PRIVACY Forum Archive Document

PRIVACY Forum Home Page

PFIR - "People For Internet Responsibility" Home Page

Vortex Technology Home Page

PRIVACY Forum Digest      Thursday, 4 May 2000      Volume 09 : Issue 14


            Moderated by Lauren Weinstein (         
              Vortex Technology, Woodland Hills, CA, U.S.A.
                       ===== PRIVACY FORUM =====              

                 The PRIVACY Forum is supported in part by
               the ACM (Association for Computing Machinery)     
                 Committee on Computers and Public Policy,      
                 Cable & Wireless USA, Cisco Systems, Inc., 
                           and Telos Systems.
                                 - - -
             These organizations do not operate or control the     
          PRIVACY Forum in any manner, and their support does not
           imply agreement on their part with nor responsibility   
        for any materials posted on or related to the PRIVACY Forum.

        Corporations Risk All Via Insecure Online Voting?
           (Lauren Weinstein; PRIVACY Forum Moderator)
        First Web Tracking, then TELEPHONE Tracking?
           (Lauren Weinstein; PRIVACY Forum Moderator)
        Privacy2000 Conference (Sol Bermann)

 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are via an automatic list server system;
for subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"".  Mailing list problems should be reported to

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the list server system.  Please follow the instructions above
for getting the list server  "help" information, which includes details
regarding the "index" and "get" list server commands, which are used to access
the PRIVACY Forum archive.  

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "";
full keyword searching of all PRIVACY Forum files is available via
WWW access.


     Quote for the day:

        "I never explain anything."

                -- Mary Poppins (Julie Andrews)
                   "Mary Poppins" (Disney; 1964)


Date:    Thu, 4 May 2000 10:17 PDT
From: (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Corporations Risk All Via Insecure Online Voting?

Greetings.  This is going to be one of those unfortunate "so sad it's 
almost funny" cases.  Hold on to your beanies.

In a recent "People For Internet Responsibility" statement relating to
Internet Voting (, I pointed out a
large number of difficult problems relating to voting over the
Internet/World Wide Web.  While that document mainly was discussing online
voting in the traditional sense of political elections (which is in its
infancy), there are other aspects of online voting which have taken off
bigtime over the last couple of years.  One of these is voting of corporate
stock (proxy voting) via the Web.

Now, even if many people don't seem to care who is elected to any given
office, one would think they'd at least care about their money.  And it's
reasonable to assume that corporations would wish to at least pay lip
service to the idea that the votes of their stockholders are meaningful in
some way.

So it's ironic that a major firm involved in hosting such proxy
votes over the Web, American Stock Transfer & Trust Company, located
on Wall Street in New York City, would operate a proxy voting
Web site most charitably described as laughable (

My attention was originally attracted to this situation by James Hughes (who
gave his permission for his name to be used in this report) who had wanted
to vote his shares of Storage Technology Corp.  When he went to the
designated voteproxy site mentioned above, he was quite surprised
at what he found.  My investigation confirmed his concerns.

First off, the site isn't even accessible without javascript being
enabled--an increasing security concern, especially in the light
of newly announced javascript security bugs in major Web browsers.
Any attempt to access the site without javascript yields the infamous
blank page.  (I'm planning a special report on the widespread nature
of this problem and its implications, for both commercial and government
Web sites, in the very near future.)

All right, you reluctantly turn on javascript, and what did you get from  You saw a page telling you that you could vote your stock
"SECURELY" (bold, uppercase) and a slot to enter your 11 digit "control
number" for your stock.  No links to additional information, help, or
contacts were apparent.

Oh--about the use of the term "SECURELY" on that page.  It was completely
false.  The page (and all subsequent pages) were completely in the clear and
did not use Secure Sockets Layer (SSL).  Nor was any SSL server even
apparently running at the site.  So it would be relatively trivial for a
nefarious individual with the proper resources to gather up these voting
control numbers as they streamed by.  But it gets worse!

When the control number is voted, the voter has the option of entering an
e-mail address to receive a confirmation.  So far, so good.  But what
happens if you decide to vote the same control a second time (or if someone
who had surreptitiously obtained such numbers from the unencrypted Web
transmissions tried such a vote?)  Answer: Apparently the new vote replaces
the old one.  Sometimes such a duplicate vote would yield a message
informing you that your new vote had replaced the old one.  Other times the
vote would just be accepted without any warning at all.  And (as you have
probably guessed by now) no attempt is made to notify the original voter
that their vote has been replaced.

I ultimately had a chat with the person in charge of the voteproxy Web site,
by going through their domain registration phone number.  Her initial
response was that their ISP handling the system had assured them that it was
operating properly, and she claimed that their voting system was more secure
than using the U.S. mail.  When I pointed out what I perceived to be the
inaccuracies of her statement, she changed her tone somewhat, launching into
a diatribe against their ISP.  "We wanted to switch to SSL but our ISP
ignores us."  "Our ISP won't call us back."  "We plan to switch to another
ISP but we're waiting until July after the busy proxy voting season." 
"Can you recommend a good ISP?"  And so on.  Definitely one of those 
moments to make me suspect that I'm living in a Fellini movie.

