Computer underground Digest Wed Jun 3, 1998 Volume 10 : Issue 32
ISSN 1004-042X

Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
Archivist: Brendan Kehoe
Shadow Master: Stanton McCandlish
Shadow-Archivists: Dan Carosone / Paul Southworth
                   Ralph Sims / Jyrki Kuoppala
                   Ian Dickinson
Field Agent Extraordinaire: David Smith
Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

CONTENTS, #10.32 (Wed, Jun 3, 1998)

File 1--MURKOWSKI: Free Speech Chilled by Junk Email law
File 2--Murkowski "Unsolicited Commercial Email Choice Act"
File 3--REVIEW: "Privacy on the Line", Whitfield Diffie/Susan Landau
File 4--Cu Digest Header Info (unchanged since 25 Apr, 1998)

CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN
THE CONCLUDING FILE AT THE END OF EACH ISSUE.

---------------------------------------------------------------------

Date: Thu, 14 May 1998 11:36:32 -0400
From: "Robert A. Costner"
Subject: File 1--MURKOWSKI: Free Speech Chilled by Junk Email law

Source -- Fight-Censorship List

I would like to write something detailed about the recently passed (in the Senate) spam law, but I don't have time today. So here are some quick comments.

The proposed bill

* Restricts speech of normal email communications
* Is vague in that "Unsolicited" is not defined
* Has a trigger threshold of one email to one person
* Attempts to legislate a particular technology for removals
* Legitimizes spam, and does not affect many categories of spam

What follows are some random notes I have on this.

---------------------------

On May 12, 1998, the U.S. Senate adopted S. 1618 by a vote of 99-0. This was Senator Murkowski's attempt at stopping email spam.
The text of the bill can be found at

    http://www.efga.org/netabuse/

An article in Wired about this is located at

    http://www.wired.com/news/news/politics/story/12289.html

The CAUCE web site, which no doubt has info on this is

    http://www.cauce.org/

THIS EMAIL MESSAGE YOU ARE READING IS A COMMERCIAL MESSAGE

Yes. Under the proposed bill, this is a commercial message. Why? Because I have the Wired link above, and Wired is a site that by definition

    (C) promotes the use of or contains a list of one or more Internet sites that contain an advertisement

Guess what? Wired has advertisements. So do a lot of other sites. Please correct me if I am wrong, but apparently sending one copy of this one message to any one email address may place a $15,000 fine on me.

Some other info I found in the bill. For background.

Section 306 makes it illegal when

    any intervening interactive computer service provider knowingly and intentionally retransmits any electronic mail in violation of Sections 301 or 306

This only seems to apply to commercial advertising, or more specifically email that contains commercial advertising, whether or not the intent was to advertise. It is unclear if this about to become federal law (in the US) would hold a remailer or mail list liable for mail passing thru it.

    (1) COMMERCIAL ELECTRONIC MAIL.- The term "commercial electronic mail" means any electronic mail that-
    (A) contains an advertisement for the sale of a product or service;
    (B) contains a solicitation for the use of a telephone number, the use of which connects the user to a person or service that advertises the sale of or sells a product or service; or
    (C) promotes the use of or contains a list of one or more Internet sites that contain an advertisement referred to in subparagraph (A) or a solicitation referred to in subparagraph (B).

The bill is specific about removing headers. You may not alter headers to make the message appear to not come from the original sender.
    (b) ROUTING INFORMATION-All internet routing information contained within or accompanying an electronic mail message described in subsection (a) must be accurate, valid according to the prevailing standards for Internet protocols, and accurately reflect message routing.

It should be noted that the $15,000 fine does not apply to bulk email, but to a single message sent to a single person. Therefore, it would appear that this message is covered under the bill. If this was sent by an anonymous remailer, it would seem the remailer operator may be liable as well.

----------------------

Because this law affects all communications, not just bulk communications, it requires that all email users maintain removal databases that are triggered by the use of the keyword "remove" in the subject line. As in

    Subject --Remove me from your stupid list
    Subject --Re: Remove
    Subject --Can you suggest how I remove ants from my yard?

