PRIVACY Forum Archive Document
PRIVACY Forum Digest Saturday, 7 August 1999 Volume 08 : Issue 11 (http://www.vortex.com/privacy/priv.08.11) Moderated by Lauren Weinstein (email@example.com) Vortex Technology, Woodland Hills, CA, U.S.A. http://www.vortex.com ===== PRIVACY FORUM ===== ------------------------------------------------------------------- The PRIVACY Forum is supported in part by the ACM (Association for Computing Machinery) Committee on Computers and Public Policy, Cable & Wireless USA, Cisco Systems, Inc., and Telos Systems. - - - These organizations do not operate or control the PRIVACY Forum in any manner, and their support does not imply agreement on their part with nor responsibility for any materials posted on or related to the PRIVACY Forum. ------------------------------------------------------------------- CONTENTS Administrivia; Upcoming Article; Reality Reports (Lauren Weinstein; PRIVACY Forum Moderator) "Bright Light" POP-based Spam Filtering: A Bad Idea (Lauren Weinstein; PRIVACY Forum Moderator) Give Us Your Password, and Trust Us (Lauren Weinstein; PRIVACY Forum Moderator) Cell Phones Become Instant Bugs! (Lauren Weinstein; PRIVACY Forum Moderator) Citibank Privacy Issues (Monty Solomon) CFP2000 CFP (Susan Evoy) *** Please include a RELEVANT "Subject:" line on all submissions! *** *** Submissions without them may be ignored! *** ----------------------------------------------------------------------------- The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged. All submissions should be addressed to "firstname.lastname@example.org" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are via an automatic list server system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "email@example.com". Mailing list problems should be reported to "firstname.lastname@example.org". All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations. The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the list server system. Please follow the instructions above for getting the list server "help" information, which includes details regarding the "index" and "get" list server commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com/". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com"; full keyword searching of all PRIVACY Forum files is available via WWW access. ----------------------------------------------------------------------------- VOLUME 08, ISSUE 11 Quote for the day: "Politics is a practical profession." -- Spartacus (Kirk Douglas) "Spartacus" (Universal; 1960) ---------------------------------------------------------------------- Date: Sat, 7 Aug 99 13:52 PDT From: email@example.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: Administrivia; Upcoming Article; Reality Reports Greetings. I've lately been receiving increasing numbers of PRIVACY Forum submissions which consist solely of wire service copy or various URLs pointing at stories on web sites, whose submitters then wonder why I haven't used their items. While I appreciate such material as an "FYI" for my attention, submissions for possible publication in the digest should be in your own words, with any quotes from source material being brief and fully attributed. Thanks! Coming in an upcoming future PRIVACY Forum Digest, the results of my discussions with a firm selling software for the automatic registration (and remote disabling) of software packages over the Internet (via recording of IP numbers and related information). It's an interesting case study of how smart programmers frequently design systems with significant privacy implications, but without even basic privacy concerns having been adequately considered. On another note, the collection of my RealAudio "Vortex Daily Reality Report & Unreality Trivia Quiz" segments concerning privacy and related issues continues to grow. If you haven't checked them out recently, you might wish to take a look at the archive: http://www.vortex.com/reality Thanks much. --Lauren-- Lauren Weinstein firstname.lastname@example.org Moderator, PRIVACY Forum --- http://www.vortex.com Member, ACM Committee on Computers and Public Policy Host, "Vortex Daily Reality Report & Unreality Trivia Quiz" --- http://www.vortex.com/reality ------------------------------ Date: Sun, 25 Jul 99 16:04:56 PDT From: email@example.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: "Bright Light" POP-based Spam Filtering: A Bad Idea Greetings. Bright Light Technologies (http://www.brightlight.com), which sports an impressive list of technology partners and investors, has introduced a new "free" service to users of POP-based e-mail (previously Bright Light has apparently mainly worked through ISPs) that attempts to filter out most unsolicited e-mail (SPAM) before it reaches the user. They do this by trying to detect spam flowing around the net and then applying filtering rules. Rejected messages are pushed aside and can be viewed later if the user wishes, and lists of rejected messages are made available. I'm a long time spam-fighter myself--I maintain a public spam blocking list at http://www.vortex.com. I'm more than willing to declare the concept of trying to filter out spam (so long as there aren't many messages rejected that *aren't* really spam) to be a good one. Unfortunately, the method chosen by Bright Light for end-user POP e-mail system use is a potentially major invasion of privacy--ironic in light of Bright Light's written statements that they want