PRIVACY Forum Digest      Monday, 30 August 1993      Volume 02 : Issue 30

          Moderated by Lauren Weinstein (lauren@vortex.com)
            Vortex Technology, Topanga, CA, U.S.A.

                     ===== PRIVACY FORUM =====

          The PRIVACY Forum digest is supported in part by the
             ACM Committee on Computers and Public Policy.

CONTENTS
        Newton (David W. Crawford)
        Child-Prodigy or Prodigy-Child? 14-year-old triggers alarms
           (Dan Wing)
        Oh, let *us* do it for you... (Alan Wexelblat)
        Lapses of Consciousness in California (Henry Unger)
        Re: DMV vs Fainting (Mel Beckman)
        CheckFree's answer to SSN inquiry (Bob Stratton)

 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond. The
moderator will choose submissions for inclusion based on their relevance and
content. Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored. Excessive "signatures" on submissions are
subject to editing. Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com". Mailing list problems should be reported to
"list-maint@vortex.com". All submissions included in this digest represent
the views of the individual authors and all submissions will be considered
to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory.
Use the FTP login "ftp" or "anonymous", and enter your e-mail address as
the password. The typical "README" and "INDEX" files are available to guide
you through the files available for FTP access. PRIVACY Forum materials may
also be obtained automatically via e-mail through the listserv system.
Please follow the instructions above for getting the listserv "help"
information, which includes details regarding the "index" and "get"
listserv commands, which are used to access the PRIVACY Forum archive. All
PRIVACY Forum materials are also available through the Internet Gopher
system via a gopher server on site "gopher.vortex.com".

For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@vortex.com, call (310) 455-9300, or FAX
to (310) 455-2364.
-----------------------------------------------------------------------------

VOLUME 02, ISSUE 30

   Quote for the day:

        "Six drops of the Essence of Terror,
         Five Drops of Sinister Sauce..."

        "When the stirring's done,
         May I lick the spoon?"

        "Of course! Ah ha! Of course!"

                -- Professor Weirdo and Count Kook
                   "Milton the Monster" (1965-1968)

----------------------------------------------------------------------

Date:    Mon, 23 Aug 1993 00:29:14 -0700 (MST)
From:    crawford@fido.econlab.arizona.edu (David W. Crawford)
Subject: Newton

I was wondering about the security features of the Newton.

For those of you reading on comp.risks or comp.privacy, the Newton is
Apple Computer's latest toy. The first model is a PIM called "Message Pad".
Message Pad weighs one pound and can communicate via modem, fax, radio,
pager, infrared remote control beam and serial port.

I don't expect the standard issue message pad makes it up to C2 snuff
(Mitre Orange Book), or has Kerberotic file synchronization, but ...

What security features does Apple build in ?
What security hardware or software have third parties announced ?

I'm quite satisfied with the security of my powerbook using third party
software.
I'm looking for the same capability in a Newton before I depend on one.

I have a notebook Apple Macintosh (PowerBook 165c) and use a program called
Citadel made by Datawatch.

Citadel offers:

* Encryption by up to full DES on a file by file basis. The password
  to unencrypt a file is used as a basis for the encryption key, and must
  be a string of 8 to 12 case sensitive characters.

* A Shredder program that writes over deleted files at the time of
  deletion to prevent file recovery using a program like Norton Unerase
  or Datawatch Complete Undelete.

* A Disk Cleaner program that writes over all unused disk space at any
  time to prevent file recovery of deleted but unshredded files.

How I use Citadel: I keep a PIM generated database document with my bank
account numbers on my PowerBook's hard drive. I keep this data file
encrypted unless I need immediate access to this database. When I need it,
I unencrypt the datafile and load it into Aldus TouchBase, look up what I
need, close the data file, and re-encrypt the data file and shred the
unencrypted data file.

Is there a similarly secure way to maintain access to sensitive data on
a Newton ?

Citadel also

* Locks any harddisk or partition thereof, and also locks floppy drives

* Provides both a user and administrator password feature so that I can
  grant access to other users by telling them the user password. But to
  change the user password, the administrator password is needed. This
  administrator / user differentiation prevents me from being locked out
  of my machine by someone who either knows the user password or finds the
  machine in an unlocked state. The lack of permission layers is a major
  weakness of the security offered by Norton Essentials for Powerbook. If
  someone finds your PB unlocked they can make up a password and lock it
  and walk away. Citadel builds in a master administrator's password at
  the time of installation.
* A "screenlocking" option which is really a keyboard locking feature
  which can be invoked by a programmable idle time cue or by hot key.
  Screenlocking optionally erases the screen before running an AfterDark
  compatible module.