Software will interpret all above cases as a remove request, which under the law, they in fact are.

The law really seems to have a lot of free speech implications. Once I get a chance, I'll read through it some more.

-- Robert Costner
   Phone: (770) 512-8746
   Electronic Frontiers Georgia
   mailto:pooh@efga.org
   http://www.efga.org/
   run PGP 5.0 for my public key

------------------------------

Date: Fri, 15 May 1998 22:54:30 -0500
From: jthomas3@SUN.SOCI.NIU.EDU(Jim Thomas)
Subject: File 2--Murkowski "Unsolicited Commercial Email Choice Act"

((MODERATORS' NOTE: For those who missed it, here is a reprint of the Murkowski Act))

From: http://www.senate.gov/~murkowski/commercialemail
(Senator Frank Murkowski homepage)

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the ``Unsolicited Commercial Electronic Mail Choice Act of 1997''.

SEC. 2. FINDINGS.
Congress makes the following findings:

(1) The Internet is a worldwide network of information that growing numbers of Americans use on a regular basis for educational and personal activities.
(2) Electronic mail messages transmitted on the Internet constitute an increasing percentage of communications in the United States.
(3) Solicited commercial electronic mail is a useful and cost-effective means for Americans to receive information about a business and its products.
(4) The number of transmissions of unsolicited commercial electronic mail advertisements has grown exponentially over the past several years as the technology for creating and transmitting such advertisements in bulk has made the costs of distribution of such advertisements minimal.
(5) Individuals have available no effective means of differentiating between unsolicited commercial electronic mail advertisements and other Internet communications.
(6) The transmitters of unsolicited commercial electronic mail advertisements can easily move from State to State.
(7) Individuals and businesses that receive unsolicited commercial electronic mail advertisements often pay for the costs of such receipt, including the costs of Internet access and long distance telephone charges.
(8) Unsolicited commercial electronic mail can be used to advertise legitimate services and goods but is also used for fraudulent and deceptive purposes in violation of Federal and State law.
(9) Individuals and companies that use unsolicited commercial electronic mail for fraudulent and deceptive purposes often use fraudulent identification information in such electronic mail, making it impossible for a recipient to request to be removed from the mailing list or for law enforcement authorities to identify the sender.
(10) The inability of recipients of unsolicited commercial electronic mail to identify the senders of such electronic mail or to prevent its receipt impedes the flow of commerce and communication on the Internet and threatens the integrity of commerce on the Internet.
(11) Internet service providers are burdened by the cost of equipment necessary to process unsolicited commercial electronic mail.
(12) To facilitate the development of commerce and communication on the Internet, unsolicited commercial electronic mail should be readily identifiable and filterable by individuals and Internet service providers.

SEC. 3. REQUIREMENTS RELATING TO TRANSMISSIONS OF UNSOLICITED COMMERCIAL ELECTRONIC MAIL.

(a) Information on Advertisement.
  (1) Requirement. Unless otherwise authorized pursuant to a provision of section 7, a person who transmits an electronic mail message as part of the transmission of unsolicited commercial electronic mail shall cause to appear in each electronic mail message transmitted as part of such transmission the information specified in paragraph (3).
  (2) Placement.
    (A) Advertisement. The information specified in subparagraph (A) of paragraph (3) shall appear as the first word of the subject line of the electronic mail message without any prior text or symbol.
    (B) Other information. The information specified in subparagraph (B) of that paragraph shall appear prominently in the body of the message.
  (3) Covered information. The following information shall appear in an electronic mail message under paragraph (1):
    (A) The term ``advertisement''.
    (B) The name, physical address, electronic mail address, and telephone number of the person who initiates transmission of the message.
(b) Routing Information. All Internet routing information contained within or accompanying an electronic mail message described in subsection (a) shall be valid according to the prevailing standards for Internet protocols.
(c) Effective Date.
The requirements in this section shall take effect 30 days after the date of enactment of this Act.

