Pleasant@Rutgers.ARPA (04/04/83)
HUMAN-NETS Digest Saturday, 2 Apr 1983 Volume 6 : Issue 18
Today's Topics:
Technology - EFT (9 msgs)
----------------------------------------------------------------------
Date: 31 Mar 1983 1332-EST
From: ZALESKI@RUTGERS (Mike Zaleski)
Subject: EFT Security
In view of the recent discussion on Human-Nets regarding the privacy
and security of Electronic Funds Transfer (EFT) and Electronic
Banking in general, the following, from the February 1983 issue of
The Communications of the ACM, "Regulation of Electronic Funds
Transfer: Impact and Legal Issues", pages 112-118, might be of
interest:
"The United States Supreme Court in U.S. vs. Miller in 1976
ruled that the notion that an individual's expectation of
confidentiality in his bank is not legally enforceable or
even warranted. Further, the Court ruled that the records
are property of the bank, not the depositor [4].
[4] Colton, K. W. and Kraemer, K. L., "Computers and
Banking", Plenum Press, New York, 1980."
Although these notions might be distressing, consider the other side
of the issue. Is it desirable that individuals with bad credit
ratings be allowed to hide in a maze of confidentiality laws?
People who pay their bills must also shoulder the responsibility of
those bad risks.
Perhaps the biggest concerns of pro-EFT forces should be directed
toward security from criminal intervention and toward consumer
convenience. I would use EFT today even if there were no privacy
safeguards, but not it there were no safeguards against outright
criminal misuse of the system.
-- Mike^Z
------------------------------
Date: 1 April 1983 05:30 EST
From: Robert Elton Maas <REM @ MIT-MC>
Subject: EFT, etc. - another strawman idea below...
Under my ideal system, you wouldn't have to show your thumbprint (or
tongueprint; ugh, unless the sensor tastes nice; gee what a 1984ish
way to entice people to use the system, addictive tongueprint
sensors!) twenty times a day.
There are three kinds of transactions:
(1) You physically travel to a store where a human checks you out;
(2) You physically travel to a bank where you interact with a
device;
(3) You sit at home and call up your orders directly from your
workstation without having to physically travel anywhere.
Type (2) will die as soon as everybody has workstations. The whole
idea of having to travel downtown just to press buttons on a machine
is stupid. We do it now only because the "dumb" banks haven't yet
made it possible for us to do everything from home. So let's discuss
(1) and (3).
In the case of (1), you insert your ID card or punch your username,
the computer calls up a picture of you, and the storeclerk compares
you with your picture to verify your identity. Just like showing an
ID with picture, except it's harder to forge the ID.
In the case of (3), you identify yourself when you wake up and start
using the system or when you return home. If anybody visits you (or
breaks in) your automated home automatically cancels your password
unless you have authorized the visitor to be present while the
password is active. When the unauthorized visitor leaves you
re-identify yourself. Unless you have lots of unauthorized visitors,
you don't have to identify yourself often.
Thus you may never need your thumbprint (or tongueprint) except for
coroner's files in case you die and somebody needs to identify your
body.
------------------------------
Date: 1 Apr 1983 0916-CST
Subject: Re: EFT, etc.
From: CS.TEMIN at UTEXAS-20
I would like to voice agreement with Lauren, that any EFT system
will be \\designed// with the potential for misuse explicitly
embedded in it. And it seems that no contributors to this digest
who advocate EFT would put up with such an EFT system.
A comprehensive EFT system would put more information in one place
than there is currently. For example, the IRS keeps tax returns
privileged from criminal prosecutors in general. EFT could
undermine all the laws that currently exist regarding freedom (and
secrecy) of information.
I enjoy the luxury of having several different ways to pay for a
transaction -- cash, bank card, store-specific credit card, check.
Integrated EFT sounds like it would do away with such methods.
I think that EFT is a case of the public falling in love with
technology. There is no real need for this. EFT works fine for
transactions between financial institutions. And if the current
methods for detecting fraudulent checks and credit cards were a bit
more reliable, the current system for making personal monetary
transactions should be acceptable to everyone (vendors and
purchasers).
