dave@oldcolo.UUCP (Dave Hughes) (05/17/89)
May 16th, 1989 Senator Patrick Leahy Senate Judicial Subcommittee on Technology and Law 815 Hart Office Building Washington, DC, 20510 Honorable Chairman Leahy: I listened late tonight (1 to 2 AM MST, May 16th, CSPAN) to the entire one hour testimony of Clifford Stoll and your questions and comments on the issue of computer viruses. And I noted your statement that the Hearing was only recessed so that people could comment officially on the topic for a period of two weeks. Thus I request that this letter be considered input to your Hearings on Computer Viruses. I first want to commend you for the line of questioning and your closing remarks in which you expressed your view (in my words) that although we need to be able to deal with the problem of computer vandals that we must not be so afraid of the future that we curtail the flow of information - both scientific, business, and political -and the linking up of human genius to networks and each other. I agree completely with your balanced view of the issue, with your stress on the need for continued access and free information flow. This is important, not just for the flourishing of the 'geniuses' you refer to, and the unimpeded functioning of business and government, but also - and this is very important to the future of our society - for giving the general public - ordinary people - no matter where they are, from our smallest towns, farms and ranches to the largest cities, the greatest possible, and lowest cost access to public computer networks for purposes of employment or the pursuit of their own businesses, education and training, enjoyment of and contribution to culture, and better access to their own government and the political process. If this nation is to avoid becoming a polarized society of the 'information rich and information poor' and 'computer strong and computer weak,' laws and administrative measures aimed at preventing computer crime must not intensify the natural tendencies for institutions to put their problems before the long term interests of the public at large, for which, presumably those institutions exist. I agree generally with Clifford Stoll's testimony in which he accurately described the functioning and values of computer 'communities' at the rarified scientific level of research. But he really did not answer your question very well of "What would you do if you were in my place" for he seemed torn between wanting to trust the ethical standards of the computer community but having lost time away from his science because of a few irresponsible people, he was ready to admit there might be a need for new laws. I would like to focus the thoughts of your committee more sharply on the way I believe the general problem of legally dealing with human behavior via computer networks needs to be approached. I am neither one of the 'young geniuses' you refer to, nor a computer scientist per se, though I now enjoy an international reputation for my 10 years on hands-on-computer and modem work (4 hours a day) exploring, developing, ways at the very grass roots community and individual (not institutional) level ordinary people (not just exceptional professionals) can use computer (modem, fax, voice mail) communications to discuss and debate, online, public issues and engage in the political process, pursue both formal and informal education remotely, undertake successful small entrepenurial enterprises, enjoy cultural experiences, and all made possible by the economics, convenience of modem communications. I am a 60 year old retired military professional officer who has served in high policy, management and sensitive positions (to include Washington) so I am fully aware of the importance of dealing with the problems arising from this new medium. However, partly because I forsaw the broad and potentially beneficial impact of small digital devices linked together globally by advances in telecomunications I determined in 1977 to personally master and apply the rvolutionary new 'individual' digital tools at the grass roots community level of our society rather than at the large business, scientific, or government level. I did so on the grounds that if we learn how to make the Information Age work in middle America on main street, in small neighborhoods and schools, and for general local community purposes, not just advanced business, government, or scientific needs, or for computer elites, we will not have to fear for our future as a nation. For our strong political traditions of individual responsibility, reliance as much on community ethics and peer actions as government imposed standards, freedom of speech and of assembly, and our willingness to 'risk' the abberant behavior of some, so that the freedoms of many will not be impaired - all these have their direct counterpart in computer communications - which some have come to call, rather accurately 'virtual communities.' I have operated four 'local' dial up systems in the Old Colorado City neighborhood (population 12,000) of Colorado Springs over the past 8 years, from one line free bulletin boards to multi- user unix subscription systems (which are networked and accessible precisely the same way Mr Stoll's computers are). My 'community level' systems have been dialed into over 125,000 times, by over 12,000 different individuals. I have also spent an average of 4 hours a day online for the past 7 years - both tending my own systems and accessing other national, and international systems. In both my small business, educational and community volunteer computers, I am just as vulnerable to technical crime, vandalism, computer viruses as larger systems. I find I have been able (precisely because some societal problems are more easily dealt with at the local small scale community level than at the large, abstract, national level) to handle the abberant behavior of the few without recourse to extreme measures or the calling on law enforcement. I believe you must think very carefully and reflect in legislation the profound difference between treating 'information' on computer systems as (1) property (2) premises, or (3) speech before acting. ELECTRONIC PROPERTY - it is obvious that some data on a computer system may be property which can be stolen, destroyed or damaged. Laws designed to prevent theft, destruction, or damage to computer information are indicated here. But we understand pretty clearly in this society the concept of 'property' and applying our knowledge to computer 'property' is not difficult and the laws that are on the books and coming out seem balanced in this regard. ELECTRONIC PREMISES - a computer can be regarded as a place, which if intentionally protected by passwords or other devices intended to keep out those not authorized, can be protected by extention of laws that are designed to prevent tresspass, breaking and entering, or breach of privacy. (The Computer Privacy Act of 1976 does a pretty good job here). ELECTRONIC SPEECH - the area that is very poorly understood by those who have not used modem 'communciations' capabilities of computer systems is the activity of 'free speech' on