Human-Nets-Request%rutgers@brl-bmd.UUCP (Human-Nets-Request@rutgers) (02/14/84)
HUMAN-NETS Digest        Monday, 13 Feb 1984       Volume 7 : Issue 19

Today's Topics:
    Computers and the Law - California Access Bill (2 msgs) &
        Swedish "Person Numbers" &
        Notification of Database Entries,
    Computer Security - `Scary Article in InfoWorld',
    Computers and the Media - Re: Hackers,
    Computers and People - Collaboration Simulation
----------------------------------------------------------------------

Date: Sat, 11 Feb 84 03:04:13 pst
From: fair%ucbarpa@Berkeley (Erik E. Fair)
To: CAULKINS@USC-ECL.ARPA
Subject: HN V7 #18, California AB251
Cc: matt@UCLA-LOCUS

Maybe I'm missing a fine point of law, but if no one presses charges of misdemeanor unauthorized computer access, how does the proposed bill shut down public BBS's? Out of fear to access? Or is there automatic prosecution by the state? (if the latter, how in the name of Von Neumann do they catch them all?)

One way to view this bill is that it makes it easier to scare off a system crasher (by charging him with a misdemeanor), and not really have him hauled away in irons.

Erik E. Fair    ucbvax!fair    fair@ucb-arpa.ARPA

------------------------------

Date: 11 Feb 1984 0720-PST
From: CAULKINS at USC-ECL.ARPA
Subject: Re: HN V7 #18, California AB251
To: fair%ucbarpa at BERKELEY
Cc: matt at UCLA-LOCUS,

In response to your message sent Sat, 11 Feb 84 03:04:13 pst

My objection to AB2551 (the proposed CA law making any unauthorized access to a computer a misdemeanor) is its shotgun nature. It is fairly clear that the Attorney General is having trouble proving 'malicious intent', and wants to broaden law enforcement's power to proceed against computer crackers.

I think you're right about how hard it will be to enforce; unfortunately it is sure to have a chilling effect on BBSs and their users. As a BBS SYSOP, I sure as hell don't need the hassle of some gung ho prosecutor subpoena'ing all my backup disks because he thinks some crackers he's after for other reasons have accessed my system without my permission.
Dave C

PS - I had a mildly paranoia-inducing experience on my BBS recently; a person left a message identifying himself as connected with law enforcement, and asked people to call or msg him if they had questions about law enforcement. I left a message for him asking if he had accessed my BBS in his official capacity. He never responded, nor were there any further messages to or from him.

------------------------------

Date: Sunday, 12 Feb 1984 23:48-PST
Subject: Swedish "Person Numbers" (260731-1640, Where Are You?)
From: lauren@Rand-Unix (Lauren_Weinstein)

a223 1304 12 Feb 84
AM-Person Numbers, Bjt,590
Sweden's Person Numbers Come Under Fire
AP News Special
By BIRGIT LOFGREN
Associated Press Writer

STOCKHOLM, Sweden (AP) - A recent announcement in the Engagements column of the newspaper Svenska Dagbladet said: 220324-0532 + 260731-1640 1-1 1984.

Someone - authorities can find out if they want to - was spoofing Sweden's Person Numbers, a 10-digit figure that tells who you are, where and when you were born and your sex.

In the Swedish government's computers, each citizen is a number. Every computer file in Sweden is based on the Person Number, whether it's at a bank, a hospital, an employer, the social welfare office or the tax authorities. Whatever a person does is in somebody's computer.

The system recently has come under fire, however, from Swedes who contend that a computerized society ultimately could infringe on the integrity of individuals.

In mid-January, conservative opposition leader Ulf Adelsohn presented a 50-page "Freedom Bill" aimed at abolishing nearly 50 laws enacted by the Social Democratic government of Prime Minister Olof Palme, many of them designed to prevent tax evasion.

Adelsohn assailed what he called "the abuse of Person Numbers" and demanded legislation to limit their use.

The Person Numbers, which went into effect Jan.
1, 1947, and were computerized 20 years later, follow the 8.3 million Swedes from cradle to grave and are as integrated in a Swede's personality as any trait of character.

One reason for giving everyone a number is that many Swedes have the same name. There are hundreds of thousands of Carlssons, Svenssons and Jacobssons, for example.

