[fa.human-nets] HUMAN-NETS Digest V7 #19

Human-Nets-Request%rutgers@brl-bmd.UUCP (Human-Nets-Request@rutgers) (02/14/84)

HUMAN-NETS Digest        Monday, 13 Feb 1984       Volume 7 : Issue 19

Today's Topics:
      Computers and the Law - California Access Bill (2 msgs) &
                      Swedish "Person Numbers" &
                  Notification of Database Entries,
           Computer Security - `Scary Article in InfoWorld',
                Computers and the Media - Re: Hackers,
           Computers and People - Collaboration Simulation
----------------------------------------------------------------------

Date: Sat, 11 Feb 84 03:04:13 pst
From: fair%ucbarpa@Berkeley (Erik E. Fair)
To: CAULKINS@USC-ECL.ARPA
Subject: HN V7 #18, California AB251
Cc: matt@UCLA-LOCUS

Maybe I'm missing a fine point of law, but if no one presses charges
of misdemeanor unauthorized computer access, how does the proposed
bill shut down public BBS's?

Out of fear to access? Or is there automatic prosecution by the
state? (if the latter, how in the name of Von Neumann do they
catch them all?)

One way to view this bill is that it makes it easier to scare off
a system crasher (by charging him with a misdemeanor), and not
really have him hauled away in irons.

        Erik E. Fair    ucbvax!fair     fair@ucb-arpa.ARPA

------------------------------

Date: 11 Feb 1984 0720-PST
From: CAULKINS at USC-ECL.ARPA
Subject: Re: HN V7 #18, California AB251
To: fair%ucbarpa at BERKELEY
Cc: matt at UCLA-LOCUS,

In response to your message sent  Sat, 11 Feb 84 03:04:13 pst

My objection to AB2551 (the proposed CA law making any
unauthorized access to a computer a misdemeanor) is its
shotgun nature.  It is fairly clear that the Attorney General
is having trouble proving 'malicious intent', and wants to
broaden law enforcement's power to proceed against computer
crackers.

I think you're right about how hard it will be to enforce;
unfortunately it is sure to have a chilling effect on BBSs
and their users.  As a BBS SYSOP, I sure as hell don't need
the hassle of some gung ho prosecutor subpoena'ing all my
backup disks because he thinks some crackers he's after
for other reasons have accessed my system without my
permission.

Dave C

PS - I had a mildly paranoia-inducing experience on my BBS
recently; a person left a message identifying himself as connected
with law enforcement, and asked people to call or msg him if they
had questions about law enforcement.  I left a message for him
asking if he had accessed my BBS in his official capacity.  He
never responded, nor were there any further messages to
or from him.

------------------------------

Date: Sunday, 12 Feb 1984 23:48-PST
Subject: Swedish "Person Numbers" (260731-1640, Where Are You?)
From: lauren@Rand-Unix (Lauren_Weinstein)

a223  1304  12 Feb 84
AM-Person Numbers, Bjt,590
Sweden's Person Numbers Come Under Fire
AP News Special
By BIRGIT LOFGREN
Associated Press Writer
    STOCKHOLM, Sweden (AP) - A recent announcement in the Engagements
column of the newspaper Svenska Dagbladet said:
    220324-0532
    +
    260731-1640
    1-1 1984.
    Someone - authorities can find out if they want to - was spoofing
Sweden's Person Numbers, a 10-digit figure that tells who you are,
where and when you were born and your sex.
    In the Swedish government's computers, each citizen is a number.
    Every computer file in Sweden is based on the Person Number,
whether it's at a bank, a hospital, an employer, the social welfare
office or the tax authorities. Whatever a person does is in somebody's
computer.
    The system recently has come under fire, however, from Swedes who
contend that a computerized society ultimately could infringe on the
integrity of individuals.
    In mid-January, conservative opposition leader Ulf Adelsohn
presented a 50-page ''Freedom Bill'' aimed at abolishing nearly 50
laws enacted by the Social Democratic government of Prime Minister
Olof Palme, many of them designed to prevent tax evasion.
    Adelsohn assailed what he called ''the abuse of Person Numbers''
and demanded legislation to limit their use.
    The Person Numbers, which went into effect Jan. 1, 1947, and were
computerized 20 years later, follow the 8.3 million Swedes from cradle
to grave and are as integrated in a Swede's personality as any trait
of character.
    One reason for giving everyone a number is that many Swedes have
the same name. There are hundreds of thousands of Carlssons, Svenssons
and Jacobssons, for example.
    Fueling Adelsohn's argument was a recent government study
suggesting a streamlined super databank, integrating up to 150
computer files with all kinds of data on citizens - all based on the
Person Number.
    The study proposed that the Central Bureau of Statistics be
allowed to use files without permission from Data Inspection, a
government department that guards against abuse of computerized
information.
    The statistics bureau would be allowed to combine into the super
databank the files of everyone from practically everywhere - including
people's files from banks, hospitals, employers, the social welfare
office and the tax collector, for example. By calling up a Person
Number on a computer, the bureau would be able to find out details
ranging from a Swede's illnesses and criminal record to his income and
debts.
    The bureau insists it would do this only for ''statistical
research'' and that people would not be identified by name.
    Critics, among them Data Inspection chief Jan Freese, contend that
an integrated system could lead to an erosion of civil liberties.
    ''The files will collect more information on a person than he can
remember himself,'' Freese commented.
    Sten Johansson, head of the Central Bureau of Statistics, defended
the system as necessary ''for democracy and public opinion.'' He said
his files are intended strictly for scientific use.
    Police Superintendent Hans Wranghult has reported a rise in
computer crime in Stockholm, but there has been no evidence of
computer whizzes trying to tap into the statistics bureau's computers
to see the files of individuals.
    It technically is possible for people to withhold information from
their Person Number file, but it would be disadvantageous.
    Failure to register a newborn child would mean that the child
didn't exist as far as Sweden was concerned. He or she couldn't get
into schools, would be outside the medical system or couldn't open a
bank account, for example.

