Subject: RISKS DIGEST 16.45
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Monday 10 October 1994  Volume 16 : Issue 45

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for information on RISKS (comp.risks) *****

Contents: [Only issue this week.]
Anonymity and the Stock Markets... (Peter Wayner)
ICL loses 1.3m pounds poll-tax case (Jonathan Bowen)
AOL sells its subscriber list (David L. Gehrt)
Twins out of luck in Brazil (Debora Weber-Wulff)
Confidential information passed on (Nik Clayton)
Privacy Digests -- and Digital Telephony (PGN)
CFP for CFP'95 (Computers, Freedom, and Privacy) (Carey Heckman)
CALL for PAPERS: EUROCRYPT '95 (Jean-Jacques Quisquater)
Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

----------------------------------------------------------------------

Date: Fri, 7 Oct 1994 22:59:20 -0500
From: pcw@access.digex.net (Peter Wayner)
Subject: Anonymity and the Stock Markets...

People embroiled in the debate over anonymity on the networks might want to check out an article entitled "Reuter's Instinet is Biting Off Chunks of Nasdaq's Territory" in the October 4th edition of the Wall Street Journal (p. C1).

The article doesn't deal directly with anonymity-- it just charts the success of Reuter's Instinet, a computer network that matches up buyers and sellers of large blocks of stock. The article mentions that many clients selling large blocks of stock turn to the Instinet because it is anonymous. Its main competitors are not. It reads, "Large investors, who wish to keep their long or short positions confidential, especially want to avoid tipping other investors off about their bets in the volatile, mostly small-capitalization over-the-counter market."

Ideally, this feature allows the market to be more efficient and more fair.
People who just happen to be selling, say, Apple Computer Company stock to say, Motorola, won't be able to use their casually acquired knowledge. (Just a hypothetical example.) Another chance for "insider" like trading is gone.

This anonymity, though, is almost certainly not absolute. The SEC would probably be able to unwind the trades if they needed to do so. But I'm just guessing about this.

------------------------------

Date: Mon, 10 Oct 94 09:58:46 BST
From: Jonathan.Bowen@comlab.oxford.ac.uk
Subject: ICL loses 1.3m pounds poll-tax case

Front page news in "Computing", 6 October 1994:

Headline: ICL loses 1.3m pounds poll tax case

In a landmark award, St Albans City Council has won a 1.3m pounds High Court judgement against ICL for supplying flawed poll tax software, precipitating a flood of similar claims against the supplier.

Monday's judgement has industry-wide implications because the judge in the case, Mr Justice Scott Baker, ruled that a clause in ICL's standard contract limiting the supplier's liability if problems arose did not apply under the Unfair Contract Terms Act 1977.

Notes:
1. "Computing" is a UK computing industry weekly newspaper.
2. ICL is a Japanese owned UK based computer company.
3. 1.3m UK pounds is approximately $2 US million.
4. The "poll tax" was the abortive uniform local tax on individuals introduced by the Conservative government under Mrs Thatcher, but now replaced due to public resistance.

Jonathan Bowen, Oxford University Computing Laboratory, Programming Research,
Wolfson Building, Parks Road, Oxford OX1 3QD UK  Jonathan.Bowen@comlab.ox.ac.uk

------------------------------

Date: Wed, 05 Oct 1994 10:03:16 -0700
From: "David L. Gehrt - RIACS"
Subject: AOL sells its subscriber list

On the front page of the business section of the San Jose Mercury today (5 Oct 1994) is an article describing one of the most egregious privacy violations I have heard of.
America Online, described in the article as the fastest growing on-line service providers, has or appears to be ready to peddle subscriber information. The kind of information collected by AOL upon sign up is (IMHO) excessive. My wife signed up and I nearly told her to find another service provider and if she had known about the possibility that the info would be sold I am sure that she would have not signed up.

According to the article the information which might be included in the sale of AOL subscriber info includes: "...name, gender, address, income, family, type of computer equipment, and payments to the company."

My hope is that other subscribers will rise up in anger and convince AOL that this invasion of their privacy will cost them more $$$ in lost subscribers than they can hope to gain via the sale of the info.

