PRIVACY Forum Digest      Saturday, 23 March 1996      Volume 05 : Issue 07

            Moderated by Lauren Weinstein (lauren@vortex.com)
              Vortex Technology, Woodland Hills, CA, U.S.A.

                        ===== PRIVACY FORUM =====

    -------------------------------------------------------------------
    The PRIVACY Forum is supported in part by the ACM (Association for
    Computing Machinery) Committee on Computers and Public Policy,
    "internetMCI" (a service of the Data Services Division of MCI
    Telecommunications Corporation), and Cisco Systems, Inc.
                                 - - -
    These organizations do not operate or control the PRIVACY Forum in
    any manner, and their support does not imply agreement on their
    part with nor responsibility for any materials posted on or
    related to the PRIVACY Forum.
    -------------------------------------------------------------------

CONTENTS
    Privacy Briefs (Lauren Weinstein; PRIVACY Forum Moderator)
    Re: Flying the friendly skies anonymously (Colin Rafferty)
    Code grabbers for garage door openers (bartdoug@cts.com)
    Re: Garage Door Openers (Tad Cook)
    Re: Garage Door Openers (Phil Karn)
    Privacy on the Internet: A Survey (Martina Schollmeyer)
    Credit Card Info Via the Web? (Stephen Satchell)
    Netscape's magic cookie (Andrew Hagen)
    Doctors Group Criticizes Senate Medical Bill [From EPIC Alert]
       (Marc Rotenberg)

 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.
All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com".

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via
WWW access.
-----------------------------------------------------------------------------

VOLUME 05, ISSUE 07

   Quote for the day:

      "If Thomas Edison had had you helping him,
       we'd all be watching gas television."
            -- Grandpa ("The Count") Munster (Al Lewis),
               to Herman Munster (Fred Gwynne)
               "The Munsters" (CBS, 1964-1966)

----------------------------------------------------------------------

Privacy Briefs (from the Moderator)

---

The battle over sales of mailing lists has taken a new twist, with concerns
that information about children, including names, ages, addresses, and other
personal info, is often available from readily obtainable commercial mailing
lists.  Parents have been advised to think twice about including information
regarding their children on the survey forms that accompany many
products--the apparent source for much of this data.

---

A couple who has refused to let local officials in their community inspect
the *inside* of their home, part of an annual "safety" inspection mandated
by their local ordinances, is facing legal action.  The couple feels that
such an inspection amounts to an unreasonable search.  Some other residents
of the community have stated that they think the inspections are a great
idea, and that they feel more secure as a result.

------------------------------

Date:    12 Mar 1996 11:19:37 -0500
From:    craffert@ml.com (Colin Rafferty)
Subject: Re: Flying the friendly skies anonymously

In talking about "Flying the friendly skies anonymously", Wulf Losee writes:

> It occurs to me that the days when one could anonymously purchase a
> ticket with cash are over.

Actually, it has been longer than you think since you could really travel
anonymously by plane.

In 1986, I tried to buy a plane ticket at the airport with cash.  Of course,
they had to find a manager to figure out how to accept cash payments.

When they asked me for ID, I asked why they needed it, since I wasn't using
a credit card or check.  They said it was an FAA regulation for people
paying cash.

Maybe that regulation was what killed People's Express (the flying bus).
-- 
Colin Rafferty

------------------------------

Date:    Tue, 12 Mar 96 22:49:55 PST
From:    bartdoug@cts.com (That Doug Guy)
Subject: Code grabbers for garage door openers (Re: V 05-06)

----------- Begin Quoted Text ----------------------------
Date:    Mon, 26 Feb 1996 14:50:33 -0500
From:    Carl Minie

Greetings:

I have heard several "teasers" for local and/or national news programs
lately which promise to tell me how a crook could get into my house "with
the touch of a button".  I never watch TV long enough to hear the actual
program, but I assume they are referring to machines which cycle through the
limited number of infrared frequencies and/or patterns used by garage door
openers until they hit the one that opens your garage door.
---------- End Quotation -------------------------

While such devices do exist, the local (San Diego, California, USA) media
has been all a-buzz lately over devices known as "code-grabbers" which a
thief can use to steal the actual code and frequency used by your garage
door opener.  I am an amateur radio operator and scanner enthusiast, and see
ads for these devices regularly in the equipment catalogs I'm sent.  I have
no personal experience with these devices, but the word is that they work
quite well.