computer systems. People become de facto members of 'virtual communities' - whether in associations of scientists such as Mr. Goddard an Astronomer with his colleages on scientific computers, or groups of local individuals who have no other institutional relationships but dial into local free 'bulletin-boards' where they socialize, debate local political issues, bypass the media to share information, conduct business or pursue personal interests and hobbies. Their activity on these systems far more can be legally defined as the practice of 'free assembly' and 'public speech' than as dealing with data as 'property' or the computer as a 'premises.' Freedom of Electronic Speech must be as jealously protected as non-electronic forms of speech are in society at large. And I urge your committe to think very carefully about the consequences of limiting such speech by laws aimed at curbing computer viruses. A piece of 'data' (as technically defined) on a computer system can be any one of the three catagories above. What makes it one or the other is less its technical description in computer terms than its relationship to the individuals who put it there, the owner/operator of the system it resides on or moves through, and either the contractual or 'understood' rules for its uses and the behavior of those who deal with it. When a dozen people dial into either a free and open local computer bulletin-board, or the 'computer conferencing' sections of a national, commercial, password-protected information service for the purpose of exchanging comments on a subject, they are engaged in a form of 'electronic assembly' and they are practicing 'electronic speech.' Speech and assembly forms , the freedom to pursue which MUST be forever protected by extension, if necessary, of appropriate Constitutional guarantees into this new medium. And this use of computer systems should not be confused with issues of 'property' or 'premise'. When a person dials into a computer system and places 'information' there which by its prior ownership, his actions to identify it as such (such as a copyright notice) or by either the specifically spelled out by the system managers or 'understood' rules that whatever he places there is private or insitutional 'intellectual property' then the laws pertaining to its protection may apply. But one must look at much more than just the 'data' to determine if it is property, or speech. There is a burden on the users of systems, and the operators of systems, to make clear what the status of (1) access to the system and (2) ownership of the data thereon is if they expect to be protected at law. Various system operators make very different rules on such matters, and they should be free to do so. Compuserve, for example, chooses to bind its users to an agreement that specifies that anything posted in its computers by subscribers becomes the property of Compuserve, and its disposal must be dealt with accordingly. I choose to state that anything posted on my dial up subscription system remains the property of those who post it there - with all the obligations and rights flowing from that. The difference is not the data, but the agreements made between system operators and their users before the users are given access. Obviously - and the application of the Electronic Privacy Act of 1986 turns on this key criteria - the question of what legal responsibility must be borne for 'breaking and entering' a computer, or transmitting a virus through a system, or stealing of data from a computer has to do with whether the operators of systems take steps to prevent access to a system unless specific permission is granted - using in the form of an assigned (not self generated) password giving access. And that the potential user of a system knows that permission is required. A system which permits uncontrolled access to its ports, or self-assigned passwords is not even covered under the Electronic Privacy Act. Nor need it be. Such computer systems are 'public' as far as privacy is concerned. Even if the system is privately owned. What makes this matter more complex however, that 'parts' of a computer system, or network may be open to the outside public, or closed. In my own case, so that no person in the community is denied access by reasons of cost, to our discussions about public issues, I permit one port (719-632-3391) of our 'Old Colorado City Electronic Cottage' to be free, with self-assigned access to the 'Roger's Electronic Bar' political debate section. Regular subscribers to my service use other ports (and phone numbers) have to be issued a password specifically by us before gaining access, and are responsible for security of their passwords, They also have e-mail, (and access to the global network which was affected by the virus in November), private file spaces, and other conferences which cannot be accessed by the public. But they can go inside the 'Rogers Bar' section too, on the same computer. But when they do they understand that their remarks are not private, what they post there, unless they specifically designate it by copyright notice or other statement, is free to be copied and used by others, and the Electronic Privacy Act does not apply. Law enforcement agencies are as welcome to that section as anyone else. Thus inside one system the rules - and laws are different depending on rights of access. If a person stole or guessed a password on my system, and then used it to propegate a virus throughout the Internet, by his acts of illegal entry into the system in the first place he could be prosecuted. He 'broke and entered.' If he already is a legitimate subscriber, and promulgated a virus through the system, whether or not he did anything illegal depends as much on whether he further breached security whose intentions are to prevent access, or whether he used a feature which he had no reason to believe was prohibited, and of course whether what he did caused damage to others on other systems. Thus you must constantly struggle to craft any laws in terms that recognizes that individual computers and networks are themselves multi-faceted and you cannot simply deal with a computer as one legal entity for these purposes. I have found that when the focus shifts from the 'computer' and 'network' itself as physical entities and more deals with the 'computer communities' and behavior, intentions, prudent actions of the adminstrators and users to protect themselves, inform others of the status of access, data, users, and groups of users that it is far easier - by extention - to apply the laws and precedences of the past with respect to property, premises, and speech. Another extremely important fact to keep in mind is that access to computers and information networks will have to be supplied by the same institutions which historically we have created to give people 'access' to knowledge - schools and libraries. Not everyone will own their own personal computers, modems, or even phones. But we can insure that all have access if schools,. libraries and other public agencies (possibly even the Post Offices of the future) own computers and terminals and give the