to "avoid the appearance of violating email privacy" (exact quote). The problem doesn't take a masters degree in Internet engineering to understand. To use their new POP e-mail spam filtering, you have to route ALL of your inbound e-mail through Bright Light servers. Your POP account accesses Bright Light, then they login to your ISP to pick up your mail. It passes through Bright Light, and then to you. Both from privacy and risks standpoints, it's hard to imagine a system more primed for potential trouble. Any centralization of e-mail handling systems in this manner, funneling in e-mail from numerous ISPs, represents an immense target for all manner of mischief--possibly even more attractive to problems than the largest individual ISPs. Systems failures and overloading can happen. Hackers can target the facilities. And of course, the concentration of e-mail traffic could make Bright Light the recipient of choice for legal actions, by those seeking to track or access e-mail messages for any number of purposes (an increasingly popular legal maneuver, as you probably know). The requirement to provide such information could occur regardless of how little (or how much) of users' e-mail is "normally" stored on disk at the service (as opposed to passing through) in the course of routine operations. With this service, users now have two entities with which they have to entrust their e-mail--their "real" ISP, and Bright Light. And what's more, users' unencrypted POP access passwords must traverse the wider Internet, vulnerable to snooping, when using the Bright Light service, rather than just over the more limited domain of the user's ISP internal network. Bright Light has other products that send spam filtering rules directly to ISPs with the spam blocking applied at the ISP level--such services don't present these same concerns. The fundamental problem with the new service, aimed at individual POP e-mail users, is having the full text of users' total incoming e-mail passing through a centralized third party e-mail service outside of the users' direct control or affiliation. This isn't rocket science--it should be obvious that this sort of centralization of actual e-mail traffic flow is exactly the wrong direction to be moving in. I'd recommend thinking long and hard before participating, as an end-user, in any third party service that asks you to route all of your incoming e-mail through them. Even with the best of intentions (and I assume these on the part of Bright Light), and even with a "free" service, the price is much too high. My RealAudio "Vortex Daily Reality Report & Unreality Trivia Quiz" for 7/19/99 (see below for URL to the archive of segments) was devoted to this topic. --Lauren-- Lauren Weinstein firstname.lastname@example.org Moderator, PRIVACY Forum --- http://www.vortex.com Member, ACM Committee on Computers and Public Policy Host, "Vortex Daily Reality Report & Unreality Trivia Quiz" --- http://www.vortex.com/reality ------------------------------ Date: Sat, 7 Aug 99 14:29 PDT From: email@example.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: Give Us Your Password, and Trust Us Greetings. The proliferation of Internet-based services asking users to hand over their e-mail passwords, in exchange for benefits of sometimes questionable utility and safety, continues by leaps and bounds. They cover a wide range of applications--spam filtering, "free" web e-mail accounts, and many others, including most recently a service to scan subject headers and sent them to PCS cell phone text messaging systems. Many of these services ask for user e-mail passwords to be entered in the clear, via unsecure web forms or other unencrypted channels. In talking to the operators of various of these services, it's obvious that the level of naivete regarding even basic privacy concerns on many of their parts is alarming. The standard refrain tends to fall into two categories: --- "Users shouldn't use our service for anything sensitive...", (or, I might add, of any importance?) --- The operators of the services say that they can be trusted not to do anything "wrong" with the password, your e-mail passing through their facilities, or what have you--in other words, "trust us." Even if we continue to assume good intentions and pure motives on the part of such operations, regular readers of the PRIVACY Forum know of the many ways in which even the best of intentions can result in serious privacy problems, when the infrastructure that has been created is fundamentally not secure and subject to a complex of outside forces, and various modes of failure, which generally cannot be controlled in any kind of systematic way. One particularly "radical" concept I've seen recently doesn't involve e-mail, but rather bill payments. A service wants you to get everyone to whom you owe money to mail their bills directly to the service, rather than to you. The service then scans the bills, stores them, and you access and pay them online. Convenient? Arguable. Potential privacy and other problems? I'll leave that analysis as an exercise for the reader! It doesn't take much of an imagination to picture a number of troublesome scenarios... If you're considering the use of any of these different sorts of services, it's worth considering long and hard whether the perceived benefits are really worth the potential for problems. These services are popping up everywhere like unknown wild mushrooms--some of them may be just as unhealthy to get involved with unless you really know what you're doing, and feel like living dangerously! --Lauren-- Lauren Weinstein firstname.lastname@example.org Moderator, PRIVACY Forum --- http://www.vortex.com Member, ACM Committee on Computers and Public Policy Host, "Vortex Daily Reality Report & Unreality Trivia Quiz" --- http://www.vortex.com/reality ------------------------------ Date: Sat, 7 Aug 99 16:14 PDT From: email@example.