Citadel's shortcoming: there's no efficient way to protect the system
folder [directory] while allowing multiple users. Encrypting the system I
need to boot up with won't work. I need to assign user partitions and
duplicate the system so there's one copy of my 17 megabyte system folder in
each user's partition. FolderBolt by Kent Marsh offers such a feature.

Is there a way to lock a Newton so nobody else can use it ?
Is there a way to hide sensitive files ?
Is there a way to allow read access but not allow write access to files ?

Well, there's something to think about before you put your calling card
numbers into autodial.

David Crawford
crawford@fido.econlab.Arizona.EDU

------------------------------

Date:    Mon, 23 Aug 1993 14:38:44 MDT
From:    Dan Wing
Subject: Child-Prodigy or Prodigy-Child? 14-year-old triggers alarms

Something from RISKS 14.85 that might be interesting to readers of PRIVACY
digest -- Prodigy's censorship taken further than normal.

-----

Date: Fri, 20 Aug 93 12:49:36 -0700
From: harrison@cs.ubc.ca
Subject: Child-Prodigy or Prodigy-Child? 14-year-old triggers alarms

As a supposed joke, a 14-year-old Seattle-area girl sent a Prodigy message
to her boyfriend in New Jersey containing a phony death threat against
Baltimore Orioles' shortstop Cal Ripken, Jr., who is getting ever closer to
Lou Gehrig's record for consecutive games. Seattle and Baltimore were
playing in the Kingdome in Seattle, and her boyfriend is an avid Orioles'
fan. Known for its monitoring of messages, Prodigy alerted the police ---
who tightened security at the Kingdome and also camped out waiting for the
girl to return home. They apparently reprimanded the girl, but she was not
charged.
Police said she was ``very embarrassed and apologetic'' and added, ``By the
time her [28-year-old] sister got done chewing her out, that was enough.''
[Source: A UPI item datelined Seattle, 19 Aug 93, PGN Excerpting and
Extrapolating Service]

   [The news on 20 Aug 93 noted that Kingdome officials are planning on
   charging the cost of the extra security assigned to Ripken to the girl.
   - Jason]

----- End of material from RISKS -----

        [ It is worth noting that subsequent e-mail from a Prodigy
          engineer indicated that the offending message in question was
          *not* a private e-mail message, but was a message posted on a
          *public* Prodigy area. This was not clear solely from the text
          above, and was an important clarification. The person at
          Prodigy emphasized that they do not monitor private e-mail, in
          accordance with applicable law. -- MODERATOR ]

------------------------------

Date:    Mon, 23 Aug 93 17:44:55 -0400
From:    "Alan (Gesture Man) Wexelblat"
Subject: Oh, let *us* do it for you...

So, I called up Sprint to tell them I was moving and in addition to giving
me 5,000 bonus points in their buy-our-trash club for staying with them over
a move, they sent me a "We'll help you move" kit.

I expected the usual sort of advice... "Don't forget to turn off your
utilities" etc. UHaul already sent me one of those.

Instead I got a form that I could fill out which would empower Sprint to
tell all my correspondents my new address. Credit cards, magazines, clubs,
services, you name it. All I have to do is list them, and sign the form
saying Sprint has my permission to send them change of address forms for me.

What a bargain, think I. Saves me ~$20 in stamps and postcards (I get a
*lot* of magazines), not to mention hours of time.

Then I start to wonder what Sprint is going to do with all that lovely info
I'm supposed to give them. Bet they can sell it enough times to more than
recoup the cost, not to mention how it would beef up *their* marketing
database...

Bargains like this I can do without. I am tempted to fill it out with bogus
info and see if anyone is dumb enough to start sending me free issues of
'zines. But I probably won't.

