From caf-talk Caf Aug 24 04:32:23 1992
Newsgroups: alt.comp.acad-freedom.talk
From: eda816a@monu1.cc.monash.edu.au (H. Nguyen)
Subject: IF_ONLY_OUR_PARENTS_TAUGHT_US_DIFFERRENTLY
Message-ID: <1992Aug24.070708.2529@monu1.cc.monash.edu.au>
Date: Mon, 24 Aug 1992 07:07:08 GMT
To allll of my dear earth friends....
I have heard of the death of the Vietnamese student, Luyen' as the result of
racial discrimination. I feel so disgrace as a human being myself. So I decided
to raise this article, which I never intended to do, because I don't want to
feel like a preacher.
According to sociology and psychology, we human beings tend to interprete the
world and react under certain circumstances accordingly to our experiences. In
another word, we behave according to the data within our skulls (the natural
computers), we reason upon the data installed in our heads and carry out
actions accordingly,
So, what is it in your skulls ?
what have your parents, teachers...etc been teaching you ?
IF ONLY OUR PARENTS TAUGHT US DIFFERENTLY !!!!!
"If only our parents taught us differrently", that is my subject of this
little article. If only our parents taught us differrently so that we could be
friends, so that we could all be friends. Instead, our parents taught us
wrongly. They taught us to be differrent from each other -therefore the cause
of racism, and that goes with my parents as well, I have to admit. That 's
what happens to all of us ever since of the foundation of civilisations.
I was a misery refugee when I left my family at the age of 13, and it was
horrible time of my life. Life was very hard and I had to grow up early or
abnormal as some may see. When I came to Australia, I felt really isolated,
because it was a differrent culture for me. I knew that it was time for me to
abdapt to this newly culture.
"Abdapt" is abdapt which takes times, education, insight..etc. It just doesn't
happen a day or two. All the open-minded understand this things. Any way my
point is that, we should teach our chidren that we are of the same kind. The
only different between us is our cultures. Which means our ways of thinking
and seeing things that are different. These differrences is the result of the
nature of the environments we 're in. Therefore in term of psychology and
sociology, we see things different from each other. Just because of that, it
's not enough to make us different from each other and to violate the term
Human Kind.
The term Human Kind reprents all of us. It makes us the same. If we work
together base on this term "Human Kind". I can be certain that there can
never be anything wromg.
I do not want to be a preacher. But if I sound like one, please be tolerated,
- It is time for us to teach our chidren that we are the same, based on the
term Human-Kind, not on the bacgrounds, cultures...etc. So for, together we be
friends, together we work, to gether we live, together we love, just like the
way it was intended to be at the time of the creation ot the world.
so friendship to all and with you always.
By the way -do you like the song IMAGINE. That song will make me dream all
my file......Dream ! is that all. Make it a reality. Don't you think it's
possible....
NOTE...If you have any feed back for my articles, plese put it under subject
named Human Kind. I take the bad and the good, I take what ever you've got..
Bye all....
From caf-talk Caf Aug 24 17:14:04 1992
Newsgroups: alt.comp.acad-freedom.talk
From: evansmp@uhura.aston.ac.uk (Mark Evans)
Subject: Re: [alt.censorship] Searching for computer porn at UBC
Message-ID: <1992Aug24.101458.1175@aston.ac.uk>
Date: Mon, 24 Aug 1992 10:14:58 GMT
kadie@cs.uiuc.edu (Carl M. Kadie) writes:
:
: Regardless of the legal and technical facts (for instance, that bitnet
: mail may be logged, that store-and-forward mail may be backed up on tape,
: etc.), users have come to believe that electronic mail has the same
: confidentiality as letter mail or telephone converstions.
Maybe it is time for users to lobby their governments, to extend legislation
protecting paper mail and telephone communications, to give the same protection
to electronic mail
:
: I believe that the possibilities for abuse of privacy are numerous, if system
: operators are effectively directed to search their systems for 'offensive
: material'.
:
:
: A.Daviel, Vancouver BC
--
-------------------------------------------------------------------------
Mark Evans |evansmp@uhura.aston.ac.uk
+(44) 21 565 1979 (Home) |evansmp@cs.aston.ac.uk
+(44) 21 359 6531 x4039 (Office) |
From caf-talk Caf Aug 24 18:00:26 1992
Newsgroups: alt.comp.acad-freedom.talk
From: kadie@cs.uiuc.edu (Carl M. Kadie)
Subject: [comp.society.privacy] Court Ruling on SocSec# at Rutgers, info needed
Message-ID: <9208242202.AA25513@m.cs.uiuc.edu>
Date: Mon, 24 Aug 1992 12:02:19 GMT
From: peterson@CS.ColoState.EDU (james peterson)
Newsgroups: comp.society.privacy
Subject: Court Ruling on SocSec# at Rutgers, info needed
Message-ID:
Date: 6 Aug 92 17:28:08 GMT
I just read a short article in the 5 August issue of the Chronicle
of Higher Education that a US District Judge (H. Lee Sarokin) had ruled
against Rutgers in a suit brought by present and former students, who
claimed that the institution had violated their privacy rights by
misusing their social security numbers.
Evidently, the judge did not order Rutgers to stop using the numbers
for routine administrative use (that would be too much of a hardship,
I guess) but rather to stop allowing distribution of the numbers (as in
rosters, etc.) cited as a practice which "allows any student to decode
another student's grades, obtain credit report, etc."
Does anyone know the details of this case, and exactly what is prohibited
by it? For example, does this ruling prohibit the the posting of grades
and social security numbers without names (a fairly wide-spread practice),
or merely the posting of rosters containing both names and SS#'s?
james sends
--
james lee peterson peterson@CS.ColoState.edu
dept. of computer science
colorado state university "Some ignorance is invincible."
ft. collins, colorado (voice:303/491-7137; fax:303/491-6639)
From caf-talk Caf Aug 25 02:51:53 1992
Newsgroups: news.admin,alt.censorship,alt.comp.acad-freedom.talk
From: greeny@top.cis.syr.edu (J. S. Greenfield)
Subject: Re: Limiting religious speech
Message-ID: <1992Aug24.201110.7481@newstand.syr.edu>
Date: Mon, 24 Aug 92 20:11:10 EDT
In article <1992Aug23.000939.2789@wolves.uucp> news@wolves.uucp (The Wolfe of the Den) writes:
>>>If you want to pray at graduation, feel free. Nobody's stopping it.
>>>The
>>>decision was to prevent _organized_ prayer. e.g. Valedictorian says
>>>"Let us now thank the Lord who enabled us to graduate" type of thing.
>>
>> I thought the decision prevents SCHOOL OFFICIALS from
>>promoting prayer. A school official cannot ask that a prayer
>>be said.
>>
>>[...]
>>
>>Since the valedictorian is not a school official
>>(he or she not on the government's payroll) it would not be
>>a case of "government" promoting religion.
>
> The Valedictorian and other speakers at a public school function
>are "acting under color of authority" and have been approved and guided
>by the school officials to do what is being done.
Please demonstrate that this is the case.
> What is getting ridiculous is the extent to which speech is
>being restricted in the attempt to prevent any mention of "religion" in
>the public schools. When a student speaker is prohibited from
>mentioning the strong influence of religion in their own life, without
>attempting to impose any expectations on the others, or a student
>privately bowing their head to pray silently in a non-disturbing way
>gets pulled from the assembly, then things have gone too far.
Please provide references to/summaries of the specific portions of this
case (or any other SC case) that support your contention.
> There is a disturbing trend to suppressing individual
>perogatives in the attempt to apply the law "equally." All this does is
>enforce the tyranny of the majority even more.
Perhaps--but you have yet to demonstrate that the case at hand has anything
to do with this thesis.
--
J. S. Greenfield greeny@top.cis.syr.edu
(I like to put 'greeny' here,
but my d*mn system wants a
*real* name!) "What's the difference between an orange?"
From caf-talk Caf Aug 25 08:04:15 1992
Newsgroups: alt.comp.acad-freedom.talk
From: kadie@cs.uiuc.edu (Carl M. Kadie)
Subject: [alt.sex] Censorship Update
Message-ID: <9208251206.AA25515@m.cs.uiuc.edu>
Date: Tue, 25 Aug 1992 02:06:06 GMT
From caf-talk Caf Aug 25 08:04:15 1992
Newsgroups: alt.sex
From: Dronon Brassmane
Subject: Censorship Update
Date: Mon, 24 Aug 1992 20:57:12 GMT
Message-ID: <1992Aug24.205712.7453@zooid.guild.org>
Some time ago you'll recall the "Congratulations! You've made the
evening news!" subject header and a couple of other subjects involving an
article in Toronto's Globe & Mail newspaper and a broadcast about alt.sex
and related uucp newsgroups on City-TV... in today's Globe & Mail there is a
letter in the editorials page, A14, reproduced like this:
Avoid censorship
Re Computers Graphic When It Comes To Porn (July 20):
Computer newsgroups offer a forum for the exchange of information and ideas
to hundreds of thousands of people. It is an important and growing new
resource, which may eventually supplant much of the traditional written media.
Among the most popular discussion groups are those dealing with sex. Some
of the posted material is extremely valuable, some of it juvenile, some of it
may be offensive to some people, and a tiny fraction of it may be illegal
under Canada's definition of obscenity. Unfortunately, the latter has drawn
the most media attention. Discussions about AIDS, birth control, sexual
lifestyles, and common misperceptions about sex have received little or no
attention.
Following some unfavourable publicity, the University of Manitoba banned all
newsgroups dealing with sex. This kind of heavy-handed reaction is
deplorable. It can be likened to using a sledgehammer to kill a fly. If a
university feels obliged to screen illegal material, this can be accomplished
automatically based on the content or origin of an article. Anything more
than that is censorship, and is against the academic tradition of intellectual
freedom.
