TUCoPS :: Privacy :: priv_105.txt

Privacy Digest 1.05 6/19/92

PRIVACY Forum Digest        Friday, 19 June 1992        Volume 01 : Issue 05

         Moderated by Lauren Weinstein (lauren@cv.vortex.com)
                Vortex Technology, Topanga, CA, U.S.A.
	
                     ===== PRIVACY FORUM =====

CONTENTS
	PRIVACY Brief (Moderator--Lauren Weinstein)
	Calling Number ID decision announced by California PUC
	   (Moderator--Lauren Weinstein)
        Bank account security (King Ables)
        Social Security numbers (hibbert@xanadu.com)
	Privacy of voter registration files (Lance J. Hoffman)
        Thoughts on the FBI wiretapping proposal (Anonymous)
        CFP'93 Call for Participation (Bruce R Koball)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The PRIVACY Forum is a moderated digest for the discussion and analysis of
issues relating to the general topic of privacy (both personal and
collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@cv.vortex.com" and must have
RELEVANT "Subject:" lines.  Submissions without appropriate and relevant
"Subject:" lines may be ignored.  Subscriptions are by an automatic
"listserv" system; for subscription information, please send a message
consisting of the word "help" (quotes not included) in the BODY of a message
to:  "privacy-request@cv.vortex.com".  Mailing list problems should be
reported to "list-maint@cv.vortex.com".  Mechanisms for obtaining back
issues will be announced when available.  All submissions included in this
digest represent the views of the individual authors and all submissions
will be considered to be distributable without limitations. 

For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX
to (310) 455-2364.
-----------------------------------------------------------------------------

VOLUME 01, ISSUE 05

    Quote for the day:

	     "I'm sorry Dave, I'm afraid I can't do that."

			   -- Hal 9000
	  	      "2001: A Space Odyssey" (1968)

----------------------------------------------------------------------

PRIVACY Brief (from the Moderator)

---

By the middle of 1993 (and in some cases starting as early as July 1, 1992),
most transactions involving the California Department of Motor Vehicles
(DMV) will be tagged to individuals' social security numbers.  This will
include vehicle registrations, driver's license renewals, and most related
activities.  The DMV will refuse to process individuals who do not make
their SS# available upon request.

The DMV says that this requirement is being imposed to allow for easier
cross-checking against outstanding traffic penalties, and to "help collect
delinquent child support payments."

------------------------------

Date:    Fri, 19 Jun 92 18:48:00 PDT
From:    lauren@cv.vortex.com (Moderator--Lauren Weinstein)
Subject: Calling Number ID decision announced by California PUC

Greetings.  The California Public Utilities Commission (PUC) this week
finally made its decision regarding the controversial Calling Number ID
(CNID) services in California.  While the headlines touted: "Caller ID
Approved", the two main telephone companies in the state, Pacific Bell and
GTE California, expressed extreme disappointment at the decision.  GTE
immediately announced that it would withdraw its proposal to provide CNID;
Pacific Bell said that it was reconsidering its proposal and might well
withdraw it in light of the decision.

This seemingly odd reaction by the telcos is the result of the range of
restrictions placed on California CNID services, restrictions which were
universally hailed by privacy advocates.

In addition to free per-call ID blocking, which had been mandated by state
law, the PUC ordered that all customers be able to optionally choose free
per-line ID blocking or per-line ID blocking with a user controllable
per-call ID enable feature (i.e., ID would be blocked on all calls unless
the caller entered a code to enable sending the ID for that particular
call).  

All subscribers would have one free choice of blocking options, after which
changes would be charged.  Subscribers with unlisted numbers who made no
other choice would default to the latter type of per-line ID blocking.  This
default is of major significance in California, where well over half the
phones are unlisted.  Between unlisted numbers and other subscribers who
could be expected to choose per-line blocking (surveys have consistently
shown consumer preference for this option), the number of lines which did
not have some form of per-line ID blocking might be comparatively quite
small.  Presumably this fact is a major component in the GTE decision and
Pacific Bell's considering dropping the service.

Other advanced services such as "call return" were also approved, but with
the requirement that blocked caller ID's must be kept secure and not be
divulged by those services.

The California telcos have expressed hope that pending federal legislation,
which has been drafted to require per-call ID blocking throughout the U.S.,
might also invalidate states' attempts at implementing more stringent (i.e.
per-line) ID blocking and force the withdrawal of the California per-line ID
blocking provisions in the future.