public free, or lowest possible shared cost access. Your laws must be sensitive to the different circumstances of this sector of 'public' computers and public access too. I am extremely sensitive to the potential for 'Electronic Democracy' in making it at once easier, cheaper, and more effective for individuals to participate in the political process than currently. We have made great progress here in Colorado Springs in the serious practice of Electronic Democracy - and both private, and public dial up systems participate vigerously. Many of us want to see no law which suffocates that promising potential. For we have serious problems in America with the costs and complexities of public participation in the political process. Mass media has introduced as many problems as it has solved. These new personal tools can help, so long as the public Highways of the Mind are not turned into highly restrictive or closed routes. My start point when thinking about freedoms and restrictive laws pertaining to computers is to realize that if we turned the clock back 200 years, Benjamin Franklin would have been the first owner of a microcompter, probably an Apple, and would have been considered a hacker. Thomas Jefferson would have written the Declaration of Independence on a wordprocessor, probably a corporate IBM PC. But Thom Paine would have first published 'Common Sense' on a pirate bulletin board. And I for one do not want the corporate or government Kings George to tread on my cursor. We must preserve Freedom of Electronic Speech. I have a request to make. And a suggestion. In answer to your question of Clifford Stoll "What would you do if you were me." One method of dealing with the growing problem of computer crimes and mischief, some of it not fully intended by its perpetrators, is the education of computer communications users to these issues. Clifford Stoll admitted he never really thought about the problem until he was affected by it. In my very extensive experience online (I calculate I have read over 13,000,000 words on hundreds of systems, and produced probably 1,000,000 words of my own online) I find that there is little knowledge of even the appropriate laws and regulations which apply. A direct, simple, timely and cheap method for assisting in the progressive sensitization and education of computer network users is to put transcripts of applicable hearings and Federal debate over these issues out over the Network! And to make it far easier and cheaper for the computer-modem owning public to dial up central systems which contain the applicable laws and regulations that everyone is supposed to know! Relying solely on mass media and press, or the Congressional Record to convey this information, is no longer necessary. And given the nature of the culture of computer networkers, it would be far more to the point to 'publish' electronically these laws, and make it cheap and easy for any modem-owing citizen to access them, and even hold online discussions about them in forums hosted by knowledgable public officials. I suggest that the Congress initiate by law and funding - perhaps through the Library of Congress - a dial-up network which carries the full text of all laws pertaining to computer crime and associated matters. Ideally the access should be free to the public. Secondarily, however, a transcript of the hearings you are holding on the specific issue of Computer Viruses, could be put out over Usenet (Internet, Usenet, and academic Bitnet) for reading by the online population. I believe, for example, that the excellent and informative one-hour interchange between you and Clifford Stoll at the Monday, May 15th Hearing would be widely read on the network - which at least one half million persons on 14,000 computers use regularly. Since the rate of 'information exchange' at your oral hearings was approximately 120 oral words per minute, about 7,200 words were uttered. In an online Ascii form that entire hour can be scanned at 1200 baud in 6 minutes, read carefully and completely in 15 minutes, and occupy less that 24k of file space on any computer. In terms of Usenet in which over 5 megabytes of information is generated daily, that is a drop in the bucket. If your staff does not know how to do this, I would gladly volunteer to take a floppy disk with the transcript in ascii form and disemminate it over the network myself from my local system from Colorado Springs. It would take little effort and practically no cost. But in any case I do request that your staff send me a floppy disk in msdos form, of a transcript of the hearing, and any amplifying comments, so that I may post it on my own local computer system for the free education and enlightenment of those thousands of local callers to local systems where such issues are discussed every day. Many of us who use and administer public systemd can do our part in this important task of education/sensitizing the online culture to the issues. We might as well use the networks where the problems are to disseminate the general societal solutions, as well as technical ones. The Federal government could be doing a lot more than it is now in using the new technologies to both publicize its deliberations, solicit public input, and disseminate its decisions. When the computer-using public has had a chance by the means I have outlined above to learn about, discuss and debate, and take their own 'virtual community' actions to prevent and deal with computer crimes, and that method proves insufficent, then the time for new legislation may be at hand. But until they have had such a chance, informed by the valuable content of your hearings, I for one am reluctant to lead with new laws. By the way, I am posting this letter to you on several networks, urging readers to consider airing their views to your committee before you terminate the hearings. Thank you David R Hughes 6 N 24th Street Colorado Springs, Colorado 80904 719-636-2040 (voice) 719-632-3391 (modem) -- Dave Hughes Old Colorado City Communications "It is better to light one screen than cursor the darkness" hp-lsd!oldcolo!dave Bill Robinson
peter@ficc.uu.net (Peter da Silva) (05/20/89)
In article <154@oldcolo.UUCP>, dave@oldcolo.UUCP (Dave Hughes) writes: > A system > which permits uncontrolled access to its ports, or self-assigned ^^^^^^^^^^^^^ > passwords is not even covered under the Electronic Privacy Act. ^^^^^^^^^ > Nor need it be. Such computer systems are 'public' as far as > privacy is concerned. Even if the system is privately owned. What possible relationship does this have to do with coverage under the Electronic Privacy Act? Every UNIX system on the net permits users to assign their own passwords. It is ludicrous to presume that the existence of a "Password" command should have anything to do with the public nature of a system. Either you're confusing passwords with accounts, or the EPA is grossly misdesigned, or you're misinterpreting it. -- Peter da Silva, Xenix Support, Ferranti International Controls Corporation. Business: uunet.uu.net!ficc!peter, peter@ficc.uu.net, +1 713 274 5180. Personal: ...!texbell!sugar!peter, peter@sugar.hackercorp.com.