An enlightened policy would treat electronic media in the same way that
libraries treat written material. Library acquisition policies have a strong
history of ensuring access to all materials legally obtainable, and of not
unjustly excluding material on the grounds that it might be offensive to some
people. The ultimate choice of what to read can and should rest with the
readers themselves.
P.G. Blunden, Winnipeg
(When the July 20 article came out, I kept a watch of articles in response to
it... when none came in the following week or so, I gave up, but I luckily
stumbled across the above article accidentaly this morning during breakfast.
Has anyone else heard of other reactions to the TV and newspaper coverage?)
Tom Turrittin / Dronon Brassmane
tthomas@vm1.yorku.ca / dronon@zooid.guild.org
"He never said anything, but he always managed to say too much. And that's
what counts."
From caf-talk Caf Aug 25 15:46:43 1992
Newsgroups: alt.comp.acad-freedom.talk
From: kadie@dante.cs.uiuc.edu (Carl M. Kadie)
Subject: [alt.censorship] Re: Public posting of private e-mail.
Message-ID: <199208251942.AA03083@dante.cs.uiuc.edu>
Date: Tue, 25 Aug 1992 09:42:44 GMT
From caf-talk Caf Aug 25 15:46:43 1992
Newsgroups: alt.censorship
From: morgan@ms.uky.edu (Wes Morgan)
Subject: Re: Public posting of private e-mail.
Message-ID: <1992Aug24.92353.3596@ms.uky.edu>
Date: Mon, 24 Aug 1992 13:23:53 GMT
sbradley@scic.intel.com (Seth Bradley) writes:
>I agree that one should be able to stop offending e-mail.
Sure! There are several "mail filtering" programs available; one of the
best of these is "procmail", which is availabel from many FTP sites. Get
procmail and install it; you can then filter your mail to your heart's
content.
>However, before
>one posts private e-mail, there is another step that can be taken, namely
>mailing to the offender's sysadmin. From (second hand) personal experience,
>this is often effective.
> [ ... ]
>The main point is, talking to a sysadmin is likely to be far more
>effective than posting e-mail.
The effectiveness of "talking to a sysadmin" varies greatly. If the site
is commercial, you may very well succeed. If, however, the site is aca-
demic, your chances are "not so good".
I'm the sysadmin for the UK College of Engineering (engr.uky.edu, NOT
ms.uky.edu (from which this posting originates)), and I routinely receive
messages such as "your user XXXX called me a YYYYY on the mailing list!
Terminate his email NOW!". I usually get a chuckle from this. I've never
rescinded a user's email privileges; with the exception of illegal activi-
ties (emailing pirate software after repeated warnings, for example), I
doubt that I ever will.
One must accept the good with the bad. If you enjoy full communications
privileges (and wish them extended to others), you WILL, eventually, be
offended. It's part of the virtual territory.
--Wes
--
MORGAN@UKCC | Wes Morgan | ...!ukma!ukecc!morgan
morgan@ms.uky.edu | Engineering Computing | morgan@wuarchive.wustl.edu
morgan@engr.uky.edu | University of Kentucky | JWMorgan@dockmaster.ncsc.mil
Mailing list for AT&T StarServer S/E - starserver-request@engr.uky.edu
From caf-talk Caf Aug 26 09:23:32 1992
Newsgroups: alt.comp.acad-freedom.talk,news.admin,alt.censorship
From: pjs269@tijc02.uucp (Paul Schmidt)
Subject: Re: Limiting religious speech
Message-ID: <1992Aug26.130454.7249@tijc02.uucp>
Date: Wed, 26 Aug 92 13:04:54 GMT
news@wolves.uucp (The Wolfe of the Den) writes:
:
: What is getting ridiculous is the extent to which speech is
: being restricted in the attempt to prevent any mention of "religion" in
: the public schools. When a student speaker is prohibited from
: mentioning the strong influence of religion in their own life, without
: attempting to impose any expectations on the others, or a student
: privately bowing their head to pray silently in a non-disturbing way
: gets pulled from the assembly, then things have gone too far.
This action as you describe it was probably done illegally. This is
very similar to the case where a student was reading the bible in the
bus to school and was told not to. It was resolved that the
administration was wrong in doing such an action.
--
Paul Schmidt: Advocates for Self-Government, Davy Crockett Chapter President
706 Judith Drive, Johnson City, TN 37604, (615)283-0084, uunet!tijc02!pjs269
"Freedom seems to have unleashed the creative energies of the people -- and
leads to ever higher levels of income and social progress." -- U.N. report
From caf-talk Caf Aug 26 12:29:05 1992
Newsgroups: alt.comp.acad-freedom.talk
From: kadie@cs.uiuc.edu (Carl M. Kadie)
Subject: [comp.admin.policy] Policy regarding Crack
Message-ID: <9208261628.AA06633@herodotus.cs.uiuc.edu>
Date: Wed, 26 Aug 1992 06:28:47 GMT
Newsgroups: comp.admin.policy
From: dan@cubmol.bio.columbia.edu (Daniel Zabetakis)
Subject: Policy regarding Crack
Message-ID: <1992Aug26.150855.20714@news.columbia.edu>
Date: Wed, 26 Aug 1992 15:08:55 GMT
Does anyone have in thier usage policy mention of Crack, or COPS,
or other programs that could be used for unnacceptable purposes?
Does anyone not allow possesion of Crack? How about running it?
DanZ
--
This article is for entertainment purposes only. Any facts, opinions,
narratives or ideas contained herein are not necessarily true, and do
not necessarily represent the views of any particular person.
From caf-talk Caf Aug 26 13:11:02 1992
Newsgroups: comp.admin.policy,alt.comp.acad-freedom.talk
From: kadie@herodotus.cs.uiuc.edu (Carl M. Kadie)
Subject: Re: Policy regarding Crack
Message-ID: <1992Aug26.170825.29391@m.cs.uiuc.edu>
Date: Wed, 26 Aug 1992 17:08:25 GMT
dan@cubmol.bio.columbia.edu (Daniel Zabetakis) writes:
> Does anyone have in thier usage policy mention of Crack, or COPS,
>or other programs that could be used for unnacceptable purposes?
> Does anyone not allow possesion of Crack? How about running it?
[...]
I would think that it would violate the general free expression and
privacy policies of most universities to ban possession of legal
material. I assume Columbia doesn't ban student and professor
possession of legal books?
Banning the running of such programs doesn't seem so bad. But any
such ban should have an authorization mechanism.
I'm enclosing relevant information from the Computer and Academic
Freedom archive.
- Carl
ANNOTATED REFERENCES
(All these documents are available on-line. Access information follows.)
=================
news/cafv02n23: Message-Id: <1992Apr30.164835.1816@opac.osl.or.gov>
=================
An article from the Computers and Academic Freedom News 02.23
Notes 8-9 are about cracking program and email privacy policy.
8. "I have a problem with outlawing cracking programs: ... Would it be
illegal to possess a paper on access security that contained the
source code for a cracking program? Where do they draw the line
between intellectual discourse and intent to break into someones
account?"
=================
news/cafv02n11: Message-Id: <9202161945.AA24863@bsu-cs.bsu.edu>
=================
An article from the Computers and Academic Freedom News 02.11
Notes 5-7 are about privacy.
5. A user on this system was apparently running a password cracking
program. An administer searched my files and found I had a copy of
the newest version of Crack. I have legitimate reasons for having
this program. I have received mail from the Chairman of the
Department "inviting" me to discuss my account privileges. "It really
bothers me that I'm going to get in a lot of trouble (probably anyway)
just for the mere possession of a program."
=================
news/cafv02n29: Message-Id: <1992Jun18.200126.486@newshost.lanl.gov>
=================
An article from the Computers and Academic Freedom News 02.29
Notes 7 and 8 concern the rights of system administrators to access
users' accounts.
7. "You are given an account with the understanding that you will not
use it to attempt to crack the system. But if you use that account to
learn the passwords of other users, then you are abusing the trust
placed in you by the system administrator, and he can remove your
access for it."
=================
news/cafv01n03: Message-Id: <9104212213.AA25432@usenet.INS.CWRU.Edu>
=================
An article from the Computers and Academic Freedom News 01.03
Netnews censorship of a posted program at Case Western is discussed.
=================
news/cafv01n20: Message-Id: <1991Jul30.013420.19111@eff.org>
=================
An article from the Computers and Academic Freedom News 01.20
A report of a student of the University of Georgia being suspended for
knowingly aiding crackers by supplying them with an encrypted password
file. (The student seems to have received due processes.)
=================
academic/student.freedoms.aaup
=================
Joint Statement on Rights and Freedoms of Students -- This is the main
U.S. statement on student academic freedom.
=================
policies/uiuc.edu
=================
This is the University of Illinois's Interim E-Mail and Computer File
Privacy Policy. It says that "network and system administrators are
expected to treat the contents of electronic files as private and
confidential." and "Any inspection of electronic files, and any action
based upon such inspection, will be governed by all applicable U. S.
and Illinois laws and by University policies."
=================
policies/ctr.columbia.edu
=================
"CTR Rules and Regulations Reguarding the Use of Computing
Facilities". CTR is the Center for Telecommunications Research at
Columbia University. The policy was sent in by Seth Robertson
.
=================
policies/cc.columbia.edu
=================
The old policy for Columbia University's Center for Computing
Activities. They are working on a new policy.
=================
faq/policy
=================
q: What guidance is there for creating or evaluating a computer policy?
=================
faq/email.policies
=================
q: Do any universities treat email and computer files as private?
=================
faq/email.privacy
=================
q: Can (should) my university monitor my email (and files)?
=================
faq/netnews.writing
=================
q: Should my university allow students to post to Netnews?
(also talks about freedom of expression in the context of computers)
=================
caf
=================
A description to the comp-academic-freedom-talk mailing list. It is a
free-forum for the discussion of questions such as: How should general
principles of academic freedom (such as freedom of expression, freedom
to read, due process, and privacy) be applied to university computers
and networks? How are these principles actually being applied? How can
the principles of academic freedom as applied to computers and
networks be defended?
