36 Years of the Digest ... founded August 21, 1981
Copyright © 2017 E. William Horne. All Rights Reserved.

The Telecom Digest for Tue, 02 Jan 2018
Volume 37 : Issue 1 : "text" format

Table of contents
Happy New Year - Bill Horne
5 New Year's Resolutions to Protect Your Technology - Monty Solomon
Exfiltration of personal data by session-replay scripts - Monty Solomon
Re: Medical information leakage and junk phone calls - Gordon Burditt
----------------------------------------------------------------------

Message-ID: <20180101215945.GA15926@telecom.csail.mit.edu>
Date: Mon, 1 Jan 2018 16:59:45 -0500
From: Bill Horne <bill@horneQRM.net>
Subject: Happy New Year

Happy New Year! It's 2018!

As in years past, I'd like to have the readers' opinions on ways to make The Telecom Digest a better publication and a better source for information and telecom advice. Please write to me here at the usual digest address, or at my private email address, which is "bill at horne dot net." If you write to the digest address, but would rather not have your remarks posted, add the Not For Publication glyph to your Subject line - [nfp] - instead of the usual .

The first question I'll ask is this: "What future do you see for The Telecom Digest?"

This isn't a rhetorical question, because the Network Neutrality rules have been sacked and that will mean dramatic changes for *ALL* non-profit outlets, not just the Digest. Consider the players and the pressures:

* ISPs might limit access to Usenet servers, either by demanding tribute from places like eternal-september.org, or by gouging their subscribers for more money. Some will do both, but few are likely to do neither.
* Universities have already set up "Internet 2" connections to carry their traffic without censorship or pay-per-byte charges, but the Internet's "ordinary" users aren't likely to be offered such options unless they have the means to buy them wholesale.
* Other bypass networks will be rare: the original idea of FidoNet was to allow wide-area message transport without requiring a long-distance call from one Bulletin Board to another, and although I'd like to see the paradigm revived, it's unlikely that the ILECs or CLECs would tolerate modem traffic again: they only allow '14.4' traffic now because it's almost always between fax machines, and not even a Republican Congress would dare to order every business to abandon fax machines.
* Usenet seems to be in a death spiral, and the changes I suggested while I was on the Big-8 Board aren't likely to come about. At some point, comp.dcom.telecom might cease to exist: that would leave the mailing list, of course, but only a fraction of my readers subscribe to it.
* The ISPs - and the backbone providers - will all want a lot more of the advertising revenue that sites like Facebook now receive, and they will take the easy route and demand extra fees for "social media" tiers of service, plus the ability to substitute their own ads for the ones users would normally receive. There will be a wild-west game for a few months or even years, but then the advertisers will demand better control and accounting, and there will be a new compromise that leaves the ISPs with a lot more money - and the ISPs' users will have a lot more hidden charges on their bills.

It's a dreary world I'm forecasting, isn't it? Nothing lasts forever, including the innocence and community spirit of Usenet or the Internet outside of the "point and drool" world of the big web-based providers. In a way, I hope they get bigger, or at least big enough that Verizontal and Comcrap and the other petty dictators will leave Usenet alone in their rush to squeeze FaceYaGoogTube for more and more.

The second question is even more important: What are *YOUR* feelings, and what do *YOU* forecast?

Bill

--
Bill Horne
(Remove QRM from my email address to write to me directly)

------------------------------

Message-ID: <E8ED0289-F16E-413D-810F-71515C248EFB@roscom.com>
Date: Mon, 1 Jan 2018 00:08:29 -0500
From: Monty Solomon <monty@roscom.com>
Subject: 5 New Year's Resolutions to Protect Your Technology

5 New Year's Resolutions to Protect Your Technology

The cybersecurity nightmares of 2017 highlight the need to protect yourself. Here are some resolutions for living a safer digital life this new year.

By Brian X. Chen

If 2017 taught you anything about personal technology, it's that the onus is on you to protect your personal data and devices. Tech companies aren't going to do that for you. (In fact, they are generally the ones failing you.)

So why not make protecting yourself your New Year's resolution?

Last year, I recommended some resolutions for making your tech less frustrating, like doing regular maintenance on your devices, being a strategic shopper and purging the e-waste sitting around your home.

https://www.nytimes.com/2017/12/27/technology/personaltech/new-years-resolutions-technology.html

------------------------------

Message-ID: <B268930C-3294-408F-8768-5B64C4AF1190@roscom.com>
Date: Sun, 31 Dec 2017 07:32:34 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Exfiltration of personal data by session-replay scripts

Exfiltration of personal data by session-replay scripts

You may know that most websites have third-party analytics scripts that record which pages you visit and the searches you make. But lately, more and more sites use "session replay" scripts. These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers. Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.