SEC. 4. FEDERAL REGULATION OF UNSOLICITED COMMERCIAL ELECTRONIC MAIL.

(a) Transmissions.
  (1) In general. Upon notice from a person of the person's receipt of electronic mail in violation of a provision of section 3 or 7, the Commission
    (A) may conduct an investigation to determine whether or not the electronic mail was transmitted in violation of the provision; and
    (B) if the Commission determines that the electronic mail was transmitted in violation of the provision, may
      (i) impose upon the person initiating the transmission a civil fine in an amount not to exceed $11,000;
      (ii) commence in a district court of the United States a civil action to recover a civil penalty in an amount not to exceed $11,000 against the person initiating the transmission; or
      (iii) both impose a fine under clause (i) and commence an action under clause (ii).
  (2) Deadline. The Commission may not take action under paragraph (1)(B) with respect to a transmission of electronic mail more than 2 years after the date of the transmission.
(b) Administration.
  (1) Notice by electronic means. The Commission shall establish an Internet web site with an electronic mail address for the receipt of notices under subsection (a).
  (2) Information on enforcement. The Commission shall make available through the Internet web site established under paragraph (2) information on the actions taken by the Commission under subsection (a)(1)(B).
  (3) Assistance of federal communications commission. The Federal Communications Commission may assist the Commission in carrying out its duties this section.

SEC. 5. ACTIONS BY STATES.

(a) In General.
Whenever an attorney general of any State has reason to believe that the interests of the residents of that State have been or are being threatened or adversely affected because any person is engaging in a pattern or practice of the transmission of electronic mail in violation of a provision of section 3 or 7, the State, as parens patriae, may bring a civil action on behalf of its residents to enjoin such transmission, to enforce compliance with the provision, to obtain damages or other compensation on behalf of its residents, or to obtain such further and other relief as the court considers appropriate.
(b) Notice to Commission.
  (1) Notice. The State shall serve prior written notice of any civil action under this section upon the Commission and provide the Commission with a copy of its complaint, except that if it is not feasible for the State to provide such prior notice, the State shall serve written notice immediately upon instituting such action.
  (2) Rights of commission. Upon receiving a notice with respect to a civil action under paragraph (1), the Commission shall have the right
    (A) to intervene in the action;
    (B) upon so intervening, to be heard in all matters arising therein; and
    (C) to file petitions for appeal.
(c) Actions by Commission. Whenever a civil action has been instituted by or on behalf of the Commission for violation of a provision of section 3 or 7, no State may, during the pendency of such action, institute a civil action under this section against any defendant named in the complaint in such action for violation of any provision as alleged in the complaint.
(d) Construction.
For purposes of bringing a civil action under subsection (a), nothing in this section shall prevent an attorney general from exercising the powers conferred on the attorney general by the laws of the State concerned to conduct investigations or to administer oaths or affirmations or to compel the attendance of witnesses or the production of documentary or other evidence.
(e) Venue; Service of Process. Any civil action brought under subsection (a) in a district court of the United States may be brought in the district in which the defendant is found, is an inhabitant, or transacts business or wherever venue is proper under section 1391 of title 28, United States Code. Process in such an action may be served in any district in which the defendant is an inhabitant or in which the defendant may be found.
(f) Actions by Other State Officials. Nothing in this section may be construed to prohibit an authorized State official from proceeding in State court on the basis of an alleged violation of any civil or criminal statute of the State concerned.
(g) Definition. In this section, the term ``attorney general'' means the chief legal officer of a State.

SEC. 6. INTERNET SERVICE PROVIDERS.

