TUCoPS :: Privacy :: priv_104.txt

Privacy Digest 1.04 6/12/92

PRIVACY Forum Digest        Friday 12 June 1992        Volume 01 : Issue 04

         Moderated by Lauren Weinstein (lauren@cv.vortex.com)
                Vortex Technology, Topanga, CA, U.S.A.
	
                     ===== PRIVACY FORUM =====

CONTENTS
	PRIVACY Briefs (Moderator--Lauren Weinstein)
        Re: Encryption to make government monitoring more expensive
	    (Jerry Leichter)
	Re: FBI Wiretap Proposal (Mark D. Rasch)
	Privacy Act Information (Mark D. Rasch)
        Random Encryption (John R. Levine)
	Bank Account Security (John R. Levine)

*** Please include a MEANINGFUL "Subject:" line on all submissions! ***

-----------------------------------------------------------------------------
The PRIVACY Forum is a moderated digest for the discussion and analysis of
issues relating to the general topic of privacy (both personal and
collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@cv.vortex.com" and must have
MEANINGFUL "Subject:" lines.  Subscriptions are by an automatic "listserv"
system; for subscription information, please send a message consisting of
the word "help" (quotes not included) in the BODY of a message to:
"privacy-request@cv.vortex.com".  Mailing list problems should be reported
to "list-maint@cv.vortex.com".  Mechanisms for obtaining back issues will be
announced when available.  All submissions included in this digest represent
the views of the individual authors and all submissions will be considered
to be distributable without limitations. 

For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX
to (310) 455-2364.
-----------------------------------------------------------------------------

VOLUME 01, ISSUE 04

    Quote for the day:

	"Pay no attention to that man behind the curtain!"
	
				-- The Wizard
			      "The Wizard of Oz" (1939)

----------------------------------------------------------------------

PRIVACY Briefs (from the Moderator)

---

At the recent Cryptography and Privacy Conference sponsored by CPSR
(Computer Professionals for Social Responsibility), the possibility was
raised by the NYNEX Legislative Counsel that the proposed FBI "wiretapping"
legislation might force telephone companies to withdraw such services as
"call forwarding", which can be viewed as impeding authorized wiretaps.  The
FBI feels that such service withdrawals should be unnecessary.

---

Privacy advocates in Vermont are concerned that their new, tough law
controlling abuses of credit records may be rendered ineffective by weaker,
pending federal legislation that could preempt state laws.

---

In South Africa, protests are beginning over a new draft law for internal
security that would permit security forces to tap telephones or open mail
whenever they suspect a "serious crime" has been committed.  This would be a
change from current law which allows such activities only when "state
security" is threatened.

---

A variety of sources now indicate that the California PUC is about to hand
down its decision (perhaps in the next week or two) regarding Calling Number
ID services within the state.  Bets are that the services will be approved,
but that some form of optional per-line ID blocking may well be required to
be available (but whether or not such blocking will have a "premium" price
is another matter).  Free per-call ID blocking has already been mandated by
the state legislature.  Telephone companies in the state have previously
been quoted as saying that it might not even be worthwhile to offer
Calling Number ID if per-line blocking were allowed.  This has generally
been considered to be a bluff by most observers.

---

The 6-month old "Computer Ethics Institute" has drawn up what
it calls the "Ten Commandments of Computer Ethics."  It says it
is circulating these for comment within the computer industry.
These include:
   I.  Thou shalt not use a computer to harm other people.
  II.  Thou shalt not interfere with other people's computer work.
 III.  Thou shalt not snoop around in other people's computer files.
  IV.  Thou shalt not use a computer to steal.
   V.  Thou shalt not use a computer to bear false witness.

... and so on.    

Charlton Heston has been unavailable for comment.

------------------------------

Date:    Sun, 07 Jun 92 22:23:07 PDT
From:    JERRY LEICHTER <leichter@lrw.com>
Subject: re: Encryption to make government monitoring more expensive

In a recent Privacy Digest, Bob Leone suggests that "there's a lot to be said
in favor of widespread use of even easily-broken encryption schemes".
Specifically, "if the majority of e-mail traffic is routinely encrypted ...
then it becomes much more expensive for the govt to engage in random
snooping."

This is a new version of the stupid "NSA cookies" that people used to use:
Signature lines with what they thought were key words the NSA computers would
look for.  I guess people got bored with those; I haven't seen any in a while.

Mr. Leone seems to believe that the world consists of "us" and "them".  "They"
are out to get "us".  OK, great conspiracy theory.  However, he seems to
forget that WE are the ones who pay THEIR bills.  If government sees the
monitoring of Internet communications as important enough, it will happen -
and taxes will rise to pay for it.

We've got to get beyond the idea that privacy can be gained only by locking
the government out.  The fact of the matter is that most people have nothing
to fear from the government when it comes to invasion of privacy - but they
have a great deal to fear from various private agencies, like mass marketers
to their neighbors.  It's only an accountable, responsible government that
can protect them (us) from such abuses.
							-- Jerry

------------------------------

Date:    Tue, 09 Jun 92 11:50:00 PDT
From:    Rasch@DOCKMASTER.NCSC.MIL
Subject: FBI Wiretap Proposal

Once it becomes technologically feasible for the FBI to engage in
the wiretaps, it doesn't matter whether it is "difficult" or
"trivial" to perform them.  Ultimately, once the technological
barriers are removed, the only effective limitations illegal
wiretaps are the threat of effective sanctions.  This points out
the distinction between the POWER to do wiretaps (which the
legislation addresses) and the AUTHORITY to do them (which is
addressed in other legislation). Of course, a further issue is
the COST of the technology employed.