--Lauren--

------------------------------

Date:    Mon, 15 Jun 92 10:28:42 PDT
From:    ables@hal.com (King Ables)
Subject: Bank account security [Subject field supplied by Moderator]

> On the topic of bank account security, some banks are more with it than
> others.  My bank has a nice touch-tone account information system.  The
> user ID is your ATM card number, which is unrelated to any account number.
> After you enter the card number (actually, just the last 8 digits since
> the leading digits are the same for all of its cards) the computer voice
> randomly asks you to enter one of the digits of your PIN, e.g. "now, enter
> the, third, digit of your PIN."  This scheme seems to me fairly secure
> without being overbearing.  I seem to be the only customer who ever uses
> it because they've never advertised it.
> 

That's *awful*!  That means anyone dialing up has a 1 in 10 chance
of getting into your account at any time.  Granted, if they change
the digit, it takes more than 10 tries, but still... 1 in 10 is pretty
good odds if you're talking about my money.

I have to enter my entire 4-digit PIN... I don't see that it's any more
hassle... I have to enter it at an ATM anyway.  But then, all anybody could
do with phone access to my account is pay money out to the people on my
bill paying list, who would credit it anyway, so it wouldn't be a disaster...

---------------------------------------------------------------
King Ables                    HaL Computer Systems, Inc.
ables@hal.com                 8920 Business Park Dr., Suite 300
+1 512 794 2855               Austin, TX  78759
---------------------------------------------------------------

------------------------------

Date:    Mon, 15 Jun 92 09:06:59 PDT
From:    hibbert@xanadu.com
Subject: Social Security numbers [Subject field supplied by Moderator]

    The doctor [...] refused to [include] her own (not the patient's)
    social security [number].  [T]he patient would not receive the
    medication unless and until the DOCTOR provided the DOCTOR's SSN.

    I believe that this is illegal, but am not sure.  Any thoughts?

    Mark D. Rasch

I maintain the periodic FAQ on SSNs that appears in various Usenet
groups.  Mark's belief is incorrect.  There are no regulations that
limit the use or requirement of SSNs by private entities.  There are
some regulations, but they all cover the use by government agencies.

Chris

------------------------------

Date:    Wed, 17 Jun 92 15:58:35 PDT
From:    Lance J. Hoffman <hoffman@seas.gwu.edu>
Subject: privacy of voter registration files

Forwarded from Norman Kraft in alt.privacy:
 
An article that made the front page of the San Diego Union on Sunday,
June 7, 1992 bore the title: "Technology pits privacy vs. Information
Age". The article starts with these paragraphs:
 
++++++
 
   The morning after Bill Turner voted in last week's election, he 
picked up a copy of a local computer magazine and his jaw dropped.
 
   "This ad just jumped out and hit me in the face," said the 35-year
old La Mesa computer programmer. "It was a severe shock."
 
   There, for sale, were Turner's name, address, unlisted telephone
number, occupation, birthplace, birthdate and political affiliation.
 
   A list of San Diego County's 1.25 million registered voters 
containing the information is available for $99 in a relatively new
format [CD-ROM] that virtually anyone with a personal computer can
use. It is the first known such use of voter registration data in the
nation.
 
++++++
 
The CD-ROM is marketed by a San Diego company call Sole Source Systems,
a local computer store.
 
Lists of voter information have always been available, and political 
campaigns have had access to the information on data tapes for years.
This is, however, the first time that such information has been made
available to the public at large, in an easily accessible format 
(dBase, from what I can gather). 
 
Sole Source says that use of the CD is limited to "election purposes,
...election, scholarly or political research, or government purposes."
Sole Source says that they require ID and the completion of a form before
selling the CD.  Turner responds to this with "What is there to prevent me
from going up there and telling him I'm with the Little Old Ladies
Auxilliary 97, and I want this list to call people up and help arrange
transportation to the polls on Election Day?  It would be a bald-faced
lie, but I would get it [the CD]."
 
He may be right, as Conny McCormack, the San Diego County Registrar of
Voters says that the registrar's office does not check to make sure the
list is being used within the law, primarily because "we have no authority
in that area."
 
David Banisar, a policy analyst with Computer Professionals for Social
Responsibilities in Washington, DC, said in all likelihood the CD would
end up in the hands of direct marketers. "This is really an unanticipated
use of the data," he said, "You register to vote because you want to feel
patriotic and do your citizen's duty and try to get some good government.
You don't register to vote so that you can be solicited by every bozo out
there with a widget that he feels he should hock to you."
 
The article goes on to discuss the problems of privacy in the computer
age, and mentions two other CD-ROM databases that are publicly available:
PhoneDisc USA, from a corporation of the same name in Marblehead, Mass.,
lists 90 million names, addresses and phone numbers nation wide.
MetroScan CD, from Transamerica Information Management in Sacramento, is a
database containing housing ownership information, from deed filings, and
for a given address provides the owner's name, address, when the building
was purchased, how many bedrooms and bathrooms it has, how many square
feet it has, and it's property tax assessment.
 