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: Cell Phones Become Instant Bugs! Greetings. A disturbing application for the new generations of digital cell phones appears to be developing--many models can be easily used as remote-controlled clandestine listening devices ("bugs"), often with little or no modification. It turns out that many current cell phone models can be set into modes where they are completely silent (no "boops" or "beeps") and will answer incoming calls automatically. This latter mode is designed for use in hands-free (headset) situations. A cell phone left in a strategic location set in such modes may be silently interrogated from virtually anywhere on the planet with a simple phone call, and will happily transmit the room conversations back to the caller. When the caller hangs up, the cell phone resets, ready for the next call. In some cases, phones can be placed into this "automatic answer" mode without any accessories being required. For some models, a headset connector needs to be plugged into the phone, which may be modified to allow the phone to continue using its built-in microphone when in its "bugging" mode, or could trivially have a remote microphone wired via a very thin cable to the actual cell phone some distance away. Even without an outside source of power, many modern digital cell phones can have standby times of a week or more, and be able to transmit conversations for a number of hours. With an outside power source, they could perform their bugging functions indefinitely. Since various commercial firms are now planning to offer a wide variety of location-based services using cell phone location tracking capabilities, (which were originally mandated for 911 use), it seems likely that planted cell phones may soon be usable to track the location of persons or moving vehicles as well. Just picture a cell phone hidden in a car trunk with a tiny microphone wired up behind the rear seat, for example. The car wiring would also provide an ideal source of continuing power for both bugging and tracking via the cell phone. Simple, cheap, and accessible from practically anywhere! With cell phones becoming smaller and the associated networks ever more ubiquitous, this whole area has a great deal of potential for serious privacy-invasive abuses. --Lauren-- Lauren Weinstein firstname.lastname@example.org Moderator, PRIVACY Forum --- http://www.vortex.com Member, ACM Committee on Computers and Public Policy Host, "Vortex Daily Reality Report & Unreality Trivia Quiz" --- http://www.vortex.com/reality ------------------------------ Date: Mon, 2 Aug 1999 21:43:08 -0400 From: Monty Solomon <email@example.com> Subject: Citibank Privacy Issues I noticed that Citibank and Sony are offering a credit card which earns Sony points. It is called the Sony Citibank Platinum Select Card. It is interesting to note that you can only apply online. http://www.citibank.com/us/cards/cgi-bin/apply.cgi?card_type=sonyb "This application can only be submitted electronically. Printed and mailed/faxed applications will not be processed. Submit by clicking the "Submit" button at the end of this application." Also, you can't read the whole application at once. You have to complete each screen before you can proceed to the next one. Furthermore, in the "Terms, conditions, caveats and small print" http://www.citibank.com/citibank/disclaim.htm SUBMISSIONS. All information submitted to Citicorp via this site shall be deemed and remain the property of Citicorp and Citicorp shall be free to use, for any purpose, any ideas, concepts, know-how or techniques contained in information a visitor to this site provides Citicorp through this site. Citicorp shall not be subject to any obligations of confidentiality regarding submitted information except as agreed by the Citicorp entity having the direct customer relationship or as otherwise specifically agreed or required by law. There is also a Privacy Statement at http://www.citibank.com/privacy/index.htm which reads, in part, If you do provide personal information, such as address, e-mail, telephone and fax numbers, as well as demographic and customer identification, we will not disclose (share, sell or divulge) it to external organizations unless we have informed you, been authorized by you, or are required to do so by law. We will maintain this information, as well as your business activities and transactions, according to our usual strict security and confidentiality standards. By virtue of the disclaimer, above, everyone who uses the site has been informed. Monty --- # Monty Solomon / PO Box 2486 / Framingham, MA 01703-2486 # firstname.lastname@example.org ------------------------------ Date: 6 Aug 1999 23:17:32 -0000 From: email@example.com Subject: CFP2000 CFP Note: Karen Coyle of CPSR is on the Program Committee [Circulate until October 15, 1999] The Tenth Conference on Computers Freedom and Privacy CFP2000: CHALLENGING THE ASSUMPTIONS http://www.cfp2000.org The Westin Harbour