Before the advent of digital telephone communications, and after
the passage of Title III (the federal wiretap law), I'm not sure
that there was a *significant* problem with the FBI engaging in
illegal electronic surveillance.  There hasn't been a lot of
litigation about this.  However, once you are willing to
recognize that, in appropriate (read court authorized)
circumstances law enforcement are permitted to engage in
electronic surveillance, you ultimately put your trust in the
government that they won't abuse this power.  This trust may
prove to be misguided at some point, and the issue may need to be
redressed at that juncture.

A more vexing problem is that of other unauthorized wiretaps. 
Once you make it technologically possible to engage in electronic
surveillance by software, you practically invite phrackers to
abuse the system.  Already we have seen instances of individuals
breaking into telephone systems to reroute or retrieve telephone
calls.  (e.g. Poulsen, Mitnick, Doucette). 

Meanwhile, market forces are encouraging companies to place a
greater premium on computer and telecommunications security.  By
imposing liability on companies for inadequate security, the law
forces companies to seek out new encryption technologies, which
ultimately will frustrate some of the purposes of the proposed
FBI legislation.  While the more advanced criminals will use this
encryption technology (it is already available in the STU -III
encrypted telephones) the vast majority will simply use the
telephones as they are. 

All in all, the FBI proposal simply attempts to preserve the
technological status quo.  If you are concerned about illegal
activity by the government, the redress is not in technology, but
in other restraints against government.  (Would you deny all
police officers guns or nightsticks because they may abuse them?)

Mark D. Rasch
Arent Fox Kintner Plotkin & Kahn
1050 Connecticut Avenue, N.W.
Washington, D.C. 20530
(202) 857-6154
Rasch@dockmaster.ncsc.mil

   [ Moderator's Note: I see no reason why *both* technological constraints
     *and* "other restraints" should not be applied in such delicate
     situations.  Even though there are laws against theft we still put
     locks on our doors.  Most people do this not because they assume that
     everyone is dishonest, nor on the (false) assumption that locks
     represent 100% security.  Rather, locks present an additional
     layer of protection that can have positive effects in many routine
     situations.  The same rationale would seem to apply to the
     issue under discussion.  --Lauren-- ]

------------------------------

Date:    Tue, 09 Jun 92 22:02:00 PDT
From:    Rasch@DOCKMASTER.NCSC.MIL
Subject: Privacy Act Information

I just got this interesting tidbit of information.  A friend of mine is
a physician who ordered medication from Eli Lilly corporation for a
patient of hers.  This was done under a special program whereby indigent
patients can receive free medication.  The doctor filled out all the
forms properly, but refused to put her own (not the patient's) social
security information on the form.  When the patient failed to get the
prescription for over a month, the doctor called to inquire why.  She was
told that the patient would not receive the medication unless and until
the DOCTOR provided the DOCTOR's SSN.  This was for internal
recordkeeping (e.g. marketing) purposes.

I believe that this is illegal, but am not sure.  Any thoughts?

Mark D. Rasch

------------------------------

Date:    Wed, 10 Jun 92 12:52:03 PDT
From:    johnl@iecc.cambridge.ma.us (John R. Levine)
Subject: random encryption

>Of course the entire question is academic since generating masses of random
>digits is one thing that computers are *really*good*at* ...

Actually, computers are really lousy at generating random digits unless
they're malfunctioning.  The pseudo-random numbers with which we are all
familiar are in fact 100% deterministic.  A credible urban legend reports
that one time some benighted PDP-11 Unix system administrator wrote a
program to generate "random" passwords and assigned them to all of his
users.  Unfortunately, the PDP-11's random number generator only had a 16
bit seed meaning that there were only 64K possible passwords, so it was
easy to break them all by exhaustive search.

Secure encrypted communication is expensive, and we need to figure out how
much we're willing to spend on it.  There are also social issues to
consider, e.g. messages sent through MCI Mail are considerably more secure
than those sent through the Internet because they use a small homogeneous
set of machines none of which are administered by college undergraduates.

------------------------------

Date:    Wed, 10 Jun 92 12:52:03 PDT
From:    johnl@iecc.cambridge.ma.us (John R. Levine)
Subject: bank account security

On the topic of bank account security, some banks are more with it than
others.  My bank has a nice touch-tone account information system.  The
user ID is your ATM card number, which is unrelated to any account number.
After you enter the card number (actually, just the last 8 digits since
the leading digits are the same for all of its cards) the computer voice
randomly asks you to enter one of the digits of your PIN, e.g. "now, enter
the, third, digit of your PIN."  This scheme seems to me fairly secure
without being overbearing.  I seem to be the only customer who ever uses
it because they've never advertised it.

------------------------------

End of PRIVACY Forum Digest 01.04
************************

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH