Subject: RISKS DIGEST 11.76
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Thursday 30 May 1991  Volume 11 : Issue 76

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Privacy, credit reporting, and employment (Andrew Koenig)
Job-screening via credit records (Jeff Johnson)
Re: FBI and computer networks (Steve Bellovin, Andrew R. D'Uva, Phil Windley)
Re: Voting by phone (Arnie Urken, Doug Hardie, Martin Ewing, Margaret Fleck,
  Tony Harminc, Matt Fichtenbaum, William Clare Stewart, Erik Nilsson,
  Paul E. Black)

 The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
 taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
 CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line.
 Others ignored!  REQUESTS to RISKS-Request@CSL.SRI.COM.  For vol i issue j,
 type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>CD RISKS:<CR>GET RISKS-i.j<CR>"
 (where i=1 to 11, j always TWO digits).  Vol i summaries in j=00; "dir risks-*.*"
 gives directory; "bye" logs out.  The COLON in "CD RISKS:" is essential.
 "CRVAX.SRI.COM" = "128.18.10.1".  <CR>=CarriageReturn; FTPs may differ;
 UNIX prompts for username, password.
 ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
 Relevant contributions may appear in the RISKS section of regular issues of ACM
 SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Thu, 30 May 91 09:44:14 EDT
From: ark@research.att.com
Subject: Privacy, credit reporting, and employment

A couple of days ago I saw a news item to the effect that EDS had been
requesting credit reports on job applicants without their knowledge and using
those reports in their employment decisions.  This practice violates the Fair
Credit Reporting Act.
The gist of the article was that EDS agreed to contact everyone who had been
turned down for a job because of a credit report in the past two years and
tell them about the report.  The unsuccessful applicants could then contact
the credit bureaus, request copies of their files, and contest any
inaccuracies that might appear.

This story is a beautiful lesson in privacy for several reasons:

1. Things like the Fair Credit Reporting Act are less help than they might be
   because it's so hard to find out when people ignore it.

2. The FCRA is almost no help at all against employers who request credit
   reports on employment candidates because by the time the appeals procedure
   has ground its way to the end, the candidate is probably not going to work
   for that company anyway.

3. According to the article, it is only recently that credit bureaus have
   started making their information available to prospective employers on a
   large scale.  This is a nice example of data being used for a purpose other
   than that for which it was originally collected.

The second point is particularly important.  If a company turns someone down
for a job (partially) because of a credit report and the person then
successfully contests that credit report, the applicant is unlikely to be
hired anyway, being now a proven troublemaker.  Of course the applicant may
have found another job in the meantime.

				--Andrew Koenig

------------------------------

Date: Thu, 30 May 91 13:55:34 PDT
From: Jeff Johnson
Subject: Job-screening via credit records

"Electronic Data Systems Corp, a unit of General Motors Corp, agreed to settle
charges that it failed to tell job applicants that information in their credit
reports influenced the decision not to hire them.  The consent agreement was
the first Federal Trade Commission action dealing with a new use of credit
data marketed by credit-reporting agencies.
The commission said these 'employment reports' which are being used by a
growing number of businesses to make hiring decisions, often contain more
credit information than the standard credit reports long used by banks and
retailers.  Agency officials also said some companies might not be aware
that, under law, they are required to inform job applicants when a credit
history is being used to evaluate them.  They said the FTC is seeking
voluntary compliance with the law, and will be publishing an alert to inform
companies of their obligations."  [...]

  [Excerpted from The Wall Street Journal, 29 May 91, p.B4]

------------------------------

Date: Wed, 29 May 91 21:08:05 EDT
From: smb@ulysses.att.com
Subject: Re: the FBI and computer networks (D'Uva, RISKS-11.75)

I fear that Mr. D'Uva is sadly mistaken, both about what the FBI is permitted
to do, and what abuses they have been known to commit.  The FBI is *allowed*
to gather information about probably criminal activity.  They need ``probable
cause'', as a matter of public policy and (I think) Federal law.  They are
manifestly *not* allowed to monitor anything because they don't like it, or
because they think it might be evil, or ``un-American'', or ``subversive''.
And of course, there are many examples of the FBI not following such rules:
COINTELPRO, the myriad files on Dr. Martin Luther King (allegedly sleeping
around is not a Federal offense), etc.  The same applies to local police
departments -- there was a recent uproar about some departments monitoring
talk shows on black-oriented radio stations, to find out who the local
activists -- ``troublemakers'' -- were, and what they were up to.

Yes, the net is a public forum, and anyone who engages in criminal activity
on a mailing list is pretty stupid.  But the FBI has no right to engage in
systematic monitoring of the net as a whole.

		--Steve Bellovin

------------------------------

Date: Thu, 30 May 91 0:22:44 EDT
From: Andrew R. D'Uva
Subject: Re: the FBI and computer networks (Agre, RISKS-11.72)

I think that Steve is confusing legal terminology here.  Probable cause is
invoked when a law enforcement agency needs to make a search or intercept
data which is not in the public view.  For example, a policeman does not need
"probable cause" to stop your car when you are driving in an unsafe manner.
The law has been broken, and that is enough to warrant the law enforcement
official's intervention.  The policeman still needs an actual warrant to
search an area in your car which is not under your immediate control (e.g.,
your trunk).

The case here is different: we are talking about the FBI (or any other agency)
reading the information carried in a PUBLIC forum, and acting on that
information.  There is no jurisdictional issue here, as clearly the traffic is
interstate, not intrastate in nature.  Surely Mr. Bellovin would not wish to
prevent the members of the FBI from reading the newsgroups simply because they
are law enforcement officials.  That smacks of a different sort of censorship.

> monitor anything because they don't like it, or because they think it
> might be evil, or ``un-American'', or ``subversive''.  And of course,
> there are many examples of the FBI not following such rules:

I didn't say anything about "evil" or "un-American" activities.  What I did
say was that the FBI is entitled to prevent illegal activities, or act when
evidence suggests that crimes have been committed.  We are talking about
crimes, not discussion.

> COINTELPRO, the myriad files on Dr. Martin Luther King (allegedly
> sleeping around is not a Federal offense), etc.  The same applies to
> local police departments -- there was a recent uproar about some
> departments monitoring talk shows on black-oriented radio stations, to
> find out who the local activists -- ``troublemakers'' -- were, and what
> they were up to.

Certainly, it would appear that this is a troublesome point..but is it?
Much of the "drug war" is fought (here in Washington, D.C.) in areas which are
considered "black."  Yet there is no such outcry here.  If the crimes are
being committed, adding a racial element into the equation doesn't help.  The
appropriate law enforcement agencies need to be able to go to where the crime
is... if that's on Usenet... so what?

Caveat: I stated before, and state again that the case of e-mail (between 2
parties) is different.  Interception of e-mail is *probably* protected by the
"unreasonable search and seizure" clause of the Constitution.  Public
communication is not (no "search").

> Yes, the net is a public forum, and anyone who engages in criminal
> activity on a mailing list is pretty stupid.  But the FBI has no
> right to engage in systematic monitoring of the net as a whole.

PUBLIC forum.  Would you have the police/FBI/other agency stop reading the
newspapers, listen to radio, or talk to people on the street in order to
develop leads on crimes?  And why not systematic monitoring?  I doubt that the
FBI finds my questions on Unix that interesting :-).  As for my political
views, well, if I choose to make PUBLIC statements on the net, I expect that
somebody might hold me to them.  Just what are we afraid of anyway?

If you find some basis in the LAW, as opposed to your opinion, that monitoring
of a public forum by law enforcement agencies is prohibited, I would love to
see it.  However, I doubt that such a law exists.

-Andrew D'Uva     ard@ctcg.COM     {backbone}!uupsi!ctcg!ard

------------------------------

Date: Thu, 30 May 91 13:58:35 PDT
From: Phil Windley
Subject: Re: the FBI and computer networks (Agre, RISKS-11.72)

Andrew R. D'Uva (ard@ctcg.com) writes:

  As for the .SU domain, if the boys at the FBI don't know that there are
  electronic links to machines in the Soviet Union, you can be certain that
  the fellows up at the NSA do.. and might even be doing something about it.

The Naval Investigative Service (NIS) knows about it.  I told them.
As a Naval Reserve officer I'm required to report all contact with citizens of
certain countries to NIS (so that the NSA doesn't pick it up and the NIS start
an investigation of something innocent).  I received mail from someone in the
SU.  I informed NIS who asked the nature of the contact.  That done with, the
agent was extremely interested in the fact that the network existed and that I
could send mail from my desk all over the world.  I taught her about routing
and showed her that it had taken 3 hours for the mail to get from the SU to
Finland and 30 seconds to get from Finland to Idaho.

As an aside: the mail was routed through kremvax.hq.demos.su.  Anyone know
where this computer is?  I couldn't get a direct IP address for it.

Phil Windley, Assistant Professor, Department of Computer Science
University of Idaho, Moscow, ID 83843   208-885-6501   Fax: 208.885.6645

   [Sounds like Piet Beertema is at it again!??  Or another inspired spoofer?
   But not long ago it was April.  PGN]

------------------------------

Date: Thu, 30 May 1991 00:21 EST
From: AURKEN@VAXC.STEVENS-TECH.EDU
Subject: Re: Voting by phone

Three comments on Roy Saltman's paper.  First, voting by phone enables a
citizen to verify that his/her vote is actually counted, which is something
that is practically impossible to do with existing election technologies.
Second, voting transactions can be time-stamped to help guard against fraud
and also enable voters to verify the handling of their vote.  And third,
allowing voters to vote for "none of the above" is an improvement on the
normal method of voting, but there are strong scientific arguments for
allowing citizens to cast one vote for each choice (a candidate or policy
alternative) they approve and zero votes for those choices they reject.  The
indifference of "none of the above" can be expressed by casting 0's or 1's for
all of the choices.  This method is much more likely to identify the strongest
choice in voter preference orderings.
Imagine what would happen if voters could access online statements about
candidates or issues provided by parties or interest groups!

Arnie Urken

------------------------------

Date: Thu, 30 May 91 8:20:42 PDT
From: doug@NISD.CAM.UNISYS.COM (Doug Hardie)
Subject: Re: Vote by Phone

I am concerned about several aspects of such a proposal.  There is no question
that such functionality can be created.  The question is can it fit acceptably
into our society.  For example, there has always been an opportunity for poll
watchers to challenge the registration of specific voters and their right to
vote.  With this technology, that is not easily possible.  The only real way
to permit such challenges is to record each person's vote such that a
successful challenge could cause the vote to be backed out.  With this system
there is no confidentiality of vote.  Everyone's vote is available to someone.

The security aspect I didn't see addressed was how do you protect the computer
collecting the votes from tampering by its users?  If I am interested enough
in influencing the outcome of an election, I will position myself such that I
am an operator of such a system.  At that point, I think you have lost control
of the outcome.

Case in point: When I was in college there was a highly contested election for
homecoming queen.  Two organizations were highly organized and dominated the
scene for many years: the marching band, and ROTC.  As a member of both
organizations, I found the process quite interesting.  Voting was accomplished
with mark-sense cards that were run through a fancy machine to convert the
pencil markings to BCD.  Then the cards were run through a simple counting
program on the school computer.  I was the acting director of the computer
center and therefore had the ability to stay in the computer center during the
counting and watch.
The outcome of this "election" was so important that one of the ROTC
participants who was a journalism major arranged for one of the San Francisco
TV stations to have a live report from the computer room.  The operator of the
computer was a relatively unknown band member.  Sometime during the middle of
the count, the computer suddenly crashed.  But no panic, no need to rerun the
count, the operator knew what the counts were at that time, reset them by hand
from the front panel and continued the count.  All of this took place during
the live feed.  The ROTC reporter was suitably impressed by this show of
technical competence to make a comment on the air about the benefits of
electronic voting.  Needless to say, the band candidate was elected.

-- Doug

------------------------------

Date: Thu, 30 May 91 11:59:13 -0400
From: Martin Ewing
Subject: Re: Vote-by-Phone

I am sure you [Roy] will receive a large number of responses to your carefully
prepared piece on voting using voice-response systems.  My particular focus is
on the human-machine interface.

Limitations of VRS for complex transactions:

I have used a number of VRS systems.  The most complicated is Fidelity
Investments FAST system, through which you can transact mutual fund purchases,
as well as obtaining account balances and quotations.  Fidelity's system
requires you to enter a lengthy account number, a PIN, and various codes for
fund numbers, etc.  The voice prompts are good, and it is possible to do a lot
of business this way.  At the end of a transaction specification, you are
given an accept/reject option and a transaction reference code if you do
accept.  All these transactions can be handled alternately by phone with a
human operator.  It would be interesting to have Fidelity's statistics about
VRS vs. live preferences among its customers.
My strong feeling is that the system would appeal to technical
computer/financial people, but would be very unappealing to people who are
unused to menu-driven state machines, which, after all, are what VRS systems
are.

The standard telephone (which is not even guaranteed to be touchtone) is an
extremely limited computer I/O interface.  It offers no immediate status
information to help users understand where they are in the system, what
choices will be coming up, what the alternative routes through the logic might
be.  Verbal prompts are entirely "local" to the situation the user is in at
the moment.  This is a very synthetic and un-lifelike interface, even for
computer people.  (Consider all the cues you have sitting in front of a Mac or
X Windows screen, for example.)

Furthermore, as a recent ex-resident of California, I can attest that voting
can be considerably more complex than financial transactions.  Basically, I
think VRS is woefully inadequate when you may have 50 contests on a ballot,
with lots of minor parties, etc.  I would suggest that a little "consumer
preference" research could be done with mocked up VRS systems to shed more
light.

The Ideal Voting Interface:

In Pasadena, we used the (sigh!) Hollerith Card voting system, in which you
used a stylus to punch a hole in a suitably framed card.  I feel this is a
nearly ideal system.  The card is a physical object which has the right data
capacity, which the voter can manipulate before and after voting, and the
kinesthetics are pleasing.  "Chunk!" for each candidate.  You can pore back
and forth across the contests, and there is room in the book-like card holder
for a fair amount of explanatory text.  The cards are designed for machine
reading.  (Last time I heard, they were using 360/20s!)

In Connecticut, we now use voting machines.  These inspire a lot less
confidence for me.  You pull a lot of toggles, then the big lever.  There is
no physical feedback that your levers actually did anything.
There is very limited room for text, etc.  The legends above the levers are
inserted manually, and, if they slip a little, you can end up casting your
vote in the wrong column.  (I actually discovered this situation in a recent
election.)  Furthermore, the many unused levers are not blocked, so that it is
very easy to cast meaningless votes.  The old-fashioned "advantage" of the
mechanical systems is that you had the "party-line" lever, to vote all
Democratic, or whatever.  Fortunately, those levers are now disabled.

I am sure that an electronic interface, based perhaps on ATM technology, could
be developed to handle the authentication and the logical details of voting.
I am not sure, however, that these systems can give an appropriate level of
voter comfort and confidence, which are extremely valuable for the political
process.

Martin Ewing, Science & Engineering Computing Facility, Yale University

------------------------------

Date: Thu, 30 May 91 15:42:53 BST
From: fleck@robots.oxford.ac.uk (Margaret Fleck)
Subject: vote-by-phone

When reading your recent posting on vote-by-phone on the risks newsgroup, I
was puzzled about why you assumed the system would handle only push-button
phones.  There exist similar systems that can handle both dial and push-button
phones: the US embassy in London uses one for its visa information line.  This
system uses only the digit 0, which can be used even for multiple-choice
queries if you are patient, and performs an initial calibration step to
discover what your 0 sounds like.

Margaret Fleck (University of Oxford)

------------------------------

Date: Thu, 30 May 91 15:17:36 EDT
From: Tony Harminc
Subject: Vote-by-Phone ( Security)

It needs to be remembered that the weakest link in a Vote-by-Phone system will
be the voter.  I can easily think of several tricks along the lines of the
"phony bank inspector" often perpetrated on the elderly that could be done
here.
Automated dialing out to elderly voters a day or two before voting day with a
message to "please enter your PIN for voting validation" would probably
produce a large harvest.  These could then be voted early in the day.  Many
people wouldn't complain - it's not clear what to do about those who do.

Vast amounts of advertising telling people not to give out their PINs will
just confuse the most vulnerable.

Tony Harminc

------------------------------

Date: Thu, 30 May 91 15:39:09 EDT
From: mlf@genrad.com (Matt Fichtenbaum)
Subject: Re: Voting By Phone (Huggins, RISKS-11.71)

> ... The main motivation behind the amendment was to provide easier ways to
>vote for disabled Americans who may find it difficult to reach a polling place.

I hadn't realized that any such disabled Americans were running for office.
(Isn't English ambiguity wonderful?)

Matt Fichtenbaum

   [Triply ambiguous.  There is also the motivation to make it easier for
   people who want to vote (illegally) INSTEAD OF disabled Americans who would
   probably not be voting.  That of course is ONE OF THE MAIN PITFALLS OF
   VOTE-REMOTE...  PGN]

------------------------------

Date: Thu, 30 May 91 16:23:27 EDT
From: wcs@erebus.att.com (William Clare Stewart)
Subject: Re: Vote-by-Phone

Vote-by-Phone, in addition to the usual risks about security, provides another
marvelous opportunity for manipulating elections.  Not only is the order of
name presentation critical (as with paper and machine ballots, where layout
manipulation is de rigueur), but vocal expression of the names and parties is
also manipulable.  In many places, such as New Jersey where ballot questions
are written by the Legislature, with hopelessly biased "explanations" of how
good the proposed law will be.  Now they can do things like

	(Happy, excited voice) Honest! George! Tweedledee!, Democrat!, Press 1!
	(unimpressed voice) Walter Fritz Tweedledum, Republican, press 2
	(If-you-really-must) Gene? um bbBurns? um LLLiberaltarian? um press 3
	Oh, yeah, and for Alfred E. Anarchist, Down-With-Lawyers-Party Press 4

While it's not as effective as manipulating TV and press coverage, most
elections are decided by only a few percentage points.

Bill Stewart 908-949-0705 erebus.att.com!wcs AT&T Bell Labs 4M-312 Holmdel NJ

------------------------------

Date: Thu, 30 May 91 15:55:05 PDT
From: Erik Nilsson
Subject: Vote-by-Phone - Promises and Pitfalls

Studies of computerized vote counting (including Saltman's own extensive and
insightful papers) reveal that user interfaces for existing computerized vote
counting systems are inadequate.  Vote-by-phone user interfaces promise to be
worse yet.

The telephone is just too narrow an interface for modern elections.  At least
with current systems you can see the task before you, and see your choices,
once you have made them.  At least with current systems you can skip the
wording of a proposition, if you already understand it.  In some elections,
voters would spend most of their voting time listening to paragraph after
paragraph of legally required proposition text, financial impact statements,
and so forth.  I find such a prospect less handy than my local polling place.

Even blind voters, who cannot take advantage of the visual user interface of
current systems, may not find voting by phone such a boon.  Currently, blind
voters must have assistance to vote, but the assistant is a better interface
than a phone.  Just because a phone interface is no worse for blind voters
than for sighted doesn't mean that phone interfaces are good interfaces for
blind voters.  There are better ways of helping blind voters than voting by
phone.

People complain about the awkwardness of voice-mail, but vote-by-phone would
have to be even more awkward: "Soil conservation board, vote for two.  You
have voted for zero candidates so far.  If you wish to vote for candidate
Washington, push 1, if you wish to vote for candidate Jefferson, press 2, if
you wish to vote for candidate Adams, press 3.
If you wish to write in, press #, if you wish to spoil this ballot and start
over, press *, if you wish to skip this contest, press # twice, if you wish to
review your current choices for this office, press * twice, if you wish to
hear your choices again, press # then press *."

It is not clear to me that voter participation and drop-off would improve
under such a system.

Saltman's article brings up many other important concerns.  For example,
making such a system secure would be difficult.  As it stands, most observers
counsel against sending unencrypted voting information over telephone lines.
This system requires it.

Voting by phone?  No thanks.

- Erik   erikn@boa.MITRON.TEK.COM   (503) 690-8350   fax: (503) 690-9292

------------------------------

Date: Thu, 30 May 91 16:20:29 PDT
From: paul@cirrus.com (Paul E. Black)
Subject: Re: Vote-by-Phone - Promises and Pitfalls

My compliments.  It sounds like you have thought this through well.  A few
thoughts occurred to me.  Perhaps they may be of use to you.

Here in California each voter already gets an individually addressed voter
guide.  Some of my suggestions only make sense where each voter gets something
before hand.  I twice served on the local election board (precinct clerk), so
I have seen how people actually vote with the current system.

Identification: the PIN could be randomly assigned to each voter and sent with
the voter's guide.  If the PIN is associated with a voter's name, PIN's could
be repeated: they would be pass codes.  The voter states his name, which is
recorded for auditing, and enters it through the keypad.  The pass code
confirms it.

Write-in votes: Instead of, or in addition to, write-in names entered through
the keypad, the voter states the name vocally, and it is recorded.  With a
pre-mailed voter's guide, the voter could figure out the number codes
corresponding to the name before calling.
Confirmation: I think it would inspire more confidence in the voters if after
each vote the system repeated, "You voted for .  Press 1 if that is correct,
otherwise press 2."  Anything other than 1 causes the system to prompt for the
vote again.  (Clearly anything can be used instead of 1 and 2 as long as it is
consistent.  Perhaps 9 (Y) for yes and 6 (N) for no.)

Serial presentation: the voter's guide tells which number corresponds to each
person.  The voter is told that they can enter the number at any time.  Thus
voters with premarked ballots could go through the system rather quickly.
Another option or a refinement is to go through the names quickly the first
time (e.g., "For president Washington, 1; Jefferson, 2; or Franklin, 3") then
if the system does not detect an entry, detects an invalid entry (e.g. "4" in
the above), or detects a help button ("#" maybe?), it reads the names in
greater detail (e.g., "For president of the United States, to vote for George
Washington, Whig, press 1; to vote for ...")

Overvote and undervote: In an election where it is "Vote for up to 3 of the
candidates," the system states how many are left: "You voted for Jones, you
may vote for up to 2 more."  The voter may then cancel that vote, or not vote
for the rest.  The voter cannot overvote.  If an undervote is not allowed
("vote for exactly 2"), the system refuses to continue (with the appropriate
message) until all votes are cast or the voter indicates the desire to not
vote on that at all.

Failure to complete: In case of hang up, either because of emergency or
equipment failure (or accidentally bumping the 'phone), the safest thing is to
erase the entire proceeding to that point, except to note in the database that
a vote was interrupted (like a spoiled ballot).  Perhaps after three failures,
the system directs the person to talk with election officials.

Audit & accountability: the entire voting procedure should be recorded in as
raw a form as feasible.
Perhaps a slow tape like used for 911 would do.  If not, a record of each input
keystroke and a code indicating the system's message could be written to a
write-only media such as optical disk.

Trial & development: perhaps Federal funding could help develop and test the
concept and answer questions in a few areas for a few years.  Another
possibility is having an organization like ACM, IEEE, or a university try it
out: they want to innovate, and those voters would tend to be more careful,
give useful suggestions (i.e. help development) than the population at large.
The results would not be fully extensible to the population at large, but it
could be a place to start.

I feel the problem with low voter turn-out is a social, not a technical,
problem.  With the LONG hours and absentee ballots now available, there is
really very little excuse for people not voting.  I'm afraid the length of
time voting over the 'phone or waiting to get a line would be seen as a
similar inconvenience.

I hope this may be of some help.

Paul E. Black, CIRRUS LOGIC Inc MS 62, 3100 Warren Avenue, Fremont CA 94538 USA
{ames,uunet,amdahl,sun}!oliveb!cirrusl!paul   paul%cirrusl@oliveb.ATC.olivetti.com

------------------------------

End of RISKS-FORUM Digest 11.76
************************
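Editorial addendum (not part of the digest and not written by any contributor): the keypad dialogue Erik Nilsson parodies and the session rules Paul Black proposes (a 1/2 confirmation after every vote, no overvotes, "vote for exactly N" contests that refuse to move on, hang-ups that erase the partial ballot, and an audit record of every keystroke with the prompt it answered) are easy to state but easy to get wrong in the state machine that implements them. The Python model below, added here as an illustration, drives that state machine with scripted keystrokes so the edge cases can be checked offline. The contest names, candidate lists and keystroke scripts are constructed; the prompt codes and the "#" (abstain) and "*" (stop) keys are this example's own conventions, not anything the posts specify.

```python
"""Toy model of the vote-by-phone session rules in Paul Black's post.
Added illustration, not code from the RISKS digest or from any real election
system; all contest names, candidates and keystroke scripts are constructed."""
from dataclasses import dataclass, field


@dataclass
class Contest:
    name: str
    candidates: dict      # keypad digit -> candidate (constructed, as from a mailed voter guide)
    max_votes: int
    exact: bool = False   # True: "vote for exactly N"; False: "vote for up to N"


class HangUp(Exception):
    """The keystroke stream ended before the ballot was finished."""


@dataclass
class Session:
    keys: list                                   # scripted keystrokes standing in for the caller
    audit: list = field(default_factory=list)    # (prompt_code, key) records: the raw trail
    ballot: dict = field(default_factory=dict)

    def press(self, prompt_code):
        """Play a prompt (by code) and read one keystroke; running out means the caller hung up."""
        if not self.keys:
            self.audit.append(("HANGUP", None))
            raise HangUp
        key = self.keys.pop(0)
        self.audit.append((prompt_code, key))
        return key

    def run_contest(self, c):
        chosen = []
        # The menu is never offered again once max_votes is reached, so an overvote is impossible.
        while len(chosen) < c.max_votes:
            key = self.press(f"{c.name}:MENU({c.max_votes - len(chosen)} left)")
            if key == "#":                 # abstain from this contest entirely (always allowed)
                chosen = []
                break
            if key == "*":                 # stop with the votes cast so far
                if c.exact:                # undervote not allowed: refuse and keep prompting
                    self.audit.append((f"{c.name}:UNDERVOTE_REFUSED", None))
                    continue
                break
            if key not in c.candidates or c.candidates[key] in chosen:
                self.audit.append((f"{c.name}:INVALID", key))
                continue
            # "You voted for X.  Press 1 if that is correct, otherwise press 2."
            if self.press(f"{c.name}:CONFIRM({c.candidates[key]})") != "1":
                continue                   # anything but 1 re-prompts for the vote
            chosen.append(c.candidates[key])
        self.ballot[c.name] = chosen


def run_ballot(keys, contests):
    """Run one call; returns status, the ballot (empty if interrupted), the audit trail, unread keys."""
    s = Session(list(keys))
    try:
        for c in contests:
            s.run_contest(c)
    except HangUp:
        # Erase everything cast so far; the audit trail still shows that a call was interrupted.
        return {"status": "interrupted", "ballot": {}, "audit": s.audit, "unread": s.keys}
    return {"status": "complete", "ballot": s.ballot, "audit": s.audit, "unread": s.keys}


# Constructed sample ballot; the names are the ones the posts themselves use as examples.
PRESIDENT = Contest("president", {"1": "Washington", "2": "Jefferson", "3": "Franklin"}, 1, exact=True)
SOIL_BOARD = Contest("soil board", {"1": "Washington", "2": "Jefferson", "3": "Adams"}, 2)
BALLOT = [PRESIDENT, SOIL_BOARD]

if __name__ == "__main__":
    for script in (["2", "1", "1", "1", "3", "1", "2", "1"],   # third soil-board vote is never read
                   ["*", "1", "2", "1", "1", "*"],             # undervote refused, then reject/confirm
                   ["1"]):                                     # hang-up during confirmation
        r = run_ballot(script, BALLOT)
        print(r["status"], r["ballot"], "unread:", r["unread"])
```

The three scripted calls exercise the rules in order: the first shows that a third soil-board keystroke is simply never consumed, the second shows the exact-count contest refusing "*" and a rejected confirmation leading to a fresh prompt, and the third shows a hang-up mid-confirmation leaving an empty ballot but a complete audit record.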