/aaron temin
------------------------------
Date: Fri 1 Apr 83 09:29:18-PST
From: LAWS@SRI-AI.ARPA
Subject: Statute of Limitations
I disagree with Lynn Gold about the statute of limitations providing
protection from misuse of old data. It currently offers some
protection from prosecution, although that can be revoked at any
time (e.g., to allow us to get at Nazi war criminals). Much more
common, however, is persecution outside the legal system. The
Commie witchhunt/blacklist history is an example. Anyone who
declares bankruptcy, is convicted of a major crime, or is even
acquitted of a morals charge may be similarly branded by his past.
(We still remember Charles Dodgson/Lewis Carroll's interest in nude
little girls, don't we?)
Sixty Minutes has reported that police (near St. Louis?) have
allowed landlords to screen prospective tenants via on-line
databanks. These records often show fugitive warrants that have not
been purged after the suspect has already been found and released.
Neither the statute of limitations nor uninforced laws against
misuse are of any help in these situations. Data that are not
purged may become part of your public identity, either now or for
future generations.
-- Ken Laws
------------------------------
Date: Fri 1 Apr 83 11:28:42-PST
From: Paul Martin <PMARTIN@SRI-AI.ARPA>
Subject: Re: HUMAN-NETS Digest V6 #17
Re Lauren's view of the political nature of EFT implementations: I
believe he is right. The current efforts to keep track of the
transfer of funds inside this country include so many restrictions
and record-keeping (and, at least with a court order,
record-supplying) that only the biggest crooks can afford the
privacy provided by "offshore" banking. The popular perception of
the balance of privacy vs. ease of law enforcement is such that the
mere ownership of a numbered Swiss account is considered "proof" of
financial wrongdoing (at least tax evasion; probably laundering of
mob money too!).
Until the electorate recognizes the need to legislate privacy even
in cases when it could be potentially inconvenient to some finger of
the long arm of the law, we can expect the outlawing of any private
form of EFT.
Re Lynn Gould's reference to the statute of limitations: The Mustang
Ranch example was a case where no law was broken; the problem for a
Moron Majority leader having the old wild weekend surface goes way
beyond any restriction on the time limits for broken laws. The
example of Tom Eagleton being kicked off the Democratic ticket for
having sought the aid of a shrink in the distant past gives us a
clue as to how the mere record of payment transfers can become a
liability if it is obtainable by the wrong folks....
Paul (SSN-is-none-of-your-business) Martin
------------------------------
Date: 1 April 1983 14:36 est
From: Dehn.DEHN at MIT-MULTICS
Subject: Realism of EFT Proposals
It is not at all unreasonable to consider "perfectly secure" EFT
systems. I agree that the current trend is not very encouraging;
the more information gets into computer-readable form, the more
reasons the politicians think of for using it. We can see where
this will lead, but can the politicians see any alternative?
One reason for discussing and building secure systems is to see if
they do provide an alternative. If the nation were presented with a
choice between the current trend and a situation where everyone was
safe (in this domain) from both criminals and the government, it
might at least give a little consideration to the latter
possibility.
Yes, "perfectly secure" EFT is inconsistent with today's practices,
but that doesn't have to stop it. New technology often requires
changes in practices. A change in human nature is not required, but
rather a change in people's conception of their rights. History
provides many examples of such changes. For documentation of a few
examples, see our Constitution. In this case, we may not even need
a new idea, but rather simply a recognition that a right that people
thought they had is being threatened in a new way, and that there is
an alternative to simply watching it vanish entirely.
The government activities that pose the threat are not some sort of
fixed environmental specs that technical solutions must comply with.
The political process provides mechanisms for change, and technical
demonstrations can be part of that political process. They may even
change in a favorable direction for other reasons. For example, in
the tax area, there is currently interest in alternative forms of
taxation (flat tax, VAT, etc.) that might require less information
collection for enforcement. There may also be technical ways of
reducing the danger even more, such as by building some aspects of
the tax system into the EFT system itself, making it unnecessary to
make detailed information available to anyone.
