehh... assassination of BUSH, will get a visit from our beloved Big Bro. I just hope they don't become aware of the underground nature of Usenet. If they do, it won't be long before you need a military clearance to even read news, let alone post! Aside from that, and not really a RISK, but still: Not many people know that all transatlantic phone calls are being monitored by speech recognition equipment of the NSA. If too many keywords like "Bomb", "Assassination", "Ghadaffi", "Terrorist", etc. are recognised within a certain time, a tape recorder automagically switches on. For this reason, I start all my transatlantic phone calls with a list of ten keywords, just to be sure to waste some of their undoubtedly vast amount of audio tape.. :-) --Ralph Moonen ------------------------------ Date: Sat, 25 May 91 16:54:28 +0100 From: Phil Agre Subject: the FBI and computer networks Regarding mmm's message in Risks 11.71, I am quite curious whether you had any moral unease about volunteering all of this information to this visiting FBI agent. Of course the information is perfectly public. But this guy obviously had censorship very much on his mind, and I do think it would be just as well if he had never heard of the existence of the Internet. Think how alt.drugs and rec.pyrotech and the like sound to him: rather like how the network sounds to someone who has just read a histrionic newspaper article about how the government is subsidizing the operation of a little-known computer network that is used for the distribution of pornography (e.g., alt.sex, which surely passes over some US government wires or computers, if only through government funded research projects, on a regular basis, someplace or other). What did you have in mind in volunteering all of this to a representative of a government agency with a long bad record of interference in individual liberty, whose every third sentence included words like censorship? Suppose an aide to Jesse Helms called you up and asked you for the most damaging factoids about government-funded computer networks that you could think of. Would you be sure to tell him or her that it's now possible to send netmail to the Soviet Union, using the .su domain? Do you think that a big, spurious public controversy would be a good thing? How about open FBI files on all regular contributors to rec.pyrotech? Maybe you have reasonable answers to these questions. But I can't think of what they might be. Phil Agre, University of Sussex ------------------------------ Date: Fri, 24 May 1991 03:41:14 GMT From: crew@CS.Stanford.EDU (Roger Crew) Subject: Re: The Death of Privacy > We are well on our way to a cashless society. I predict that it > will eventually be illegal to own cash. Certainly whenever a drug > dealer is busted today, you hear all about the (gasp!) several > thousand dollars in cash found. Heck, *I* know people who keep that > much at home, and they are defin[i]tely not drug dealers. It is already the case, under the RICO laws, that large amounts of cash can simply be confiscated. No warrant is necessary. I'm not sure what the necessary preconditions are, but evidently the standard road-stop to check for license & registration together with some notion of "probable cause" suffices. Police in south Florida are using this against suspected drug-runners with devastating effect. To get the money back, even if no charges are ever filed, one has to bring a civil suit against the police department in question and demonstrate that the money was not illegally obtained. The Supreme Court has upheld RICO. ------------------------------ Date: Fri, 24 May 91 01:06:04 -0400 From: "Mark W. Eichin" Subject: Re: The Death of Privacy? (RISKS DIGEST 11.71) >> We are well on our way to a cashless society. I predict that it will >> eventually be illegal to own cash. I stumbled across a television show recently (on some cable channel, I don't know what one) about the evils of a cashless society, and how it will become impossible to survive without being part of the "system" (and thus being tracked by the system...) It was titled "The Number of the Beast" and alternated between detailed explanations of the data flow in electronic funds systems used now and Biblical quotes regarding being marked with the number of the beast; being marked with the "number" was supposed to be a metaphor for being identified in the electronic funds system. [I think we've been around on this one before, but I could not find it. PGN] ------------------------------ Date: Fri, 24 May 91 07:27 EDT From: WHMurray@DOCKMASTER.NCSC.MIL Subject: Re: Death of Privacy (Jerry Leichter, RISKS-11.69) Jerry, I was around thirty years ago. I remember what privacy meant. I remember how it was compromised and manipulated for the purpose of achieving social conformity. I remember women who lived alone being ostracized from the church because they might be divorced and they certainly were not married. I remember talking about unmarried men, on the assumption that they were homosexual, and therefore fair