(a) Exemption for Certain Transmissions. The provisions of this Act shall not apply to a transmission of electronic mail by an interactive computer service provider unless the provider initiates the transmission.
(b) Notice of Transmissions from Commission.
Not later than 72 hours after receipt from the Commission of notice that its computer equipment may have been used by another person to initiate a transmission of electronic mail in violation of a provision of section 3 or 7, an interactive computer service provider shall
  (1) provide the Commission such information as the Commission requires in order to determine whether or not the computer equipment of the provider was used to initiate the transmission; and
  (2) if the Commission determines that the computer equipment of the provider was used to initiate the transmission, take appropriate actions to terminate the use of its computer equipment by that person.
(c) Notice of Transmissions from Private Individuals.
  (1) In general. Subject to paragraph (2), not later than 14 days after receipt from a private person of notice that its computer equipment may have been used by another person to initiate a transmission of electronic mail in violation of a provision of section 3 or 7, an interactive computer service provider shall
    (A) transmit the notice to the Commission together with such information as the Commission requires in order to determine whether or not the computer equipment of the provider was used to initiate the transmission; and
    (B) if the Commission determines that the computer equipment of the provider was used to initiate the transmission, take appropriate actions to terminate the use of its computer equipment by that person.
  (2) Minimum notice requirement. An interactive computer service provider shall transmit a notice under paragraph (1) with respect to a particular transmission of electronic mail only if the provider receives notice with respect to the transmission from more than 100 private persons.
(d) Blocking Systems.
  (1) Requirement.
Each interactive computer service provider shall make available to subscribers to such service a system permitting such subscribers, upon the affirmative electronic request of such subscribers, to block the receipt through such service of any electronic mail that contains the term ``advertisement'' in its subject line.
  (2) Notice of availability. Upon the applicability of this subsection to an interactive computer service provider, the provider shall
    (A) notify each current subscriber, if any, to the service of the blocking system provided for under paragraph (1); and
    (B) notify any new subscribers to the service of the blocking system.
  (3) Blocking by provider. An interactive computer service provider may, upon its own initiative, block the receipt through its service of any electronic mail that contains the term ``advertisement'' in its subject line.
  (4) Applicability. The requirements in paragraphs (1) and (2) shall apply
    (A) beginning 1 year after the date of enactment of this Act, in the case of an interactive computer service provider having more than 25,000 or more subscribers; and
    (B) beginning 2 years after that date, in the case of an interactive computer service provider having less than 25,000 subscribers.
(e) Records. An interactive computer service provider shall retain records of any action taken on a notice received under this section for not less than 2 years after the date of receipt of the notice.
(f) Construction. Nothing in this section may be construed to require an interactive computer service provider to transmit or otherwise deliver any electronic mail message containing the term ``advertisement'' in its subject line.
(g) Definition. In this section, the term ``interactive computer service provider'' has the meaning given that term in section 230(e)(2) of the Communications Act of 1934 (47 U.S.C. 230(e)(2)).

SEC. 7. RECEIPT OF TRANSMISSIONS BY PRIVATE PERSONS.

(a) Termination of Transmissions.
  (1) Request.
A person who receives a transmission of unsolicited commercial electronic mail not otherwise authorized under this section may request, by electronic mail to the same electronic mail address from which the transmission originated, the termination of transmissions of such mail by the person initiating the transmission.
  (2) Deadline. A person receiving a request for the termination of transmissions of electronic mail under this subsection shall cease initiating transmissions of electronic mail to the person submitting the request not later than 48 hours after receipt of the request.
(b) Affirmative Authorization of Transmissions Without Information.
  (1) In general. Subject to paragraph (2), a person may authorize another person to initiate transmissions to the person of unsolicited commercial electronic mail without inclusion in such transmissions of the information required by section 3.
  (2) Termination.
    (A) Notice. A person initiating transmissions of electronic mail under paragraph (1) shall include, with each transmission of such mail to a person authorizing the transmission under that paragraph, notice that the person authorizing the transmission may request at any time the recommencement of the inclusion in such transmissions of the information required by section 3.
    (B) Deadline. A person receiving a request under this paragraph shall include the information required by section 3 in all transmissions of unsolicited commercial electronic mail to the person making the request beginning not later than 48 hours after receipt of the request.
(c) Constructive Authorization of Transmissions Without Information.
  (1) In general.
Subject to paragraph (2), a person who secures a good or service from, or otherwise responds electronically to, an offer in a transmission of unsolicited commercial electronic mail shall be deemed to have authorized transmissions of such mail without inclusion of the information required under section 3 from the person who initiates the transmission providing the basis for such authorization.
  (2) Termination.
    (A) Request. A person deemed to have authorized the transmissions of electronic mail under paragraph (1) may request at any time the recommencement of the inclusion in such transmissions of the information required by section 3.
    (B) Deadline. A person receiving a request under this paragraph shall include the information required by section 3 in all transmissions of unsolicited commercial electronic mail to the person making the request beginning not later than 48 hours after receipt of the request.
(d) Effective Date of Termination Requirements. Subsections (a), (b)(2), and (c)(2) shall take effect 30 days after the date of enactment of this Act.