The stated purpose of this data collection includes gathering insights into how users interact with websites and discovering broken or confusing pages. However the extent of data collected by these services far exceeds user expectations [1]; text typed into forms is collected before the user submits the form, and precise mouse movements are saved, all without any visual indication to the user. This data can't reasonably be expected to be kept anonymous. In fact, some companies allow publishers to explicitly link recordings to a user's real identity.

https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/

------------------------------

Message-ID: <7_SdnQEOWYN-zNrHnZ2dnUU7-UnNnZ2d@posted.internetamerica>
Date: Sat, 30 Dec 2017 02:44:19 -0600
From: gordonb.p1868@burditt.org (Gordon Burditt)
Subject: Re: Medical information leakage and junk phone calls

> You know doctors and dentists make a big thing about privacy -
> they won't tell you anything about a patient unless that patient has
> signed a form saying they can release the information, and to whom.

They legally have to. Whether they treat it as more than a joke is less obvious. I have seen signs that they do pay some attention to it. This does not mean that they will do a good job detecting scumbags who know the name of one of my relatives who IS on the list and call the doctor pretending to be that person. Scumbags might get a lot of info for male patients by claiming to be "Mrs. <Man's First Name> <Man's Last Name>" and calling in a female voice, even if he's not married.

> Yet this kind of information gets leaked to telemarketers all
> the time. Some years ago I had borderline high blood sugar, and
> I started getting telemarketing calls from companies dealing in
> diabetic supplies.

Were you prescribed a diabetic drug? Asked to monitor your blood sugar? Had additional lab tests usually requested for diabetics? These could identify you as a diabetic to the insurance company and any spies there.

> More recently I gave my phone number to another person's
> doctor, because she was having trouble keeping up with her
> appointments. One of her complaints is chronic pain, and
> now I'm getting telemarketing calls from companies dealing
> with that kind of ailment.

Here's an idea of how the leaks might work:

Doctor writes prescription and gives it to patient (who brings it to a pharmacy) or sends it directly to pharmacy.

Pharmacy files insurance claim with health insurance company using online system they use for that. On many drugs, the name of the drug strongly suggests what condition the patient is being treated for.

Insurance company has contracts with healthcare providers, including pharma manufacturers, which they like to brag about because it supposedly saves patients money. They make it LOOK like it does (e.g. lab tests: $200, contracted price: $30. I'm not sure anyone pays $200). This may require turning over names of patients to verify the terms of the contract (and I'm not sure whether this is illegal under HIPAA. All of the HIPAA stuff allows transfer of information to process insurance claims).

Big Drugco's marketing department has a mole in Big Drugco's sales department, who steals the info and passes it on to the telemarketers that Big Drugco hires.

Also, if you have a discount card for a particular expensive drug, (which typically requires an income test to get the card) you probably gave your info (at least name and address) directly to the drug company.

This does not explain how your name got attached to your friend's ailment, unless perhaps YOUR phone number got put down as HER phone number (or perhaps as her caretaker's phone number). That sounds like a leak at the doctor or his electronic records system. Did they call YOUR number and ask for HER?

Health insurance companies would also be a great place to put a mole.

> So it seems your best friend can't get the info without your
> permission, but the telemarketers are getting it without permission.
> I wonder who in the medical chain of people is getting paid to leak
> that information to the scumbags.

At least it hasn't got so bad that I receive calls from Petco about my hare (some doctors can't spell) loss problem trying to sell me an automatic rabbit cage door closer.

I hope that doctors pay attention to requests that some permissions are TEMPORARY and LIMITED IN SCOPE. Hospital forms typically have these ("may we discuss your condition and care with the person who came with you?"). For example, I might allow a neighbor or hired stranger who is going to drive me home from the hospital to have information about caring for me right now ("He'll be out of surgery in about an hour, he may not be able to walk straight, and he'll sleep a lot but wake him up for his medication on time, and if you can't wake him up call the doctor.") but the stuff last year about an eye infection is irrelevant, and they shouldn't be asking for more information a month later.

Medical information is NOT protected once it gets leaked. Scumbags can sell info to other scumbags. If your relatives on the list have big mouths, they can get away with blabbing the information to anyone else.

Local TV news have occasionally reported about huge piles of medical records found in trash dumpsters. Apparently it would be legal for me to take that and sell it (unless there's a law against "stealing trash" or "trespassing" involved.)

------------------------------

*********************************************
End of telecom Digest Tue, 02 Jan 2018
