
Privacy Digest 1.02 5/30/92

PRIVACY Forum Digest -- Saturday, 30 May 1992 -- Volume 1, Number 2

Moderated by Lauren Weinstein (lauren@cv.vortex.com)
	     Vortex Technology, Topanga, CA, U.S.A.

          	    ===== PRIVACY FORUM =====

CONTENTS

	Privacy BRIEFS (Moderator)
	E-mail privacy; a cheap solution? (Charlie Stross)
	Personal Data (Willie Smith)
	The Concept of Privacy (A. Padgett Peterson)
	Privacy Rights (Mark Rasch)
	Query: Search and Seizure (Mark Rasch)

*** Please include a MEANINGFUL "Subject:" line on all submissions! ***

---------------------------------------------------------------------------
The PRIVACY Forum is a moderated digest for the discussion and analysis of
issues relating to the general topic of privacy (both personal and
collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@cv.vortex.com" and must have
MEANINGFUL "Subject:" lines.  Subscriptions are by an automatic "listserv"
system; for subscription information, please send a message consisting of
the word "help" (quotes not included) in the BODY of a message to:
"privacy-request@cv.vortex.com".  Mailing list problems should be reported
to "list-maint@cv.vortex.com".  Mechanisms for obtaining back issues will be
announced when available.  All submissions included in this digest represent
the views of the individual authors and all submissions will be considered
to be distributable without limitations. 

For information regarding the availability of this digest via FAX, please
send an inquiry to digest-fax@cv.vortex.com.
---------------------------------------------------------------------------

VOLUME 1, NUMBER 2

    -------------------------------------------------------------
        Quote for the day:

	"We are all interested in the future, because that
	 is where you and I will be spending the rest
	 of our lives."
			-- Criswell, 
			   "Plan 9 From Outer Space" (1959)

    -------------------------------------------------------------

Privacy BRIEFS (from the Moderator)

--- 

A plan is under consideration by the Justice Ministry in the Netherlands
to track all vehicles via computer technology.  This would include both
vehicular and road sensors and would be mandatory.  The plan would be to
automatically detect and report offenses ranging from speeding to parking
violations.  Some privacy concerns, particularly regarding the ability of
such a system to track the exact location of all vehicles at all times, have
been raised.  "People may view it as an invasion of privacy, like Big
Brother," said ministry researcher Gerard de Raaf.  However, he also claimed
that such fears could be eased through "restrictions" on access to the
collected data.

---

A bill is working its way through the California legislature which would
make illegal the use of "automated" speeding ticket machines.  These units,
which automatically detect speeders, take photos of the vehicular license
plate (and in some cases the driver), then automatically issue tickets, have
been undergoing considerable criticism.  Concerns about the fairness of the
system are numerous, including problems with driver identification, delay in
tickets being issued, and the lack of consideration of extenuating
circumstances.  At least one police organization plans to lobby the Governor
to veto the bill if it passes both houses.

---

A court battle is currently raging over whether or not the White House has
the right to delete backup tapes of e-mail communications that they do not
consider to be covered by the federal Records Act.  Similar messages, which
originally had been thought to be completely deleted, played a key role in
the recent Iran-Contra investigations.  The White House believes that it
should be able to decide on its own which items do or do not fall under the
Records Act (which provides for the turning over of such materials to the
National Archives).

-----------------------------------

Date:    Thu, 28 May 92 11:53:12 PDT
From:    Charlie Stross <charless@sco.COM>
Subject: e-mail privacy; a cheap solution?

I'm puzzled by the common conception on the net that e-mail is
innately insecure because organization XYZ can crack any message
encrypted using method ABC, and that it's not possible to use a
secure encryption method because such a technique is innately
expensive (both in cost and computer time) and illegal. I feel
that until we -- the public -- have cheap, easy and unbreakable
encryption facilities at our disposal, we will remain vulnerable
to both the psychological pressure of knowing that our
correspondence might be monitored and the potential danger that
this is actually the case.

I am particularly interested in the fact that no cheap and 
computationally intractable public encryption methods are in common
use. Inventing a secure, computationally inexpensive, and cheap 
encryption device for point-to-point communications doesn't look
like an obstacle. In fact, even a home-brew system should be quite 
effective. I know relatively little about cryptography but here's my
attempt at a privacy gadget costing less than £300 that's capable
of defying the governmental security agency of your choice:

Take a CD-ROM drive with a device driver for playing audio CD's
and randomly accessing audio tracks. Most multi-media kit should
already be capable of doing this. Take a random music CD off your
shelf and start playing it at a random offset; redirect the bit
stream to a file. (You need to make a note of the initial file 
offset of the data you're recording.) Now take the file you wish to
encrypt. Run-length encode it to eliminate recurring byte sequences. 
Split it into chunks -- say 64 bytes -- and split the audio file 
into similar-sized chunks. The audio file is used as a one-time 
pad for a simple cypher algorithm which is applied to the target 
file. At the start of the file, record the offset into the CD at 
which the key sequence begins; for each 64-byte chunk of the key, 
compute a CRC and append it to the corresponding chunk of the 
encrypted file.

To decode such an encrypted file takes just one thing; a copy of
the CD which was used as the key. The offset into the key disk is
obtained from the header of the encrypted file, and 64-byte
chunks are read and used to decrypt the file. If the 64-byte key
sequences do not match the CRC of the original key (interleaved
in the encrypted file) you know you've got a badly-formed key
disk. It is not possible to recover a 64-byte key from a 32-bit 
CRC.

Run-length encoding is desirable in order to stop the bit-pattern
of the key from being exposed in any sparse sections of the encrypted
document.

The point is, the widespread availability of music CD's gives us
an incredibly cheap supply of one-time pads suitable for e-mail
encryption with a high degree of integrity. The only requirement
is that the recipient and the sender agree beforehand on the
recording to use as a pad; this shouldn't be an obstacle to
point-to-point messaging. With suitable checks, such a system
should be virtually impossible to crack -- and given the ability
to take a bit-stream from a CD-ROM drive and put it in a file, an
encyphering/decyphering package should be so easy to write that
it would be virtually impossible for any government to suppress it
(short of banning CD players and computers).

Even if this technique is susceptible to attack using massively
parallel systems with arrays of CD-ROM drives (which I doubt), CD
recorders are rumored to be due on the market within the near
future, and DAT drives already are; recorded atmospheric noise would 
make a suitably random key. The only proviso I should add is --
don't pay for your music CD's by traceable means! (Given a
listing of your music collection and your recipient's collection,
it would then be a trivial task to crack a message encoded using
one of the few disks you both own a copy of.)

Am I missing something? Is there some reason why all the heat and
noise about encryption seems to be concentrated on encryption algorithms 
which are subject to export restrictions and may be breakable via
chosen-plaintext attack, rather than on simple one-time pad systems? 
I think we should be told.

   [ While one-time systems are theoretically secure, this is only the
     case when the pad source is sufficiently random and *only* used once,
     and when an absolutely secure technique for pad distribution exists.
     Music CDs or CD-ROMs would be a poor choice, since they are widely
     available and are far from random data--they are in fact
     highly structured (both in their data formats and in terms of 
     the encoded audio itself).  Getting sufficiently random numbers
     is not trivial--radioactive decay rates are frequently mentioned
     as a possibility.  And you never, ever want to use the same
     pad source more than once or you've essentially thrown any 
     security completely out the window.  Given the logistical
     issues involved, use of one-time pad systems is quite reasonably
     normally restricted to the most critical of applications.  It is
     doubtful that most Internet communications fall into this category!
     Bottom line: Use of your "Sgt. Pepper's" CD as a one-time pad
     source is definitely not a great idea! -- MODERATOR ]
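
The moderator's two objections, pad reuse and a structured pad, can both be seen in a few lines of Python. What follows is an added example written for this digest, not code by Charlie Stross or the moderator: the two messages are constructed, and the "quiet audio" pad is a stand-in for a real CD track only in the sense that 16-bit PCM of a quiet passage has mostly 0x00 and 0xFF high bytes.

```python
"""One-time pad (XOR) demo: a random pad used once round-trips cleanly,
but a reused pad or a structured ("quiet audio") pad gives the plaintext
away.  Added example; the messages and the pad construction are made up."""
import os
import struct


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the result is as long as the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """Encrypt or decrypt (same operation) with a pad at least as long
    as the data.  A pad may never wrap around or be used twice."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than message")
    return xor_bytes(data, pad)


def crib_drag(c1: bytes, c2: bytes, crib: bytes) -> list:
    """Two messages under one pad: c1 ^ c2 == p1 ^ p2, the pad cancels.
    Slide a guessed fragment of one plaintext along that XOR; wherever the
    guess is right, the matching bytes of the *other* plaintext fall out.
    Returns (offset, recovered_bytes) for every offset whose result is
    printable ASCII; an analyst then discards the false hits by eye."""
    diff = xor_bytes(c1, c2)
    hits = []
    for i in range(len(diff) - len(crib) + 1):
        candidate = xor_bytes(diff[i:i + len(crib)], crib)
        if all(32 <= b < 127 for b in candidate):
            hits.append((i, candidate))
    return hits


def quiet_audio_pad(n_bytes: int) -> bytes:
    """Constructed stand-in for a quiet CD passage: 16-bit little-endian
    samples with amplitudes between -3 and 3.  Real PCM has the same
    shape: the high byte is almost always 0x00 or 0xFF and the low byte
    carries little entropy."""
    samples = [(i % 7) - 3 for i in range(n_bytes // 2 + 1)]
    return b"".join(struct.pack("<h", s) for s in samples)[:n_bytes]


def leaked_fraction(ciphertext: bytes, plaintext: bytes) -> float:
    """Fraction of ciphertext bytes identical to the plaintext byte, i.e.
    positions where the pad byte was 0x00.  For a random pad about 1/256."""
    same = sum(1 for c, p in zip(ciphertext, plaintext) if c == p)
    return same / len(plaintext)


# Constructed sample messages (not from the digest).
MSG1 = b"Meet at the harbour at 0600, bring the documents"
MSG2 = b"Payment for the documents goes to account 44172 on Friday"


def demo_single_use() -> bool:
    """A fresh random pad round-trips and leaks nothing structural."""
    pad = os.urandom(len(MSG1))
    c = otp_xor(MSG1, pad)
    return otp_xor(c, pad) == MSG1 and leaked_fraction(c, MSG1) < 0.3


def demo_pad_reuse() -> list:
    """Same pad for both messages: guessing 'the documents' recovers the
    other message's bytes wherever the guess lines up."""
    pad = os.urandom(max(len(MSG1), len(MSG2)))
    c1, c2 = otp_xor(MSG1, pad), otp_xor(MSG2, pad)
    return crib_drag(c1, c2, b"the documents")


def demo_structured_pad() -> float:
    """Quiet audio as the pad: 15 of 48 plaintext bytes pass through
    untouched, and the rest differ only in a few low bits or by inversion."""
    pad = quiet_audio_pad(len(MSG1))
    return leaked_fraction(otp_xor(MSG1, pad), MSG1)


if __name__ == "__main__":
    print("single use ok:", demo_single_use())
    for off, text in demo_pad_reuse():
        print(f"offset {off:2d}: {text!r}")
    print(f"quiet pad leaves {demo_structured_pad():.0%} of bytes unchanged")
```

demo_pad_reuse() yields "harbour at 06" at offset 12 and "ccount 44172 " at offset 35, with perhaps a few false hits that merely happen to be printable; note that the attacker never touches the pad, so the per-chunk CRC of the key in the proposed format is no obstacle here. demo_structured_pad() shows the quiet passage leaving roughly a third of the bytes unchanged, which is the moderator's "far from random" point in numbers.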

-----------------------------------

Date:    Thu, 28 May 92 08:35:49 PDT
From:    wpns@roadrunner.pictel.com (Willie Smith)
Subject: Personal Data [Subject field provided by Moderator]

I was struck by a thought while reading the introductory Privacy
Digest, should there be some way for each individual to keep, maintain,
and allow access to information about them?  There would need to be
some kind of authentication mechanism so people to whom I give my data
(for credit card applications, for instance) would know I hadn't
fudged the data, and there would have to be appropriate rules about the
use of such data (once I've been approved or not for the credit card
they have to dump the personal data into the bitbucket), but it seems
to me that some combination of smart-card technology with cryptographic
checksums and various levels of access might work.

Here's a question, what kinds of data about yourself do you consider
appropriate for dissemination, to whom would you release them, and
under what circumstances?  F'rinstance:

	Public data - anyone can access at any time
		Name
		Logical address (PO Box)
		Internet address
		Phone number (answering machine only?)

	'Friends&Family' data - anyone I want to tell
		Physical address (street address)
		Phone number (the one I answer)
		License plate number

	Tax data - IRS, state tax folks only
		Income from all sources
		SSN (ha!)

To some extent, this is pretty much the way it works now, except every
company I've ever done financial business with has my SSN, and someone
with the right resources can map Internet Address --> Physical Address
--> What I paid for my house.  On the other hand, maybe this is a
technological solution to a non-tech problem, and we all know those
don't work.  Besides, what would TRW et al do with themselves? 

Hey, can I get a list of the subscribers to the Privacy Digest?  :+)

Willie Smith
wpns@pictel.com

   [ While I know you meant it as a joke, it's worth pointing out
     at this juncture that the Privacy Digest subscriber list
     is considered confidential and is not available.  Natch.
     -- MODERATOR ]
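
One way to realize the sketch above in code, as an added example rather than anything proposed in the post: each field is hashed with a fresh random salt, the holder keeps the salts, and a single root over all the field hashes is the checksum a smart card would carry and its issuer would vouch for. No signature is implemented; the root is assumed to reach the verifier over a trusted channel. The record follows the three tiers listed in the post; apart from the name and e-mail address, the values are made up.

```python
"""Tiered personal data behind cryptographic checksums.  The holder
commits to every field once; a requester sees only the fields its access
level permits, yet can still check that nothing shown was altered.
Added example, not from the digest; record contents, tier names and the
salted-hash-list construction are assumptions made here."""
import hashlib
import hmac
import os

LEVELS = {"public": 0, "friends": 1, "tax": 2}

# Constructed record following the post's three tiers: field -> (tier, value).
# Only the name and e-mail address come from the post; the rest is made up.
RECORD = {
    "name":    ("public",  "Willie Smith"),
    "po_box":  ("public",  "PO Box 4242"),
    "email":   ("public",  "wpns@pictel.com"),
    "street":  ("friends", "17 Example Road"),
    "phone":   ("friends", "555-0142"),
    "plate":   ("friends", "ABC 1234"),
    "income":  ("tax",     "54000"),
    "ssn":     ("tax",     "000-00-0000"),
}


def leaf_hash(field: str, salt: bytes, value: str) -> str:
    """Commitment to one field.  The 16-byte salt stops a requester from
    brute-forcing hidden fields with small value spaces (an SSN has only
    a billion candidates)."""
    h = hashlib.sha256()
    h.update(field.encode() + b"\0" + salt + b"\0" + value.encode())
    return h.hexdigest()


def root_hash(leaves: dict) -> str:
    """One checksum over all field commitments, in a fixed field order.
    This is what the smart card would carry and the issuer would vouch
    for; how it reaches the verifier is outside this example."""
    h = hashlib.sha256()
    for field in sorted(leaves):
        h.update(field.encode() + b"=" + leaves[field].encode() + b";")
    return h.hexdigest()


def commit(record: dict):
    """Holder side: fresh salt per field, one leaf per field, single root."""
    salts = {f: os.urandom(16) for f in record}
    leaves = {f: leaf_hash(f, salts[f], v) for f, (_, v) in record.items()}
    return root_hash(leaves), salts, leaves


def disclose(record: dict, salts: dict, leaves: dict, level: str) -> dict:
    """Holder side: reveal value and salt for fields at or below `level`;
    every leaf is included so the requester can recompute the root
    without learning the hidden values."""
    allowed = LEVELS[level]
    shown = {
        f: {"value": v, "salt": salts[f].hex()}
        for f, (tier, v) in record.items()
        if LEVELS[tier] <= allowed
    }
    return {"shown": shown, "leaves": dict(leaves)}


def verify(disclosure: dict, root: str) -> bool:
    """Requester side: each shown field must hash to its leaf, and the
    leaves must hash to the trusted root.  Any edited value fails."""
    leaves = disclosure["leaves"]
    for f, item in disclosure["shown"].items():
        if f not in leaves:
            return False
        recomputed = leaf_hash(f, bytes.fromhex(item["salt"]), item["value"])
        if not hmac.compare_digest(recomputed, leaves[f]):
            return False
    return hmac.compare_digest(root_hash(leaves), root)


def demo():
    """Public-tier disclosure to a credit card issuer, then a forged copy."""
    root, salts, leaves = commit(RECORD)
    for_bank = disclose(RECORD, salts, leaves, "public")
    genuine_ok = verify(for_bank, root)
    forged = {"shown": dict(for_bank["shown"]), "leaves": for_bank["leaves"]}
    forged["shown"]["name"] = {**forged["shown"]["name"], "value": "W. Smith Jr."}
    return genuine_ok, verify(forged, root), sorted(for_bank["shown"])


if __name__ == "__main__":
    ok, forged_ok, fields = demo()
    print("genuine disclosure verifies:", ok)
    print("forged disclosure verifies:", forged_ok)
    print("fields a public requester sees:", fields)
```

The credit card company learns the public fields and that they belong to the committed record, while the tax-tier fields stay behind salted hashes. Two caveats the post does not cover: the leaves are a stable identifier, so reusing one commitment with many requesters lets them link their records, and nothing here enforces the "dump it after the decision" rule, which remains a matter of policy.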

-----------------------------------

Date:    Thu, 28 May 92 08:36:41 PDT
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: The Concept of Privacy [Subject field provided by Moderator]

	The concept of privacy is a transitory one and has never truly
existed outside of our thoughts (else we would not need a judicial system).
For all of recorded history there have existed cyphers and secret writings
(though not always intentional, EBCDIC is not encryption) to maintain the
privacy of those thoughts.

	Never has privacy been considered a "right" available without
effort; just until recent times, the collection of extensive data about
individuals had been a localized phenomenon restricted to narrow regimes
(and even there required the cooperation of the individuals or at least
a lack of any wholesale organized resistance).

	Today, the distributed nature of information gathering, coupled 
with a vested interest by governments (for taxation) and institutions (for
credit purposes), makes it nearly impossible to avoid any records. 

	However, this is not to say that a measure of privacy is 
impossible, since the current record keeping is demonstrably fallible,
and while it is impossible to avoid records being made at all, it is
possible to generate conflicting ones such that determination of the
true record becomes impossible.

	For example, my true E-Mail address begins @tccslr... this is
an alias address that will always reach me; however, the mail server
does not use this when generating the return address for my mail, 
instead it picks up the system name that the mail came from, in this
case @hobbes... There are several other non-generic names that could
have been used since I could have sent the mail from any of a number
of different systems.

	I realize that this sounds more like a RISK, so I will not go
into the difficulty of making an automated system use a generic name
that is not transmitted; rather, it is the multiple identities that
become the privacy issue: for my E-Mail, padgett@tccslr... is the
same as padgett@hobbes... is the same as ... yet to a computer each
is a different individual.

	For some time I received multiple copies of a newsletter
simply because at some point it had picked up more than one of my
addresses. In this case it took manual intervention to remove all
but one.

	In the same way, today so much information is collected for 
each individual that it is impossible to sort automatically when 
conflicts occur or the same individual is recorded more than once.
This becomes particularly bothersome when two companies consolidate
and the same individual is recorded in each slightly differently.

	This can be used by the individual to perform his/her own 
classification much like a "canary trap". If mail comes for "Padsett"
I know that the source is one airline's data base. Another database
thinks I am "Ashley P." Yet another thinks of me as "Patrick". GIGO.

	Rather than being annoyed, for some years I have been amused
by it and over the years (this is not a short term occupation) have
been interested in the propagation of such multiple identities.


				Warmly,
					Padgett

-----------------------------------

Date:    Wed, 20 May 92 13:52:00 PDT
From:    Rasch@DOCKMASTER.NCSC.MIL
Subject: Privacy Rights [Subject field provided by Moderator]

There has been a lot of talk on the net, (and off the net) about
whether or not it is legal or proper for a system administrator
to capture keystrokes of intruders/trespassers who are using
their system to break into the systems of others.  We all
remember Cliff Stoll's exploits in "The Cuckoo's Egg" where he
traced the German hackers through LBL by keystroke capture, and
then notified downstream users that they were being attacked. 

Several people (and organizations) have taken the position that
keystroke capture both violates privacy rights and constitutes
illegal electronic surveillance.  I believe that, with respect to
*intruders* both these arguments are specious.

Fourth Amendment

The principal protection against *governmental* intrusions into
privacy rights is the Fourth Amendment to the constitution which
provides that:

     The right of the people to be secure in their persons,
     houses, papers, and effects, against unreasonable
     searches and seizures, shall not be violated, and no
     Warrants shall issue, but upon probable cause,
     supported by Oath or affirmation, and particularly
     describing the place to be searched, and the persons or
     things to be seized.

It is important to note that this only applies to searches
performed by the government, Burdeau v. McDowell, 256 U.S. 465,
475 (1921), even if the government is not acting in a law
enforcement capacity, New Jersey v. T.L.O., 469 U.S. 325, 336
(1985). Thus, to the extent a sysop is not a "government agent,"
the Fourth Amendment is not implicated. 

Also, in order for there to be a Fourth Amendment violation, the
individual must have exhibited an actual subjective expectation
of privacy (Katz v. U.S., 389 U.S. 347, 361 (1967) (Harlan, J.,
concurring)) and society must be prepared to recognize that
expectation as objectively reasonable.  An intruder should have
neither a subjective expectation of privacy, nor should society
recognize any expectation of privacy as "reasonable."   Thus, if
you break into my system, I should be able not only to kick you
off, but also to monitor what you do on my system.

Finally, the general sanction for violation of the Fourth
Amendment is suppression of the illegally seized evidence and its
fruits. Weeks v. U.S., 232 U.S. 383, 398 (1914) (federal search);
Mapp v. Ohio, 367 U.S. 643, 655 (1961) (state search).  Thus, a
private keystroke capture of an intruder would not violate the
Fourth Amendment.

Electronic Surveillance

In 1986 Congress amended the Electronic Communications Privacy
Act to prohibit the unlawful interception of electronic
communications, including e-mail and the like.  In general, the
law, contained in Title 18 of the United States Code, Section
2511, prohibits the interception of wire, oral or electronic
communications.  HOWEVER, there are several provisions which
would permit keystroke monitoring in certain circumstances.

First, 18 U.S.C. 2511(2)(a)(i) notes that:

     It shall not be unlawful under this chapter for an
     operator of a switchboard, or an officer, employee, or
     agent of a provider of wire or electronic communication
     service [bbs operator] . . . to intercept, disclose or
     use that communication in the normal course of his
     employment while engaged in any activity which is
     necessarily incident to the rendition of his service or
     to the protection of the rights or property of the
     provider of that service, except that a provider of
     wire communication service to the public shall not
     utilize service observing or random monitoring except
     for mechanical or service quality control checks.

While this statute is not a model of clarity, and fails to define
key terms like what is a *provider* of electronic communication
service (the network administrator? the sysop?) it appears to
permit electronic interception and keystroke capture if this is
necessary to protect the rights and property of the provider of
the service.  If the intruder is breaking in to the computer of
*another* (not the provider) and the provider can easily
terminate this unauthorized use, then it could be argued that the
keystroke capture is not necessary to protect *his* property. 
However, the statute uses the term "necessarily incident to . ."
not "necessary to" and, in light of the strong possibility of
downstream liability to the provider for somehow permitting the
intruder to use his system to break into another's, a strong
argument can be made that keystroke monitoring of intruders is
reasonable, prudent, and necessarily incident to the protection
of rights and property.

In addition, 18 U.S.C. 2510(13) defines a "user" of electronic
communications as:

     any person or entity who -

     (A)  uses an electronic communication service; and

     (B)  is duly authorized by the provider of such service
          to engage in such use.

Since an intruder is not authorized to use the service, he is not
a "user" entitled to protection under the statute.  Finally,
while warning banners are helpful to demonstrate a lack of
authorization to use a particular system, they are not required
to demonstrate a lack of authorization any more than "No
trespassing" signs are necessary to demonstrate a lack of
authorization for an individual to, for example, break into your
house. (a simplistic analogy admittedly)

This is, of course, only part of the story.  Many states have
privacy statutes, and their own definitions of illegal electronic
interception, and this does not address potential civil liability
to users for excessive keystroke capture.  However, I believe
that if keystroke monitoring is accomplished in a reasonable and
prudent fashion, it would not run afoul of either the
constitutional or statutory provisions.  Let the trespasser
beware!!!

Mark Rasch, Esq.
Arent Fox Kintner Plotkin & Kahn
Internet: Rasch @ catwalk.dockmaster.mil

The views expressed herein are mine, and mine alone.

-----------------------------------

Date:    Tue, 19 May 92 15:40:00 PDT
From:    Rasch@DOCKMASTER.NCSC.MIL
Subject: Search and Seizure [Subject field provided by Moderator]

My name is Mark Rasch, and I am a lawyer at the firm of Arent Fox in
Washington, D.C.  (formerly with the Department of Justice) I am
interested in participating in the privacy forum, and am especially
interested in issues pertaining to search and seizure laws as they relate
to computerized information or electronic communications.

Does anybody have any useful information on the subject?

-----------------------------------

End of PRIVACY Forum Digest
Volume 1, Number 2