David L. Gehrt

------------------------------

Date: 5 Oct 1994 15:42:41 GMT
From: weberwu@tfh-berlin.de (Prof Weber-Wulff)
Subject: Twins out of luck in Brazil

The German daily newspaper "Tagesspiegel" notes this past weekend that for any set of twins (or triplets, etc.), in Brazil, only one may register to vote for the upcoming election. Seems the unique key for the voter registration form consists of the names of the parents and the birthdate. It was noted that the problem could not be corrected in time for the election, presumably there will be a number of people contesting the election.

Debora Weber-Wulff, Technische Fachhochschule Berlin, FB Informatik,
Luxemburger Str. 10, 13353 Berlin, Germany  email: weberwu@tfh-berlin.de

------------------------------

Date: Wed, 28 Sep 94 12:57:09 +0100
From: Nik Clayton
Subject: Confidential information passed on

"Watchdog", a consumer affairs television program shown on the BBC, Monday 26th September, reported on the experiences of a customer of Dixons (a computer and other electrical goods retailer).
The customer had bought a PC from them, and had used it extensively, writing letters, doing business and accounts and so on.

The PC started to malfunction, the symptoms being wrong characters generated by the keyboard. For example, "w" translated to an "f" and so on.

Dixons said that they couldn't fix it, but would charge UKP 250 for an upgrade to a new machine. The customer agreed to this, and told them, before he gave the computer back, that he had confidential information stored on it, and would they remove it for him. Dixons agreed to this.

6 months later, he received a phone call from a family who had purchased his old computer from Dixons, saying that they had found his data still on the computer.

RISKS: Obviously, the retention of the data is a large risk. But in addition, I think there are several others.

Most obvious is the fact that the customer, while storing important information on the machine had made no efforts to make it secure. The situation could have been much worse if the computer had been stolen, or if his children had access to the data to change it.

Other risks include believing what the retailer tells you. We weren't told any more technical information about the problem with the machine, but it looked very much as though either the keyboard was faulty, or, more likely, that one of the keyboard drivers had become corrupted. Certainly not something that should cost UKP 250 to fix.

Also, the second owners of the machine believed that what they were getting was brand new, with the caveat that it had been used as a display machine. Obviously, it wasn't. But even if it had been a display machine, it should be a trivial matter to walk into one of the stores and put a virus on many of the machines available. This could cause havoc for first time buyers.

Nik

------------------------------

Date: Mon, 10 Oct 94 09:00:10 EDT
From: Neumann@csl.sri.com (Peter G. Neumann)
Subject: Privacy Digests -- and Digital Telephony

Periodically I remind you of TWO useful digests related to privacy, both of which are siphoning off some of the material that would otherwise appear in RISKS, but which should be read by those of you vitally interested in privacy problems. RISKS continues to carry general discussions in which risks to privacy are a concern.

The most recent issues of PFD and CPD include extensive material on the newly passed Digital Telephony Bill that now awaits Presidential signature. Because of the extraordinary volume of that material, we do not attempt to cover the issues here. If you are seriously interested in the discussions on privacy, I recommend you try BOTH digests for a while (free trial subscriptions are terrific, but especially when the long-term subscriptions are also free AND, perhaps more important, you don't wind up on anyone ELSE's mailing list!).

* The PRIVACY Forum Digest (PFD) is run by Lauren Weinstein. He manages it as a rather selectively moderated digest, somewhat akin to RISKS; it spans the full range of both technological and non-technological privacy-related issues (with an emphasis on the former). For information regarding the PRIVACY Forum, please send the exact line:

     information privacy

  as the BODY of a message to "privacy-request@vortex.com"; you will receive a response from an automated listserv system. To submit contributions, send to "privacy@vortex.com".

* The Computer PRIVACY Digest (CPD) (formerly the Telecom Privacy digest) is run by Leonard P. Levine. It is gatewayed to the USENET newsgroup comp.society.privacy. It is a relatively open (i.e., less tightly moderated) forum, and was established to provide a forum for discussion on the effect of technology on privacy. All too often technology is way ahead of the law and society as it presents us with new devices and applications. Technology can enhance and detract from privacy.
  Submissions should go to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

There is clearly much potential for overlap between the two digests, although contributions tend not to appear in both places. If you are very short of time and can scan only one, you might want to try the former. If you are interested in ongoing detailed discussions, try the latter. Otherwise, it may well be appropriate for you to read both, depending on the strength of your interests and time available.

