Pleasant@Rutgers.ARPA (04/04/83)
HUMAN-NETS Digest Saturday, 2 Apr 1983 Volume 6 : Issue 18 Today's Topics: Technology - EFT (9 msgs) ---------------------------------------------------------------------- Date: 31 Mar 1983 1332-EST From: ZALESKI@RUTGERS (Mike Zaleski) Subject: EFT Security In view of the recent discussion on Human-Nets regarding the privacy and security of Electronic Funds Transfer (EFT) and Electronic Banking in general, the following, from the February 1983 issue of The Communications of the ACM, "Regulation of Electronic Funds Transfer: Impact and Legal Issues", pages 112-118, might be of interest: "The United States Supreme Court in U.S. vs. Miller in 1976 ruled that the notion that an individual's expectation of confidentiality in his bank is not legally enforceable or even warranted. Further, the Court ruled that the records are property of the bank, not the depositor [4]. [4] Colton, K. W. and Kraemer, K. L., "Computers and Banking", Plenum Press, New York, 1980." Although these notions might be distressing, consider the other side of the issue. Is it desirable that individuals with bad credit ratings be allowed to hide in a maze of confidentiality laws? People who pay their bills must also shoulder the responsibility of those bad risks. Perhaps the biggest concerns of pro-EFT forces should be directed toward security from criminal intervention and toward consumer convenience. I would use EFT today even if there were no privacy safeguards, but not it there were no safeguards against outright criminal misuse of the system. -- Mike^Z ------------------------------ Date: 1 April 1983 05:30 EST From: Robert Elton Maas <REM @ MIT-MC> Subject: EFT, etc. - another strawman idea below... Under my ideal system, you wouldn't have to show your thumbprint (or tongueprint; ugh, unless the sensor tastes nice; gee what a 1984ish way to entice people to use the system, addictive tongueprint sensors!) twenty times a day. There are three kinds of transactions: (1) You physically travel to a store where a human checks you out; (2) You physically travel to a bank where you interact with a device; (3) You sit at home and call up your orders directly from your workstation without having to physically travel anywhere. Type (2) will die as soon as everybody has workstations. The whole idea of having to travel downtown just to press buttons on a machine is stupid. We do it now only because the "dumb" banks haven't yet made it possible for us to do everything from home. So let's discuss (1) and (3). In the case of (1), you insert your ID card or punch your username, the computer calls up a picture of you, and the storeclerk compares you with your picture to verify your identity. Just like showing an ID with picture, except it's harder to forge the ID. In the case of (3), you identify yourself when you wake up and start using the system or when you return home. If anybody visits you (or breaks in) your automated home automatically cancels your password unless you have authorized the visitor to be present while the password is active. When the unauthorized visitor leaves you re-identify yourself. Unless you have lots of unauthorized visitors, you don't have to identify yourself often. Thus you may never need your thumbprint (or tongueprint) except for coroner's files in case you die and somebody needs to identify your body. ------------------------------ Date: 1 Apr 1983 0916-CST Subject: Re: EFT, etc. From: CS.TEMIN at UTEXAS-20 I would like to voice agreement with Lauren, that any EFT system will be \\designed// with the potential for misuse explicitly embedded in it. And it seems that no contributors to this digest who advocate EFT would put up with such an EFT system. A comprehensive EFT system would put more information in one place than there is currently. For example, the IRS keeps tax returns privileged from criminal prosecutors in general. EFT could undermine all the laws that currently exist regarding freedom (and secrecy) of information. I enjoy the luxury of having several different ways to pay for a transaction -- cash, bank card, store-specific credit card, check. Integrated EFT sounds like it would do away with such methods. I think that EFT is a case of the public falling in love with technology. There is no real need for this. EFT works fine for transactions between financial institutions. And if the current methods for detecting fraudulent checks and credit cards were a bit more reliable, the current system for making personal monetary transactions should be acceptable to everyone (vendors and purchasers). /aaron temin ------------------------------ Date: Fri 1 Apr 83 09:29:18-PST From: LAWS@SRI-AI.ARPA Subject: Statute of Limitations