game for gossip, if not violence. The mechanism was gossip, and the idea was that if one did not conform, that was how they would be talked about. I remember that it was considered perfectly proper to ask a job applicant what church they belonged to and what political party. It was not that anyone seriously believed that church goers were any more reliable than non-church goers; only that they were subject to social pressure to conform and excommunication if merely accused of nonconformity. I remember the activities of the FBI, the files collected by "The Director." The political and economic pressure to identify one's associates as Communists. Now we call it McCarthyism, but the idea was ideological conformity. I remember the gossip about whether such and such a movie star was "queer," whether that one had negro blood, or this one drank. John Garfield never made another film after being associated with Communists, and Ingrid Bergman could not work in this country after her divorce. Do not hold up to me as an ideal the privacy of thirty years ago. That these things were only talked about over the back fence, and never in the papers, only made it worse. The problem may not have been any worse then, but it was certainly no better. Memory plays funny tricks. No one cares about divorce, any more. Political ideology is out of favor everywhere except on college campuses. Now its worse to be a racist than to be of mixed race. Today the assumption is that everyone has been in therapy, but just twenty-five years ago it was a disqualifying defect in a vice-presidential candidate. When I was growing up the suspicion of Jewish heritage was enough to keep you out of the country club; now membership in the club is enough to keep you out of office. Today the issues are communicable diseases, high risk behavior, child abuse, sexism, seduction, abortion, and drug use, but the intent is still conformity. Robert Bork was denied a seat on the Supreme Court for opinions that would have recommended him thirty years ago. The fact is that there has always and everywhere been a battle between freedom and information. Every society in every age has used what information it had about its members in an attempt to control behavior. In France the police know who sleeps in every bed every night. Now they use computers, but they have always known. In China the Party knows who comes and who goes. They do not use computers, but they certainly know. We do not gather at the well any more; we go to the mall rather than the general store. We go to MacDonalds rather than the diner. In our age, the communities are so large that it takes computers to keep up with everyone, but the intent and the damage are no different. The content It's hard to see how we could have medical insurance on today's scale > without such records and their relatively wide availability... I couldn't disagree more; it's trivially easy to see how we can get along without such records. The whole purpose of the records is to help insurance companies avoid the self-selection problem, where their pocketbooks are emptied by people who get insurance because they know that they have a serious illness. But in a (gasp) national health-care system, this becomes a non-problem, and there is no longer any need for widespread exchanges of medical records -- except, of course, that the patient may find it in his or her best interest to make full information available to the doctor, but that's by choice. Geoff Kuenning geoff@ITcorp.com uunet!desint!geoff ------------------------------ Date: Fri, 24 May 91 12:34:05 BST From: CNEWS MUST DIE! Subject: Re: The Death of Privacy? (Robert Allen, RISKS-11.71) It is not necessary to build electronic funds transfer systems in such a way that all purchases can be tracked. There are acceptable alternatives. The cash card schemes I have read about in the UK would involve anonymous cards. The cards themselves are 'smart' cards; you would take your card to the bank and transfer money from your account to the card. You would be able to transfer as much or as little as you liked. You could then use the card as cash, for making small purchases. The card is not marked in any way with your name, and there is no PIN or signature; if the card were to be stolen, the person stealing it would be able to use the money in the card. In other words, the proposed cashcard is just like real cash in every respect bar the fact that it's easier to carry around and easier for electronic cash registers to process. Clearly carrying large amounts of money on cashcards would be quite risky from the point of view of possible theft; but then, carrying large amounts of cash around is risky too. The system is quite similar to the way Phonecards work; I'm not sure whether the US has similar schemes, so I'll explain: You can buy Phonecards in shops, with anywhere between 20 and 200 units of pre-payment for telephone calls encoded into them. This corresponds to 1 to 10 pounds sterling on the card, in units of 5p -- approximately $2 to $20 