gdhour@well.UUCP (Grateful Dead Hour) (05/22/89)
May 22, 1989 Senator Patrick Leahy Senate Judicial Subcommittee on Technology and Law 815 Hart Office Building Washington, DC, 20510 Honorable Chairman Leahy: As a participant in several computer-mediated "online communities" and a concerned observer of our government's efforts to deal with the impact of advancing technology on the lives of the citizens, I watched with interest your conversation Clifford Stoll last week. (I should note that I got word of C-SPAN's live broadcast immediately after it began, via a message on a public computer system.) I am writing to voice a hearty "amen" to a May 16 letter to you from David Hughes of Old Colorado City Communications (a copy of which is enclosed in case it eluded your attention). Hughes posted a copy of the letter on a public- access computer system to which we both subscribe. Dave Hughes' assessment of the issues raised by improvements in connectivity - particularly the three distinct states of online information environments to which he refers ("property," "premises," and "speech") - makes an eloquent case for the importance of these new media in amplifying the voice of the private citizen, so often drowned out in the political arena by the roar of business, government and the military. I am impressed by the open-mindedness you evinced in the hearing. I am not at all sure, though, that the government at large will be so reasonable as these matters progress toward legislation. Over the years I have observed the steady degradation of long-standing concepts of the rights of individuals (and thus the rights of small communities); for example, we may soon find ourselves incarcerating an alarming percentage of our population over the contents of their bloodstreams, which (to my mind and heart) the constitution ostensibly protects under the umbrella of privacy. Having failed to harness the outlaw economy of drugs, the government seems willing, even determined, to sacrifice what it purports to hold in highest esteem: liberty, and privacy - the primacy of citizen over establishment. To which I ask, gamely: cui bono? Culturally, and politically and geographically, Dave Hughes and I are half a continent apart. We have never met face to face, but we have engaged in constructive discourse on many subjects and I have immense respect for his leadership in the quest to re-empower our citizens by promoting communication among ourselves and between the government and the governed. The electronic highways used by Dave Hughes, Clifford Stoll and their colleagues (and myself) are a bloodstream of another sort, vital to this new collective organism and vulnerable to misbegotten regulation. Overzealous regulation of the computer nets could be very costly in the long run. It is entirely possible that our next Edison will be not one person but three or four or five "isolated" individuals who never meet in the flesh but share effort and inspiration in a virtual laboratory that exists only when their computers connect over those phone lines. Sincerely, David Gans encl. -- Grateful Dead Hour well!gdhour@lll-lcc.arpa David Gans {pacbell,hplabs,lll-crg,apple}!well!gdhour Truth and Fun, Inc. 484 Lake Park Ave #102, Oakland CA 94610
dave@well.UUCP (Dave Hughes) (05/24/89)
In article <4246@ficc.uu.net>, peter@ficc.uu.net (Peter da Silva) writes: > In article <154@oldcolo.UUCP>, dave@oldcolo.UUCP (Dave Hughes) writes: > > A system > > which permits uncontrolled access to its ports, or self-assigned > ^^^^^^^^^^^^^ > > passwords is not even covered under the Electronic Privacy Act. > ^^^^^^^^^ > > Nor need it be. Such computer systems are 'public' as far as > > privacy is concerned. Even if the system is privately owned. > > What possible relationship does this have to do with coverage under the > Electronic Privacy Act? Every UNIX system on the net permits users > to assign their own passwords. It is ludicrous to presume that the > existence of a "Password" command should have anything to do with the > public nature of a system. > > Either you're confusing passwords with accounts, or the EPA is grossly > misdesigned, or you're misinterpreting it. > -- Well, what I was trying to put into layman language was the fact that, according to the Electronic Privacy Act, the managers of systems have to prevent 'ready access' to their system for it to be considered a 'private' system. i.e. if one can just dial a numebr, get a modem connect, having never dialed it before, and get into the system without anybody's permission the system is not a closed system. One typical way is to have either no passwords required, or to permit the first time caller to assign himself an id and a password and then to have full access. Without a sysop individually approving his access (or giving him an 'account'). Which means that anyone can log on. Which then makes it public, not private. Thus not covered under the Electronic Privacy Act. There was a major debate over just what electronic forms could be covered under the act. Radio was a major debate. No matter what the 'intent' of the broadcaster, the broadcast was public unless is was scrambled in some way, so there was a physical effort to deny access without deliberate permission. Maybe you have some fancier words for all that - ones that Congressmen will understand who don't 'do modems'?
peter@ficc.uu.net (Peter da Silva) (05/24/89)
In article <11813@well.UUCP>, dave@well.UUCP (Dave Hughes) writes: > In article <4246@ficc.uu.net>, peter@ficc.uu.net (Peter da Silva) writes: > > In article <154@oldcolo.UUCP>, dave@oldcolo.UUCP (Dave Hughes) writes: > > > A system > > > which permits uncontrolled access to its ports, or self-assigned > > ^^^^^^^^^^^^^ > > > passwords is not even covered under the Electronic Privacy Act. > > ^^^^^^^^^ > > Either you're confusing passwords with accounts, or the EPA is grossly > > misdesigned, or you're misinterpreting it. > If one can just dial a numebr, get a modem > connect, having never dialed it before, and get into the system > without anybody's permission the system is not a closed system. Well, I hope the act uses language that reflects that meaning instead of talking about self-assigned passwords. > One > typical way is to have either no passwords required, or to permit > the first time caller to assign himself an id and a password and > then to have full access. Exactly. Assign himself an ID and a password. We don't let people set up their own ids, but forcing them to use system-assigned passwords would reduce security, not enhance it. The password by itself is not a key. You need a password and a valid account id. And you need the old password to change the new one. > Maybe you have some fancier words for all that - ones that > Congressmen will understand who don't 'do modems'? "User id and password"? "Self-assigned accounts"? "Automatically assigned accounts?" Just what precisely does the act say about this? -- Peter da Silva, Xenix Support, Ferranti International Controls Corporation. Business: uunet.uu.net!ficc!peter, peter@ficc.uu.net, +1 713 274 5180. Personal: ...!texbell!sugar!peter, peter@sugar.hackercorp.com.