As the moderator noted, there are high-tech garage door openers on the
market that use a pseudo-random code generation scheme that allows the door
and the opener to agree on the next code in line, preventing the possibility
of using the same code twice in a row.

This issue is discussed occasionally in the newsgroups alt.radio.scanner and
rec.radio.scanner for those interested in further information.

Blessings,
Doug

------------------------------

Date:    Wed, 13 Mar 1996 10:10:08 -0800 (PST)
From:    Tad Cook
Subject: Re: Garage Door Openers

Carl Minie asked about the TV news stories on opening garage doors, and
suspected that there was some kind of hi tech method of scanning through
available combinations.
Actually what these TV news stories were showing was that many (or most?)
owners of garage door openers don't bother to change the combination on the
unit when they install it.  Since there are so many that are out there with
the default factory code, it's a simple matter to drive around with a remote
from one of these units and watch the doors open.  A friend of mine
discovered this a few years ago, and was even opening the doors on
commercial buildings and condos.

tad@ssc.com | Tad Cook | Seattle, WA | KT7H

------------------------------

Date:    Wed, 13 Mar 1996 00:42:51 -0800 (PST)
From:    Phil Karn
Subject: Re: Garage Door Openers

Regarding garage-door openers and RF sniffers for same, somewhere I have a
newspaper clipping of this attack actually being done in California within
the past few years.

If you have an alarm system, put a switch on the garage door itself and wire
it up on its own zone with an entry delay, just like you'd alarm any other
exterior door.  After you open the door with the remote control, you have so
many seconds to disarm the alarm or it sounds.  My system has a "secondary
entrance loop" that's ideal for this purpose as it lets me set its entrance
delay separately from the front door.

This seemed like an obvious configuration to me, but my local alarm dealer
tried to sell me a bypass relay that simply shunted the garage door alarm
switch whenever the light on the door opener was on -- as it would be
whenever the door is opened with the remote control.  The big problem here
is that someone who steals or spoofs your remote control could enter your
garage and close the door behind him without ever tripping the alarm.  I was
rather surprised that a "security professional" would suggest such a
configuration, and I fear that may mean it is common.

Another safeguard, of course, is to unplug your garage door opener when
you're away on an extended trip.

Phil

    [ I received a number of other submissions on this topic.
      The bottom line is that as with most other security issues, there
      is a range of protection available, from weak to strong, depending
      upon your needs and desires.  -- MODERATOR ]

------------------------------

Date:    Wed, 13 Mar 1996 15:54:50 +0100
From:    Martina Schollmeyer
Subject: Privacy on the Internet: A Survey

SECURITY, PRIVACY, COSTS AND MARKETING ON THE INTERNET: A SURVEY

Once again, the Centre for Technology Studies (University of Lethbridge,
Lethbridge, Canada) is embarking on an Internet venture to shed some light
on various issues affecting our privacy and the electronic media.

Current attempts by U.S. Congress and the House of Representatives,
Compuserve in Bavaria, the European Union and many others to censor our
information and/or limit our freedom of speech through regulation and the
gathering of data make this privacy survey a timely issue.

The Centre for Technology Studies is conducting this research in
collaboration with a team of researchers from the University of the German
Federal Armed Forces at Hamburg and Texas A&M-Corpus Christi.  The study is
strictly confidential and only aggregate results will be used.  The study
runs from March 15 through May 15, 1996.

We would appreciate if you could help us in disseminating this information
as widely as possible.  For ease of access to the survey, please point your
browser to either of the two sites listed below:

   http://www.unibw-hamburg.de/WWEB/bwl/urs/intro.html

OR

   http://www.sci.tamucc.edu/~martinas/Survey/intro.html

We would appreciate also if you could let your friends and colleagues know
about this project.  If you have any questions or comments, please contact
Dr. Urs Gattiker (urs.gattiker@unibw-hamburg.de) or, for questions about the
page itself, Martina Schollmeyer (martina@unibw-hamburg.de).