PGN

------------------------------

Date: Thu, 6 Oct 1994 06:12:05 -0700 (PDT)
From: Carey Heckman
Subject: CFP for CFP'95! (Computers, Freedom, and Privacy)

Call for Participation - CFP'95
The Fifth Conference on Computers, Freedom and Privacy
Sponsored by the ACM SIGCOMM, SIGCAS, SIGSAC and Stanford Law School
28 - 31 March 1995
San Francisco Airport Marriott Hotel, Burlingame, California

INVITATION

This is an invitation to submit session and topic proposals for inclusion in the program of the Fifth Conference on Computers, Freedom and Privacy. Proposals may be for individual talks, panel discussions, debates, or other presentations in appropriate formats. Proposed topics should be within the general scope of the conference, as outlined below.

SCOPE

The advance of computer and telecommunications technologies holds great promise for individuals and society. From convenience for consumers and efficiency in commerce to improved public health and safety and increased participation in democratic institutions, these technologies can fundamentally transform our lives. New computer and telecommunications technologies are bringing new meanings to our freedoms to speak, associate, be left alone, learn, and exercise political power.

At the same time these technologies pose threats to the ideals of a just, free, and open society. Personal privacy is increasingly at risk from invasion by high-tech surveillance and eavesdropping.
The myriad databases containing personal information maintained in the public and private sectors expose private life to constant scrutiny. Political, social, and economic fairness may hinge on ensuring equal access to these technologies, but how, at what cost, and who will pay?

Technological advances also enable new forms of illegal activity, posing new problems for legal and law enforcement officials and challenging the very definitions of crime and civil liberties. But technologies used to combat these crimes can threaten the traditional barriers between the individual and the state.

Even such fundamental notions as speech, assembly and property are being transformed by these technologies, throwing into question the basic Constitutional protections that have guarded them. Similarly, information knows no borders; as the scope of economies becomes global and as networked communities transcend international boundaries, ways must be found to reconcile competing political, social, and economic interests in the digital domain.

The Fifth Conference on Computers, Freedom and Privacy will assemble experts, advocates and interested people from a broad spectrum of disciplines and backgrounds in a balanced public forum to explore and better understand how computer and telecommunications technologies are affecting freedom and privacy in society. Participants will include people from the fields of computer science, law, business, research, information, library science, health, public policy, government, law enforcement, public advocacy, and many others.
Topics covered in previous CFP conferences include:

     Personal Information and Privacy
     Access to Government Information
     Computers in the Workplace
     Electronic Speech, Press and Assembly
     Governance of Cyberspace
     Role of Libraries on the Information Superhighway
     Law Enforcement and Civil Liberties
     Privacy and Cryptography
     Free Speech and the Public Communications Network

We are also actively seeking proposals with respect to other possible topics on the general subject of computers, freedom and privacy. Some new topics we are considering include:

     Telecommuting: Liberation or Exploitation?
     Courtesy, and the Freedom to be Obnoxious
     Commercial Life on the Net
     How Does the Net Threaten Government Power?
     Universal Access to Network Services
     The Meaning of Freedom in the Computer Age
     Online Interaction and Communities
     Government-Mandated Databases

PROPOSAL SUBMISSION

All proposals should be accompanied by a position statement of at least one page, describing the proposed topic. Proposals for panel discussions, debates and other multi-person presentations should include a list of proposed participants and session chair. Proposals should be sent to:

     CFP'95 Proposals
     Stanford Law and Technology Policy Center
     Stanford Law School
     Stanford, California 94305-8610

or by email to:

     cfp95@forsythe.stanford.edu

with the word "Proposal" in the subject line. Proposals should be submitted as soon as possible to allow thorough consideration for inclusion in the formal program. The deadline for submissions is 1 November 1994.

