TUCoPS :: Privacy :: priv_202.txt

Privacy Digest 2.02 1/8/93

PRIVACY Forum Digest     Friday, 8 January 1993     Volume 02 : Issue 02

         Moderated by Lauren Weinstein (lauren@cv.vortex.com)
                Vortex Technology, Topanga, CA, U.S.A.
                     ===== PRIVACY FORUM =====

   	  The PRIVACY Forum digest is supported in part by the 
	      ACM Committee on Computers and Public Policy.

	OECD Security Guidelines (Marc Rotenberg)
	On expectations of privacy (Jerry Leichter)
	Utility bills going to law enforcement (KitchenRN@ssd0.laafb.af.mil)
	Car Searches Require Probable Cause - Well Maybe Not in Florida
           (A. Padgett Peterson)
	Perot campaign raiding credit data? (KitchenRN@ssd0.laafb.af.mil)
	Car searches (Lynn R. Grant)
	Caller ID Integrity (Lynn R. Grant)
	CFP'93 Electronic Brochure (Bruce R. Koball)

 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

The PRIVACY Forum is a moderated digest for the discussion and analysis of
issues relating to the general topic of privacy (both personal and
collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@cv.vortex.com" and must have
RELEVANT "Subject:" lines.  Submissions without appropriate and relevant
"Subject:" lines may be ignored.  Subscriptions are by an automatic
"listserv" system; for subscription information, please send a message
consisting of the word "help" (quotes not included) in the BODY of a message
to: "privacy-request@cv.vortex.com".  Mailing list problems should be
reported to "list-maint@cv.vortex.com".  All submissions included in this
digest represent the views of the individual authors and all submissions
will be considered to be distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "cv.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.

For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX
to (310) 455-2364.


   Quote for the day:

	"Seven and a half cents, 
	 Doesn't buy a heck of a lot.
	 Seven and a half cents,
	 Doesn't mean a thing.
	 But give it to me every hour,
	 Forty hours every week,
	 That's enough for me to be,
	 Living like a king!"

			-- Chorus from "The Pajama Game" (1957)


Date:    Tue, 22 Dec 1992 14:19:51 EDT
From:    Marc Rotenberg <Marc_Rotenberg@washofc.cpsr.org>
Subject: OECD Security Guidelines


        The Organization for Economic Cooperation and
Development (OECD) has adopted international Guidelines for
the Security of Information Systems.  The Guidelines are
intended to raise awareness of the risks in the use of
information systems and to establish a policy framework to
address public concerns.

        A copy of the press release and an excerpt from the
Guidelines follows.  For additional information or for a copy
of the guidelines, contact Ms. Deborah Hurley, OECD, 2, rue
Andre-Pascal, 75775 Paris Cedex 16, 33-1-45-24-93-71 (fax)
33-1-45-24-93-32 (fax).

Marc Rotenberg, Director
CPSR Washington office and Member,
OECD Expert Group on Information System Security



        "The 24 OECD Member countries on 26th November 1992
adopted Guidelines for the Security of Information Systems,
culminating almost two years' work by an OECD expert group
composed of governmental delegates, scholars in the fields of
law, mathematics and computer science, and representatives of
the private sector, including computer and communication
goods and services providers and users.

        "The term information systems includes computers,
communication facilities, computer and communication networks
and the information that they process.  These systems play an
increasingly significant and pervasive role in a multitude of
activities, including national economies, international
trade, government and business operation, health care,
energy, transport, communications and education.

        "Security of information systems means the protection of
the availability, integrity, and confidentiality of
information systems.  It is an international issue because
information systems frequently cross national boundaries.

        "While growing use of information systems has generated
many benefits, it has also shown up a widening gap between
the need to protect systems and the degree of protection
currently in place.  Society has become very dependent on
technologies that are not yet sufficiently dependable.  All
individuals and organizations have a need for proper
information system operations (e.g. in hospitals, air traffic
control and nuclear power plants).

        "Users must have confidence that information systems
will be available and operate as expected without
unanticipated failures or problems.  Otherwise, the systems
and their underlying technologies may not be used to their
full potential and further growth and innovation may be

        "The Guidelines for the Security of Information Systems
will provide the required foundation on which to construct a
framework for security of information systems.  They are
addressed to the public and private sectors and apply to all
information systems.  The framework will include policies,
laws, codes of conduct, technical measures, management and
user practices, ad public education and awareness activities
at both national and international levels.