--Alan Wexelblat, Reality Hacker, Author, and Cyberspace Bard
Media Lab - Advanced Human Interface Group      wex@media.mit.edu
Voice: 617-258-9168, Pager: 617-945-1842        wexelblat.chi@xerox.com

------------------------------

Date:    Mon, 23 Aug 93 15:02:50 -0700
From:    Henry Unger
Subject: Lapses of Consciousness in California

The complete text (as of 1992) of the section from the California Health
and Safety Code relating to the recent discussion on Lapses of
Consciousness is as follows. Note especially (f) below.

S410. Reporting Disorders Characterized by Lapses of Consciousness.

(a) Every physician and surgeon shall report immediately to the local
health officer in writing, the name, date of birth, and address of every
patient at least 14 years of age or older whom the physician and surgeon
has diagnosed as having a case of a disorder characterized by lapses of
consciousness. However, if a physician and surgeon reasonably and in good
faith believes that the reporting of a patient will serve the public
interest, he or she may report a patient's condition even if it may not be
required under the state department's definition of disorders characterized
by lapses of consciousness pursuant to subdivision (d).

(b) The local health officer shall report in writing to the Department of
Motor Vehicles the name, age, and address, of every person reported to it
as a case of a disorder characterized by lapses of consciousness.

(c) These reports shall be for the information of the Department of Motor
Vehicles in enforcing the Vehicle Code, and shall be kept confidential and
used solely for the purpose of determining the eligibility of any person to
operate a motor vehicle on the highways of this state.

(d) The state department, in cooperation with the Department of Motor
Vehicles, shall define disorders characterized by lapses of consciousness
based upon existing clinical standards for that definition for purposes of
this section and shall include Alzheimer's disease and those related
disorders which are severe enough to be likely to impair a person's ability
to operate a motor vehicle in the definition. The state department, in
cooperation with the Department of Motor Vehicles, shall list those
circumstances which shall not require reporting pursuant to subdivision (a)
because the patient is unable to ever operate a motor vehicle or is
otherwise unlikely to represent a danger which requires reporting. The
state department shall consult with professional medical organizations
whose members have specific expertise in the diagnosis and treatment of
those disorders in the development of the definition of what constitutes a
disorder characterized by lapses of consciousness as well as definitions of
functional severity to guide reporting so that diagnosed cases reported
pursuant to this section are only those where there is reason to believe
that the patients' conditions are likely to impair their ability to operate
a motor vehicle. The state department shall complete the definition on or
before January 1, 1992.

(e) The Department of Motor Vehicles shall, in consultation with the
professional medical organizations specified in subdivision (d), develop
guidelines designed to enhance the monitoring of patients affected with
disorders specified in this section in order to assist with the patients'
compliance with restrictions imposed by the Department of Motor Vehicles on
the patients' licenses to operate a motor vehicle. The guidelines shall be
completed on or before January 1, 1992.

(f) A physician and surgeon who reports a patient diagnosed as a case of a
disorder characterized by lapses of consciousness pursuant to this section
shall not be civilly or criminally liable to any patient for making any
report required or authorized by this section.

(Amended by Stats 1987 ch 321 S1; Stats 1990 ch 911 S2, eff. 1/1/91.)

------------------------------

Date:     Thu, 26 Aug 93 13:28:18 PST
From:     mbeckman@mbeckman.mbeckman.com (Mel Beckman)
Reply-To: mbeckman@mbeckman.com
Subject:  Re: DMV vs Fainting

In a message dated 8/16 Brett Glass writes:

> To determine whether this was true or not, I interviewed Celeste, a
> physician's nurse at Kaiser Permanente's Redwood City health clinic.
> (Because she fills out the forms, she needs to understand exactly what the
> law requires.) She says that a report must be filed with the DMV "ANYTIME
> a patient has a lapse of consciousness, or even a change in mental status
> (such as disorientation)." According to Celeste, the law makes no
> exceptions for lapses of consciousness whose cause is known. (Anaesthesia,
> incidentally, is not considered to be a "lapse" of consciousness.)

This doesn't show what the law is -- only one PN's interpretation of it.
According to the DMV she is wrong, probably due to misinterpreting the
phrase "disorders characterized by lapse of consciousness" as "lapse of
consciousness".

I have reviewed the specific text of the statute (S410) with the DMV's
Driver Control Division. According to them, it is _unexplained_ lapse of
consciousness and _recurrable_ LOCs that they're interested in, not simply
"any" LOC. They also said that the LOC must be witnessed by a medical
doctor, specifically the diagnosing physician, -- not anecdotal (e.g. an EMT
remarking "I think she passed out") to be considered in the DMV's
evaluation.