arossite@oracle.uucp (Bruce Rossiter) (05/24/89)
! sittetetuce Me{{{|<1<1<}s ininiiy-CCpsfnomomo: R +iri000DsiitN666e@ess 2W=||si666plplpDA< DADAeenBrueTTTH@o16sBruT e DAFp>. DA DA @fYYVYYVYL DAle.omp13e@q8ororoDAivsiGsiGs
sparks@corpane.UUCP (John Sparks) (05/25/89)
In article <4246@ficc.uu.net> peter@ficc.uu.net (Peter da Silva) writes: >In article <154@oldcolo.UUCP>, dave@oldcolo.UUCP (Dave Hughes) writes: >> A system >> which permits uncontrolled access to its ports, or self-assigned > ^^^^^^^^^^^^^ >> passwords is not even covered under the Electronic Privacy Act. > ^^^^^^^^^ >> Nor need it be. Such computer systems are 'public' as far as >> privacy is concerned. Even if the system is privately owned. > >What possible relationship does this have to do with coverage under the >Electronic Privacy Act? Every UNIX system on the net permits users >to assign their own passwords. It is ludicrous to presume that the >existence of a "Password" command should have anything to do with the >public nature of a system. > >Either you're confusing passwords with accounts, or the EPA is grossly >misdesigned, or you're misinterpreting it. >-- >Peter da Silva, Xenix Support, Ferranti International Controls Corporation. > >Business: uunet.uu.net!ficc!peter, peter@ficc.uu.net, +1 713 274 5180. >Personal: ...!texbell!sugar!peter, peter@sugar.hackercorp.com. Peter, By self-Assigned Passwords I think he is refering to those BBS's that when you first log into them they tell you to "enter your name or type New" And when you type New, they give you a password for future logins and then give you full access to their system, without doing a security check on you. In other words: The BBS creates the account for you without checking you out. These systems can be considered completly public because the passwords are only to provide a means of separating users and not as a means of keeping people off of the system in general. Anyone can get on just by typing 'New' and get a password. Many BBS's will not do this anymore. They will allow you to log into a temporary account and read about the BBS and leave your name and phone number. The Sysop then decides whether to let you on or not. Most times he will call you up and verify your phone number and then give you your password. -- John Sparks | {rutgers|uunet}!ukma!corpane!sparks | D.I.S.K. 24hrs 1200bps [not for RHF] | sparks@corpane.UUCP | 502/968-5401 thru -5406 I fear explanations explanatory of things explained.
peter@ficc.uu.net (Peter da Silva) (05/27/89)
In article <675@corpane.UUCP>, sparks@corpane.UUCP (John Sparks) writes: > In article <4246@ficc.uu.net> peter@ficc.uu.net (Peter da Silva) writes: > >In article <154@oldcolo.UUCP>, dave@oldcolo.UUCP (Dave Hughes) writes: > >>[system with self-assigned passwords not covered under ECPA] > >Either you're confusing passwords with accounts, or the ECPA is grossly > >misdesigned, or you're misinterpreting it. > Peter, > By self-Assigned Passwords I think he is refering to those BBS's that when you > first log into them they tell you to > "enter your name or type New" > And when you type New, they give you a password for future logins... I'm familiar with this scheme. TBBS still uses it... I recall that a local religious-oriented board had a bit of trouble a few years back when a bunch of self-styled satanists guessed passwords like "jesus" and "mary". This is the problem with confusing passwords and accounts. Anyway, what you're saying here is that he is confusing passwords and accounts. Or the ECPA is written so it confuses passwords and accounts. If the latter, the ECPA is grossly misdesigned. -- Peter da Silva, Xenix Support, Ferranti International Controls Corporation. Business: uunet.uu.net!ficc!peter, peter@ficc.uu.net, +1 713 274 5180. Personal: ...!texbell!sugar!peter, peter@sugar.hackercorp.com.
dave@well.UUCP (Dave Hughes) (05/27/89)
You may flip off th eElectronic Privacy Act as 'badly designed' but it sure is better than the total vacuum which preceeded it. One woman lawyer in the midwest was a user of a bulletin-board. She got into a dispute witht he Sysop, via private mail to him. He made their private correspondence public online. She sued him under the EPCA for $50,000. The betting is she will win. The EPCA is quite enforcable on computer systems. And it *ALSO* insures that the local police deaprtment cannot call me up and say "hey we suspect this guy of doing bad things. Turn over your tapes to us." They would, according to the terms of the law, go to court, show probable cause, and depend on whether a judge agreed with them enough to approve a warrant. Which is the only instument I have to honor. It also says that, as a sysop, I *may*, if I detect illegal activites online, turn that over to law enforcement. I am not compelled to. I say that is pretty sensible start on electronic privacy. As for cordless phones - pretty tough to 'include' them when they can be intercepted and there is no encrptian of the traffic. Which means it is public by definition. Anybody *accidentally* can intercept it. (which means, if they were included, the accidental interception would be illegal. *That* is pretty stupid.) Dave Hughes dave@oldcolo.uucp
peter@ficc.uu.net (Peter da Silva) (05/29/89)
In article <11853@well.UUCP>, dave@well.UUCP (Dave Hughes) writes: > As for cordless phones - pretty tough to 'include' them when > they can be intercepted and there is no encrptian of the traffic. The same is true of Cellular, I believe, and they *are* included. I heard that the whole cellular/cordless stuff was an attempt to head off an alternate mobile phone system. -- Peter da Silva, Xenix Support, Ferranti International Controls Corporation. Business: uunet.uu.net!ficc!peter, peter@ficc.uu.net, +1 713 274 5180. Personal: ...!texbell!sugar!peter, peter@sugar.hackercorp.com.
sparks@corpane.UUCP (John Sparks) (06/01/89)
<11853@well.UUCP> Sender: Reply-To: sparks@corpane.UUCP (John Sparks) Followup-To: Distribution: usa Organization: Corpane Industries, Inc. Keywords: In article <11853@well.UUCP> dave@well.UUCP (Dave Hughes) writes: > > As for cordless phones - pretty tough to 'include' them when >they can be intercepted and there is no encrptian of the traffic. >Which means it is public by definition. Anybody *accidentally* can >intercept it. (which means, if they were included, the accidental >interception would be illegal. *That* is pretty stupid.) >Dave Hughes >dave@oldcolo.uucp But what you call "stupid" for cordless phones is exactly the way it is now with cellular phones. There is no encription of the data and you can intercept them easily. It is said to be legal to 'accidentally' intercept cellular phones but strictly illegal to purposefully eavesdrop on them. So why aren't cordless phones included? eh? It's the same situation on a different frequency and a shorter range. Personally I think if they don't want people listening in on phones they should scramble the signal so you can't listen in. The burden should be on the phone manufacturers and the phone company, not the public. If the radio waves come into my house uninvited and unscrambled then I should have the right to listen to them. Laws shouldn't be passed to make listening illegal. That's working from the wrong end. It takes away from our freedom. I have no qualms about someone wanting to protect their information. But if they are using radio, they should take precautions to encode the information to keep it private, not make it illegal to listen. First, that doesn't stop anyone who wants to listen from listening. It just lulls them into thinking that just because it's illegal to listen in that no one will do it. The information is still unscrambled and out there for anyone to listen to. The problem with the laws that regulate electronic information is that the lawyers that write and pass the laws don't know anything about the technology they are trying to regulate. They hear horror stories and watch late night sci- fi thrillers about killer robots and computer conspiracy and decide that they are going to save the world with new laws. But what they really end up doing is limiting our freedoms. -- John Sparks | {rutgers|uunet}!ukma!corpane!sparks | D.I.S.K. 24hrs 1200bps [not for RHF] | sparks@corpane.UUCP | 502/968-5401 thru -5406 Beware of quantum ducks: Quark, Quark.
desnoyer@Apple.COM (Peter Desnoyers) (06/03/89)
In article <729@corpane.UUCP> sparks@corpane.UUCP (John Sparks) writes: > [illegality of receiving cellular phone calls] > >I have no qualms about someone wanting to protect their information. But if >they are using radio, they should take precautions to encode the information to >keep it private, not make it illegal to listen. First, that doesn't stop anyone >who wants to listen from listening. It just lulls them into thinking that just >because it's illegal to listen in that no one will do it. The information is >still unscrambled and out there for anyone to listen to. I was recently at an event billed as an "art performance" where the sound system - during idle periods - was playing a mixture of odd music such as marches and bagpipes, and telephone calls. From the instructions an operator gave at one point, I believe the calls were cellular phone calls being "illegally" tapped. Not exactly what the caller intended when they dialed... Peter Desnoyers
barmar@think.COM (Barry Margolin) (06/03/89)
In article <729@corpane.UUCP> sparks@corpane.UUCP (John Sparks) writes: Re: Electronic Communication Privacy Act >So why aren't cordless phones included? eh? It's the same situation on a >different frequency and a shorter range. I think the shorter range has a lot to do with it. Someone can't just set up a single receiver and start tapping into the cordless phone conversations of everyone in town. Were cordless phones even discussed when drafting the law? If not, then it seems to me that the reason they aren't included is that no one thought to bring the issue up, rather than that the lawmakers specifically wanted to allow cordless phone eavesdropping. >Personally I think if they don't want people listening in on phones they should >scramble the signal so you can't listen in. The burden should be on the phone >manufacturers and the phone company, not the public. If the radio waves come >into my house uninvited and unscrambled then I should have the right to listen >to them. Laws shouldn't be passed to make listening illegal. That's working >from the wrong end. It takes away from our freedom. Just because you CAN listen, doesn't mean that you have the right to listen. If I leave my door unlocked that doesn't give you the right to walk in uninvited. I'm not required to put a lock on my mailbox, yet it is still illegal for someone to look at my mail. And the phone company isn't required to scramble their signals (some of which go through microwave links, i.e. through the "public" air), yet it is illegal to put on a wire tap. The business of laws is to tell people that certain things that they are capable of doing are not considered right. Intentionally listening in on phone conversations is considered wrong, so why should it be the burden of the users to scramble their data. Also, even if the data is scrambled, it's possible for eavesdroppers to get descramblers. I hope you don't think it should be legal for them to listen and descramble. >It just lulls them into thinking that just >because it's illegal to listen in that no one will do it. Come on, give people the benefit of some intelligence. Everyone knows it's illegal to steal, but we all know that theft occurs. But we also know that if we catch someone doing it, we can send them to jail. >But what they really end up doing is >limiting our freedoms. I agree that it is a good idea for cellular phone companies to scramble their signals. But I don't think anyone has a RIGHT to listen to my phone conversation, scrambled or otherwise. Therefore, I don't think phone companies should be REQUIRED to scramble their signals. Barry Margolin Thinking Machines Corp. barmar@think.com {uunet,harvard}!think!barmar
lnewman@emdeng.Dayton.NCR.COM (Lee.A.Newman) (06/06/89)