STUDENT PAPER COMPETITION

Full time students are invited to enter the student paper competition. Winners will receive a scholarship to attend the conference and present their papers. Papers should not exceed 2,500 words and should examine how computer and telecommunications technologies are affecting freedom and privacy in society. All papers should be submitted to Professor Gary T. Marx by 20 November 1994.
Authors may submit their papers either by sending them as straight text via email to:

     Gary.Marx@colorado.edu

or by sending six printed copies to:

     Professor Gary T. Marx
     University of Colorado
     Campus Box 327
     Boulder, Colorado 80309-0327
     (303) 492-1697

Submitters should include the name of their institution, degree program, and a signed statement affirming that they are a full-time student at their institution and that the paper is an original, unpublished work of their own.

INFORMATION

For more information on the CFP'95 program and advance registration, as it becomes available, write to:

     CFP'95 Information
     Stanford Law and Technology Policy Center
     Stanford Law School
     Stanford, California 94305-8610

or send email to:

     cfp95@forsythe.stanford.edu

with the word "Information" in the subject line.

THE ORGANIZERS

General Chair

     Carey Heckman
     Stanford Law School
     Stanford Law & Technology Policy Center
     Stanford, CA 94305-8610
     415-725-7788 (voice)
     415-725-1861 (fax)
     ceh@leland.stanford.edu

To discuss potential CFP'95 speakers, topics, and formats, and to receive additional CFP'95 information, subscribe to the CFP95 list. Send to cfp95@lists.stanford.edu a plain text message consisting of subscribe cfp95.

Program Committee

     Sheri Alpert, Internal Revenue Service
     Judi Clark, ManyMedia
     Kaye Caldwell, Software Industry Coalition
     Esther Dyson, EDventure Holdings
     Mike Godwin, Electronic Frontier Foundation
     Peter Harter, National Public Telecommuting Network
     Lance J. Hoffman, George Washington University
     Ellen Kirsh, America OnLine
     Bruce R. Koball, Motion West
     Gary T. Marx, University of Colorado
     Mitch Ratcliffe, Digital Week
     Marc Rotenberg, Electronic Privacy Information Center
     Deborah Runkle, American Association for the Advancement of Science
     Barbara Simons, USACM
     Ross Stapleton-Gray, Georgetown University
     Glenn Tenney, Fantasia Systems
     Jeff Ubois, Author and Consultant
     J. Kent Walker, Jr., Department of Justice

[Affiliations are listed for identification only.]
------------------------------

Date: 29 Sep 1994 14:47:11 GMT
From: jjq@dice.ucl.ac.be (Jean-Jacques Quisquater)
Subject: CALL for PAPERS: EUROCRYPT '95

EUROCRYPT '95
May 21 - 25, 1995, Saint-Malo, France

FINAL CALL FOR PAPERS

General information

Eurocrypt '95 continues the tradition of European IACR conferences dedicated to the theory and applications of cryptologic techniques. Original papers are solicited on all aspects of cryptology.

Topics of interest

The topics of interest include but are not limited to:

     . Applications
     . Authentication
     . Combinatorial aspects
     . Computational complexity aspects
     . Computer security aspects
     . Conventional cryptosystems
     . Cryptanalysis
     . Cryptographic hash functions
     . Digital signatures
     . Electronic money
     . Foundation and theory
     . Implementation aspects
     . Information theoretical aspects
     . Key distribution
     . Number theoretical aspects
     . Practical aspects
     . Protocols
     . Pseudo randomness
     . Public key
     . Secret sharing
     . Standards
     . Voting systems
     . Zero knowledge

Instructions for authors

Send a cover letter, one title page and 18 copies of an extended abstract to be received by November 21, 1994, (or postmarked by November 10, 1994 and sent via airmail). The title page should contain the title, the name of the authors, their phone and fax numbers, their postal and e-mail address and the abstract.