I disagree with Lynn Gold about the statute of limitations providing protection from misuse of old data. It currently offers some protection from prosecution, although that can be revoked at any time (e.g., to allow us to get at Nazi war criminals). Much more common, however, is persecution outside the legal system. The Commie witchhunt/blacklist history is an example. Anyone who declares bankruptcy, is convicted of a major crime, or is even acquitted of a morals charge may be similarly branded by his past. (We still remember Charles Dodgson/Lewis Carroll's interest in nude little girls, don't we?) Sixty Minutes has reported that police (near St. Louis?) have allowed landlords to screen prospective tenants via on-line databanks. These records often show fugitive warrants that have not been purged after the suspect has already been found and released. Neither the statute of limitations nor uninforced laws against misuse are of any help in these situations. Data that are not purged may become part of your public identity, either now or for future generations. -- Ken Laws ------------------------------ Date: Fri 1 Apr 83 11:28:42-PST From: Paul Martin <PMARTIN@SRI-AI.ARPA> Subject: Re: HUMAN-NETS Digest V6 #17 Re Lauren's view of the political nature of EFT implementations: I believe he is right. The current efforts to keep track of the transfer of funds inside this country include so many restrictions and record-keeping (and, at least with a court order, record-supplying) that only the biggest crooks can afford the privacy provided by "offshore" banking. The popular perception of the balance of privacy vs. ease of law enforcement is such that the mere ownership of a numbered Swiss account is considered "proof" of financial wrongdoing (at least tax evasion; probably laundering of mob money too!). Until the electorate recognizes the need to legislate privacy even in cases when it could be potentially inconvenient to some finger of the long arm of the law, we can expect the outlawing of any private form of EFT. Re Lynn Gould's reference to the statute of limitations: The Mustang Ranch example was a case where no law was broken; the problem for a Moron Majority leader having the old wild weekend surface goes way beyond any restriction on the time limits for broken laws. The example of Tom Eagleton being kicked off the Democratic ticket for having sought the aid of a shrink in the distant past gives us a clue as to how the mere record of payment transfers can become a liability if it is obtainable by the wrong folks.... Paul (SSN-is-none-of-your-business) Martin ------------------------------ Date: 1 April 1983 14:36 est From: Dehn.DEHN at MIT-MULTICS Subject: Realism of EFT Proposals It is not at all unreasonable to consider "perfectly secure" EFT systems. I agree that the current trend is not very encouraging; the more information gets into computer-readable form, the more reasons the politicians think of for using it. We can see where this will lead, but can the politicians see any alternative? One reason for discussing and building secure systems is to see if they do provide an alternative. If the nation were presented with a choice between the current trend and a situation where everyone was safe (in this domain) from both criminals and the government, it might at least give a little consideration to the latter possibility. Yes, "perfectly secure" EFT is inconsistent with today's practices, but that doesn't have to stop it. New technology often requires changes in practices. A change in human nature is not required, but rather a change in people's conception of their rights. History provides many examples of such changes. For documentation of a few examples, see our Constitution. In this case, we may not even need a new idea, but rather simply a recognition that a right that people thought they had is being threatened in a new way, and that there is an alternative to simply watching it vanish entirely. The government activities that pose the threat are not some sort of fixed environmental specs that technical solutions must comply with. The political process provides mechanisms for change, and technical demonstrations can be part of that political process. They may even change in a favorable direction for other reasons. For example, in the tax area, there is currently interest in alternative forms of taxation (flat tax, VAT, etc.) that might require less information collection for enforcement. There may also be technical ways of reducing the danger even more, such as by building some aspects of the tax system into the EFT system itself, making it unnecessary to make detailed information available to anyone. -jwd3 ------------------------------ Date: Friday, 1 April 1983, 11:49-PST From: Richard Lamson <rsl%SPA-Nimbus@MIT-XX> Subject: HUMAN-NETS Digest V6 #17 From: Lynn Gold <FIGMO at KESTREL> Subject: ATMs and records No matter whether or not they keep old records around, aren't there statutes of limitation which take effect after a certain period of time after a crime is committed (seven years or so)? If this is the case, it wouldn't matter if someone had a college-days fling that was discovered fifteen years after they finished college, since it would be too late to prosecute. Yes. Remember Chappaquiddick? How about when Teddy Kennedy was found to be cheating on an undergraduate test (or whatever -- I don't remember the actual scandal, just that it gets publicity every time EMK runs for office...)? There are ways to persecute without prosecuting. -- Richard ------------------------------ Date: Fri, 1 Apr 83 13:49:58 EST From: Jerry Leichter <Leichter@YALE> Subject: EFTS, Privacy, etc. Lauren's fears about possible abuse of EFTS systems - and his reminders about the political elements of the decisions involved - are well taken. The history of technology clearly indicates that political arrangements drive and control technology at least as much as technology drives such arrangements. The United States has maintained the greatest degree of separation between the two spheres; as a result, the connections, probably as powerful here as elsewhere, are hidden and non-obvious. The US is just about the only country in the world that allows private enterprise to run the phone system; it's almost universally a function of the local post office. An example of where this can lead is in France: The Paris phone system as originally designed included a simple method for the police to tap in to any conversation. No inconvenient physical taps to install, no court orders; it was understood that control over this new communication medium would have to be maintained. Today, the PTT's (Post, Telephone, and Telegraph) are trying to control all computer networking as well. Consider that in just about all of the world, TV is a state-provided, state-controlled enterprise. In Fred Hoyle's "Fifth Planet" - an interesting but not particularly memorable book otherwise - one of the characters starts speculating about devices that would allow a central computer to keep track of where you are. He sees the introduction of such devices as proceeding from high-status positions - "I'm so important that I must be reachable & protectable immediately at all times" - on gradually downward, to the point where everyone is required to wear the things at all times. No one objects because at each point in the evolution of the system it looks like the new class of people who have to wear the things are being awarded higher status. This was written about 15 years ago; I find it fascinating to compare to the evolution of "beepers" - devices I would absolutely refuse to accept. Finally, on a positive note: EFTS will not TOTALLY displace cash in the forseeable future. Reason: It costs way too much per transaction. Take a look at the December 1979 CACM - a special issue on EFTS. Here is a table: Transactions/year Total cost Cost/transaction (billions) ($billions) ($) Cash 264 3.274 .012 Check 32 17.048 .53 Credit card 5 2.580 .52 (1976 data) Most cash transactions are small (75% <$1, 95% <= $10). It's difficult to imagine the EFTS cost coming even close to the cash cost on a per-transaction basis. (Unfortunately, there is - or was in 1979 - no good data on EFTS costs.) Clearly, the big win is in taking over for checks, at least for quite a while to come. -- Jerry decvax!yale-comix!leichter leichter @ yale ------------------------------ Date: 1 April 1983 23:59-EST (Friday) From: _Bob <Carter @ RUTGERS> Subject: Question: EFT and Fingerprints Hi, Several recent messages to HN have assumed, without describing, reliable fingerprint recognition as part of an EFT scheme. Just what do the best fingerprint recognition programs do, exactly, and how well do they do it? I've had occasion to read the testimony of human fingerprint experts, and I'm not sure it is stuff you'd want to trust your money to. In the examples I have seen the expert looks for between 10 and 15 'points of correspondence,' arches whorles and the like, between the candidate and exemplar prints. Correspondence is a judgment call, else the fellow wouldn't have to be an expert. The humans seem to be trying for unique identification from a 15-bit word, with an error-checking algorithm that is far from obvious. Maybe some AI construct could handle this task. But, something written in bankers' COBOL? _Bob ------------------------------ End of HUMAN-NETS Digest ************************