ap-ny-02-12 1602EDT
***************

------------------------------

Date: 13 Feb 1984 1401-PST
Subject: Notification of individuals re database entries
From: WMartin at Office-3 (Will Martin)

Why not restrict the requirement of notification to the private
sector alone?  I think a good case for this could be made.  First
off, you might as well assume that there are government files
about you.  If you have ever paid taxes, received a student loan,
registered for selective service, registered a motor vehicle or a
firearm (in states so requiring), received a passport, been
arrested, fined for a traffic offense, or held in custody, or in
any other fashion interacted with a municipal, state, or federal
government agency or department, there WILL be a record, and
these days it is practically inevitable that it is in an
automated "system of records", as the Privacy Act puts it.  With
the current emphasis on reducing the costs of government, it is
not likely that it can be shown to be cost-effective for all
these government agencies to notify everyone of what they already
know -- I certainly don't want to pay for it!

On the other hand, I don't know what private agencies, credit
bureaus, or corporation data banks hold about me.  I am MORE
interested in that than I am in what the FBI has.  (As a federal
employee, I do KNOW that the FBI has something about me -- it
can't be too bad, or I wouldn't have received a security
clearance!)  However, it is of immediate interest what a credit
bureau might have in my file.  I resent that the Fair Credit
Reporting Act was so manipulated by business interests that it
does not force all credit bureaus to provide me a copy of all
data they have about me at no cost -- I can get it but I have to
pay for it!  (You can get the info free only if you were denied
credit on the basis of the info given by the cited source.)

As far as I know, the info in records associated with me is good.
But maybe there's some false info in there, but the good data
outweighs the bad, and if more bad data gets in, the balance
might tip.  It is not likely, but it is possible.  So I would
support a privacy act directed at the private or commercial
sector, that would require them to notify me that they have
information about me, and to compel them to provide me with a
copy of all information about me AT NO COST to me, upon
presentation of some standard identification that will insure
that only the individual gets to see his/her own file(s).  I
could accept that this would be allowable only once a year or
even less often, so an individual could not harass a company by
demanding his data every day.  Credit-extending organizations
(like department stores or bank card offices) should be required
to include a summary of the info they have on file with the
statement once a year -- thus this would be NO added mailing
cost.  Insurance companies (life, home, auto, health) should also
be required to notify policyholders with such a summary once a
year, again along with the mailings they already make -- billings
or whatever -- so these too would be at NO mailing cost.

There would be a cost for mailing to individuals who are in the
data banks but are not current customers or policyholders.  This
would give the organizations an incentive to purge their files.
For the changed-address problem, a regulation that allowed the
record to be marked for "no mailing" after a letter to the last
address of record is returned as undeliverable would be
acceptable.

Independent credit reference bureaus should be compelled to
notify either directly or through the previously-discussed method
of pooling or contracting through a central site.  These WOULD
incur a mailing cost, but they could recover the increased costs
by raising their fees.  Since it is just another deductible
business expense anyway, it might mean that it costs the
department stores 25 cents more for a standard credit check.  Big
deal.  It will get buried in the usual inflationary rise in the
costs of doing business, and I'll pay for it by spending a nickel
more for a tube of toothpaste in the drug department or
something.