SEC. 8. ACTIONS BY PRIVATE PERSONS.

(a) In General. Any person adversely affected by a violation of a provision of section 3 or 7, or an authorized person acting on such person's behalf, may, within 1 year after discovery of the violation, bring a civil action in a district court of the United States against a person who has violated the provision. Such an action may be brought to enjoin the violation, to enforce compliance with the provision, to obtain damages, or to obtain such further and other relief as the court considers appropriate.
(b) Damages.
  (1) In general. The amount of damages in an action under this section for a violation specified in subsection (a) may not exceed $5,000 per violation.
  (2) Relationship to other damages. Damages awarded for a violation under this subsection are in addition to any other damages awardable for the violation under any other provision of law.
(c) Cost and Fees.
The court, in issuing any final order in any action brought under subsection (a), may award costs of suit and reasonable attorney fees and expert witness fees for the prevailing party.
(d) Venue; Service of Process. Any civil action brought under subsection (a) in a district court of the United States may be brought in the district in which the defendant is found, is an inhabitant, or transacts business or wherever venue is proper under section 1391 of title 28, United States Code. Process in such an action may be served in any district in which the defendant is an inhabitant or in which the defendant may be found.

SEC. 9. RELATION TO STATE LAWS.

(a) State Law Applicable Unless Inconsistent. The provisions of this Act do not annul, alter, or affect the applicability to any person, or otherwise exempt from the applicability to any person, of the laws of any State with respect to the transmission of unsolicited commercial electronic, except to the extent that those laws are inconsistent with any provision of this Act, and then only to the extent of the inconsistency.
(b) Requirement Relating to Determination of Inconsistency. The Commission may not determine that a State law is inconsistent with a provision of this Act if the Commission determines that such law places greater restrictions on the transmission of unsolicited commercial electronic mail than are provided for under such provision.

SEC. 10. DEFINITIONS.

In this Act:

(1) Commercial electronic mail.
The term ``commercial electronic mail'' means any electronic mail that
  (A) contains an advertisement for the sale of a product or service;
  (B) contains a solicitation for the use of a toll-free telephone number or a telephone number with a 900 prefix the use of which connects the user to a person or service that advertises the sale of or sells a product or service; or
  (C) contains a list of one or more Internet sites that contain an advertisement referred to in subparagraph (A) or a solicitation referred to in subparagraph (B).
(2) Commission. The term ``Commission'' means the Federal Trade Commission.
(3) State. The term ``State'' means any State of the United States, the District of Columbia, Puerto Rico, Guam, American Samoa, the United States Virgin Islands, the Commonwealth of the Northern Mariana Islands, the Republic of the Marshall Islands, the Federated States of Micronesia, the Republic of Palau, and any possession of the United States.

------------------------------

Date: Tue, 5 May 1998 08:35:39 -0800
From: "Rob Slade, doting grandpa of Ryan and Trevor"
Subject: File 3--REVIEW: "Privacy on the Line", Whitfield Diffie/Susan Landau

BKPRIVLN.RVW 980301

"Privacy on the Line", Whitfield Diffie/Susan Landau, 1998, 0-262-04167-7, U$25.00
%A Whitfield Diffie
%A Susan Landau
%C 55 Hayward Street, Cambridge, MA 02142-1399
%D 1998
%G 0-262-04167-7
%I MIT Press
%O U$25.00 +1-800-356-0343 fax: +1-617-625-6660 manak@mit.edu
%P 342 p.
%T "Privacy on the Line: The Politics of Wiretapping and Encryption"