Sincerely,

Urs E. Gattiker
University of the German Federal Armed Forces at Hamburg
                                         phone: (+49)(40) 6541-2889
FB WOW                                   fax:   (+49)(40) 6541-2780
Holstenhofweg 85
22039 Hamburg/Germany

------------------------------

Date:    Sat, 16 Mar 96 05:05:28 EST
From:    ssatchell@BIX.com
Subject: Credit Card Info Via the Web?

When talking to a billing agent at one of the Visa issuers, I was told that
the particular Visa provider was going to make information on credit cards
and transactions available via the Web.

With the history of banks, with their phone-in account systems using SSNs
(or pieces of SSNs) as PINs, what can we expect from the credit card people
in the way of security?

Anyone know the details?  Is this something that will be dumped out, or does
a credit card user have to subscribe before all the info is available via
the World Wide Web?

Stephen Satchell
Incline Village, NV
ssatchell@bix.com

    [ Many entities (e.g. banks) providing financial transaction history
      information and related data over the net have (at least so far)
      typically required the customer to explicitly request that their
      data be made available in that manner.  This leaves open the
      questions of how secure the mechanisms are for making this request,
      exactly what data will be made available, and whether or not a
      given customer would want such financial transaction history
      information flowing over the net at all.  -- MODERATOR ]

------------------------------

Date:    Sat, 16 Mar 96 13:53:28 0600
From:    ah@rrnet.com (Andrew Hagen, symbolic analyst)
Subject: Netscape's magic cookie

Recently Netscape Communications Corp. CEO James Clark revealed in a speech
that the Netscape home page sends a "magic cookie" in the form of a unique
identification number to each Netscape Navigator browser the first time it
visits.  Apparently the ID number is tied to demographic information and
other items of interest to companies who are trying to sell their products
to Internet users.
My question is whether this ID number can be accessed by home pages of other
companies seeking additional information about who browses their site.  For
example, can Widgets-R-Us buy a database from Netscape that links the 20
million Navigator users to information about every individual's income,
social security number, credit history, habits, likes & dislikes, medical
records, educational achievements, address, phone number and anything else
that Widgets-R-Us might want?

We must assume that this is the case.  In my opinion this constitutes a
grievous threat to privacy on the Internet.

-- 
Andrew Hagen, symbolic analyst
e-mail ah@rrnet.com
http://rrnet.com/~ah/

    [ I don't think it's justified to *assume* that Netscape makes any
      particular data available, so we shouldn't simply assume a threat
      exists.  However, it would certainly be useful if Netscape would
      publicly explain any data collection practices, and let us know how
      that info is used, to which outside entities (if any) it is made
      available, and in what form (e.g. summary aggregated data, detailed
      data, etc.) it is reported.  I would welcome a statement from
      Netscape on these issues here in the Forum.  -- MODERATOR ]

------------------------------

Date:    18 Mar 1996 16:46:11 -0500
From:    "Marc Rotenberg"
Subject: Doctors Group Criticizes Senate Medical Bill [From EPIC Alert]

    [ From EPIC Alert 3.06; March 18, 1996 ]

The American Medical Association has written to Sen. Nancy Kassebaum (R-KS)
urging the Senate to revise S. 1360, the Medical Records Confidentiality Act
of 1995, before enacting it into law.  The AMA cited inadequate privacy
safeguards as the primary problem.

The AMA called for substantial changes to the bill:

   "The bill as introduced does not assure adequate confidentiality
   protections for personally identifiable medical information, and the
   AMA would discourage the Senate Labor and Human Resources Committee
   from reporting such language without significant reexamination and
   modification."
The AMA recommended several changes to the bill, including limiting
disclosures of personally identifiable information, requiring law
enforcement to obtain a warrant based on a "probable cause" showing that the
particular information is needed for an immediate law enforcement purpose,
preventing the use of personally identifiable information for research
without the consent of the patient, and limiting federal pre-emption to
allow states to enact stronger laws.

The committee is expected to consider the comments of the AMA as well as the
proposal of the Medical Privacy Coalition, a group that includes the
Coalition for Patient Rights, the Justice Research Institute, EPIC, the
Consumer Project on Technology, the ACLU, and others, and mark-up the bill
in early May.

More information on medical privacy is available at:

   http://www.epic.org/privacy/medical/

------------------------------

End of PRIVACY Forum Digest 05.07
************************