=================
=================
These document(s) are available by anonymous ftp (the preferred
method) and by email. To get the file(s) via ftp, do an anonymous ftp
to ftp.eff.org (192.88.144.4), and get file(s):
pub/academic/news/cafv02n23
pub/academic/news/cafv02n11
pub/academic/news/cafv02n29
pub/academic/news/cafv01n03
pub/academic/news/cafv01n20
pub/academic/academic/student.freedoms.aaup
pub/academic/policies/uiuc.edu
pub/academic/policies/ctr.columbia.edu
pub/academic/policies/cc.columbia.edu
pub/academic/faq/policy
pub/academic/faq/email.policies
pub/academic/faq/email.privacy
pub/academic/faq/netnews.writing
pub/academic/caf
To get the file(s) by email, send email to archive-server@eff.org.
Include the line(s) (be sure to include the space before the file
name):
send acad-freedom/news cafv02n23
send acad-freedom/news cafv02n11
send acad-freedom/news cafv02n29
send acad-freedom/news cafv01n03
send acad-freedom/news cafv01n20
send acad-freedom/academic student.freedoms.aaup
send acad-freedom/policies uiuc.edu
send acad-freedom/policies ctr.columbia.edu
send acad-freedom/policies cc.columbia.edu
send acad-freedom/faq policy
send acad-freedom/faq email.policies
send acad-freedom/faq email.privacy
send acad-freedom/faq netnews.reading
send acad-freedom caf
--
Carl Kadie -- kadie@cs.uiuc.edu -- University of Illinois at Urbana-Champaign
From caf-talk Caf Aug 26 17:44:52 1992
Newsgroups: comp.admin.policy,alt.comp.acad-freedom.talk
From: morgan@ms.uky.edu (Wes Morgan)
Subject: Re: Policy regarding Crack
Message-ID: <1992Aug26.174017.1077@ms.uky.edu>
Date: Wed, 26 Aug 1992 21:40:17 GMT
kadie@herodotus.cs.uiuc.edu (Carl M. Kadie) writes:
>dan@cubmol.bio.columbia.edu (Daniel Zabetakis) writes:
>
>> Does anyone have in thier usage policy mention of Crack, or COPS,
>>or other programs that could be used for unnacceptable purposes?
>> Does anyone not allow possesion of Crack? How about running it?
>[...]
>
>I would think that it would violate the general free expression and
>privacy policies of most universities to ban possession of legal
>material. I assume Columbia doesn't ban student and professor
>possession of legal books?
>
>Banning the running of such programs doesn't seem so bad. But any
>such ban should have an authorization mechanism.
A simple question:
If I allow source code for cracking programs, but ban the running of
such programs, how will I know that the programs have been run? After
all, I don't live in front of a terminal! 8)
Seriously, let's look at the possibilities:
- I could (as the admin) sweep through all the user files,
looking for Crack source/binaries. This is unacceptable.
- I could check the monthly accounting reports and examine
every program that burned more than X minutes of CPU time.
This, too, is unacceptable.
- I could remove (or place a lock upon) /usr/dict/words (the most
commonly used word file for Crack). This would conflict with
other system programs, so it's unacceptable as well.
- I could write an automated shell script that examines every
text file on the system, reporting the names of any files which
are in /etc/passwd format (i.e. Crack food). This borders on the
unacceptable.
- I could just cease to care about it, and wait for something to happen.
This, too, is unacceptable; we've already had several cracking inci-
dents, and I don't need those headaches.
OR.......
- I can set a simple policy that says "this system is not to be used
for the development or use of password cracking software". My users
are Engineering students; they have no curricular need to develop
such software on our systems.
This approach benefits everyone (in theory). The users don't have
to worry about admins (or Crack users) rooting through their files,
and I don't have to worry about Crack fanciers.......
(If I were running systems for a Computer Science or Mathematics department,
I might set aside a particular machine for use by cryptography enthusiasts;
perhaps this could serve as the 'authentication mechanism' Carl mentioned.)
It's important to realize that "academic freedom" does not imply automatic
organizational support of any endeavor a student (or faculty member) may
wish to undertake.
For example, I doubt that an Engineering faculty member would receive
university support for work in clay sculpture or political science. At
most universities, the faculty/staff/student communities work within a
(fairly) well-defined conceptual framework for their area of interest.
Computing resources are usually assigned/allocated within this framework.
However, assignments/allocations of these resources for purposes outside
of the framework can (and should) be limited. A Mechanical Engineering
student may wish to write a Japanese text parser; while that is a laudable
project, can we justify the allocation of Engineering resources to that
goal?
"Academic freedom" is not equivalent to "a blank check".
--
MORGAN@UKCC | Wes Morgan | ...!ukma!ukecc!morgan
morgan@ms.uky.edu | Engineering Computing | morgan@wuarchive.wustl.edu
morgan@engr.uky.edu | University of Kentucky | JWMorgan@dockmaster.ncsc.mil
Mailing list for AT&T StarServer S/E - starserver-request@engr.uky.edu
From caf-talk Caf Aug 26 20:13:45 1992
Newsgroups: alt.comp.acad-freedom.talk
From: kadie@cs.uiuc.edu (Carl M. Kadie)
Subject: [comp.admin.policy] Re: Policy regarding Crack
Message-ID: <9208270013.AA11345@herodotus.cs.uiuc.edu>
Date: Wed, 26 Aug 1992 14:13:09 GMT
From caf-talk Caf Aug 26 20:13:45 1992
From: jaw@owlnet.rice.edu (Joseph A. Watters)
Newsgroups: comp.admin.policy
Subject: Re: Policy regarding Crack
Message-ID:
Date: 26 Aug 1992 21:19:34 GMT
In article , dan@cubmol.bio.columbia.edu (Daniel Zabetakis) writes:
|>
|> Does anyone have in thier usage policy mention of Crack, or COPS,
|> or other programs that could be used for unnacceptable purposes?
|> Does anyone not allow possesion of Crack? How about running it?
At Rice, we do not explicitly disallow the possession or running of
either of these programs. If we caught someone using them for
unacceptable purposes, we could take action against them for trying to
break in to systems that they are not authorized to use. Our policies
prohibit unacceptable actions, regardless of the mechanism or
technology used to perform them. For some systems here, our defense is
to run them ourselves regularly, and strongly encourage/force users
whose accounts are vulnerable according to these programs to close the
vulnerabilities. In the case of crack, if it guesses a password, we
have the user change to an unguessable (by crack) password. We use
COPS regularly to audit for its list of security holes, such as world
readable/writable .rhosts files, and have the users close those too.
There are many different groups managing computers here on campus, and
not all of them use these methods, to my knowledge. The systems that
do use these methods comprise the largest networks on campus, with by
far the largest number of users. The good thing about using COPS is
that it protects the networks that use it from some of the weaknesses
of the other networks on campus.
--
Joseph A. Watters, Jr. jaw@owlnet.rice.edu
Deputy Director, Owlnet
Rice University
Houston, Texas
From caf-talk Caf Aug 26 22:17:49 1992
Newsgroups: comp.admin.policy,alt.comp.acad-freedom.talk
From: ckd@eff.org (Christopher Davis)
Subject: Re: Policy regarding Crack
Message-ID:
Date: Thu, 27 Aug 1992 02:17:46 GMT
Wes> == Wes Morgan
Wes> Seriously, let's look at the possibilities:
Wes> - I can set a simple policy that says "this system is not to be used
Wes> for the development or use of password cracking software". My users
Wes> are Engineering students; they have no curricular need to develop
Wes> such software on our systems.
Wes> This approach benefits everyone (in theory). The users don't have
Wes> to worry about admins (or Crack users) rooting through their files,
Wes> and I don't have to worry about Crack fanciers.......
Or you could run shadow passwords, and run Crack yourself, and have a
proactive password checker.
This also benefits everyone, because it means that people are less
likely to have their accounts broken into, you don't get into problems
with people being duped into giving out your /etc/passwd for Joe Cracker
to run through Crack on his 486/50 (or on the SS2 he broke into last
week), and even if someone does get your shadow file, your passwords
will have some degree of strength.
I realize that this isn't always doable, but it's a big improvement.
--
Christopher Davis * ckd@eff.org * System Administrator, EFF * +1 617 864 0665
``Ed Gruberman, you fail to grasp Ti Kwan Leep.
Approach me that you might see.'' -- The Master
From caf-talk Caf Aug 27 07:27:59 1992
Newsgroups: alt.comp.acad-freedom.talk
From: dalton@mantle.Geop.UBC.CA (David Dalton)
Subject: Fabrikant pre-murder E-mail
Message-ID:
Date: Thu, 27 Aug 1992 10:44:29 GMT
V.I. Fabrikant, a professor in Mechanical Engineering at Concordia
University, recently murdered three colleagues and injured more.
This followed a long battle with the university over tenure and
authorship, during which he E-mailed information to a large mailing list.
Prior to the murders, the university threatened to charge Fabrikant
with contempt of court, probably for spreading the accusations and
information over the net before the court date. The E-mail eventually
made its way to an even larger audience through network news. The
E-mail and news will probably be brought forward as evidence in
Fabrikant's hearing against the university, which is going on now,
and possibly in his murder trial later.
If anyone is interested, Fabrikant's original E-mailings have been
posted to sci.research and sci.research.careers by Dov Bai
(bai@msiadmin.cit.cornell.edu). There are 13 parts, titled
Fraud and extortion at Concordia University (Canada)
Fraud and extortion at Concordia University (Canada) (part II--XIII)
If they have expired at your site, E-mail me and I will send them to you.
I will post them here if I get a lot of requests, but would prefer not to
since the file is quite large.
A fairly lively discussion has been going on in sci.research
and sci.research.careers as a result of Fabrikant's postings.