Castle Hotel Toronto, Ontario, Canada April 4-7, 2000 CALL FOR PARTICIPATION The Program Committee of the Tenth Conference on Computers, Freedom, and Privacy (CFP2000) is seeking proposals for conference sessions and speakers. For the past decade, CFP has played a major role in the public debate on the future of privacy and freedom in the online world. The CFP audience is as diverse as the Net itself, with attendees not only from government, business, education, and non-profits, but also from the community of computer professionals, hackers, crackers and engineers who work the code of cyberspace. The themes have been broad and forward-looking. CFP explores what will be. It is the place where the future is mapped. The theme of the tenth CFP conference is 'Challenging the Assumptions'. After a decade of CFP conferences, it's time to examine what we have learned. "On the Internet, nobody knows you're a dog" has become a cliche, but we've learned that unless we take measures to protect our identities, people can and do identify us on the Internet. We have talked about the role of government in cyberspace, and some have even suggested that the Net needs no government. But now that increasing numbers of people around the world are relying on the Internet not just as a marketplace of ideas, but the market where they conduct their daily business, the issue of governance has come to the forefront. And even where no rules have been imposed by governments, some argue that standards setters and technology implementers have imposed de facto rules. At CFP2000 we want to re-examine the assumptions we have been making and consider which ones still make sense as we move forward. Proposals are welcomed on all aspects of computers, freedom, and privacy. We strongly encourage proposals that challenge the future, tackle the hard questions, look at old issues in new ways, articulate and analyze key assumptions, and present complex issues in all their complexity. We are seeking proposals for tutorials, plenary sessions, workshops, and birds-of-a-feather sessions. We are also seeking suggestions for speakers and topics. Sessions should present a wide range of thinking on a topic by including speakers from different viewpoints. Complete submission instructions appear on the CFP2000 web site at http://www.cfp2000.org/submissions/. All submissions must be received by October 15, 1999. The CFP2000 Program Committee will notify submitters of the status of their proposals by December 3. ************************************** Workshop on Freedom and Privacy by Design On the first day of CFP2000 we will hold a workshop that explores using -technology- to bring about strong protections of civil liberties which are guaranteed by the technology itself---in short, to get hackers, system architects, and implementors strongly involved in CFP and its goals. Our exploration of technology includes (a) implemented, fielded systems, and (b) what principles and architectures should be developed, including which open problems must be solved, to implement and field novel systems that can be inherently protective of civil liberties. We aim to bring together implementors and those who have studied the social issues of freedom and privacy in one room to generate ideas for systems that we should field, and implementation strategies for fielding them. If you would like to participate, you must submit a short paper or extended abstract on some issue related to the workshop by November 12. Complete submission instructions are available at http://www.cfp2000.org/workshop/ ************************************** CFP Student Competition Full time college or graduate students may compete for financial support to attend the conference and for cash prizes. Three $500 cash prizes will be awarded for the best paper, the best Web presentation, and the submission that best makes use of the vast trove of papers, audio, and video materials from the past ten years of Computers, Freedom, and Privacy conferences. Free CFP conference registrations and travel scholarships will be awarded to the top winners as well as for several honorable mentions. For full submission information, see http://www.cfp2000.org/students/. ************************************** CFP2000 PROGRAM COMMITTEE Chair: Lorrie Cranor, AT&T Labs-Research Ann Cavoukian, Information and Privacy Commissioner, Ontario, Canada Roger Clarke, The Australian National University Karen Coyle, California Digital Library and Computer Professionals For Social Responsibility Chuck Cranor, AT&T Labs-Research Lenny Foner, MIT Media Lab Wendy Grossman, Freelance writer and author of net.wars Bruce R. Koball, Technical Consultant Susan Landau, Sun Microsystems Shabbir Safdar, Mindshare Internet Campaigns Pam Samuelson, University of California Berkeley Ari Schwartz, Center for Democracy and Technology David Singer, IBM Barry Steinhardt, ACLU Bruce Umbaugh, Webster University FOR MORE INFORMATION VISIT http://www.cfp2000.org/ ----- Susan Evoy * Deputy Director http://www.cpsr.org/ Computer Professionals for Social Responsibility P.O. Box 717 * Palo Alto * CA * 94302 Phone: (650) 322-3778 * Fax: (650) 322-4748 * Email: firstname.lastname@example.org Donations online: https://swww.igc.apc.org/cpsr/sec-membership-form.html ------------------------------ End of PRIVACY Forum Digest 08.11 ************************
Vortex Technology Home Page
Copyright © 2005 Vortex Technology. All Rights Reserved.