Fueling Adelsohn's argument was a recent government study suggesting a streamlined super databank, integrating up to 150 computer files with all kinds of data on citizens - all based on the Person Number.

The study proposed that the Central Bureau of Statistics be allowed to use files without permission from Data Inspection, a government department that guards against abuse of computerized information.

The statistics bureau would be allowed to combine into the super databank the files of everyone from practically everywhere - including people's files from banks, hospitals, employers, the social welfare office and the tax collector, for example.

By calling up a Person Number on a computer, the bureau would be able to find out details ranging from a Swede's illnesses and criminal record to his income and debts.

The bureau insists it would do this only for "statistical research" and that people would not be identified by name.

Critics, among them Data Inspection chief Jan Freese, contend that an integrated system could lead to an erosion of civil liberties.

"The files will collect more information on a person than he can remember himself," Freese commented.

Sten Johansson, head of the Central Bureau of Statistics, defended the system as necessary "for democracy and public opinion." He said his files are intended strictly for scientific use.

Police Superintendent Hans Wranghult has reported a rise in computer crime in Stockholm, but there has been no evidence of computer whizzes trying to tap into the statistics bureau's computers to see the files of individuals.
It technically is possible for people to withhold information from their Person Number file, but it would be disadvantageous.

Failure to register a newborn child would mean that the child didn't exist as far as Sweden was concerned. He or she couldn't get into schools, would be outside the medical system or couldn't open a bank account, for example.

ap-ny-02-12 1602EDT
***************

------------------------------

Date: 13 Feb 1984 1401-PST
Subject: Notification of individuals re database entries
From: WMartin at Office-3 (Will Martin)

Why not restrict the requirement of notification to the private sector alone? I think a good case for this could be made.

First off, you might as well assume that there are government files about you. If you have ever paid taxes, received a student loan, registered for selective service, registered a motor vehicle or a firearm (in states so requiring), received a passport, been arrested, fined for a traffic offense, or held in custody, or in any other fashion interacted with a municipal, state, or federal government agency or department, there WILL be a record, and these days it is practically inevitable that it is in an automated "system of records", as the Privacy Act puts it. With the current emphasis on reducing the costs of government, it is not likely that it can be shown to be cost-effective for all these government agencies to notify everyone of what they already know -- I certainly don't want to pay for it!

On the other hand, I don't know what private agencies, credit bureaus, or corporation data banks hold about me. I am MORE interested in that than I am in what the FBI has. (As a federal employee, I do KNOW that the FBI has something about me -- it can't be too bad, or I wouldn't have received a security clearance!) However, it is of immediate interest what a credit bureau might have in my file.
I resent that the Fair Credit Reporting Act was so manipulated by business interests that it does not force all credit bureaus to provide me a copy of all data they have about me at no cost -- I can get it but I have to pay for it! (You can get the info free only if you were denied credit on the basis of the info given by the cited source.) As far as I know, the info in records associated with me is good. But maybe there's some false info in there, but the good data outweighs the bad, and if more bad data gets in, the balance might tip. It is not likely, but it is possible.

So I would support a privacy act directed at the private or commercial sector, that would require them to notify me that they have information about me, and to compel them to provide me with a copy of all information about me AT NO COST to me, upon presentation of some standard identification that will insure that only the individual gets to see his/her own file(s). I could accept that this would be allowable only once a year or even less often, so an individual could not harass a company by demanding his data every day.

Credit-extending organizations (like department stores or bank card offices) should be required to include a summary of the info they have on file with the statement once a year -- thus this would be NO added mailing cost. Insurance companies (life, home, auto, health) should also be required to notify policyholders with such a summary once a year, again along with the mailings they already make -- billings or whatever -- so these too would be at NO mailing cost.

There would be a cost for mailing to individuals who are in the data banks but are not current customers or policyholders. This would give the organizations an incentive to purge their files. For the changed-address problem, a regulation that allowed the record to be marked for "no mailing" after a letter to the last address of record is returned as undeliverable would be acceptable.
Independent credit reference bureaus should be compelled to notify either directly or through the previously-discussed method of pooling or contracting through a central site. These WOULD incur a mailing cost, but they could recover the increased costs by raising their fees. Since it is just another deductible business expense anyway, it might mean that it costs the department stores 25 cents more for a standard credit check. Big deal. It will get buried in the usual inflationary rise in the costs of doing business, and I'll pay for it by spending a nickel more for a tube of toothpaste in the drug department or something.

