PRIVACY Forum Archive Document


PRIVACY Forum Digest      Saturday, 7 August 1999      Volume 08 : Issue 11

                (http://www.vortex.com/privacy/priv.08.11)

            Moderated by Lauren Weinstein (lauren@vortex.com)         
              Vortex Technology, Woodland Hills, CA, U.S.A.
                         http://www.vortex.com 
        
                       ===== PRIVACY FORUM =====              

    -------------------------------------------------------------------
                 The PRIVACY Forum is supported in part by
               the ACM (Association for Computing Machinery)     
                 Committee on Computers and Public Policy,      
                 Cable & Wireless USA, Cisco Systems, Inc., 
                           and Telos Systems.
                                 - - -
             These organizations do not operate or control the     
          PRIVACY Forum in any manner, and their support does not
           imply agreement on their part with nor responsibility   
        for any materials posted on or related to the PRIVACY Forum.
    -------------------------------------------------------------------


CONTENTS 
        Administrivia; Upcoming Article; Reality Reports 
           (Lauren Weinstein; PRIVACY Forum Moderator)
        "Bright Light" POP-based Spam Filtering: A Bad Idea 
           (Lauren Weinstein; PRIVACY Forum Moderator)
        Give Us Your Password, and Trust Us 
           (Lauren Weinstein; PRIVACY Forum Moderator)
        Cell Phones Become Instant Bugs! 
           (Lauren Weinstein; PRIVACY Forum Moderator)
        Citibank Privacy Issues (Monty Solomon)
        CFP2000 CFP (Susan Evoy)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are via an automatic list server system;
for subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com". 

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the list server system.  Please follow the instructions above
for getting the list server  "help" information, which includes details
regarding the "index" and "get" list server commands, which are used to access
the PRIVACY Forum archive.  

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com/".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via
WWW access.
-----------------------------------------------------------------------------

VOLUME 08, ISSUE 11

     Quote for the day:

          "Politics is a practical profession."

                -- Spartacus (Kirk Douglas)
                   "Spartacus" (Universal; 1960)

----------------------------------------------------------------------

Date:    Sat, 7 Aug 99 13:52 PDT
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Administrivia; Upcoming Article; Reality Reports 

Greetings.  I've lately been receiving increasing numbers of PRIVACY Forum
submissions which consist solely of wire service copy or various URLs
pointing at stories on web sites, whose submitters then wonder why I haven't
used their items.  While I appreciate such material as an "FYI" for my
attention, submissions for possible publication in the digest should be in
your own words, with any quotes from source material being brief and fully
attributed.  Thanks!

Coming in an upcoming future PRIVACY Forum Digest, the results of my
discussions with a firm selling software for the automatic registration
(and remote disabling) of software packages over the Internet (via recording
of IP numbers and related information).  It's an interesting case study of
how smart programmers frequently design systems with significant privacy
implications, but without even basic privacy concerns having been 
adequately considered.

On another note, the collection of my RealAudio "Vortex Daily Reality Report
& Unreality Trivia Quiz" segments concerning privacy and related issues
continues to grow.  If you haven't checked them out recently, you might
wish to take a look at the archive:

   http://www.vortex.com/reality

Thanks much.

--Lauren--
Lauren Weinstein
lauren@vortex.com
Moderator, PRIVACY Forum --- http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Host, "Vortex Daily Reality Report & Unreality Trivia Quiz"
  --- http://www.vortex.com/reality

------------------------------

Date: Sun, 25 Jul 99 16:04:56 PDT
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: "Bright Light" POP-based Spam Filtering: A Bad Idea 

Greetings.  Bright Light Technologies (http://www.brightlight.com), which
sports an impressive list of technology partners and investors, has
introduced a new "free" service to users of POP-based e-mail (previously
Bright Light has apparently mainly worked through ISPs) that attempts to
filter out most unsolicited e-mail (SPAM) before it reaches the user.  They
do this by trying to detect spam flowing around the net and then applying
filtering rules.  Rejected messages are pushed aside and can be viewed later
if the user wishes, and lists of rejected messages are made available.

I'm a long time spam-fighter myself--I maintain a public spam blocking list
at http://www.vortex.com.  I'm more than willing to declare the concept of
trying to filter out spam (so long as there aren't many messages rejected
that *aren't* really spam) to be a good one.  Unfortunately, the method
chosen by Bright Light for end-user POP e-mail system use is a potentially
major invasion of privacy--ironic in light of Bright Light's written
statements that they want to "avoid the appearance of violating email
privacy" (exact quote).

The problem doesn't take a master's degree in Internet engineering to
understand.  To use their new POP e-mail spam filtering, you have to route
ALL of your inbound e-mail through Bright Light servers.  Your POP account
accesses Bright Light, then they login to your ISP to pick up your mail.  It
passes through Bright Light, and then to you.

Both from privacy and risks standpoints, it's hard to imagine a system
more primed for potential trouble.  Any centralization of e-mail handling
systems in this manner, funneling in e-mail from numerous ISPs, represents
an immense target for all manner of mischief--possibly even more attractive
to problems than the largest individual ISPs.  Systems failures and
overloading can happen.  Hackers can target the facilities.  And of course,
the concentration of e-mail traffic could make Bright Light the recipient of
choice for legal actions, by those seeking to track or access e-mail
messages for any number of purposes (an increasingly popular legal maneuver,
as you probably know).  The requirement to provide such information could
occur regardless of how little (or how much) of users' e-mail is "normally"
stored on disk at the service (as opposed to passing through) in the course
of routine operations.  

With this service, users now have two entities with which they have to
entrust their e-mail--their "real" ISP, and Bright Light.  And what's more,
users' unencrypted POP access passwords must traverse the wider Internet,
vulnerable to snooping, when using the Bright Light service, rather than
just over the more limited domain of the user's ISP internal network.

Bright Light has other products that send spam filtering rules directly to
ISPs with the spam blocking applied at the ISP level--such services don't
present these same concerns.  The fundamental problem with the new service,
aimed at individual POP e-mail users, is having the full text of users'
total incoming e-mail passing through a centralized third party e-mail
service outside of the users' direct control or affiliation.

This isn't rocket science--it should be obvious that this sort of
centralization of actual e-mail traffic flow is exactly the wrong
direction to be moving in.  I'd recommend thinking long and hard before
participating, as an end-user, in any third party service that asks you to
route all of your incoming e-mail through them.  Even with the best of
intentions (and I assume these on the part of Bright Light), and even with a
"free" service, the price is much too high.

My RealAudio "Vortex Daily Reality Report & Unreality Trivia Quiz" for
7/19/99 (see below for URL to the archive of segments) was devoted 
to this topic. 

--Lauren--

Lauren Weinstein
lauren@vortex.com
Moderator, PRIVACY Forum --- http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Host, "Vortex Daily Reality Report & Unreality Trivia Quiz"
  --- http://www.vortex.com/reality
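
[Added example, not part of the original message or of any Bright Light code.]
The point above about unencrypted POP passwords crossing the wider Internet
can be checked on a captured session. This sketch goes beyond the message by
also recognizing APOP, the challenge-response login defined in RFC 1939; the
function names and the "C:"/"S:" transcript layout are assumptions, and the
sample sessions are constructed (the APOP values are the RFC's worked example).

```python
import hashlib
import hmac
import re

# Constructed sample sessions ("C:" = client line, "S:" = server line).
# The APOP banner, user, secret and digest are the worked example in RFC 1939.
CLEARTEXT_SESSION = """\
S: +OK POP3 server ready
C: USER mrose
S: +OK
C: PASS tanstaaf
S: +OK maildrop locked and ready
"""
APOP_SESSION = """\
S: +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>
C: APOP mrose c4c9334bac560ecc979e58001b3e22fb
S: +OK maildrop has 1 message (369 octets)
"""

# APOP-capable servers put a msg-id style timestamp in the greeting banner.
BANNER_TIMESTAMP = re.compile(r"<[^<>\s]+@[^<>\s]+>")


def apop_digest(timestamp, secret):
    """RFC 1939 APOP digest: MD5 over the banner timestamp followed by the secret."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()


def audit_session(transcript):
    """Report how a POP3 session logged in and whether the password was sent in clear."""
    report = {"method": None, "user": None, "password_in_clear": False,
              "timestamp": None, "digest": None}
    banner_seen = False
    for raw in transcript.splitlines():
        side, _, line = raw.partition(":")
        line = line.strip()
        if side == "S" and not banner_seen:
            banner_seen = True  # only the greeting carries the APOP timestamp
            match = BANNER_TIMESTAMP.search(line)
            report["timestamp"] = match.group(0) if match else None
        elif side == "C":
            verb, _, arg = line.partition(" ")
            verb = verb.upper()  # POP3 keywords are case-insensitive
            if verb == "USER":
                report["user"] = arg
            elif verb == "PASS":
                # The literal password follows PASS, readable on every hop.
                report["method"] = "USER/PASS"
                report["password_in_clear"] = True
            elif verb == "APOP":
                name, _, digest = arg.partition(" ")
                report.update(method="APOP", user=name, digest=digest.lower())
    return report


def apop_matches(report, secret):
    """Server-side check: does the digest seen on the wire match the shared secret?"""
    if report["method"] != "APOP" or not report["timestamp"]:
        return False
    expected = apop_digest(report["timestamp"], secret)
    return hmac.compare_digest(expected, report["digest"])


if __name__ == "__main__":
    for label, session in (("cleartext", CLEARTEXT_SESSION), ("apop", APOP_SESSION)):
        print(label, audit_session(session))
```

APOP keeps only the password off the wire; the message text still crosses
every hop, and any relay in the path, unencrypted.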

------------------------------

Date:    Sat, 7 Aug 99 14:29 PDT
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Give Us Your Password, and Trust Us

Greetings.  The proliferation of Internet-based services asking users to
hand over their e-mail passwords, in exchange for benefits of sometimes
questionable utility and safety, continues by leaps and bounds.

They cover a wide range of applications--spam filtering, "free" web e-mail
accounts, and many others, including most recently a service to scan subject
headers and send them to PCS cell phone text messaging systems.  Many of
these services ask for user e-mail passwords to be entered in the clear, via
unsecure web forms or other unencrypted channels.

In talking to the operators of various of these services, it's obvious that
the level of naivete regarding even basic privacy concerns on many of their
parts is alarming.  The standard refrain tends to fall into two categories:

  --- "Users shouldn't use our service for anything sensitive...",
      (or, I might add, of any importance?)

  --- The operators of the services say that they can be trusted not
      to do anything "wrong" with the password, your e-mail passing
      through their facilities, or what have you--in other words,
      "trust us."

Even if we continue to assume good intentions and pure motives on the part
of such operations, regular readers of the PRIVACY Forum know of the many
ways in which even the best of intentions can result in serious privacy
problems, when the infrastructure that has been created is fundamentally
not secure and subject to a complex of outside forces, and various modes of
failure, which generally cannot be controlled in any kind of systematic way.

One particularly "radical" concept I've seen recently doesn't involve e-mail,
but rather bill payments.  A service wants you to get everyone to whom you
owe money to mail their bills directly to the service, rather than to you.
The service then scans the bills, stores them, and you access and pay them
online.  Convenient?  Arguable.  Potential privacy and other problems?  I'll
leave that analysis as an exercise for the reader!  It doesn't take much of
an imagination to picture a number of troublesome scenarios...

If you're considering the use of any of these different sorts of services,
it's worth considering long and hard whether the perceived benefits are
really worth the potential for problems.  These services are popping up
everywhere like unknown wild mushrooms--some of them may be just as
unhealthy to get involved with unless you really know what you're doing,
and feel like living dangerously!

--Lauren--
Lauren Weinstein
lauren@vortex.com
Moderator, PRIVACY Forum --- http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Host, "Vortex Daily Reality Report & Unreality Trivia Quiz"
  --- http://www.vortex.com/reality

------------------------------

Date:    Sat, 7 Aug 99 16:14 PDT
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Cell Phones Become Instant Bugs!

Greetings.  A disturbing application for the new generations of digital cell
phones appears to be developing--many models can be easily used as
remote-controlled clandestine listening devices ("bugs"), often with little
or no modification.

It turns out that many current cell phone models can be set into modes where
they are completely silent (no "boops" or "beeps") and will answer incoming
calls automatically.  This latter mode is designed for use in hands-free
(headset) situations.  A cell phone left in a strategic location set in such
modes may be silently interrogated from virtually anywhere on the planet
with a simple phone call, and will happily transmit the room conversations
back to the caller.  When the caller hangs up, the cell phone resets, ready
for the next call.  

In some cases, phones can be placed into this "automatic answer" mode
without any accessories being required.  For some models, a headset connector
needs to be plugged into the phone, which may be modified to allow the phone
to continue using its built-in microphone when in its "bugging" mode, or
could trivially have a remote microphone wired via a very thin cable to the
actual cell phone some distance away.

Even without an outside source of power, many modern digital cell phones can
have standby times of a week or more, and be able to transmit conversations
for a number of hours.  With an outside power source, they could perform
their bugging functions indefinitely.

Since various commercial firms are now planning to offer a wide variety of
location-based services using cell phone location tracking capabilities,
(which were originally mandated for 911 use), it seems likely that planted
cell phones may soon be usable to track the location of persons or moving
vehicles as well.  Just picture a cell phone hidden in a car trunk with a
tiny microphone wired up behind the rear seat, for example.  The car wiring
would also provide an ideal source of continuing power for both bugging and
tracking via the cell phone.  Simple, cheap, and accessible from practically
anywhere!

With cell phones becoming smaller and the associated networks ever more
ubiquitous, this whole area has a great deal of potential for serious
privacy-invasive abuses.

--Lauren--
Lauren Weinstein
lauren@vortex.com
Moderator, PRIVACY Forum --- http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Host, "Vortex Daily Reality Report & Unreality Trivia Quiz"
  --- http://www.vortex.com/reality

------------------------------

Date:    Mon, 2 Aug 1999 21:43:08 -0400
From:    Monty Solomon <monty@roscom.com>
Subject: Citibank Privacy Issues

I noticed that Citibank and Sony are offering a credit card which earns
Sony points.  It is called the Sony Citibank Platinum Select Card.

It is interesting to note that you can only apply online.

    http://www.citibank.com/us/cards/cgi-bin/apply.cgi?card_type=sonyb

    "This application can only be submitted electronically. Printed and
    mailed/faxed applications will not be processed.
    Submit by clicking the "Submit" button at the end of this application."

Also, you can't read the whole application at once.  You have to complete
each screen before you can proceed to the next one.


Furthermore, in the "Terms, conditions, caveats and small print"

    http://www.citibank.com/citibank/disclaim.htm

SUBMISSIONS.
All information submitted to Citicorp via this site shall be deemed
and remain the property of Citicorp and Citicorp shall be free to
use, for any  purpose, any ideas, concepts, know-how or techniques
contained in information a visitor to this site provides Citicorp
through this site. Citicorp shall not be subject to any obligations
of confidentiality regarding submitted information except as agreed
by the Citicorp entity having the direct customer relationship or as
otherwise specifically agreed or required by law.


There is also a Privacy Statement at
        http://www.citibank.com/privacy/index.htm
which reads, in part,

If you do provide personal information, such as address, e-mail,
telephone and fax numbers, as well as demographic and customer
identification, we will not disclose (share, sell or divulge) it to
external organizations unless we have informed you, been authorized
by you, or are required to do so by law. We will maintain this
information, as well as your business activities and transactions,
according to our usual strict security and confidentiality standards.

By virtue of the disclaimer, above, everyone who uses the site
has been informed.

Monty
---
# Monty Solomon / PO Box 2486 / Framingham, MA  01703-2486
# monty@roscom.com

------------------------------

Date:    6 Aug 1999 23:17:32 -0000
From:    sevoy@quark.cpsr.org
Subject: CFP2000 CFP

Note: Karen Coyle of CPSR is on the Program Committee
 
[Circulate until October 15, 1999]

The Tenth Conference on Computers Freedom and Privacy
CFP2000: CHALLENGING THE ASSUMPTIONS
http://www.cfp2000.org

The Westin Harbour Castle Hotel
Toronto, Ontario, Canada
April 4-7, 2000

 
CALL FOR PARTICIPATION  

The Program Committee of the Tenth Conference on Computers, Freedom,
and Privacy (CFP2000) is seeking proposals for conference sessions and
speakers.

For the past decade, CFP has played a major role in the public debate
on the future of privacy and freedom in the online world.  The CFP
audience is as diverse as the Net itself, with attendees not only from
government, business, education, and non-profits, but also from the
community of computer professionals, hackers, crackers and engineers
who work the code of cyberspace.  The themes have been broad and
forward-looking. CFP explores what will be. It is the place where the
future is mapped.

The theme of the tenth CFP conference is 'Challenging the
Assumptions'.  After a decade of CFP conferences, it's time to examine
what we have learned. "On the Internet, nobody knows you're a dog" has
become a cliche, but we've learned that unless we take measures to
protect our identities, people can and do identify us on the Internet.
We have talked about the role of government in cyberspace, and some
have even suggested that the Net needs no government. But now that
increasing numbers of people around the world are relying on the
Internet not just as a marketplace of ideas, but the market where they
conduct their daily business, the issue of governance has come to the
forefront. And even where no rules have been imposed by governments,
some argue that standards setters and technology implementers have
imposed de facto rules. At CFP2000 we want to re-examine the
assumptions we have been making and consider which ones still make
sense as we move forward.
        
Proposals are welcomed on all aspects of computers, freedom, and
privacy. We strongly encourage proposals that challenge the future,
tackle the hard questions, look at old issues in new ways, articulate
and analyze key assumptions, and present complex issues in all their
complexity.

We are seeking proposals for tutorials, plenary sessions, workshops,
and birds-of-a-feather sessions. We are also seeking suggestions for
speakers and topics. Sessions should present a wide range of thinking
on a topic by including speakers from different viewpoints.  Complete
submission instructions appear on the CFP2000 web site at
http://www.cfp2000.org/submissions/.  All submissions must be received
by October 15, 1999.  The CFP2000 Program Committee will notify
submitters of the status of their proposals by December 3.

**************************************

Workshop on Freedom and Privacy by Design

On the first day of CFP2000 we will hold a workshop that explores
using -technology- to bring about strong protections of civil
liberties which are guaranteed by the technology itself---in short, to
get hackers, system architects, and implementors strongly involved in
CFP and its goals.  Our exploration of technology includes (a)
implemented, fielded systems, and (b) what principles and
architectures should be developed, including which open problems must
be solved, to implement and field novel systems that can be inherently
protective of civil liberties.

We aim to bring together implementors and those who have studied the
social issues of freedom and privacy in one room to generate ideas for
systems that we should field, and implementation strategies for
fielding them.

If you would like to participate, you must submit a short paper or
extended abstract on some issue related to the workshop by November
12. Complete submission instructions are available at
http://www.cfp2000.org/workshop/

**************************************

CFP Student Competition

Full time college or graduate students may compete for financial
support to attend the conference and for cash prizes. Three $500 cash
prizes will be awarded for the best paper, the best Web presentation,
and the submission that best makes use of the vast trove of papers,
audio, and video materials from the past ten years of Computers,
Freedom, and Privacy conferences. Free CFP conference registrations
and travel scholarships will be awarded to the top winners as well as
for several honorable mentions. For full submission information, see
http://www.cfp2000.org/students/.

**************************************

CFP2000 PROGRAM COMMITTEE

Chair: Lorrie Cranor, AT&T Labs-Research

Ann Cavoukian, Information and Privacy Commissioner, Ontario, Canada
Roger Clarke, The Australian National University 
Karen Coyle, California Digital Library and 
        Computer Professionals For Social Responsibility
Chuck Cranor, AT&T Labs-Research
Lenny Foner, MIT Media Lab
Wendy Grossman, Freelance writer and author of net.wars
Bruce R. Koball, Technical Consultant
Susan Landau, Sun Microsystems
Shabbir Safdar, Mindshare Internet Campaigns
Pam Samuelson, University of California Berkeley
Ari Schwartz, Center for Democracy and Technology
David Singer, IBM
Barry Steinhardt, ACLU
Bruce Umbaugh, Webster University

FOR MORE INFORMATION VISIT http://www.cfp2000.org/

  -----
Susan Evoy   *   Deputy Director                     
http://www.cpsr.org/
Computer Professionals for Social Responsibility
P.O. Box 717  *  Palo Alto  *  CA *  94302         
Phone: (650) 322-3778    *   Fax: (650) 322-4748     *   
Email: evoy@cpsr.org   
Donations online: https://swww.igc.apc.org/cpsr/sec-membership-form.html

------------------------------

End of PRIVACY Forum Digest 08.11
************************


Copyright © 2005 Vortex Technology. All Rights Reserved.