-jwd3
------------------------------
Date: Friday, 1 April 1983, 11:49-PST
From: Richard Lamson <rsl%SPA-Nimbus@MIT-XX>
Subject: HUMAN-NETS Digest V6 #17
From: Lynn Gold <FIGMO at KESTREL>
Subject: ATMs and records
No matter whether or not they keep old records around, aren't
there statutes of limitation which take effect after a certain
period of time after a crime is committed (seven years or so)?
If this is the case, it wouldn't matter if someone had a
college-days fling that was discovered fifteen years after they
finished college, since it would be too late to prosecute.
Yes. Remember Chappaquiddick? How about when Teddy Kennedy was
found to be cheating on an undergraduate test (or whatever -- I
don't remember the actual scandal, just that it gets publicity every
time EMK runs for office...)?
There are ways to persecute without prosecuting.
-- Richard
------------------------------
Date: Fri, 1 Apr 83 13:49:58 EST
From: Jerry Leichter <Leichter@YALE>
Subject: EFTS, Privacy, etc.
Lauren's fears about possible abuse of EFTS systems - and his
reminders about the political elements of the decisions involved -
are well taken. The history of technology clearly indicates that
political arrangements drive and control technology at least as much
as technology drives such arrangements. The United States has
maintained the greatest degree of separation between the two
spheres; as a result, the connections, probably as powerful here as
elsewhere, are hidden and non-obvious. The US is just about the
only country in the world that allows private enterprise to run the
phone system; it's almost universally a function of the local post
office. An example of where this can lead is in France: The Paris
phone system as originally designed included a simple method for the
police to tap in to any conversation. No inconvenient physical taps
to install, no court orders; it was understood that control over
this new communication medium would have to be maintained. Today,
the PTT's (Post, Telephone, and Telegraph) are trying to control all
computer networking as well. Consider that in just about all of the
world, TV is a state-provided, state-controlled enterprise.
In Fred Hoyle's "Fifth Planet" - an interesting but not particularly
memorable book otherwise - one of the characters starts speculating
about devices that would allow a central computer to keep track of
where you are. He sees the introduction of such devices as
proceeding from high-status positions - "I'm so important that I
must be reachable & protectable immediately at all times" - on
gradually downward, to the point where everyone is required to wear
the things at all times. No one objects because at each point in
the evolution of the system it looks like the new class of people
who have to wear the things are being awarded higher status. This
was written about 15 years ago; I find it fascinating to compare to
the evolution of "beepers" - devices I would absolutely refuse to
accept.
Finally, on a positive note: EFTS will not TOTALLY displace cash in
the forseeable future. Reason: It costs way too much per
transaction. Take a look at the December 1979 CACM - a special
issue on EFTS. Here is a table:
Transactions/year Total cost Cost/transaction
(billions) ($billions) ($)
Cash 264 3.274 .012
Check 32 17.048 .53
Credit card 5 2.580 .52
(1976 data)
Most cash transactions are small (75% <$1, 95% <= $10). It's
difficult to imagine the EFTS cost coming even close to the cash
cost on a per-transaction basis. (Unfortunately, there is - or was
in 1979 - no good data on EFTS costs.) Clearly, the big win is in
taking over for checks, at least for quite a while to come.
-- Jerry
decvax!yale-comix!leichter
leichter @ yale
------------------------------
Date: 1 April 1983 23:59-EST (Friday)
From: _Bob <Carter @ RUTGERS>
Subject: Question: EFT and Fingerprints
Hi,
Several recent messages to HN have assumed, without describing,
reliable fingerprint recognition as part of an EFT scheme. Just
what do the best fingerprint recognition programs do, exactly, and
how well do they do it?
I've had occasion to read the testimony of human fingerprint
experts, and I'm not sure it is stuff you'd want to trust your money
to. In the examples I have seen the expert looks for between 10 and
15 'points of correspondence,' arches whorles and the like, between
the candidate and exemplar prints. Correspondence is a judgment
call, else the fellow wouldn't have to be an expert.
The humans seem to be trying for unique identification from a 15-bit
word, with an error-checking algorithm that is far from obvious.
Maybe some AI construct could handle this task. But, something
written in bankers' COBOL?
_Bob
------------------------------
End of HUMAN-NETS Digest
************************