Many of the posters think there may be something to Fabrikant's
accusations and think there should be an investigation. Of
course, none of them agree with his methods. There is also
some discussion on can.general and soc.culture.canada
The relevant headers generally have "Fraud and Extortion"
or "Fabrikant" or "Concordia" in the headers. The discussion
is starting to get around to the status of the E-mail as evidence.
David
From caf-talk Caf Aug 27 10:24:04 1992
Newsgroups: alt.comp.acad-freedom.talk
From: MYGDALW@baylor.ccis.baylor.edu (William Mygdal)
Subject: (none)
Message-ID: <01GO2KO2RN849JD9MJ@BAYLOR.EDU>
Date: Thu, 27 Aug 1992 14:22:00 GMT
Hi, I'm new on the list and relatively new to internet. I joined
because, in my attempts to familiarize myself with the mailing lists
and newsgroups, I discovered that Baylor (1) screens out all alt. and
rec. groups and who knows what else - we have 1213 newsgroups listed, and (2)
censors individual messages within newsgroups that are available. For
example, in looking through the Jewish culture newsgroup I found that
messages on the topic of Woody Allen and Mia Farrow were listed in the
group, but when I tried to read one I got a message stating that that item
could not be accessed. So of course I tried every other item on the topic,
and was able to access only one - and that one consisted entirely of
quotation from the Bible on the sin of slander. I can only assume, the
Baylor environment being what it is, that sexual content or obscenity is
being censored, along with who knows what else. I am not a student or
faculty member (or employee) at Baylor, and have been thinking for myself
for years. Thus, I am very upset and deeply offended by this censorship.
I doubt there's anything I can do about it, but I am completely ignorant
of the current state of thinking/practice/regulation of how computer
communication does/should work, and the related issues of academic
freedom and first amendment rights (neither of which Baylor has any
interest in upholding). How common is this kind of censorship? What,
if anything, can be done about it? What reactions or words of wisdom
do those of you on this list have for me? Help!!! --Thanks, Debbie Ader
From caf-talk Caf Aug 27 11:07:58 1992
Newsgroups: alt.comp.acad-freedom.talk
From: kadie@eff.org (Carl M. Kadie)
Subject: Re: (none)
Message-ID: <1992Aug27.150751.11322@eff.org>
Date: Thu, 27 Aug 1992 15:07:51 GMT
MYGDALW@baylor.ccis.baylor.edu (William Mygdal) writes:
>I discovered that Baylor (1) screens out all alt. and
>rec. groups and who knows what else - we have 1213 newsgroups listed, and (2)
>censors individual messages within newsgroups that are available. For
>example, in looking through the Jewish culture newsgroup I found that
>messages on the topic of Woody Allen and Mia Farrow were listed in the
>group, but when I tried to read one I got a message stating that that item
>could not be accessed.
It's unlikely that Baylor is screening articles one-by-one; such an
undertaking would be very expensive. On the other hand, it is not
unlikely that Baylor excludes newsgroups based on the school's religious
doctrine.
_The Insider's Guide to the Golleges 1991_ says:
"Don't come to Baylor expecting a party school. Not much has changed
at Baylor University since its Baptist founding in 1845. While other
shcools are only now starting to reinstate the _in locl parentis_
polices of thirty years ago, Baylor is proud to say that it never lost
them. The School continues to provide a not-notch education accompied
by strict ascetic regulations."
The school's written policy isn't bad:
It says that
5. Electronic communications facilities (such as MAIL) are for
university related activities only. Fraudulent, harassing or
obscene messages and/or materials are not to be sent or
stored.
Contrast this with the broader and vaguer policy of the Computer
Scienece department of Univerity of Texas (which, unlike Baylor, is
bound by the U.S. Constitution).
Users of electronic mail and bulletin boards should avoid sending
messages that are libelous, patently offensive, or that intimidate, threaten,
demean, or harass individuals or groups, or that would otherwise bring
discredit to the University or the Department.
The Baylor policy is better but could be improved by allowing
"personal use."
The Baylor policy also provides for some due process, although the
"due process" begins by temporarily suspending a user from the
computer. The policy also treats programs and files as confidential.
I'm enclosing a reference to an FAQ on newsgroup selection and
censorship. I think one key is that computer media be treated like
traditional media (e.g. the library and the newspaper). As far as I
know, Baylor does this.
- Carl
ANNOTATED REFERENCES
(All these documents are available on-line. Access information follows.)
=================
faq/netnews.reading
=================
q: Should my university remove (or restrict) Netnews newsgroups
because some people find them offensive? If it doesn't have the
resources to carry all newsgroups, how should newsgroups be selected?
=================
widener/baylor.policy
=================
=================
policies/cs.utexas.edu
=================
Computer Use Policy of the Department of Computer Science at the
University of Texas.
(Critiqued)
=================
=================
These document(s) are available by anonymous ftp (the preferred
method) and by email. To get the file(s) via ftp, do an anonymous ftp
to ftp.eff.org (192.88.144.4), and get file(s):
pub/academic/faq/netnews.reading
pub/academic/widener/baylor.policy
pub/academic/policies/cs.utexas.edu
To get the file(s) by email, send email to archive-server@eff.org.
Include the line(s) (be sure to include the space before the file
name):
send acad-freedom/faq netnews.reading
send acad-freedom/widener baylor.policy
send acad-freedom/policies cs.utexas.edu
--
Carl Kadie -- I do not represent EFF; this is just me.
=kadie@eff.org, kadie@cs.uiuc.edu =
From caf-talk Caf Aug 27 11:30:57 1992
Newsgroups: alt.comp.acad-freedom.talk
From: kadie@cs.uiuc.edu (Carl M. Kadie)
Subject: [comp.admin.policy] Re: Policy regarding Crack
Message-ID: <9208271530.AA15830@herodotus.cs.uiuc.edu>
Date: Thu, 27 Aug 1992 05:30:43 GMT
From: S_TITZ@iravcl.ira.uka.de (Olaf Titz)
Newsgroups: comp.admin.policy
Subject: Re: Policy regarding Crack
Message-ID: <1992Aug27.123808.29166@rz.uni-karlsruhe.de>
Date: 27 Aug 92 12:38:08 GMT
In <1992Aug26.174017.1077@ms.uky.edu> morgan@ms.uky.edu writes:
> Seriously, let's look at the possibilities:
>
> - I could (as the admin) sweep through all the user files,
> looking for Crack source/binaries. This is unacceptable.
>...
> - I could write an automated shell script that examines every
> text file on the system, reporting the names of any files which
> are in /etc/passwd format (i.e. Crack food). This borders on the
> unacceptable.
It *is* unacceptable, IMHO - the same thing of searching user files.
> OR.......
>
> - I can set a simple policy that says "this system is not to be used
> for the development or use of password cracking software". My users
> are Engineering students; they have no curricular need to develop
> such software on our systems.
>
> This approach benefits everyone (in theory). The users don't have
> to worry about admins (or Crack users) rooting through their files,
> and I don't have to worry about Crack fanciers.......
Are you sure that setting a policy will *prevent* your system from
being Crack'ed? ;;-)
>...
> Computing resources are usually assigned/allocated within this framework.
> However, assignments/allocations of these resources for purposes outside
> of the framework can (and should) be limited. A Mechanical Engineering
> student may wish to write a Japanese text parser; while that is a laudable
> project, can we justify the allocation of Engineering resources to that
> goal?
>
> "Academic freedom" is not equivalent to "a blank check".
Right, but... be VERY careful about that.
The step from your Japanese parser to general restrictions like 'we
don't carry alt* and rec* newsgroups' is dangerously short. Take
another example: When I want books from my university library, nobody
cares about the importance of, say, a book on music history for my
computer science studies. Not a blank check, but the provision of
CERTAIN resources for own use (as opposed to the provision of
resources for CERTAIN use - understood?)
I don't know about your engineering department, and I know that this
is a heatedly debated issue since computers exist (are games allowed?
and so on) but I think universities should provide the resources they
are able to (technically, financially,...) and place no restrictions
on their use unless there are justifiable reasons to do so, e.g.
outright abuse (what this is, however, should not be stated par ordre
du mufti but established, ideally, by a board of staff AND students).
MfG,
Olaf
--
Olaf Titz - comp.sc.student - Univ of Karlsruhe - s_titz@iravcl.ira.uka.de -
uknf@dkauni2.bitnet - praetorius@irc - +49-721-60439 - did i forget something?
One frequently hears horror expressed that a 2M byte machine may have 400K
devoted to its operating system. - Fred Brooks (1975)
From caf-talk Caf Aug 27 12:13:53 1992
Newsgroups: comp.admin.policy,alt.comp.acad-freedom.talk
Subject: Re: Policy regarding Crack
Message-ID: <1992Aug27.115813.28741@ms.uky.edu>
From: morgan@ms.uky.edu (Wes Morgan)
Date: 27 Aug 92 15:58:13 GMT
ckd@eff.org (Christopher Davis) writes:
>
> Wes> - I can set a simple policy that says "this system is not to be used
> Wes> for the development or use of password cracking software". My users
> Wes> are Engineering students; they have no curricular need to develop
> Wes> such software on our systems.
>
>
>Or you could run shadow passwords, and run Crack yourself, and have a
>proactive password checker.
I run Crack and COPS on a regular basis; a real-time password checker
is in the works. 8)
>This also benefits everyone, because it means that people are less
>likely to have their accounts broken into, you don't get into problems
>with people being duped into giving out your /etc/passwd for Joe Cracker
>to run through Crack on his 486/50 (or on the SS2 he broke into last
>week), and even if someone does get your shadow file, your passwords
>will have some degree of strength.
>
>I realize that this isn't always doable, but it's a big improvement.
There are external factors to be considered........
Here's a "real world" problem:
Earlier this year, I received a call from an admin at another university.