The extended abstract should start with the title and the abstract, but should be anonymous (Please, reserve the acknowledgments for the final version of the paper). This should be followed by a succinct statement appropriate for a non-specialist reader specifying the subject addressed, its background, the main achievements, and their significance to cryptology. Technical details directed to the specialist should then follow. A limit of 10 single-spaced pages of 12pt type (not counting the bibliography and clearly marked appendices) is placed on all submissions.
Since referees are not required to read the appendices, the paper should be intelligible without them. Abstracts that have been or will be submitted in parallel to other conferences or workshops that have proceedings are not eligible for submission to Eurocrypt. The authors must state compliance to this rule in their cover letter. A LaTeX style file and an example of a cover letter will be available.

Conference proceedings

Eurocrypt '95 will be the first Eurocrypt conference where proceedings will be available at the meeting. The proceedings will be published in the Springer-Verlag's Lecture Notes in Computer Science. Clear instructions about the final copy will be sent to the authors. The final copies of the accepted papers will be due on March 6, 1995. Authors of accepted papers must guarantee that their paper will be presented at the conference.

A limited number of stipends are available to those unable to obtain funding to attend the conference. Students whose papers are accepted and who will present themselves are encouraged to apply if such an assistance is needed. Requests for stipends should be addressed to the general chairperson.

Program Committee

Chaired by Louis Guillou, the following persons are the Members of the Program Committee:

     Mihir Bellare
     Johannes Buchmann
     Mike Burmester
     Paul Camion
     Donald W. Davies
     Amos Fiat
     Hideki Imai
     Lars Knudsen
     Ueli Maurer
     Birgit Pfitzmann
     Jean-Jacques Quisquater
     Ronald Rivest
     Jacques Stern
     Douglas Stinson
     Moti Yung
     Gideon Yuval

Important information

     Submission receipt deadline: November 21 (or postmarked airmail: November 10)
     Notification sent to authors: January 23
     Final copies due: March 6

Send submissions to:

     Louis Guillou, Program Chair
     CCETT (Eurocrypt '95)
     4, rue du Clos Courtel
     F-35512 Cesson-Se'vigne' Cedex
     FRANCE
     Tel: +33 99 12 42 47
     Fax: +33 99 84 56 00
     Email: iacr95@ccett.fr

For other information, contact:

     Franc,oise Scarabin, General Chair
     CCETT (Eurocrypt '95)
     4, rue du Clos Courtel
     F-35512 Cesson-Se'vigne' Cedex
     FRANCE
     Tel: +33 99 12 41 98
     Fax: +33 99 12 40 98
     Email: iacr95@ccett.fr

------------------------------

Date: 31 May 1994 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks. Undigestifiers are available throughout the Internet, but not from RISKS.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. U.S. users on .mil or .gov domains should contact (Dennis Rears ). UK subscribers please contact . Local redistribution services are provided at many other sites as well. Check FIRST with your local system or netnews wizards. If that does not work, THEN please send requests to (which is not automated).

CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. PLEASE DO NOT INCLUDE ENTIRE PREVIOUS MESSAGES in responses to them. Contributions will not be ACKed; the load is too great.
**PLEASE** include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. All other reuses of RISKS material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using RISKS material should obtain permission from the contributors.

ARCHIVES: "ftp crvax.sri.com login anonymous YourName cd risks: Issue j of volume 16 is in that directory: "get risks-16.j". For issues of earlier volumes, "get [.i]risks-i.j" (where i=1 to 15, j always TWO digits) for Vol i Issue j. Vol i summaries in j=00, in both main directory and [.i] subdirectory; "dir" (or "dir [.i]") lists (sub)directory; "bye" logs out. CRVAX.SRI.COM = [128.18.30.65]; =CarriageReturn; FTPs may differ; UNIX prompts for username, password; bitftp@pucc.Princeton.EDU and WAIS are alternative repositories. See risks-15.75 for WAIS info. To search back issues with WAIS, use risks-digest.src. With Mosaic, use http://www.wais.com/wais-dbs/risks-digest.html.

FAX: ONLY IF YOU CANNOT GET RISKS ON-LINE, you may be interested in receiving it via fax; phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for info regarding fax delivery. PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL RISKS COMMUNICATIONS; as a last resort you may try phone PGN at +1 (415) 859-2375 if you cannot E-mail risks-request@CSL.SRI.COM .

------------------------------

End of RISKS-FORUM Digest 16.45
************************