Note that I am envisioning more than a simple "we know about you" notification. There should be a summary statement of what the organization knows. These could easily be standardized like sweepstakes letters:

For a good credit rating:

    Our records show that Mr. JOHN Q. PUBLIC has an annual income of $30,000, an outstanding mortgage on OWNER-OCCUPIED PROPERTY at 1212 MUDSLIDE DRIVE, SAN DIABLO, CA, of $85,000, and owns a RED 1983 TOYOTA STATION WAGON on which there is NO outstanding indebtedness. etc, etc.

For a bad credit rating:

    Our records show that Mr. OBVIOUS PSEUDONYM has an annual income of $0, no real property owned, outstanding indebtedness as follows:
        VISA (Third National Bank of Las Nadas) = $507.85
        GRUBB's Department Stores = $398.65
        etc.
    Court-ordered judgements unfulfilled as follows (etc., etc.)

[End example]

In addition, there should be a method for submission of corrections and some sort of administrative appeals board for resolving disputed data entries.

So the idea is that you get a combination notification & summary automatically, and can then request the full data if you want, for only the cost of writing for it or showing up at a local office. Once you have the full data, you could contest any false entries, or leave it alone if it wasn't too important.
You could also provide current info if you feel it is in your best interest to update those records. (For example, you haven't bought anything on credit in the past two years because you won the Irish Sweepstakes and pay cash for everything...) The company would have the option of verifying and incorporating the data if they thought that it was important enough. Disputes here could be appealed to the review organization mentioned earlier.

This would be a meaningful and useful Privacy Act. This means that it never will come to pass, of course...

Will Martin

------------------------------

Date: Sat, 11 Feb 84 03:22:44 pst
From: fair%ucbarpa@Berkeley (Erik E. Fair)
To: g.zeep@mit-eecs@mit-mc
Subject: HN V7 #18: `Scary Article in InfoWorld'

There are two immediate problems with this:

1) How in hades do you make such a device, and keep it and its contents secure from the prying fingers of precocious teenagers? I can see a burning curiosity on the part of the system holder to know the contents (not unlike the curiosity a child might have about a note that the Principal wrote home to mommy in a sealed envelope).

2) How can this plan be a success if the immediate reaction of any significant portion of the populace is that `This is a scary idea'?

I must confess that I feel a certain revulsion toward the idea, but on a purely practical basis, the idea has merit; how better to transmit transcripts around in a presumably standard and secure fashion? There might be some problems with transmitting multiple copies around. (I applied to more than one college, didn't you?)

Did the InfoWorld article mention which think tank was thinking these thoughts? (RAND? MITRE?)

Erik E. Fair    ucbvax!fair    fair@ucb-arpa.ARPA

------------------------------

Date: Sun, 12 Feb 84 15:23:09 CST
From: Scott Comer <wert@rice>
Subject: Re: HUMAN-NETS Digest V7 #18

Re: A Hacker by Any Other Name ...

How about Bashers? That is also a very descriptive term:

    I was up till six bashing on the Unix kernel...
scott

------------------------------

Date: 11-Feb-84 13:04 PST
From: Kirk Kelley <KIRK.TYM@OFFICE-2>
Subject: requirements for collaborated simulation language

This refers to the model for&of the world-wide telecollaborated simulation in HN #14 and #17.

Gaining and maintaining the interest of "students" may depend on the existence of an interesting extended metaphor or allegory for the simulation motivating its use, such as an adventure with the simulation running in the background, like the Gaia Adventure or the Survive 1984 adventure. Such adventures would also teach students how to be modelers.

The available time of modelers may depend greatly on the ability of modelers to earn a living as a modeler. This could mean the ability to get paid something, no matter how small, every time a piece they wrote was accessed or in the case of an equation in the model, computed.

Such reasoning, in the context of the whole project, implies the following requirements for a language to implement the simulation.

1. Arbitrary complex systems must be simulated.

2. The model must be modifiable / extendable by several people while the simulation runs.

2. Simple programming in the language must be teachable via the simulations.

3. The use of portions of a model must be capable of generating revenue for the author of that portion.

4. Portions of the model written and maintained by different people, on different computers, must communicate with each other.

Where would you get a language to fill those requirements?

-- kirk

------------------------------

End of HUMAN-NETS Digest
************************