He found a user cracking his (and other) systems, and proceeded to follow
the normal procedures for disciplinary proceedings. During the ensuing
investigation, it was discovered that this individual had copies of password
files from many sites; system accounting records revealed that he had also
been running Crack. During the auditing of his files, electronic mail
archives indicated that some of those password files may have come from my
university; the admin requested my assistance in tracking down the (possibly)
compromised systems.
Thankfully, none of the systems here were compromised (or even attacked).
However, I discovered that this cracker had accumulated password files
from at least 10 different systems in 5 states.
{ Enter philosophical mode }
Many people have spoken of the "cooperative spirit" of networking. We've
discussed policies, shared code, and helped each other through problems.
I've been a sysadmin for 4 years, and I've used Unix for 11 years. However,
many sites' admins are inexperienced; indeed, many of them become sysadmins
by default. (How many times have we seen postings such as "I've just been
told that I'm going to be administering our Sun workstations, so....."?) Many
of those novice sysadmins depend on the assistance of their more experienced
colleagues.
In some ways, we *are* our 'brother's keeper'.
Why, then, should our assistance be restricted to reactive functions?
If I can take steps to prevent potential problems WITHOUT affecting
my core mission (Engineering education, in my case), why *shouldn't*
I do so?
[As I mentioned in an earlier posting, some sites may have a curricular
(or professional) obligation to provide facilities for cryptographic
work. Were I in such a situation, I would find some means of isolating
them from 'live' systems. This university recently offered a CompSci class
entitled "Computer Security"; in the course of instruction, the students
were given a copy of Crack. At the request of the instuctor, I created a
dummy /etc/passwd file which was completely devoid of "real world" informa-
tion. The appropriate warnings against extracurricular use of the program
were issued, the course proceeded, and everyone was satisfied.]
I believe that I, as a sysadmin, have a certain obligation to the other
systems using our common network(s). Why should I allow my system to be
used as a 'forward base' from which to attack other systems? Should I
adopt an attitude such as "well, he's not cracking MY password file, so
I don't care"? If I found someone attempting to crack the password file
for kragar.eff.org, wouldn't you want me to notify you? If so, why shouldn't
I prevent it in the first place, if such a goal is (relatively) attaniable?
{ Exit philosophical mode }
--
MORGAN@UKCC | Wes Morgan | ...!ukma!ukecc!morgan
morgan@ms.uky.edu | Engineering Computing | morgan@wuarchive.wustl.edu
morgan@engr.uky.edu | University of Kentucky | JWMorgan@dockmaster.ncsc.mil
Mailing list for AT&T StarServer S/E - starserver-request@engr.uky.edu
From caf-talk Caf Aug 27 19:29:13 1992
Newsgroups: comp.admin.policy,alt.comp.acad-freedom.talk
From: ckd@eff.org (Christopher Davis)
Subject: Re: Policy regarding Crack
Message-ID:
Date: Thu, 27 Aug 1992 23:29:10 GMT
Wes> == Wes Morgan
First, I think we're in violent agreement, just talking past each other
a bit. My main point was that preventing Crack use on your systems
doesn't stop the Evil Ones from taking your file elsewhere (not
something I think you'd argue against ;-) and that to protect *your*
systems, the only real method is to protect your passwords through
proactive (npasswd, etc), reactive (Crack), and preventative (shadow)
methods.
Wes> Why, then, should our assistance be restricted to reactive
Wes> functions? If I can take steps to prevent potential problems
Wes> WITHOUT affecting my core mission (Engineering education, in my
Wes> case), why *shouldn't* I do so?
No reason at all.
Wes> I believe that I, as a sysadmin, have a certain obligation to the
Wes> other systems using our common network(s). Why should I allow my
Wes> system to be used as a 'forward base' from which to attack other
Wes> systems? Should I adopt an attitude such as "well, he's not
Wes> cracking MY password file, so I don't care"? If I found someone
Wes> attempting to crack the password file for kragar.eff.org, wouldn't
Wes> you want me to notify you? If so, why shouldn't I prevent it in
Wes> the first place, if such a goal is (relatively) attaniable?
I agree that preventing this behavior is important, just that it's not
sufficient. One of the rules on our systems is that using them to
attack other systems is prohibited, and certainly I'd notify you if I
found someone cracking your password file, as much as I'd like you to
notify me if someone were cracking one of mine.
Again, however, if they take it off to their quiet corner of the
computing world to crack it, neither of us will ever know, so it
behooves us to take advantage of various protective methods...
(Hopefully this thread will give some of the novice system
administrators you referred to in the sections I deleted a chance to
learn more about what they can do to protect their machines.)
--
Christopher Davis * ckd@eff.org * System Administrator, EFF * +1 617 864 0665
``Ed Gruberman, you fail to grasp Ti Kwan Leep.
Approach me that you might see.'' -- The Master
From caf-talk Caf Aug 27 22:36:24 1992
Newsgroups: comp.admin.policy,alt.comp.acad-freedom.talk
From: lfoard@Turing.ORG (Lawrence C. Foard)
Subject: Re: Policy regarding Crack
Message-ID: <1992Aug28.022923.2859@murdoch.acc.Virginia.EDU>
Date: Fri, 28 Aug 1992 02:29:23 GMT
Or you could run crack yourself and fix the holes...
--
>>Unix/C Contract worker available 5 years C/unix work experience<< ______
Available for Telecommuting/Travel and contracts on the T Line \ /
in the Boston MA area. Send me e-mail for a copy of my Resume. \ /
-- VWIS 508-793-9568 (2400 baud), Linux support BBS.-- \/
From caf-talk Caf Aug 28 11:54:11 1992
Newsgroups: alt.comp.acad-freedom.talk,comp.org.eff.talk,comp.admin.policy,alt.censorship,soc.college
From: kadie@eff.org (Carl M. Kadie)
Subject: Abstract of CAF-News 02.37
Message-ID: <1992Aug28.155400.574@eff.org>
Date: Fri, 28 Aug 1992 15:54:00 GMT
This is an abstract for the most recent "Computers and Academic
Freedom News" (CAF-News). Information about CAF-News follows the
abstract. The full CAF-News is available via anonymous ftp or by
email. For ftp access, do an anonymous ftp to ftp.eff.org
(192.88.144.4). Get file "pub/academic/news/cafv02n37".
The full CAF-News is also available via email. Send email to
archive-server@eff.org. Include the line:
send caf-news cafv02n37
--- begin abstract ---
[Week ending August 2nd, 1992
[Issues #28, #33, #34, #35, and #36 in production - Carl]
========================== KEY ================================
The words after the numbers are a short PARAPHRASES of the
articles, or QUOTES from them, NOT AN OBJECTIVE SUMMARY and
not necessarily my opinion.
===============================================================
Notes 1 to 3 concern whether or not to grant access to a deceased
user's account to the user's family.
1. "Today we [had] a very interesting and sensitive situation arise --
a user passed away and now the user's parents would like access to the
user's account." Given that I feel a user's account to be private,
and that the account "may contain information that could be considered
`sensitive' or `revealing'" what should I do?
<1992Jul23.215931.13522@menudo.uh.edu>
2. The executor of the user's estate should have the legal right - and
obligation - to inspect the user's account, along with all his or her
other effects.
<1992Jul29.100142.21482@ms.uky.edu>
3. I doubt that the user's heirs or executors have the right to *use*
the account. Whether they have a right to a copy of the files held in
the account is more difficult to determine. Some of the files might
be the property of the owners of the machine. It might be difficult
to decide which files were the user's personal property and which were
not.
<1992Jul29.215819.15965@news.iastate.edu>
Notes 4 to 6 are part of a debate on censorship which has arisen in
the wake of the refusal of some Canadian universities to carry
alt.sex.* groups, and the publication of an article entitled
"Computers Graphic When it Comes to Porn" in the Canadian newspaper
_The Globe and Mail_.
4. "There are three main questions here:... (1) Is there erotic
material that, if it were readily available, would make some people
more prone to commit acts of rape and child sexual abuse?... (2) Is
the risk (in terms of infringement of general human rights) of
censoring such material so high that we should allow it to be
available anyway?... [and] (3) Where do you draw the line?"
<1992Jul31.235725.25121@cs.sfu.ca>
5. "Don't shut people out of information, the more information we have
the wiser we become... I propose that the elimination of a.s.b. was an
elimination of a group comitted to the dissemination of information
with regards to a consensual activity, that sought to avoid any damage
to the psyche or body of it's practitioners.
6. This article, which seeks to correct the view of the Internet as a
public medium for the dissemination of "sleazy" material, has been
sent to the editor of the _Globe & Mail_.
Articles 7 to 9 are on miscellaneous subjects.
7. "You have every right, as the administrator, representing the owner
of the machine, to make certain restrictions. Having Freedom of
Speech doesn't obligate anyone to Provide the Soap Box. But it won't
do you a whole lot of good in the long run."
<18937@fritz.filenet.com>
8. [Forwarded from the Computer Underground Digest] At a hearing this
week before the National Commission on Library and Information
Science, Computer Professionals for Social Responsibility (CPSR)
recommended a privacy policy for the National Research and Education
Network or `NREN.'
<9207281913.AA11355@herodotus.cs.uiuc.edu>
9. The policy of the University of Kentucky's Engineering Computing
Centre will be that "The installation of recreational network
resources, such as MUD, Netrek, or IRC clients/servers, are explicitly
prohibited UNLESS these programs include use restrictions based on
time of day and number of users. The installation of these resources
may only be performed by ECC staff."
<1992Jul30.94721.2490@ms.uky.edu>
- Elizabeth]
--- end abstract ---
CAF-News is a weekly digest of notes from CAF-talk.
CAF-News is available as newsgroup alt.comp.acad-freedom.news or via
email. If you read newsgroups but your site doesn't get
alt.comp.acad-freedom.news, (politely) ask your sys admin to
subscribe. For info on email delivery, send email to
archive-server@eff.org. Include the line
send acad-freedom caf
Back issues of CAF-News are available via anonymous ftp or via email.