Note that I am envisioning more than a simple "we know about you"
notification.  There should be a summary statement of what the
organization knows.  These could easily be standardized like
sweepstakes letters:

For a good credit rating:

Our records show that Mr. JOHN Q. PUBLIC has an annual income of
$30,000, an outstanding mortgage on OWNER-OCCUPIED PROPERTY at
1212 MUDSLIDE DRIVE, SAN DIABLO, CA, of $85,000, and owns a RED
1983 TOYOTA STATION WAGON on which there is NO outstanding
indebtedness.  etc, etc.

For a bad credit rating:

Our records show that Mr. OBVIOUS PSEUDONYM has an annual income
of $0, no real property owned, outstanding indebtedness as
follows:

VISA (Third National Bank of Las Nadas) = $507.85
GRUBB's Department Stores = $398.65
etc.

Court-ordered judgements unfulfilled as follows (etc., etc.)
[End example]

In addition, there should be a method for submission of
corrections and some sort of administrative appeals board for
resolving disputed data entries.

So the idea is that you get a combination notification & summary
automatically, and can then request the full data if you want,
for only the cost of writing for it or showing up at a local
office.  Once you have the full data, you could contest any false
entries, or leave it alone if it wasn't too important.  You could
also provide current info if you feel it is in your best interest
to update those records.  (For example, you haven't bought
anything on credit in the past two years because you won the
Irish Sweepstakes and pay cash for everything...)  The company
would have the option of verifying and incorporating the data if
they thought that it was important enough.  Disputes here could
be appealed to the review organization mentioned earlier.

This would be a meaningful and useful Privacy Act.  This means
that it never will come to pass, of course...

Will Martin

------------------------------

Date: Sat, 11 Feb 84 03:22:44 pst
From: fair%ucbarpa@Berkeley (Erik E. Fair)
To: g.zeep@mit-eecs@mit-mc
Subject: HN V7 #18: `Scary Article in InfoWorld'

There are two immediate problems with this:

1) How in hades do you make such a device, and keep it
        and its contents secure from the prying fingers of precocious
        teenagers? I can see a burning curiosity on the part of the
        system holder to know the contents (not unlike the curiosity
        a child might have about a note that the Principal wrote home
        to mommy in a sealed envelope).

2) How can this plan be a success if the immediate reaction
        of any significant portion of the populace is that `This is a
        scary idea'? I must confess that I feel a certain revulsion
        toward the idea, but on a purely practical basis, the idea has
        merit; how better to transmit transcripts around in a
        presumably standard and secure fashion? There might be some
        problems with transmitting multiple copies around.  (I applied
        to more than one college, didn't you?)

Did the InfoWorld article mention which think tank was thinking
these thoughts? (RAND? MITRE?)

        Erik E. Fair    ucbvax!fair     fair@ucb-arpa.ARPA

------------------------------

Date: Sun, 12 Feb 84 15:23:09 CST
From: Scott Comer <wert@rice>
Subject: Re: HUMAN-NETS Digest   V7 #18

Re: A Hacker by Any Other Name ...

How about Bashers? That is also a very descriptive term:

        I was up till six bashing on the Unix kernel...

scott

------------------------------

Date: 11-Feb-84 13:04 PST
From: Kirk Kelley  <KIRK.TYM@OFFICE-2>
Subject: requirements for collaborated simulation language

This refers to the model for&of the world-wide telecollaborated
simulation in HN #14 and #17.

Gaining and maintaining the interest of "students" may depend on the
existence of an interesting extended metaphor or allegory for the
simulation motivating its use, such as an adventure with the
simulation running in the background, like the Gaia Adventure or the
Survive 1984 adventure.  Such adventures would also teach students how
to be modelers.

The available time of modelers may depend greatly on the ability of
modelers to earn a living as a modeler.  This could mean the ability
to get paid something, no matter how small, every time a piece they
wrote was accessed or in the case of an equation in the model,
computed.

Such reasoning, in the context of the whole project, implies the
following requirements for a language to implement the simulation.

   1. Arbitrary complex systems must be simulated.

   2. The model must be modifiable / extendable by several people
      while the simulation runs.

   3. Simple programming in the language must be teachable via the
      simulations.

   4. The use of portions of a model must be capable of generating
      revenue for the author of that portion.

   5. Portions of the model written and maintained by different
      people, on different computers, must communicate with each
      other.

Where would you get a language to fill those requirements?

 -- kirk

------------------------------

End of HUMAN-NETS Digest
************************