In article <21465@news.Think.COM> barmar@kulla.think.com.UUCP (Barry Margolin) writes: >In article <729@corpane.UUCP> sparks@corpane.UUCP (John Sparks) writes: >Re: Electronic Communication Privacy Act > >>Personally I think if they don't want people listening in on phones they should >>scramble the signal so you can't listen in. The burden should be on the phone >>manufacturers and the phone company, not the public. If the radio waves come >>into my house uninvited and unscrambled then I should have the right to listen >>to them. Laws shouldn't be passed to make listening illegal. That's working >>from the wrong end. It takes away from our freedom. > >Just because you CAN listen, doesn't mean that you have the right to >listen. If I leave my door unlocked that doesn't give you the right >to walk in uninvited. Incorrect. If my car breaks down outside your house, I have the right to come up to your house and talk to you. If you do not come to the door, I can take reasonable steps to find you. If I see your wallet on the table, or your chicken in its coop, I cannot take it. Do you see the difference? I'm not required to put a lock on my mailbox, >yet it is still illegal for someone to look at my mail. Exactly correct. One is a passive activity, and the other is active. If you consciously go onto my property (or the Post Offices's property) and look at my mail, you are violating a good law. If the Post Office sends you someone else's mail, and you open it without noticing the addressee, should you be put in jail? Obviously, no, because you took no action PURPOSELY on someone elses property. the phone >company isn't required to scramble their signals (some of which go >through microwave links, i.e. through the "public" air), yet it is >illegal to put on a wire tap. It is only illegal to attach an item to the phone which records. I can put a very sensitive microphone on my cassette deck, which is sensitive enough to record phone calls, and be perfectly legal (Note I am sidestepping the problem of placing the mike on someone else's property). > >The business of laws is to tell people that certain things that they >are capable of doing are not considered right. This statement is completely wrong. [No flame intended. Explanation follows] Many people, including an awful lot of politicians, feel the way you do. Unfortunately, such a misconception of the purpose of law is becoming so widespread that many other people are also beginning to beleive it. The following definition of law vs. moral should clear the air. Law: Minimum standard of behavior. Moral: Maximum standard of behavior. Think about that for a minute or two. Maybe a little bit longer. There are millions of things that are not right to do. Only a minute percentage of them are illegal to do. Do you really want someone to be able to put you in jail, or fine you, or take away your right to vote*, if you do something which THEY consider to be wrong? Think about that. How many laws do you disagree with? Intentionally >listening in on phone conversations is considered wrong, so why should >it be the burden of the users to scramble their data. You consider it to be wrong. I consider it to be wrong. But I do not want the government able to tell me which frequencies I can have a receiver. Think about that. Right now, it seems absurd to expect the FCC Police to come into your home and verify that your receiver cannot receive certain frequencies. Such a thought, however, does not seem to be too unreasonable 30, or 50 years from now. >>It just lulls them into thinking that just >>because it's illegal to listen in that no one will do it. [Stuff about scrambling signals deleted] > >>But what they really end up doing is >>limiting our freedoms. VERY WELL SAID > >I agree that it is a good idea for cellular phone companies to >scramble their signals. But I don't think anyone has a RIGHT to >listen to my phone conversation, scrambled or otherwise. Therefore, I >don't think phone companies should be REQUIRED to scramble their >signals. If you, or your phone company sends signals onto my property, I DO HAVE THE RIGHT to receive these signals. If you don't want me to receive them, do something to prevent me from receiving the signals. * My senator, Sen. Metzenbaum, beleives that no citizen of the United States should be able to own a gun. He has stated so repeatedly. He currently is proposing a bill which would require me to submit to an FBI background check, then let some Federal bureeaucrat decide, based on that check, if I can legally own a semiautomatic gun. Then I get to pay a $200 tax, and I have to ask permission every time I cross a state line with it. If I decide that this law is one I will not obey, I will be thrown in jail, without the protections of the criminal code (such a being presumed innocent ) as the law is written as a violation of civil code, rather than criminal code. Oh, I forgot... ANY PERSON FOUND GUILTY WILL LOSE HIS RIGHT TO VOTE FOREVER. This is the basis of why I beleive the way I do. Prevent your government from thinking that they need to look (or approve) your receiving equipment . ALL receiving equipment is legal and should remain so... forever. Lee Newman lnewman@emdeng.dayton.NCR.com
childers@avsd.UUCP (Richard Childers) (06/09/89)
barmar@kulla.think.com.UUCP (Barry Margolin) writes: >sparks@corpane.UUCP (John Sparks) writes: >Re: Electronic Communication Privacy Act >>So why aren't cordless phones included? eh? It's the same situation on a >>different frequency and a shorter range. Because the government already has a well-established base of equipment for listening to such transmissions, and doesn't want to outlaw itself. Just us. >I think the shorter range has a lot to do with it. Someone can't just >set up a single receiver and start tapping into the cordless phone >conversations of everyone in town. What ever happened to those notes of Nikola Tesla ? The ones that the U. S. Government seized for reasons of national security ? You think they didn't read them ? And why haven't they been published ? I hear they've got listening to the electronic noise generated by CPUs down to such a fine art that people whom take security seriously - like the U. S. Government - place their CPUs in lead-lined safes. Why do you suppose that is ? ( Those buss lines make fine antennae, I hear ... ) >>... I think if they don't want people listening in on phones they should >>scramble the signal so you can't listen in. The burden should be on the phone >>manufacturers and the phone company, not the public. If the radio waves come >>into my house uninvited and unscrambled then I should have the right to listen >>to them. Laws shouldn't be passed to make listening illegal. That's working >>from the wrong end. It takes away from our freedom. >Just because you CAN listen, doesn't mean that you have the right to >listen. If I leave my door unlocked that doesn't give you the right >to walk in uninvited. I'm not required to put a lock on my mailbox, >yet it is still illegal for someone to look at my mail. And the phone >company isn't required to scramble their signals (some of which go >through microwave links, i.e. through the "public" air), yet it is >illegal to put on a wire tap. This is blatant sophistry. A mailbox doesn't permeate the entire ecosphere, and microwaves travel in a line of sight. You have to work hard to get into the line of sight, and you stand a good chance of getting irradiated in the process. Can we see an example more true to the circumstances, as opposed to being true to the desired outcome of the discussion ? >Also, even if the data is scrambled, it's possible for eavesdroppers >to get descramblers. I hope you don't think it should be legal for >them to listen and descramble. Right. You make it sound like a scrambler is like a modem. The whole idea of a scrambler is that it's _damned hard_ to descramble it. It takes brains and hardware even to make a start, you can't do it