Ftp to ftp.eff.org. The directory is pub/academic/news. For
information about email access to the archive, send an email note to
archive-server@eff.org. Include the lines:
send acad-freedom README
help
index
Disclaimer: This CAF-News abstract was compiled by a guest editor or a
regular editor (Paul Joslin, Elizabeth M. Reid, Adam C. Gross, Mark C.
Sheehan or Carl M. Kadie). It is not an EFF publication. The views an
editor expresses and editorial decisions he or she makes are his or
her own.
--
Carl Kadie -- I do not represent EFF; this is just me.
=kadie@eff.org, kadie@cs.uiuc.edu =
From caf-talk Caf Aug 28 12:19:21 1992
Newsgroups: alt.comp.acad-freedom.talk
From: kadie@cs.uiuc.edu (Carl M. Kadie)
Subject: [comp.admin.policy] Re: Policy regarding Crack
Message-ID: <9208281619.AA20965@herodotus.cs.uiuc.edu>
Date: Fri, 28 Aug 1992 06:19:00 GMT
From caf-talk Caf Aug 28 12:19:21 1992
From: S_TITZ@iravcl.ira.uka.de (Olaf Titz)
Newsgroups: comp.admin.policy
Subject: Re: Policy regarding Crack
Message-ID: <1992Aug28.153108.2829@rz.uni-karlsruhe.de>
Date: 28 Aug 92 15:31:08 GMT
In <1992Aug27.143847.5244@ms.uky.edu> morgan@ms.uky.edu writes:
> This approach borders on acceptability for one reason only -- I'm not
> looking at the files myself. If such a script reports that "file
> /users/booga/foo/blast is in /etc/passwd format", I would simply dis-
> cuss the matter with the owner of the file. I don't examine user files.
Two ways to answer this come to my mind:
1. 'The sysadmin should mind his own f*g business and care the hell
about user files, these are MINE.' (This is NOT my opinion but
common among users who feel harrassed enough by admins; see below.)
or:
2. 'OK, agreed.' (Under the provision that admin's reaction is, for
instance, writing user a mail telling about it and inviting him for a
discussion of the matter. Not an immediate account revocation without
prior notice as is unfortunately common...)
>...
> >> "Academic freedom" is not equivalent to "a blank check".
> >
> >Right, but... be VERY careful about that.
> >
> >The step from your Japanese parser to general restrictions like 'we
> >don't carry alt* and rec* newsgroups' is dangerously short.
>
> Excuse me, but the two concepts are NOT as similar as you claim them to be.
> In my example, I suggest a policy that would prevent the use of a
> particular facility by an individual user (namely, the future use of
> my system for cracking programs). Your counter-example, the revocation
> of alt.* and rec.* newsgroup access, suggests the revocation of current
> use by all users. The two cases are markedly different; you're comparing
> apples and oranges.
I knew this was a bad example ;-) but an example of what does happen,
being justified by the same arguments: alledged non-academic or
non-study-related use, therefore considered abuse. But I agree that
your thing is a different issue.
> >Take
> >another example: When I want books from my university library, nobody
> >cares about the importance of, say, a book on music history for my
> >computer science studies.
>
> This example is irrelevant. The university libraries are, by definition,
> open to all students of the University. My systems, on the other hand,
> are open only to Engineering students/faculty/staff.
O.K.
>...
> >Not a blank check, but the provision of
> >CERTAIN resources for own use (as opposed to the provision of
> >resources for CERTAIN use - understood?)
>
> I agree; however, when that use begins to approach illegal activity
> (or activity prohibited by University policy), then actions must be
> taken. Would you agree?
Agreed. (A definition of what is prohibited is needed, and it should
be ensured that users are aware of it, but at least the latter can
easily be done.)
> >but I think universities should provide the resources they
> >are able to (technically, financially,...) and place no restrictions
> >on their use unless there are justifiable reasons to do so,
>
> Yup, but who determines the justification? There are those who argue
> that playing games is justifiable 'educational use'; there are others
> who argue that diskspace quotas are a violation of their 'academic
> freedom'. You want to use it, and I have to manage it for all users;
> sooner or later, we may butt heads.
Here we come to the heart of the issue: a collision of interests of
users and admins. Is that necessary?
Diskspace quotas are simply a technical need. Space is limited and
will be filled up, sooner or later. If, however, you have 50 users and
a 500MB user disk and give each user 1MB of quota, then users may well
question the setting of the quota *that low*. (I wouldn't call that a
violation of academic freedom, though.)
Take another example: The machine I am currently on prohibits access
from 9pm to 8am, and there are simply no technical reasons for it, but
when asking you'll get the answer that it has been introduced because
of 'hacker' problems (alledgedly 'hackers' have been operating from
here cracking machines in America, some 3 years ago now). Now,
'hackers' OF COURSE are only students not employed at some institute
(those who are have accounts with no restrictions) and OF COURSE do
only work at night. (To prevent terminology discussions: I know these
'hackers' are really crackers but at our department nobody knows the
distinction - that is how they told me.) This is a completely silly
restriction placed upon users for political reasons only, if for
reasons at all. NOBODY sees any admin interest contradicting the
users' interest of doing their work when they want to. (Another
argument was the possibility of machines (workstations, in that case,
which do not provide any central services) crashing and having to be
rebooted. Besides from this being able to be done the next morning,
again crashing of machines OF COURSE can be done only by ordinary
students. Another 'justification' out of the air.)
Playing games is a sensitive issue. Prohibiting that special use (and
what is a game? Some people think of IRC being a game too) is not
justified but plaing games on university machines is IMO (!!) not
justified either. I know of examples of settling the issue by stating
that playing is not allowed, but will be tolerated unless persons with
real work want the machines. Given the problems mentioned above, this
systems works astonishingly well here.
> >e.g.
> >outright abuse (what this is, however, should not be stated par ordre
> >du mufti but established, ideally, by a board of staff AND students).
>
> The other problem with the definition of offenses comes here. I've
> been trying to write a polcy for almost a year, and I keep hearing
> that "it's not specific enough". One student even complained about
> the sentence "Forgery, or attempted forgery, of electronic mail messages
> is prohibited."; he said that it was "too general".
It may be considered too general as long it is not stated what
constitutes a forgery *attempt*. At many sites, all network
connections are logged, and an admin sweeping through the log files
(yes, there are people who do that) may see the dreaded '25' and
conclude immediately an email forgery (where this could have been a
simple verify as well).
But there are always the radical people who will not tolerate anything
that might interfere with their life in one way or another, and these
can IMHO be peacefully ignored when the issue is settled with the
majority. I simply prefer a democratic approach over the 'admin
dictatorship'. (Not intended as a personal insult, of course :-)
> We will NOT be able to develop a written policy that covers every possible
> offense. Some discretion must be left with the administrators.
Really? I would like to reformulate the last sentence to: ...must be
left for case-by-case resolution by the admins *in cooperation with
the users*. No ordre du mufti, please.
> I repeat: "academic freedom" does not equal "a blank check".
Agreed again :-) but what DOES constitute academic freedom should be
more clearly stated. I think of it as that all restrictions have to be
justified in the first place and this justification be stated by
consensus of the people involved. Real clashes of interests are rare
and most cases can be settled without too much headache on either
side, IMHO, but cooperation is the necessary precondition.
MfG,
Olaf
--
Olaf Titz - comp.sc.student - Univ of Karlsruhe - s_titz@iravcl.ira.uka.de -
uknf@dkauni2.bitnet - praetorius@irc - +49-721-60439 - did i forget something?
OS/360 devotes 26 bytes of the permanently resident date-turnover routine
to the proper handling of Dec.31 on leap years. That might have been
left to the operator. - Fred Brooks (1975)
From caf-talk Caf Aug 28 14:13:09 1992
Newsgroups: comp.admin.policy,alt.comp.acad-freedom.talk
From: morgan@ms.uky.edu (Wes Morgan)
Subject: Re: Policy regarding Crack
Message-ID: <1992Aug28.140932.657@ms.uky.edu>
Date: Fri, 28 Aug 1992 18:09:32 GMT
S_TITZ@iravcl.ira.uka.de (Olaf Titz) writes:
>2. 'OK, agreed.' (Under the provision that admin's reaction is, for
>instance, writing user a mail telling about it and inviting him for a
>discussion of the matter. Not an immediate account revocation without
>prior notice as is unfortunately common...)
Kneejerk reactions are far too common among admins. My working policy
(whose approval date keeps changing...8( ) explictly disallows immediate
revocation in all but the most dire circumstances (active cracking, for
instance).
>I knew this was a bad example ;-) but an example of what does happen,
>being justified by the same arguments: alledged non-academic or
>non-study-related use, therefore considered abuse. But I agree that
>your thing is a different issue.
I think that the distinction can be made between "supported non-academic
use" and "individual non-academic use". Here's two examples:
I install restricted games for all users -> "supported non-academic"
A user builds an unrestricted game for himself -> "individual non-academic"
(Keep in mind that I do NOT examine user files; a user who built such a
game would probably go unnoticed UNLESS the system accounting reports
indicate a significant/unexplained drain on system resources.)
>Here we come to the heart of the issue: a collision of interests of
>users and admins. Is that necessary?
>
>Diskspace quotas are simply a technical need. Space is limited and
>will be filled up, sooner or later. If, however, you have 50 users and
>a 500MB user disk and give each user 1MB of quota, then users may well
>question the setting of the quota *that low*. (I wouldn't call that a
>violation of academic freedom, though.)
If every one of my users went to the limits of their quota, I'd need
about 2 Gb of extra disk......8(
>Take another example: The machine I am currently on prohibits access
>from 9pm to 8am, and there are simply no technical reasons for it, but
>when asking you'll get the answer that it has been introduced because
>of 'hacker' problems (alledgedly 'hackers' have been operating from
>here cracking machines in America, some 3 years ago now).