This seems to be the year for privacy. Hard on the heels of "Technology and Privacy" (cf. BKTCHPRV.RVW), "The Electronic Privacy Papers" (cf. BKELPRPA.RVW), and the related "Borders in Cyberspace" (cf. BKBRDCYB.RVW) comes this volume.
Given the emotional content with which the encryption debate has been loaded in recent years, it is important that the introduction, in chapter one, is a neutral and even-handed look at the background of the discussion, presenting the issues on both sides, although little of the case for either. Specific references may be from the United States, but the arguments made are generic enough to be considered by all audiences.

Chapter two gives an overview of cryptography, which is, of course, excellent. Not only does it explain the importance of keys and cryptographic strength, but it also gives insightful analysis into business and social factors in the development of the field. Cryptography and public policy, in chapter three, is restricted to developments within (and related to) the US, but looks at all types of issues, both technical and not. Chapter four discusses national security with a quick but clear and thorough overview of the various aspects of intelligence gathering, particularly communications intelligence. There is also brief mention of information warfare.

Much of the heat in the current debate about encryption restrictions involves law enforcement. (References are frequently made to drug and child pornography rings.) Therefore, the brevity of chapter five is disappointing. The content, however, is not. It builds a solid framework for the topic, and notes an instructive difference in effectiveness between wiretaps and other electronic bugs.

Chapter six is again specific to US history, reviewing activities both in support, and destructive, of privacy. Chapter seven deals specifically with wiretapping technology, activities, and legality in the US. Much of the material in the chapter has been at least touched on previously, and there is noticeable duplication. There is less duplication in chapter eight's discussion of the current communications scene, although little new material.
The same is not the case with current cryptography in chapter nine, providing brief backgrounds of the myriad efforts being made to disseminate and suppress encryption capabilities. The conclusion, in chapter ten, seems to come down on the side of opening encryption development and distribution. An extensive, possibly exhaustive, bibliography is a major resource in the book.

The thorough research, even tone, and informed analysis make this work an excellent foundation for discussion. It does not, however, provide much in the way of direction. That the authors should tend to support the dropping of restrictions on cryptography is not surprising, but such support is neither strong nor impassioned.

copyright Robert M. Slade, 1998 BKPRIVLN.RVW 980301

------------------------------

Date: Thu, 25 Apr 1998 22:51:01 CST
From: CuD Moderators
Subject: File 4--Cu Digest Header Info (unchanged since 25 Apr, 1998)

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically.

CuD is available as a Usenet newsgroup: comp.society.cu-digest

Or, to subscribe, send post with this in the "Subject:" line:

    SUBSCRIBE CU-DIGEST

Send the message to: cu-digest-request@weber.ucsd.edu

DO NOT SEND SUBSCRIPTIONS TO THE MODERATORS.

The editors may be contacted by voice (815-753-6436), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115, USA.
To UNSUB, send a one-line message:

    UNSUB CU-DIGEST

Send it to CU-DIGEST-REQUEST@WEBER.UCSD.EDU
(NOTE: The address you unsub must correspond to your From: line)

CuD is readily accessible from the Net:

UNITED STATES:
  ftp.etext.org (206.252.8.100) in /pub/CuD/CuD
    Web-accessible from: http://www.etext.org/CuD/CuD/
  ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/
  aql.gatech.edu (128.61.10.53) in /pub/eff/cud/
  world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/
  wuarchive.wustl.edu in /doc/EFF/Publications/CuD/

EUROPE:
  nic.funet.fi in pub/doc/CuD/CuD/ (Finland)
  ftp.warwick.ac.uk in pub/cud/ (United Kingdom)

The most recent issues of CuD can be obtained from the Cu Digest WWW site at:
  URL: http://www.soci.niu.edu/~cudigest/

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Authors hold a presumptive copyright, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections.

------------------------------

End of Computer Underground Digest #10.32
************************************