in units of 10 cents. The Phonecard is completely anonymous. When you have spent all the money on the card on telephone calls, you have to buy another phonecard. With the cashcard system, you would be able to re-charge the card you already have, which is clearly better from an ecological point of view; and unlike Phonecards, the cashcards should be useful for general purchases. To summarize, whilst we should be careful to make sure that the electronic funds transfer systems which get implemented are acceptable from a privacy point of view, I don't think the situation is necessarily as bleak as Robert Allen makes it out to be. mathew ------------------------------ Date: Mon, 27 May 91 10:43:15 PDT From: cdp!mrotenberg@labrea.Stanford.EDU Subject: Smart Highways Need Privacy Tutorial As vacationers flocked to the beaches on this Memorial Day, the Washington Post reported that "smart" highways which would relieve traffic congestion may soon be a reality. About $20 million will be spent this year in federal funds to develop Intelligent Vehicle-Highway Systems (IVHS). Last week a Senate committee approved a measure that would devote $150 million a year for the next five years to IVHS. And, according to the Post, proponents call that cheap. Estimates for lost productivity resulting from traffic congestion are pegged at $100 billion annually. The GAO estimates that a full-scale IVHS system could cut commute time by 50% in such places as Los Angeles. The article describes technologies that range from variable message signs that are tied to networks which monitor traffic flow to roadway-based guidewires with radio-controlled autopilots. The story also describes tollgates that will "read code radioed from a rolling car and automatically bill a credit card." The article notes that in Europe and Japan trials of such systems have been underway for years. Privacy aside -- Gary Marx is fond of a song by the Police that begins "every step you take, every move you make . . .I'll be watching you." Maybe it's time for an update -- "every turn you take, every time you brake . . . I'll be watching you." It's worth finding out whether the Senate committee has considered the privacy implications of gathering this data on drivers and whether there are any proposals to restrict the secondary use of the information. Likely buyers? Marketing firms and insurance companies. Marc Rotenberg, CPSR Washington Office ------------------------------ Date: 24 May 91 18:32:40 GMT From: sims@starbase.mitre.org (Jim Sims) Subject: They *are* watching In response to poster's lament about the govt getting access to his phone bill to see if he was calling the wrong people: The government *already* has electronic access to your phone call transactions (numbers & [i think] length of call, not content), without a court order. They just have to show probable cause for a warrant to tap the *contents* of your calls... jim DECUS AI SIG Symposium Representative The MITRE Corporation, 7525 Colshire Drive MS W418 McLean, Va. 22015 ------------------------------ Date: Fri, 24 May 91 08:57:55 PDT From: "Willis H. Ware" Subject: Re: SB266 SB 266 has been folded in toto into Title V of SB 618 --Violent Crime Control Act of 1991. The old Sect 2201 of 266 is now Sect 545 of 618. Latter is also sponsored by Biden and deConcini. It's very long - 194 pages -- and covers everything but everything. Here's a list of the major titles: Title I Safe streets and neighborhoods Title II Death penalty Title III Death penalty for murder of law enforcment officer Title IV Death penalty for drug criminals Title V Prevention and punishment of terrorist acts Title VI Drive-by shooting Title VII Assault weapons Title VIII Police and law enforcement training Title IX Federal law enforcement agencies Title X Habeas corpus reform Title XI Punishment of gun criminals Title XII Prison for violent drug offenders Title XIII Boot camps Title XIV Youth violence Title XV Rural crime and drug control Title XVI Drug emergencies Title XVII Drunk driving child protection Title XVIII Commission on crime and violence Title XIX Protection of crime victims Title XX Crack house eviction Title XXI Organized crime and dangerous drugs Title XXII Exclusionary rule Title XXIII Drug testing Many of these titles have several sub-titles and most have many sections. ------------------------------ Date: Fri, 24 May 91 11:56:44 CST From: Ed McGuire Subject: computer illiteracy I received in the mail today a new product announcement. The product is software that tutors new computer users in basic operating system concepts, thereby bringing an end to repetitive questions about logging in, current working directory, and so forth. The announcement included comments from users of the product, including this direct quote: "I am very excited about [the product] and highly recommend its use to finally accomplish the goal of computer illiteracy." [To badd he didnt spel ilitteracy write. PGN] ------------------------------ End of RISKS-FORUM Digest 11.72 ************************