Whew....that's rough.
>Playing games is a sensitive issue. Prohibiting that special use (and
>what is a game? Some people think of IRC being a game too) is not
>justified but plaing games on university machines is IMO (!!) not
>justified either. I know of examples of settling the issue by stating
>that playing is not allowed, but will be tolerated unless persons with
>real work want the machines. Given the problems mentioned above, this
>systems works astonishingly well here.
We tried that here, but the results were disastrous; game players refused
to surrender their terminals to academic users, and game playing started
sucking up about 45% of the system's resources.
I think that the time/number-of-users restrictions will work well. As I
mentioned in earlier postings, I'm going to implement something along the
lines of "If its between 7pm and 7am AND there are fewer than XX users,
you can access these games/MUD clients/IRC clients/etc.".
>It may be considered too general as long it is not stated what
>constitutes a forgery *attempt*. At many sites, all network
>connections are logged, and an admin sweeping through the log files
>(yes, there are people who do that)
I'm one of those people who reads log files regularly. Actually, I've
written shell scripts that ignore the 'commonplace' stuff and only
display the 'interesting' entries.
>may see the dreaded '25' and
>conclude immediately an email forgery (where this could have been a
>simple verify as well).
Well, I'd working from the assumption that an actual message (be it
an email message or a Usenet posting) that indicates tampering would
be required. For instance, we've all seen attempted Usenet forgeries
in which the would-be forger didn't remove every reference to himself.
>I simply prefer a democratic approach over the 'admin
>dictatorship'. (Not intended as a personal insult, of course :-)
No offense was taken; I'm an easygoing guy. 8)
I prefer the notion of a 'leveraged democracy'.
If a majority of my users desire a particular service, AND if that
service can be provided within the resources (and obligations) of
the system(s), then, by all means, let's do it! However, the question
"can it be provided within the resources?" can only be answered by
the admin; he's the one with the 'global view' of the system.
>> We will NOT be able to develop a written policy that covers every possible
>> offense. Some discretion must be left with the administrators.
>
>Really? I would like to reformulate the last sentence to: ...must be
>left for case-by-case resolution by the admins *in cooperation with
>the users*. No ordre du mufti, please.
The users should certainly have their chance to address a problem; however,
the admins really should have a "reasonable veto". I've found that most
of my users accept the rationale behind my decisions, once I've explained
that rationale. Of course, there are always those who insist that I'm a
moron. 8)
--Wes
--
MORGAN@UKCC | Wes Morgan | ...!ukma!ukecc!morgan
morgan@ms.uky.edu | Engineering Computing | morgan@wuarchive.wustl.edu
morgan@engr.uky.edu | University of Kentucky | JWMorgan@dockmaster.ncsc.mil
Mailing list for AT&T StarServer S/E - starserver-request@engr.uky.edu
From caf-talk Caf Aug 30 10:06:11 1992
Newsgroups: alt.comp.acad-freedom.talk
From: alawrenc@sobeco.com (a.lawrence)
Subject: Re: Fabrikant pre-murder E-mail
Date: Sun, 30 Aug 92 13:46:35 GMT
Message-ID: <1992Aug30.134635.3821@sobeco.com>
In dalton@mantle.Geop.UBC.CA (David Dalton) writes:
>V.I. Fabrikant, a professor in Mechanical Engineering at Concordia
>University, recently murdered three colleagues and injured more.
..... text deleted .....
>A fairly lively discussion has been going on in sci.research
>and sci.research.careers as a result of Fabrikant's postings.
>Many of the posters think there may be something to Fabrikant's
>accusations and think there should be an investigation.
It should also be noted take Fabrikant took all of his acusations
to the Montreal Gazatte (the cities on English language daily) in the
spring and that after extensive investigation they refused to publish
anything because none of his charges could be substansiated.
For those who have not had the opportunity to read the daily reports
published in Montreal, it is established that a) Fabrikant was extremely
litigeous (dozens of law-suits against everyone he had dealings with),
b) abusive and threatening to anyone who disagreed with him.
My feeling and intution concerning this case are that our traditions
of freedom of expression and fair play (due process) have failed us here.
It is evident that Fabrikant was a madman who used the system to harass
and coerce others into giving him what he wanted. When he failed to
achieve instant tenure, even thought he was on a tenure track, he bought
three hand-guns (requiring considerable persistence on his part because
his orginal applications for a gun permit were refused by the police) and
shot his colleagues.
Today, everyone is asking how withins the bounds of our systems could
this tragedy been averted. The answers are NOT easy.
--
On a clear disk you can seek forever.
-------------------------------------------------------------------------
Andrew Lawrence, Informaticien Conseil | alawrenc@sobeco.com
3605 St-Urbain, #1605 | uunet!sobeco!alawrenc
From caf-talk Caf Aug 30 16:24:39 1992
Newsgroups: alt.comp.acad-freedom.talk
From: kadie@eff.org (Carl M. Kadie)
Subject: NREN Privacy Policy Proposal by CSPR
Message-ID: <1992Aug30.202432.22763@eff.org>
Date: Sun, 30 Aug 1992 20:24:32 GMT
====== ftp.eff.org:pub/academic/statements/nren.privacy.cpsr ======
"Proposed Privacy Guidelines for the NREN"
Statement of Marc Rotenberg,
Washington Director
Computer Professionals for Social Responsibility (CPSR)
Open Forum on Library and Information Service's Roles in the
National Research and Education Network (NREN)
National Commission on Libraries and
Information Science (NCLIS)
Washington, DC
July 21, 1992
Thank you for the opportunity to testify today before
the National Commission on Library and Information Science
(NCLIS). My name is Marc Rotenberg and I am the Director of
the Washington Office of Computer Professionals for Social
Responsibility (CPSR). CPSR is a national organization of
professionals in the computing field.
I would like to speak with you about privacy protection
and the future of the NREN. This is item 6 identified in the
NREN research agenda. Richard Civille will speak with you
next about CPSR's work to promote Local Civic Networks.
During the past few years CPSR has coordinated several
national efforts to promote privacy protection for network
communication. From cryptography to Caller ID, we have
sought to ensure that the rapid developments in the
communications infrastructure do not diminish the privacy we
all value. We believe that the future of network
communications depends largely on the ability to make certain
that sufficient privacy protection is available for all users
of the network.
In this effort we have worked closely with the library
community. It became clear to us that library organizations
have a special appreciation for the importance of privacy
protection. For many, privacy is the critical safeguard that
protects intellectual freedom and promotes the open exchange
of information. The American Library Association, the
Association of Research and other library organizations have
all shown their support for privacy protection through codes
of conduct, policy statements, and research conferences.
We have also worked closely with telecommunication
policy makers in the United States and around the world.
The New York state Public Service Commission issued a policy
on telecommunication privacy which set out several principles
for network communications. These recommendations have been
followed in several states. More recently, the Minister of
Communications in Canada issued a series of principles on
communications policy. Meanwhile, the Commission of the
European Communities has put forward a draft directive on
Data Protection in Telecommunications.
The European Commission made a critical point about
future network development. It said that "the effective
protection of personal data and privacy is developing into an
essential precondition for social acceptance of new digital
networks and services." This view is shared by agencies in
other countries that have looked at the implications of
advanced networking services. For example, the Ministry of
Posts and Telecommunications in Japan recently concluded a
study on the protection of personal data in the
telecommunications business and recommended a series of
privacy guidelines to accompany the introduction of new
network services.
In the United States, however, we find ourselves in the
midst of the greatest privacy debate in a generation. In the
absence of a coherent federal policy to protect privacy,
consumers have been left to fend for themselves, and the
response is not encouraging. From Pennsylvania to
California, telephone companies now face widespread and well-
founded consumer opposition to new telephone services. Part
of the reason for this is that there has been little effort
in the United States at the federal level to develop privacy
principles for new network services.
CPSR would like to see an agency in the United States
take on the task of developing and promulgating privacy
principles for network services. We have already recommended
the creation of a data protection board which could, among
other tasks, develop appropriate principles for network
communications. There is a proposal before Congress to
establish such an agency, but is unclear whether it will be
enacted this year.
Meanwhile, the Federal Communications Commission (FCC)
has been unwilling to address the privacy implications of new
network services. We are also somewhat disappointed that
neither the Computer Science and Technology Board (CSTB) of
the National Research Council or the Office of Technology
Assessment (OTA) has addressed privacy concerns for network
users. Both the CSTB and the OTA are well qualified to
tackle this problem.
In the interim, NCLIS could take a leadership role, and
help develop and promulgate privacy principles for the
emerging communications infrastructure. It is clearly in the
interest of the library and information science community to
ensure adequate privacy protection, but unless some agency
takes on this responsibility it appears unlikely that the
work will be undertaken.
CPSR believes that it is in the long-term interest of
our country and of computer users around the world to ensure
protection for networked communication. The failure to
develop such policy may impose very high costs on all network
users, and may ultimately reduce greatly the value of the
network to users.
Speaking academically, the absence of adequate
protection for electronic communication is a substantial gap
in NREN policy that should soon be addressed if the full
potential of the infrastructure is to be realized. Speaking
practically, if we don't get some good policy soon, we may
all be buried in a blizzard of electronic junkmail the likes
of which we have never known.
I would like now to make three points about the current
state of privacy protection for NREN, and then propose a
series of principles for privacy protection. These
principles may help "get the ball rolling" and encourage the
development of other initiatives. I hope that NCLIS will
recommend that the Office of Science and Technology Policy
(OSTP) give these principles full consideration.
FINDING 1:
Commercialization of the NREN will exacerbate
existing privacy problems. Without a clear mechanism
to protect privacy, user concerns will increase.