Obviously, there is a great deal to be concerned about regarding that site,
and the proxy votes cast through it.  With so many other aspects of the site
in disarray, it would be natural to also be concerned about the accuracy of
the vote counting itself.

But they did make one immediate change in reaction to my call!  They've
removed the text from their site that had claimed the voting was secure!

"Cut!  Print."

Lauren Weinstein or
Co-Founder, PFIR: People for Internet Responsibility -
Moderator, PRIVACY Forum -
Member, ACM Committee on Computers and Public Policy


Date:    Thu, 4 May 2000 09:25 PDT
From: (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: First Web Tracking, then TELEPHONE Tracking?

Greetings.  The following text may be of interest:

  "As your local telephone company, we're always interested in offering you
   services that will enhance your communications is new and exciting ways.
   That's why we're offering you a new innovation in calling, our 
   "Getting to Know You" program!  

   You'll receive either free basic monthly telephone service, or a
   substantial discount on your phone service, for being a member of this
   fantastic program, which has been developed in response to the rapid
   pace of innovations on the World Wide Web.  By joining this landmark
   service, you'll be giving us permission to keep track (for commercial
   purposes) of the phone numbers and names, business types, etc. of all
   parties that you call, and to listen in on your calls to find out what
   topics most interest you.  

   You can trust us!  We'll keep track of all this information using our
   (patent-pending) "Digital-Shadow" anonymous ID system, and we'll only use
   your dialing and conversation information to target you with advertising
   for special offers we know you'll appreciate!  Our studies have shown
   that people simply often don't tell the truth when asked what products
   they're interested in--"Getting to Know You" bypasses that problem and
   delivers better value to our loyal advertisers and business partners.
   You can read our privacy policy which describes all of the details.
   (Please note that the privacy policy and the manner in which we handle,
   sell, distribute, combine, or otherwise use the information we gather
   about you is subject to change at any time.) 

   We think you'll find that "Getting to Know You" will change the way that
   you think about your telephone!  Sign up now!  
   (Offer void where prohibited by law.)"

OK, it should be obvious by now that the above is a completely fictional
scenario--for the moment, anyway.  Under current law, this scheme would
likely face numerous legal problems.  It seems unlikely to occur
in the near future, I hope!

I suspect that if such a plan were announced that there'd probably be some
takers (after all, there's someone to go along with just about anything).
But it seems reasonable to assume that the overall reaction to this plan
would be indignation and shock.  Most people would consider it a major
violation of privacy, even if "only" the dialed phone numbers were being 
used for this purpose and no actual call content monitoring were involved.
The claim that the system did its tracking through "anonymous" profiles
would be unlikely to calm many concerns--polls have shown that
most people are increasingly distrustful of the claims firms make
about the handling of personal information.

Internet Service Providers (ISPs) are to the Internet and Web what telephone
companies are to phone service.  In fact, we'll see a merging of all of
these facets over time--it's already begun.  The Web addresses (URLs) that we
enter to access Web sites are not only analogous to telephone numbers, but
through their inclusion of keywords and their accessing of specific content
on sites, are also not unlike the content of telephone calls in many

I do not see a great deal of difference between the growing practices of
tracking on the Web and the fictional scenario above, other than the fact
that such tracking and the potential for widespread information abuse is
legal with the Web.  As the Web becomes an increasingly primary
communications vehicle in people's lives, many Web firms' apparent
unwillingness to "play by the rules" of the rest of society in the
non-cyberspace world is increasingly untenable and unacceptable.  

Lauren Weinstein or
Co-Founder, PFIR: People for Internet Responsibility -
Moderator, PRIVACY Forum -
Member, ACM Committee on Computers and Public Policy


Date:    Tue, 02 May 2000 12:43:28 -0400
From:    Sol Bermann <>
Subject: Privacy2000 Conference

Privacy is a critical national issue for both the private and public
sectors.  In order to ensure the broadest possible participation by speakers
and attendees, the Technology Policy Group's Privacy2000 conference will now
take place Tuesday, Oct. 31-Wednesday Nov. 1, 2000.  Please adjust your
calendars accordingly.

Below are some specifics for Privacy2000: 

Title: Privacy2000: Information, Security & Ethics in the Digital Age 
Date: Tuesday, Oct. 31-Wednesday, Nov. 1, 2000 
Location: Columbus, Ohio

For information on the program and registration, please visit our website at:

Or contact:

Sol Bermann
Legal Project Manager
Technology Policy Group
The Ohio Supercomputer Center
1224 Kinnear Road
Columbus, OH 43212-1163
614-292-1992 (Fax)


End of PRIVACY Forum Digest 09.14

PRIVACY Forum Home Page

Vortex Technology Home Page

Copyright © 2005 Vortex Technology. All Rights Reserved.