        "Several OECD Member countries have been forerunners in
the field of security of information systems.  Certain laws
and organizational and technical rules are already in place.
Most other countries are much farther behind in their
efforts.  The Guidelines will play a normative role and
assist governments and the private sector in meeting the
challenges of these worldwide systems.  The Guidelines bring
guidance and a  real value-added to work in this area, from a
national and international perspective."


"1. Accountability Principle

        The responsibilities and accountability of owners,
providers and users of information systems and other parties
concerned with the security of information systems should be

"2.  Awareness Principle

        "In order to foster confidence in information systems,
owners, providers and users of information systems and other
parties should readily be able, consistent with maintaining
security, to gain appropriate knowledge of and be informed
about the existence and general extent of measures, practices
and procedures for the security of information systems.

"3. Ethics Principle

        "Information systems and the security of information
systems should be provided and used in such a  manner that
the rights and legitimate interests of others are respected.

"4. Multidisciplinary Principle

        "Measures practices and procedures for the security of
information systems should take into account of and address
all relevant consideration and viewpoints, including
technical, administrative, organizational, operational,
commercial, educational and legal.

"5.  Proportionality Principle

        "Security levels, costs, measures, practices and
procedures should be appropriate and proportionate to the
value of and degree of reliance on the information systems
and to the severity, probability and extent of potential
harm, as the requirements for security vary depending upon
the particular information systems.

"6. Integration Principle

        "Measures, practices and procedures for the security of
information systems should be co-ordinated and integrated
with each other and with other measures, practices and
procedures of the organization so as to create a coherent
system of security.

"7. Timeliness Principle

        "Public and private parties, at both national and
international levels, should act in a timely co-ordinated
manner to prevent and to respond to breaches of information

"8.  Reassessment Principle

        "The security information systems should be reassessed
periodically, as information systems and the requirements for
their security vary over time.

"9. Democracy Principle

        "The security of information systems should be
compatible with the legitimate use and flow of data ad
information in a democratic society."

[Source: OECD Guidelines for the Security of Information
Systems (1992)]


Date:    Tue, 29 Dec 92 08:53:44 EDT
From:    Jerry Leichter <leichter@lrw.com>
Subject: On expectations of privacy

Banks today are required to report large cash transactions.  One hears talk of
using either specific computer-readable markers on new currency, or just OCR
to read the serial numbers on old currency, as a near-future mechanism that
will make it possible to track what happens to money.  This is viewed with
universal shock and horror as a new intrusion on our obvious traditional right
to complete anonymity in cash transactions.

But is there really any such traditional right?  Anyone who studies a bit of
history quickly discovers that for something to be widely believed to be
inevitable, it really need only have been widespread for a relatively short

I recently read "Natural Death", a Dorothy Sayers "Lord Peter Wimsy" mystery
written, and set, in mid-1920's England.  A woman is found murdered; on her
person is a (new?) five-pound note.  The police are able to use the serial
number of the note to locate the bank that issued it, the bank finds the
appropriate teller, and the teller recalls the person to whom she issued that
note (along with two other fivers).  A bit of a stretch of memory perhaps, but
Sayers's writing was intended to be realistic and essentially believable.
Clearly, neither Sayers nor her readers found this particular bit of police
work unreasonable - or disturbing.

It's easy to forget how much of what we think of as "privacy" is simply the
annonymity of large-scale civilization.  Sayers's bank teller could remember
her customer because she didn't deal with hundreds of people she didn't know
every day; in the 1920's, banks were used by the wealthy.

BTW, my guess is that in modern terms that five-pound note would be worth
somewhere around $100 or so.  I doubt Sayers would have expected a one-pound
note to be so easily traceable.
							-- Jerry


Date:    Tue, 29 Dec 92 11:28:00
From:    <KitchenRN@ssd0.laafb.af.mil>
Subject: Utility bills going to law enforcement

>Reports out of the San Jose, California area are expressing concern over the
>apparent practice of some utility companies of routinely turning over
>"unusual" utility bills to law enforcement agencies.  It seems that above
>average (that is, above the norm for the customer class) use of water and/or
>power may be considered to be a possible indication of illegal drug
>activities.  At least some utility companies apparently consider consumer
>utility bills to be public information and not subject to privacy

There was an AP article in yesterday's newspaper (the Torrance, CA "Daily 
Breeze") which addressed this subject, quoting the "San Jose Mercury News".  
The article mentioned that the utilities were not only giving out usage 
information about water and electricity, but were also including Social 
Security number, place of employment, and driver's license number.  In 
addition, the utilities were also giving out information about *the 
neighbors* of the people under surveillance, "for comparative purposes."

A spokesdrone for Pacific Gas & Electric (PG&E), the Northern California 
utility, said that the practice was just their way of being "a good corporate 
citizen and caring about the community.  Nobody regarded it as a particular 

The article also quoted a PG&E memo which stated corporate policy of honoring 
all requests from law enforcement personnel, whether they have a search 
warrant or not.


Date:    Tue, 29 Dec 92 22:13:34 -0500
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: "Car Searches Require Probable Cause" - Well Maybe Not in Florida

>From:    mbeckman@mbeckman.mbeckman.com (Mel Beckman)

>I'm certain many will respond to this. The answer is that no, the officer
>may not search your car without a warrant, and he can't get a warrant
>unless he has probable cause. Probable cause has been specifically determined
>to exclude such logic as "anyone who won't consent is hiding something"
>or "he looks guilty". It requires specific evidence that a crime may have
>been committed (e.g. bullet holes in the trunk). 

Well I live less than 50 miles from Volusia County (Daytona) where this
seems to have had some interesting interpretations. According to the 
Orlando Sentinel (newspaper), on stops of "suspected couriers" a request
was made to search the vehicle. If refused a "drug sniffing" dog was summoned
who often seems to bark or wag his tail or whatever. Apparently this
constitutes "probable cause" and a search was then performed.

Interestingly, one of the courier "profiles" mentioned as suspect was driving
*under* the speed limit (65 mph on I-95 in most places).


Date:    Mon, 04 Jan 93 10:11:00
From:    <KitchenRN@ssd0.laafb.af.mil>
Subject: Perot campaign raiding credit data?

Over the weekend, several news reports announced that the FBI is 
investigating the Ross Perot campaign for illegally using stolen computer 
codes to obtain credit reports on campaign workers.  Former Perot workers, 
Equifax (the credit reporting company), and Orix Consumer Leasing in 
Secaucus, NJ have admitted to reporters' questions that they have spoken to 
the FBI, but the FBI refuses to discuss the matter.  There are also reports 
that the Secret Service and the Federal Trade Commission are also involved in 
the investigation.

Equifax said that at least seventeen credit files of former Perot campaign 
workers may have been accessed, using the security code of Orix Consumer 
Leasing.  Orix says that they never requested the reports, and they believe 
that their security codes had been stolen.


Date:    Mon, 4 Jan 93 12:41 EST
From:    Lynn R Grant <Grant@DOCKMASTER.NCSC.MIL>
Subject: Car searches

The other day I got stopped by a State Trooper (for very mildly speeding),
and he asked me if I would open my briefcase, which was lying on the
seat next to me.  I asked him what he was looking for.  He said, "I just
want to make sure you don't have a gun in there, so you don't shoot me
while I'm walking back to my car."

Although he may not have been able to force me to open it without a
warrent. I did not feel too bad about opening it
for him, especially considering the number
of cops that have been getting shot on routine stops lately.  And anyway,
a cop who isn't nervous about you shooting him is less likely to
accidently shoot you.

I don't know what I would have done if I had been carrying something
illegal in my bag.

Lynn Grant


Date:    Mon, 4 Jan 93 13:22 EST
From:    Lynn R Grant <Grant@DOCKMASTER.NCSC.MIL>
Subject: Caller ID Integrity

Much has been written about the pros and cons of the loss of privacy
caused by caller ID, but I haven't seen anything about how much you
can trust the information provided by caller ID.

This could be important when billing systems are connected with caller ID.
For example, my local cable TV system connects the two for requesting
pay-per-view movies.  If you want to see the movie that is showing
on channel 51, you dial a special 800 number that ends in -5151.  The
system gets your phone number from caller ID and uses it to look up
your account.  It then sends something over the TV cable to unlock your
descrambler for that channel, and adds $4.95 to your cable TV bill (not
your phone bill).

If it were possible to send out a fake phone number, it would be possible
to harrass someone by charging a bunch of movies to his bill.  If this
scheme was used for billings for larger-ticket items, the consequenses
could be much greater.

My understanding is that caller ID sends the number information as a
burst of 1200 baud information between the first and second rings.
I also understand that caller and callee are connected between rings,
though I don't know if they are connected during the data burst.
(I base this second assumption on an article I saw in a 1983 phone
phreak newsletter about avoiding toll charges by not answering the
phone and talking between the rings.)

Would it be possible for a caller to send his own 1200 baud data burst,
which would garble the phone company's data so that no number was
recognized?  Or could he send a burst right after the phone company's,
so that the number changed before it was read by the callee?

Lynn Grant
Grant @ dockmaster.ncsc.mil

  [ Since technical followups to the above message would tend to move
    outside the charter of this digest, your moderator will insert himself
    into the flow at this point with some brief answers to the questions
    posed above, in hopes of making such followups unnecessary!

    As a practical matter, "spoofing" of caller ID (CNID) systems should not
    be a significant problem in modern, properly implemented systems.  The ID
    information is indeed transmitted between the first and second rings
    (using standard Bell 202 modem tones at 1200 bps).  However, modern
    switching systems (e.g. ESS/digital) do not normally establish a voice
    path from the caller to the callee until the callee has gone
    "off-hook"--that is, answered the phone.  Prior to such systems, (e.g.
    "step-by-step" and "crossbar" switching) there were indeed situations
    where 2-way voice paths were in place before the call was answered.  It
    was such situations that made the infamous "black box" toll fraud device
    possible when used in conjunction with those pre-ESS/digital
    switches--but normally not usable with modern switching systems.

    Most CNID decoders are based on ICs which are implemented with circuits
    that specifically look for data between the appropriate rings.  The
    ring signal is a particular voltage reference, not just an audio tone
    that could be easily spoofed, even if a voice path *did* exist prior
    to call answer, so a properly designed CNID box will not pay any attention
    to audio on the line after the call has been answered.

    The bottom line is that CNID boxes should be safe from remote spoofing
    of the sort you discuss when connected to modern, properly designed
    switching equipment--assuming that a spoofer didn't have direct
    *physical* access to the actual wire pairs leading to the customer (if
    they did have such access, they could not only wreak havoc with CNID
    but also monitor and intercept communications, of course).

    Finally, it's worth noting that most billing systems based on caller
    number (e.g. cable company ordering, pizza delivery, etc.) do *not* use
    the CNID system at all, but rather rely on a different system called ANI
    (Automatic Number Identification) which almost always involves passing
    the caller number over a special dedicated circuit--not "in-band" with
    the voice call setup in the manner of CNID.
    -- MODERATOR ]


Date:    Thu, 7 Jan 1993 17:05:04 -0800
From:    Bruce R Koball <bkoball@well.sf.ca.us>
Subject: CFP'93 Electronic Brochure

The Third Conference on Computers, Freedom and Privacy
                 9-12 March 1993
 San Francisco Airport Marriott Hotel, Burlingame, CA

The CFP'93 will assemble experts, advocates and interested 
people from a broad spectrum of disciplines and backgrounds in 
a balanced public forum to address the impact of computer and 
telecommunications technologies on freedom and privacy in society. 

Participants will include people from the fields of computer 
science, law, business, research, information, library science, 
health, public policy, government, law enforcement, public 
advocacy and many others. Some of the topics in the wide-ranging 
CFP'93 program will include:

ELECTRONIC DEMOCRACY - looking at how computers and networks 
are changing democratic institutions and processes.

ELECTRONIC VOTING - addressing the security, reliability, 
practicality and legality of automated vote tallying systems 
and their increasing use.

problems of maintaining freedom of electronic speech across 
communities and cultures.

PORTRAIT OF THE ARTIST ON THE NET - probing the problems and 
potential of new forms of artistic expression enabled by 
computers and networks.

technology to protect the privacy of personal communications 
versus the needs of law enforcement and government agencies 
to tap in.

HEALTH RECORDS AND CONFIDENTIALITY - examining the threats to 
the privacy of medical records as health care reform moves 
towards increasing automation.

THE MANY FACES OF PRIVACY - evaluating the benefits and costs 
of the use of personal information by business and 

THE DIGITAL INDIVIDUAL - exploring the increasing 
capabilities of technology to track and profile us.

the issues surrounding gender and online interaction.

THE HAND THAT WIELDS THE GAVEL - a moot court dealing with 
legal liability, responsibility, security and ethics of 
computer and network use.

the development of networking infrastructures, domestically 
and worldwide.

INTERNATIONAL DATA FLOW - analyzing the  issues in the flow 
of information over the global matrix of computer networks 
and attempts to regulate it.

The conference will also offer a number of in-depth tutorials 
on subjects including:

* Information use in the private sector
* Constitutional law and civil liberties
* Investigating telecom fraud
* Practical data inferencing
* Privacy in the public and private workplace
* Legal issues for sysops
* Access to government information
* Navigating the Internet 

For more information on the CFP'93 program and advance 
registration call, write or email to:

(510) 845-1350

A complete electronic version of the conference brochure
with more detailed descriptions of the sessions, tutorials,
and registration information is also available via anonymous
ftp from  sail.stanford.edu  in the file:  pub/les/cfp-93


End of PRIVACY Forum Digest 02.02

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2023 AOH