Much of the discussion surrounding the NREN today
focuses on the opportunity to develop commercial services and
to provide network access for private carriers. We do not
oppose efforts to provide commercial services. Clearly, there
is an important opportunity to develop new services and to
offer products through the network. At the same time, it is
apparent that the commercialization of the NREN will create
new pressures on privacy protection.
In the current network environment, made up primarily of
researchers and scientists, there is little incentive or
opportunity to gather personal data, to compile lists, or to
sell personal information. This is likely to change. Once
commercial transactions begin to take place on the net, the
information environment will resemble a hybrid of credit card
and telephone call transactions. Records of individual
purchases will be available and will possess commercial
value. The NREN community will face a whole new set of
privacy issues.
We anticipate that there will be three different types
of privacy problems as the NREN continues to evolve. First,
as commercial organizations become users of the network, they
will gather personal data, and wish to sell lists. The
address files for list servers could be sold, and users may
find themselves "subscribed" to lists they have no interest
in. These activities will raise traditional privacy concerns
about the restrictions on disclosure and secondary use, the
opportunity for users to obtain information held by others,
and the need to minimize the collection of personal
information.
Second, efforts to promote competitiveness in the
delivery of network services may also lead to the disclosure
of network data which will compromise user privacy.
This problem is already apparent in the current rules
for the operation of the telephone network. The Federal
Communication Commission requires telephone companies to
provide records of customer phone calls to other companies so
that competing companies may analyze calling patterns and
sell their services. Large companies objected to the
disclosure of this sensitive information. As a result the
FCC required that telephone companies obtain authorization
before releasing these numbers. But this restriction only
applies to telephone customers with more than 20 lines.
The disclosure of Customer Proprietary Network
Information (CPNI) has already surprised many telephone
customers who now receive calls from companies with whom they
have no prior relationship. These companies are able to
describe the customer's telephone calling habits in great
detail. Users of NREN services are also likely to object to
the disclosure of network information.
The third problem is that law enforcement agencies are
likely to make "greater demands" on communication service
providers to turn over records of electronic communications
to the government and to provide assistance in the execution
of warrants. I say "greater demands" with some reservation
since the recent proposal from the Federal Bureau of
Investigation to require that all communications equipment in
the United States be capable of wiretapping seems about the
greatest demand conceivable. Still, we should anticipate
that the government demands for access to the contents and
records of NREN communications are likely to increase.
FINDING 2:
Current privacy protections are inadequate
Electronic communications are provided some protection
against unlawful interception by the Electronic
Communications Privacy Act (ECPA) of 1986. This law extends
the very important guarantees contained within the 1968
wiretap statute to digital communication and stored
electronic mail. But this protection now appears inadequate.
As a general matter, the wiretap law protects the contents of
an electronic message against unlawful disclosure; it does
not protect the record of the transaction against disclosure.
ECPA also does not appear to protect critical personal
information, such as a person's telephone number, from
improper disclosure. For example, the Calling Number
Identification (CNID) service is probably a violation of the
wiretap statute and clearly a violation of the wiretap law of
several states. Nonetheless, the service has been offered
over the objection of consumer groups, technical experts, and
legal scholars.
FINDING 3:
Technical safeguards provide only a partial
solution
There are some in the network community who believe that
technology will provide a solution to these emerging privacy
problems. New techniques in cryptography provide ways to
protect the contents of an electronic message and even to
protect the identity of the message author. An article that
will appear next month in Scientific American titled
"Achieving Electronic Privacy" describes in more detail how
it may be possible through technical means to recapture some
privacy.
CPSR has supported many efforts to improve technical
means for privacy protection. In fact, CPSR has been of the
leading proponents of the widespread us of cryptography to
protect electronic communications. We have opposed
restrictions by both the National Security Agency and the
Federal Bureau of Investigation on the use of cryptography.
We have also supported the development of privacy-enhancing
technologies, such as telephone cards which are widely used
in Europe and Japan, and recommended that policy makers
explore technical means to protect information.
Nonetheless, we do not believe that technical safeguards
will provide sufficient protection for networked
communications. Our right of privacy is based on
Constitutional principles and our national history, and
reflects our commitment to certain political ideals. The
protection of privacy is ultimately a policy decision that
must be resolved through our political institutions.
Clearly, technology provides useful developments that we
should incorporate into future networks, but it would be a
mistake to assume that technology alone will provide
sufficient protection.
This point was made two decades ago by former White
House Science Adviser Jerome Wiesner who also served as
president of MIT. In testimony before Congress on the privacy
implications of databanks, Professor Wiesner said:
"There are those who hope new technology can redress
these invasions of personal autonomy that information
technology now makes possible, but I don't share this
hope. To be sure, it is possible and desirable to
provide technical safeguards against unauthorized
access. It is even conceivable that computers could be
programmed to to have their memories fade with time and
to eliminate specific identity. Such safeguards are
highly desirable, but the basic safeguards cannot be
provided by new inventions. They must be provided by
the legislative and legal systems of this country. We
must face the need to provide adequate guarantees for
individual privacy."
We believe that the development of NREN privacy policy
should be conducted in this spirit: looking for opportunities
to incorporate technical safeguards while recognizing that
the ultimate decisions are policy-based.
PRIVACY GUIDELINES
Before discussing the proposed privacy principles, I
would like to say a few words about the desirability of
developing these principles. Privacy protection in
electronic environments is a particularly complex policy
problem. There is legal jargon and technical jargon. There
are rapid changes. And there are certainly a wide range of
opinions about how best to achieve privacy, even about what
privacy means.
Privacy principles have helped to clarify goals and to
convey objectives in non-technical terms. Well developed
polices are "technology neutral" and are adaptable as new
technologies emerge. Professional organizations have made
widespread use of such principles for codes of ethics and for
public education.
There are a number of such polices in the privacy realm.
Some of these polices have been extremely influential in the
development of public policy, national law, and international
agreements. For example, the Code of Fair Information
Practices was the basis for the Privacy Act of 1974, the most
extensive privacy law in the United States. The Code was
developed by a special task force created by the Secretary of
Health, Education, and Welfare in 1973. Other codes have
formed the basis for data protection law in Great Britain.
All of these codes seek to establish certain
responsibilities for organizations that collect personal
information, and to create certain rights for individuals.
In developing these telecommunication privacy
guidelines, we examined existing codes and particularly the
principles developed by the Organization for Economic and
Cooperative Development (OECD) in 1981. We also incorporated
several additional principles that we believe are necessary
to protect personal information in communication
environments.
Taken as a whole, the principles are intended to improve
privacy protection for network communications as the NREN
continues to evolve.
RECOMMENDATION 1:
The confidentiality of electronic communications
should be protected.
The primary purpose of a communication network is to
ensure that information can travel between two points without
alteration, interception, or disclosure. A network that
fails to achieve this goal will not serve as a reliable
conduit for information. Therefore the primary goal should
be to guarantee the confidentiality of electronic
communications.
RECOMMENDATION 2:
Privacy considerations must be recognized
explicitly in the provision, use and regulation of
telecommunication services.
The addition of new services to a communications
infrastructure will necessarily raise privacy concerns.
Users should be fully informed about the privacy implications
of these services so that they are able to make appropriate
decisions about the use of services.
RECOMMENDATION 3:
The collection of personal data for
telecommunication services should be limited to the
extent necessary to provide the service.
Users should not be required to disclose personal data
which is not necessary for the rendering of the service. In
particular, the use of the Social Security number should be
avoided. In no instance, should it be used as both an
identifier and authenticator.
RECOMMENDATION 4:
Service providers should not disclose information
without the explicit consent of service users.
Service providers should be required to make known
their data collection practices to service users.
Service providers have a responsibility to inform users
about the collection of personal information and to protect
the information against unlawful disclosure. Personally
identifiable information should not be disclosed without the
affirmative consent of the user.
RECOMMENDATION 5:
Users should not be required to pay for routine
privacy protection. Additional costs for privacy
should only be imposed for extraordinary protection.
The premise of the federal wiretap statue is that all
users of the public network are entitled to the same degree
of legal protection against the unlawful disclosure of
electronic communications. This principle should be carried
forward into the emerging network environment. Segmented
levels of privacy protection are also likely to introduce new
transaction costs and create inefficiencies. Where special
charges are imposed for privacy, it should be for "armored
car" service.
RECOMMENDATION 6:
Service providers should be encouraged to explore
technical means to protect privacy.
Service providers should pursue technical means to
protect privacy, particularly where such means may improve
the delivery of service and reduce the risk of privacy loss.
RECOMMENDATION 7:
Appropriate security polices should be developed
to protect network communications
Security is an element of privacy protection but it is
not synonymous with privacy protection. Appropriate security
policies should be put in place to protect privacy. However,
it should be recognized that some security measures may
compromise privacy protection. Network monitoring, for
example, or the collection of detailed audit trail
information will raise substantial privacy concerns.
Therefore, security policies should be designed to serve the
larger goal of privacy protection.
RECOMMENDATION 8:
A mechanism should be established to ensure the
observance of these principles.
Good principles without appropriate oversight and
enforcement are insufficient to protect privacy. This has
been the experience of the United States with the Privacy Act
of 1974 and of the European countries with the OECD
principles of 1981. In both instances, fine principles
lacked sufficient oversight and enforcement mechanisms.
Additional principles may be appropriate and these
principles may well need modification. But we hope that they
will provide a good starting point for a discussion on
communications privacy for the NREN.
[Attachments: "Protecting Privacy," Communications of the
ACM, April 1992; "Communications Privacy: Implications for
Network Design," Proceedings of INET '92, Kobe, Japan)]
=============================================================
CPSR Washington Office, 666 Pennsylvania Ave., SE, Suite 303
Washington, DC 20003 202-544-9240 (tel) 202-547-5481 (fax)
rotenberg@washofc.cpsr.org
=============================================================
--
Carl Kadie -- I do not represent EFF; this is just me.
=kadie@eff.org, kadie@cs.uiuc.edu =