That's for the _unexplained_ LOCs. The law only calls for reporting
"disorders characterized by lapse of consciousness" -- whether or not a
lapse is observed by a physician.
For example, EKG-detected epilepsy, or test-detected diabetes. Note that
this is the *only* thing the law asks for -- it never requires reporting of
the LOC incidents themselves, only _disorders_ characterized by LOC.

So, while the DMV wants to hear about unexplained LOCs, the law does not
require reporting these. Reporting is only required upon diagnosis, and then
only when a specific LOC-characterized disorder is diagnosed. According to
the DMV, the Department of Health Services is producing a list of conditions
that are reportable. As of today, the DMV emphasized that unexplained losses
are not required by law, but can be reported at the physician's option.

The DMV also pointedly stated that no reporting is EVER REQUIRED OR
REQUESTED for isolated episodes of LOC, such as heat prostration, etc. and
that the DMV will not take any action against a driver even if a physician
should choose to report such episodes.

BTW, the DMV's official definition of LOC disorders is:

   "Persons subject to losses of consciousness or episodes of marked
   confusion resulting from neurological disorders, senility, diabetes
   mellitus, cardiovascular disease, alcoholism, or excessive use of
   alcohol sufficient to bring about blackouts."

The privacy problems reported are likely due to *some* physicians going
overboard on reporting, just as *some* physicians go overboard on tests,
etc. My wife, a cardiac surgical RN, says nobody on her staff knows anything
about filing LOC reports with the DMV, and as virtually every patient
undergoing cardiac procedures goes in and out of consciousness in the days
postop, they'd have a tremendous burden filing the DMV paperwork! (The DMV,
incidentally, told me that such lapses are definitely not reportable).

Anytime someone makes a statement claiming "all", "every", or "any", suspect
the statement (including this one).

The DMV has a legitimate need to be notified of LOC conditions, and the
requirement for physicians is not onerous, as implied by others' comments
here. While there may be isolated cases of abuse, as there are with most
every law, the problem is not the law but individuals who overstep their
authority.

  -mel
________________________________________________________________________
| Mel Beckman                  | Internet: mbeckman@mbeckman.com       |
| Beckman Software Engineering | Compuserve: 75226,2257                |
| Ventura, CA 93003            | Voice/fax: 805/647-1641 805/647-3125  |
|______________________________|_______________________________________|

------------------------------

Date:    Thu, 26 Aug 1993 18:00:25 -0500
From:    Bob Stratton
Subject: CheckFree's answer to SSN inquiry

Hello all,

I recently sent a note to the operators of the "CheckFree" electronic
bill payment service via GEnie. In my note, I asked why they requested
the SSN in their service application and whether they'd consider
another choice for a unique identifier for customers. I also briefly
described problems with the use of the SSN, such as the lack of a
check digit mechanism, etc.

Here's the reply I received. I should have learned by now, but as an
engineer in the computer industry, I'm continually surprised at how
complacent people are about their choices for database keys and unique
identifiers.

From the almost terse tone, I can't help but wonder whether more than
a few people have asked this question, and they're tired of answering
it.

=== forwarded message follows ===

Item    9467013                 93/07/26        12:20
From:   CHECKFREE                       CheckFree Mall Store
To:     R.STRATTON32                    Robert J. Stratton 3rd
Sub: Customer Inquiry

Reply:  Item #7307514 from R.STRATTON32 on 93/07/24 at 08:19

Dear Bob,

Thank you for your interest into the CheckFree bill payment service. To
answer your question about SSN#'s, we ask for the SSN#, for ID purposes
only.
Since this number is unique to you and you alone, no one else has it, thus
preventing problems on our system. Also, if a court order comes down to
where we are told to pull your records ( IRS,etc...) the SSN# would be
there. Basically, since we started this company in 1981, we have had no
problem with using the SSN#'s. We do not have an alternative and are not
going to develop one. This works just fine.

thank you again, for your interest into CheckFree.

Sincerely,
Sales

===forwarded message ends===

Bob Stratton
Engineer, InterCon Systems Corp.
+1 703 709 5525 (Office)

------------------------------

End of PRIVACY Forum Digest 02.30
************************