with pencil and paper. Which is why Uncle Slime (tm) doesn't want you scrambling your conversation. Or encrypting your files. So they can have free access to anything without fail. In many ways, this represents a power trip on the part of the government and its agents, a function of hiring people whom believe they have not only a right, but a responsibility, to invade your privacy so as to insure that you are no threat to them, under the doddering twin premises that (a) if you have nothing to hide, you have nothing to be afraid of, and (b) what you don't know won't hurt you. >Come on, give people the benefit of some intelligence. Everyone knows >it's illegal to steal, but we all know that theft occurs. But we also >know that if we catch someone doing it, we can send them to jail. Interception is separate from stealing. If you send mail to my house, I have no responsibility to deliver it, and making it a law instead of tightening the circumstances around delivery of letters is plain laziness on the part of all concerned with correct delivery of mail. If there's a line of people concerned with correct delivery of mail, the people _not_ at the address have no reason to be in that line. They'll be at the tail end, if anywhere. I read private mail several times a week. Occasionally I am amused or intrigued by what I read in bounced mail that's delivered to 'postmaster', but I don't think a law telling me I can read the header but not the contents would be helpful in guaranteeing that the mail arrived. I deliver it because it's the right thing to do, because it's my job ... and I read it because I need to decide whether it needs to be forwarded manually. To assume machiavellian tendencies without substantial proof is to engage in outrageous projections of your fears upon my person. The fact that you are able to get it encoded as a law that I must obey under penalty of imprisonment doesn't do anything to lessen the psychological abberation(s) at the heart of such an assumption on your part. No, this evaluates to coercion on the part of politically powerful people, to avoid taking responsibility for the communications they initiate, instead they abuse the system to make everyone responsible for their private doings. What a crock of feces. >>But what they really end up doing is limiting our freedoms. And thus expanding theirs. Sounds kind of like a parasitic relationship to me. >I agree that it is a good idea for cellular phone companies to >scramble their signals. But I don't think anyone has a RIGHT to >listen to my phone conversation, scrambled or otherwise. Therefore, I >don't think phone companies should be REQUIRED to scramble their >signals. I disagree. The aether is in the public domain, by the laws of nature, and any effort to make it appear otherwise will only facilitate arresting lots of talented and intelligent people. The trucks puttering around, scanning for people receiving on frequencies they aren't supposed to - a la World War II's Nazi-occupied territories and the Cold War countries we supposedly detest for their complete lack of freedoms - will be paid for by your tax dollars. Presumably the government - or selected members of it - feel their position of power will be secured if they arrest everyone who disagrees. Much like what's happened - and continues to happen - in South America. What this comes down to is a not-so-subtle attempt to convict The People without establishing guilt first. It's an old trick. They've already got it well established in traffic court, police have a ticket quota based upon the unreasonable and unproven assumption that a statistical percentage of the population is already guilty - what's known as the Napoleonic Code of Justice, you're presumed guilty until proven innocent. The Constitution is exactly as good as your intentions to stick with it, no matter how hard the going gets. Taking the easy way out is simple to do, but the long-term consequences of your unwillingness to protect the U. S. Constitution are sure to come back and haunt you, too, eventually. >Barry Margolin >Thinking Machines Corp. -- richard -- * "We must hang together, gentlemen ... else, we shall most assuredly * * hang separately." Benjamin Franklin, 1776 * * * * ..{amdahl|decwrl|octopus|pyramid|ucbvax}!avsd.UUCP!childers@tycho *
morris@jade.jpl.nasa.gov (Mike Morris) (06/13/89)
In article <32205@apple.Apple.COM> desnoyer@Apple.COM (Peter Desnoyers) writes: > >I was recently at an event billed as an "art performance" where the >sound system - during idle periods - was playing a mixture of odd >music such as marches and bagpipes, and telephone calls. From the >instructions an operator gave at one point, I believe the calls were >cellular phone calls being "illegally" tapped. Not exactly what the >caller intended when they dialed... > Probably cordless phones. Most of the cheap wireless microphones (and even some of the expensive ones) use 45-50mhz, 152mhz, or 158mhz. The cordless phones use 46 & 49mhz channels, and the older IMTS mobile phones have 6 channels in the 152-158 mhz range. Since the wireless mikes have low power and rotten antennas, and are built to a price rather than to a performance spec they need sloppy, broad and sensitive (but selectivity costs money) receivers. Hence the receivers pick up everything when the mikes are turned off between numbers (to save batteries). Somebody forgot to tell the sound man to shut off the wireless mike channel when it wasn't being used. US Snail: Mike Morris UUCP: Morris@Jade.JPL.NASA.gov P.O. Box 1130 Also: WA6ILQ Arcadia, Ca. 91006-1130 #Include disclaimer.standard | The opinions above probably do not even
desnoyer@Apple.COM (Peter Desnoyers) (06/14/89)
In article <1340@jato.Jpl.Nasa.Gov> morris@jade.Jpl.Nasa.Gov (Mike Morris) writes: >In article <32205@apple.Apple.COM> desnoyer@Apple.COM (Peter Desnoyers) writes: >> >>I was recently at an event billed as an "art performance" where the >>sound system ... [was playing music & possibly intercepted cellular calls] >> >Probably cordless phones. Most of the cheap wireless microphones (and even >some of the expensive ones) use 45-50mhz, 152mhz, or 158mhz. The cordless >phones use 46 & 49mhz channels, and the older IMTS mobile phones have 6 channels >in the 152-158 mhz range. Since the wireless mikes have low power and rotten >antennas, and are built to a price rather than to a performance spec they need >sloppy, broad and sensitive (but selectivity costs money) receivers. Hence >the receivers pick up everything when the mikes are turned off between numbers >(to save batteries). Somebody forgot to tell the sound man to shut off the >wireless mike channel when it wasn't being used. > >US Snail: Mike Morris UUCP: Morris@Jade.JPL.NASA.gov > P.O. Box 1130 Also: WA6ILQ > Arcadia, Ca. 91006-1130 >#Include disclaimer.standard | The opinions above probably do not even Nah. It was clearly intentional - the phone calls were mixed louder than the background music. When the music went away for the performance, the phone calls went away. Some of the phone calls at the end of the show had been put through a tape loop. Peter Desnoyers