University of Bielefeld -  Faculty of technology
Networks and distributed Systems
Research group of Prof. Peter B. Ladkin, Ph.D.
This page was copied from:


The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 16, Issue 15

Weds 15 June 1994



o Privacy: Your Secrets For Sale
Les Earnest
o Life imitates Bart Simpson
Jeffrey S. Sorensen
o "Computer Ethics" by Deborah Johnson
Rob Slade
o Re: More Chunnel vision
Philip H. Smith III
o Re: Airbus
Mary Shafer
Robert Dorsett
Phil Overy
Wesley Kaplow
o Re: Risks of speed enforcement
Jonathan Clark
Clive D.W. Feather
o Re: RISKS in UK Election Voting Process
Doug Tooley
Kent J Quirk
John C Sager
Sean Matthews
Peter Robinson
John Gray
o Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

Privacy: Your Secrets For Sale

Les Earnest <>
Sun, 12 Jun 94 17:39:31 -0700
     ABC's Nightline programs on June 9 & 10 focussed on invasions of privacy that
     are facilitated by computers and other electronic media.  The program mainly
     covered things that we are familiar with but performed a valuable service, I
     believe, by bringing some important privacy issues to the attention of the
     general public in a fairly clear and direct way.
     The program began with Ted Koppel presenting results of a public opinion poll
     on two questions:
       Is the sale of records to mail order companies an invasion of privacy?
         YES - 73%  NO - 27%
       Are you concerned about threats to your privacy?
         YES - 85%  NO - 15%
     Koppel went on to assert that the amount of personal information that is
     available online is currently quadrupling each year.  An interview followed
     with an information broker named Al Schweitzer, who they mentioned is
     currently on probation for bribery in connection with information gathering.
     They gave him names and social security numbers of a couple of people and he
     showed that in less than 24 hours he could get a great deal of information
     about them from legal sources, including their residential addresses going
     back a number of years, the amounts of all outstanding loans and credit card
     debts and terms of a divorce settlement.
     Schweitzer could not resist mentioning that he could get additional
     information, including detailed phone bills and lists of credit card purchases
     through illicit but readily accessible channels and could get the person's
     income through another such channel at a cost of $50.  He showed a list of
     kinds of information, both legal and illegal, that are available and the
     schedule of fees for these services.
     There was a discussion of the fact that state and local governments sell a
     great deal of information to direct marketers, including voter registration,
     property owners lists, court records, and (in many states) motor vehicle and
     drivers license registrations.  These agencies derive a great deal of income
     from selling this information, which has assisted direct marketers to keep
     track of 80 million Americans.  Thus they have a mutually beneficial
     relationship, arguably at the expense of the public.
     It was mentioned that Barbara Boxer's bill, which has passed the U.S.  Senate,
     would restrict dissemination of information by all state departments of motor
     They interviewed a "reformed hacker" named Ian Murphy who is now a security
     consultant.  Murphy pointed out that all calls to 800 or 900 numbers make the
     caller's phone number available and that with a computer and an available
     database this can be mapped into the subscriber's name and address.  He also
     discussed how it was possible to intercept a telephone conversation from a
     specific cellular phone.  He noted that this is illegal but that it is almost
     impossible to catch anyone who does it.  He concluded that "Laws can't keep up
     with technology."
     In a discussion of the Clipper Chip there was a short interview with John
     Perry Barlow in which he remarked that with it "The government can sit in your
     living room and hear everything you say."
     A woman from Houston, Texas, named Carol Gibbs told her horror story about
     having her credit usurped by another person and the fact that it has taken her
     two years to get her life back together.
     It was pointed out that even though it is now illegal to sell video rental
     records, it is perfectly legal to sell personal medical records!
     The second program concluded with a discussion between Koppel, Schweitzer,
     Sally Katzen of the "Clinton Privacy Group" and Representative Ed Markey, who
     discussed his proposed "Privacy Bill of Rights."  Markey said that this bill
     would impose two requirements:
     (1) That individuals must be given knowledge that information is being
         gathered about them electronically;
     (2) Individuals must be given notice when information that has been
         gathered is proposed for a use other than the one for which it
         was gathered.
     Katzen mentioned that it has been over 20 years since the Code of Fair
     Information Practices was developed and that technology has changed
     substantially: in 1973-74 most records were paper-based but computer-based
     records now dominate.  She asserted that the law has to catch up.
     In parting it was mentioned that a representative of one of the "big three"
     credit information houses had originally agreed to participate in the
     discussion but decided not to come after learning who else would be there.
     	-Les Earnest

Life imitates Bart Simpson

"Jeffrey S. Sorensen" <>
Mon, 13 Jun 1994 23:14:34 -0400
     This is a Risk only fans of The Simpsons will appreciate:
     (Paraphrased from New Haven Register Sunday, June 12, 1994 [With my comments!])
     Northeast Utilities reported that it had failed to follow proper safety
     procedures on 2 occasions in April at its Millstone 2 plant in Waterford.
     On April 23, an indicator showed that some of the control rods were stuck.
     The crew concluded that the problem must have been with the indicator and left
     for the day.  When the new crew arrived, they discovered the rods were indeed
     stuck but failed to shutdown the reactor as quickly as they should have and
     underclassified the seriousness of the event.
     [See stdrisks.h sections on incredulous operators ignoring unexpected
     warnings.  Also see section on It's Not MY Problem/It's Miller Time
     (After a HOT day at work, everyone's _dying_ to get home)]
     After the incident, some of the plant's operators failed a Northeast
     Utilities test on reactor theory and were removed from duty for training.
     The utility's report blamed the problem in part on the operators'
     failure to understand reactor theory and a failure of plant
     management to "fully appreciate the implications" of the safety-related
     event and to provide sufficient oversight.
     [sound clip of Homer: Dough!]
     [sound clip of Mr. Burns: Excellent...]
     The other incident involved a coolant leak from the plant's reactor.
     In this case, the operators again underclassified the seriousness of
     the event.  Notification of federal authorities was delayed by 16
     [Guess they were just letting off a little steam after failing their tests...]
     [sound clip of Bart: Aye Carumba!]
     Jeffrey Sorensen

"Computer Ethics" by Deborah Johnson

Rob Slade <"Rob Slade, Ed. DECrypt & ComNet, VARUG rep, 604-984-4067">
Tue, 14 Jun 1994 11:55:07 -0600 (MDT)
     BKCMPETH.RVW  940322
     Prentice Hall
     113 Sylvan Avenue
     Englewood Cliffs, NJ   07632
     (515) 284-6751
     FAX (515) 284-2607 
     70621.2737@CompuServe.COM Alan Apt
     Beth Mullen-Hespe
     "Computer Ethics", Johnson, 1994, 0-13-290339-3
     Unlike the famous quote about life in the state of nature being nasty, dull,
     brutish and short, Johnson's examination of the state of ethics in computing is
     readable, interesting, discerning--and short.
     Unlike the usual treatment of ethics as proof by exhaustion, Johnson does a
     complete and reasonable job.  Without recourse to mounds of collected work (of
     dubious merit), the major points of professionalism, property rights, privacy,
     crime, and responsibility are addressed.  Even in this brief space, ethics are
     studied more rigorously than in more weighty tomes.  Not content with the usual
     reliance on relativism and utilitarianism, Johnson points out the flaws in
     "Complete" is, I suppose, an overstatement.  Although it is difficult to
     imagine a scenario that the book does not touch upon at some point, ultimately
     this book is a good primer and discussion starter.  Although possibly the
     definitive work in the field to date, it does not, in the final analysis, get
     us much closer to a computer ethic.
     Recommended.  Should be required reading for all computer science students. 
     Exposure wouldn't hurt any number of professionals and executives, either.
     copyright Robert M. Slade, 1994   BKCMPETH.RVW  940322
     DECUS Canada Communications, Desktop, Education and Security group newsletters
     Editor and/or reviewer, Rob Slade at 1:153/733
     BCVAXLUG ConVAXtion, Vancouver, BC, Oct. 13 & 14, 1994 contact

More Chunnel vision

Philip H. Smith III <PHILS@RELAY.RELAY.COM>, (703) 506-0500
Tue, 14 Jun 94 06:46:18 EDT
     I had always hoped the Chunnel would allow auto traffic, with HOV
     restrictions, thus enabling the dreaded "Carpool Tunnel Syndrome".

Airbus A3(0?)0 deductions (Overy, RISKS-16.14)

Mary Shafer < >
Tue, 14 Jun 94 07:51:24 PDT
     Phil> 1) Boeing sell similar automation to the A320 - they also caused
     Phil> the second- worst Japanese crash and in this case much more
     Phil> directly (the fuselage broke).
     Not true--Boeing does not have any fly-by-wire aircraft in operational status.
     They have flown precisely ONE fly-by-wire aircraft, the prototype 777.  And it
     made its first flight last week.
     Phil> 2) whether you use sidestick or yoke, a modern airliner has no
     Phil> direct "cables" to the rudders - it relies on multiple links
     Phil> either electrical or hydraulic which would work equally well
     Phil> with sidesticks. A300s have been around for 20 years - this was an A320.
     Not entirely true, as the Douglas DC-11 and DC-12 have cables that run from
     the pilot controls (yoke and rudder) all the way back to the wing and tail,
     for ailerons or elevators and rudders respectively.  The control surfaces are
     hydraulically actuated, it's true, but most of the control run is cables.  I
     think that the 747 also has similar cables.
     Phil> 5) Since several A320s have crashed when silly things have been
     Phil> happening, perhaps the automation, like the "watertight" hull of
     Phil> the Titanic, is creating a too-complacent pilot. As a
     Phil> far-too-complacent pilot myself in the past, I can understand this.
     Well, no doubt, but wasn't this accident a 300, not a 320?  The 300 has a
     conventional FCS, not fly-by-wire.  Just because they both start with 3's
     doesn't make them the same aircraft.  That's like saying that an A-10 and a
     KC-10 are identical because they both have 10 in the designator.
     Mary Shafer  SR-71 Chief Engineer         NASA Dryden Flight Research Center, 
     Edwards, CA                

Re: How to feel safer in an Airbus Ladkin, RISKS-16.14

Robert Dorsett < >
Mon, 13 Jun 1994 19:41:40 -0700
     >His speculation on the A320, that Airbus were forced to use modes
     >because they chose a sidestick design, is incorrect. Fly-by-wire
     >aircraft use modes because they have to. 
     This is not true.  Early FBW aircraft were essentially open-loop analog
     systems.  They were reactive, very simple, providing very simple feedback and
     control loops.  They were not anywhere near as modal as modern systems.  Keep
     in mind that Airbus' position is that fly-by-wire systems have to provide a
     supermarket of user features.  In reality, the primary operational benefit is
     to be simplicity and weight savings.  What a manufacturer does from that point
     onwards is totally arbitrary and subject to market forces.
     The Airbus design has long struck me as being in support of an interface
     which, in turn, was probably the result of a marketing decision.  Certainly,
     the decision to use sidesticks--which provide no active feedback, and which 
     are not interlinked--ran contrary to the preferences of many pilots.  The
     lack of said characteristics has resulted in more modes (and the necessity
     of protections) and a variety of rather impressive kludges (such as the 
     "take-over" arrows which point to the other pilot when he pushes his "take-
     over" button).
     From what I've read of the Boeing 777 design, it's much less modal than
     the Airbus design, providing unified and conventional flight characteristics
     from takeoff roll through landing roll.
     >A further comment about the Nagoya accident is appropriate. Current
     >knowledge is that the pilots failed to follow normal, explicit
     >procedure for control of the aircraft, 
     Really?  I've not seen that anywhere.  "Explicit" suggests that the systems'
     characteristics were clear and well-understood.  Such is not the case here.
     In fact, given that Airbus control philosophies tend to be rather subtle
     in their feedback and invocation procedures, I'd certainly not suggest
     that "pilot error" was a likely or trivial error in this case, at least not 
     at this point.
     >and secondly that they had both
     >been drinking alcohol, which is illegal for good reason.  
     This has also not been substantiated.  The investigators will not comment,
     and it is not clear whether the presence of alcohol in the corpses was a 
     result of ingestion or decomposition of tissues.  In any event, the 
     *presence* of alcohol is not illegal.  The illegality is determined by
     the *amount* of alcohol present.
     >senior management of China Airlines has resigned because of this accident.  
     Because of the fifth major accident in as many years, was the way I understood
     And Phil Overy RAL <> writes:
     > re: Mark Terribile's posting:-
     > 1) Boeing sell similar automation to the A320 - they also caused the second-
     > worst Japanese crash and in this case much more directly (the fuselage broke).
     I do not understand this paragraph.  To the naive reader, it could appear
     that you're claiming a Boeing automation issue was responsible for the
     structural failure of an airplane.  This is clearly false.
     Nor was the JAL crash the simple result of structural failure: it was
     primarily the result of a faulty repair, which destroyed the tail, taking
     the airplane's hydraulic systems along with it.
     Moreover, Boeing automation is significantly different from AI automation,
     from the ground up.  The 777 flight control system (assuming you're referring
     to flight control systems) uses a different machine architecture and has a
     fundamentally different mission requirement, governed by the use of a
     different interface.
     If you're referring to more conventional functions, such as cockpit
     automation and the navigation systems, again, Boeing philosophy is demonstrably
     different from Airbus philosophy.  It's debatable whether either is "better,"
     but to even a casual observer, they are sufficiently different to cause
     at least a few customers to scratch their heads when it comes to running
     fleets with airplanes from multiple vendors.  In many cases, the differences
     are not trivial.
     > 2) whether you use sidestick or yoke, a modern airliner has no direct 
     > "cables" to the rudders - it relies on multiple links either electrical or 
     > hydraulic which would work equally well with sidesticks. 
     In point of fact, the hydraulic actuators are controlled via cables.  And
     in a few airplanes (727, DC-9 derivatives) the pilots still retain aircraft
     control via control tabs in the event of complete hydraulic failure.
     > 4) as for mode-switching and elevators etc - the senior pilot seems to have
     > tried to recover without switching off the auto-pilot, the junior pilot seems
     > to have flown as if the auto-pilot wasn't on. Reports will not say this as
     > it's a conclusion, not a fact - it does however sound like the explanation.
     And reports also claim a 15-year-old boy crashed an A310-600 when he nudged
     against the control column.  Hmm.  I wonder why two airline pilots couldn't
     figure THAT one out.
     Robert Dorsett

Correction of my post on "A-THREE-HUNDRED" crash at Nagoya

Phil Overy <>
Wed, 15 Jun 94 08:38:51 BST
     After a mail from Peter Ladkin I am now sure of my ground and wish to write
     what I wanted to write in the first place - despite your correspondent (and a
     newspaper report I unfortunately used to check my memory, not my Independent
     or Peter Ladkin's Herald Tribune which got it right), the worst crash in Japan
     was AN A300 (ie an "old", un-computerised type NOT with sidesticks).
     The Taiwanese plane did not crash after any kind of automation or airframe
     failure, but when the auto-pilot was left on until too late.  Peter Ladkin
     tells me that the president of the airline resigned after the crash, so it
     doesn't sound as if they are trying to transfer responsibility to the
     The crash at Nagoya was not like Japan's second-worst disaster when a Super
     747 (high-altitude model) crashed when the pressure bulkhead at the rear
     collapsed; on that occasion the makers were Boeing, however I leave
     accusations to lawyers -- there are plenty of these around and I may have
     flown on one (and lived :-) ).    [lawyers?] 
     I could have phrased it better, but I would point out that Boeing also now use
     fly-by-wire (on the brand new 777), so the earlier correspondent was misguided
     in thinking that Boeing were staying away from fly-by-wire. The 777 is also a
     much bigger plane than the A320...
     Phil Overy

Does it matter why A3??'s have a poor record?

Wesley Kaplow <>
Tue, 14 Jun 1994 09:51:48 -0400
     The average person's response to all of the A3?? technical discussion would
     probably be that, frankly, it does not matter why these planes crash!  To
     me, if we play only on the statistics, I want an airplane with a good safety
     record.  Already, Airbus Industry has lost more planes per delivered plane
     than any other major aircraft manufacturer in the past 3 decades (Lockheed,
     Boeing, MD).  The average person, who for example reads in Consumer Reports
     that XYZ product can burst into flames after extended use, does not care why!
     The same is true for airline equipment.
     It is also reassuring to note that some committee (or individual)
     decided that an A320 does not think it has landed until the wheels
     spin up to something like 90 kts.  How reassuring to think that all of
     the possible consequences of this decision have been carefully thought
     out and that a full fault-effect analysis has been performed.
     Wesley K. Kaplow, AT&T Bell Laboratories, Rensselaer Polytechnic Institute

Re: risks of speed enforcement (Cunningham, RISKS-16.14)

Jonathan Clark < >
Tue, 14 Jun 94 12:13 EDT
     Andy Cunningham mentions some possible risks of over-zealous speed
     enforcement, with (presumably) a radar gun linked to a video camera and some
     automatic licence-plate recognition software.
     Such a system was until last year under test in New Jersey.  A law was then
     passed banning it after it was found that there was no way to let people off
     after they had been ticketed, so that politicians, off-duty police officers
     and other members of the nomenklatura would then have to conform to the same
     rules of the road as the rest of the populace. I guess the risk here is that
     of trying to apply rules to people they obviously weren't meant for!
     Designers take note - you always have to leave *some* way to circumvent the
     system :-)
     I should note that in the U.S. speeding tickets are frequently (many
     would say primarily) used to generate revenue, rather than for
     any considerations of safety or traffic management.
     On the other hand, I understand that photo-radar systems work in the
     infra-red. This is preferable to an experience I had some years ago while
     driving late at night at high speed on an autoroute in Belgium - I drove under
     a bridge and was dazzled by a *powerful* flash going off behind me. Now
     there's an unexpected risk of driving too fast...

RISKS of real-time image processing (Cunningham, RISKS-16.14)

"Clive D.W. Feather" <>
Tue, 14 Jun 1994 11:10:07 +0100 (BST)
     > ...actually send out tickets (camera/radar systems which produce photographic
     I don't think this is a likely problem. The current camera/radar systems
     don't work like that. The radar is used to detect likely speeders, and
     then the camera takes two pictures a known time apart; the position of
     the car in each is used to determine whether the car was speeding.
     Clive D.W. Feather, Santa Cruz Operation, Croxley Centre, Hatters Lane, Watford
     WD1 8YN, United Kingdom        Phone: +44 923 816 344 

Re: RISKS in UK Election Voting Process

Doug Tooley <>
Tue, 14 Jun 1994 12:44:41 -0400
     The UK is not alone in their lack of voting security.
     In Canada, as "proof of identification" all we had to do to identify 
     ourselves at the registration station was to bring an envelope mailed
     to our address (with our name on it) with a second piece of identification.
     Sounds straightforward... The people are nice and accommodating too: A
     roommate of mine couldn't make it to the registration, so we were able to
     register for him *very* easily.
     Given the (lack of) care being put into actually checking the
     identification (to test this, I deliberately didn't show them the address
     on my envelope, I merely waved it at him, and that was sufficient)
     literally anyone could have registered to vote.
     The registration process was optimized for speed (we had to wait 30-40
     mins) and for friendliness, (they were very willing to accept my word at
     face value) but no REAL effort was made to authenticate the participants.
     Doug Tooley      4C Co-Op CS/C&O student at U of Waterloo, Ontario, Canada  

Re: Voting Systems - UK, US

Kent J Quirk < >
Tue, 14 Jun 1994 03:22:40 GMT
     In the two towns I've lived in here in Massachusetts, they have a similar 
     voting system to that mentioned in England, except that no voter card is 
     required.  They ask for a street address and a house number, but anyone 
     who can read upside down could simply pick a name out of a hat.  
     The risks to the would-be fraudulent voter is that even in our relatively 
     large town of 25,000 people there is a decent chance that the person 
     behind the counter knows the person you are naming, or that the person 
     will later attempt to vote and uncover the fraud (not that there's much 
     that could be done about it at that point).
     The news media, in covering questionable elections around the world, often
     speak of "massive election fraud".  It seems to me that since massive fraud is
     really the only kind that has any predictable benefit, spoofing the
     blue-haired volunteers behind the desk is not really all that much of a worry.
        [Similar comment regarding Mass. from .]

Re: RISKS in UK Election Voting Process (Rushton, RISKS-16.14)

John C Sager <>
Tue, 14 Jun 94 09:17:49 BST
     This is not uncommon - I did exactly the same thing. Admittedly there
     is a RISK, but you also have to consider cultural factors. Accusations
     of ballot-rigging in UK elections are rare. If someone picked an
     address at random and voted as a resident there, as suggested, then
     there would be major investigations & lots of publicity when the real
     voter turned up with a valid poll card. Yet this does not happen.
     There is no culture of ballot-rigging in the UK (except long ago
     in Northern Ireland, but that was done a different way).
     John C Sager B67 G18, BT Labs, Martlesham Heath, IPSWICH  IP5 7RE England			 +44 473 642623

Re: RISKS in UK Election Voting Process

Sean Matthews < >
Tue, 14 Jun 94 10:32:18 +0200
     > Question: Should the UK update its voting system? 
     Answer: No.
     Actually, at least, in Northern Ireland, the election procedure has been
     tightened: because there is a real, as opposed to theoretical, problem with
     impersonation (vote early, vote often) they insist that you now have to have
     some form of ID with you (or at least did, I haven't voted there for some
     years, but I don't imagine that it has changed). Traditionally, polling
     stations in Britain have someone local who is familiar with the people of the
     area, a doctor or vicar or something, around as an informal check for
     impersonation (this would probably work better in rural, than urban areas).
     I don't think there is much of a problem really, with the UK procedure.  If
     they need to be careful (like in NI) they can make things much better, just by
     always asking for ID, or to see the registration card.  But since they don't
     actually need to at the moment, why bother.  After all, a problem with voter
     impersonation would be obvious if it happened on any sort of scale and if it
     does happen there are separate procedures for dealing with it.
     There is the risk here of fixing something that is not obviously broken,
     by assuming a purely theoretical worst case.
     Sean Matthews <>   Max-Planck-Institut fuer Informatik
     Im Stadtwald, D-66123 Saarbruecken, Germany     +49 681 302 5363
        [Further similar comments from Peter Robinson <>]

Re: Risks in UK Election Voting Process (Rushton, RISKS 16-14)

John Gray (grayjw) <>
Tue, 14 Jun 94 11:33:31 BST
     Thomas Rushton is correct to identify this problem (of getting names from the
     electoral roll).  There are two points to make.
     1) You don't need ID to vote in the UK. Instead you must satisfactorily 
     answer two "statutory questions" having given the name and address:
        a) Are you XY, resident at (address)       (yes)
        b) Have you already voted in this election  (no)
     2) The problem is worst in the case where the "real" turnout is low, because
     it would be possible, in disguise, to vote several times under different names.
     However, in a high turnout election, it's more likely that the person whose ID
     you have used will turn up to vote. They are *not* denied a vote.
     If you turn up at the polling station, and give your name, and it's already
     marked on the register, then you will be asked the questions, and given a 
     different colour of ballot paper, which you complete in the same way. If the
     final result is close enough for these papers to matter, then the election may
     have to be resolved in court.
     I agree that for low-turnout elections there is a problem with the system.
     This strikes me as a common risk in any democratic system: if you don't use
     your influence, someone else will.
     John Gray
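As an added illustration (not part of John Gray's post, and not a description of any real electoral software), the following Python is a toy model of the marked-register procedure he describes: no ID, two statutory questions, the name struck through on the register, and a differently coloured (tendered) paper issued when the name is already marked. The class and function names, the elector names and the turnout figures are all constructed for the example. It makes his low-turnout point concrete: because the only state that can expose an impersonation is the mark on the register, an impersonation is detected exactly when the genuine elector also turns up, so the fraction caught equals the turnout among the names used.

```python
from dataclasses import dataclass, field
import random


@dataclass
class PollingStation:
    """Toy model of the marked-register procedure (constructed example)."""
    register: set                                 # names on the electoral roll
    marked: set = field(default_factory=set)      # names already struck through
    ordinary_ballots: int = 0
    tendered_ballots: int = 0                     # different-colour papers, set aside

    def present(self, name, claims_identity, says_already_voted):
        """A person gives `name`; the clerk asks the two statutory questions.

        Returns 'refused', 'ordinary' or 'tendered'.  No ID is checked: the
        only state that can catch an impersonation is the mark on the register,
        and it catches it only when the *second* person with that name arrives.
        """
        if name not in self.register:
            return "refused"                      # not on the roll at all
        if not claims_identity or says_already_voted:
            return "refused"                      # failed a statutory question
        if name in self.marked:
            self.tendered_ballots += 1            # counted only if a court so decides
            return "tendered"
        self.marked.add(name)
        self.ordinary_ballots += 1
        return "ordinary"


def impersonation_outcome(n_electors, turnout, n_impersonations, seed=0):
    """Impersonator votes once under each of n distinct names; genuine electors
    then vote with probability `turnout`.  Returns (undetected, detected).

    Arrival order does not matter: whoever comes second gets the tendered
    paper, so an impersonation is detected exactly when the genuine elector
    turns up.  Elector names and the roll size are constructed inputs."""
    rng = random.Random(seed)
    roll = [f"elector{i}" for i in range(n_electors)]
    station = PollingStation(register=set(roll))
    targets = rng.sample(roll, n_impersonations)
    for name in targets:                          # impersonator answers yes / no
        station.present(name, True, False)
    detected = 0
    for name in roll:
        # short-circuit: only electors who actually turn up are presented
        if rng.random() < turnout and station.present(name, True, False) == "tendered":
            detected += 1
    return n_impersonations - detected, detected


if __name__ == "__main__":
    for turnout in (0.3, 0.7):
        print(turnout, impersonation_outcome(10_000, turnout, 200))
```

Run stand-alone, the script prints (undetected, detected) pairs for two turnout levels; the detected share tracks the turnout, which is the whole of the argument that the procedure is adequate for high-turnout elections and weak for low-turnout ones.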


Last modification on 1999-06-15
by Michael Blume