In the article, Ken Smith, from Transamerica Information Magagement,
is quoted as saying: 
 
   "I'm very much in favor of making the information, if it's in the
    public domain, available to a very wide audience, rather than just
    major corporations and government agencies. It's a very, very 
    powerful tool for the little guy."
 
and further:
 
   "I don't think the privace issue has been a concern yet. I can
    see where it might be in the future, but it's not a problem now."
 
Finally the article goes back to Dante Tuccero, from PhoneDisc USA Corp.,
listing such PhoneDisc customers as "the U.S.  Drug Enforcement
Administration, the Navy, the Air Force, the Social Security
Administration, as well as local libraries and law enforcement, public
investigators, geneologists, and even high school and college reunions."
Quoting Tuccero, "There's a company in Langley, Va,. that uses it, I
believe, but wouldn't say so."
 
The last paragraphs of the article point out that "the direct-mail company
that provides PhoneDisc with most of it's data prefers to remain off other
people's lists."
 
"We're not at liberty to share that," Tuccero said, "A lot of data
providers like to be low key."
 
The saddest part of the whole article, in my opinion, is this statement
from Turner: "I have voted in every election since I was 18, and I think
(this) was the last election I'll ever vote in."
 
[For those concerned about the PhoneDisc listings, they will remove your
name from the next release of their CD if you call.  They claim that only
two people have called so far.  I imagine we can change that!  Their
number in Marblehead, Mass. as given by directory assistance, is
617-639-2900.]
 
 ----------------------------------------------------------------------------
 
Norman R. Kraft                   INET  : nkraft@bkhouse.cts.com
Senior Partner                    UUCP  : ucsd!crash!bkhouse!nkraft
Argus Computing                   GENIE : N.KRAFT3
San Diego, CA                     PORTAL: nkraft@cup.portal.com
 
- ----------------------------------------------------------------------------
 A response came in also:
In article <nkraft.03na@bkhouse.cts.com> nkraft@bkhouse.cts.com (Norman Kraft)
writes:
>
>The article goes on to discuss the problems of privacy in the computer
>age, and mentions two other CD-ROM databases that are publicly available:
>PhoneDisc USA, from a corporation of the same name in Marblehead, Mass.,
>lists 90 million names, addresses and phone numbers nation wide. 
 
...
 
>[For those concerned about the PhoneDisc listings, they will remove
>your name from the next release of their CD if you call. They claim
>that only two people have called so far. I imagine we can change 
>that! Their number in Marblehead, Mass. as given by directory assistance, 
>is 617-639-2900.]
 
I called this number to get removed from their list.  The lady who
answered the phone was polite, and told me that they got their information
from the white pages of phone books around the country, which are public
information.  I told her I wanted to be removed from their product, and
she responded that all I needed to do was to get an unlisted number from
the phone company so that I would not be in the next phone book, and that
would prevent me from getting into the next copy of their product.  They
will not remove someone from it individually.
 
Looks like more cause for concern...
 
- -- 
 Jim Gillogly |   Get a MUSH, dude.
 jim@rand.org |   - Jim Gillogly
 
-- 
Professor Lance J. Hoffman
Department of Electrical Engineering and Computer Science
The George Washington University
Washington, D. C. 20052

(202) 994-4955
fax: (202) 994-0227
hoffman@seas.gwu.edu

------------------------------

Date:    Fri, 19 Jun 92 02:21:33 XDT
From:    Anonymous
Subject: Thoughts on the FBI wiretapping proposal

The more I think about the FBI's proposal, the less I worry
specifically about "dial-a-wiretap" and the more I worry about the
other consequences of the FBI's proposal.

Don't get me wrong -- the abuse potential of dial-a-wiretap *is*
enormous, and it must be stopped. But as long as the vast majority of
residential telephone loops remain as analog signals on copper pairs,
wiretapping (legal or illegal) will remain so incredibly easy that,
quite frankly, it hardly seems to matter if dial-a-wiretap is added.
Consider that it is probably easier to add logging to a dial-a-wiretap
system that would catch at least the more unsophisticated abusers than
it is to continuously audit every cable pair and connector block in an
entire telco's loop plant.

So stopping dial-a-wiretap won't really solve the problem. The only
truly effective solution, of course, is user-provided end-to-end
encryption. I predict that effective telephone voice encryption
systems will be readily available to the average person within a few
years -- with or without the government's blessing.

Consider that two of the three main hardware elements of a secure
phone are already available as generic (i.e., uncontrollable) products
on the open market: V.32 (or faster) modems for digital transmission
and PC-class computers for executing encryption algorithms.

The third element, the high quality 8 kb/s vocoder (voice coder), is
about to become a mass consumer electronics item thanks to the
development of the digital cellular telephone.  Alternatively, with
the development of even faster dialup modems (such as V.32bis and
V.fast), older, less efficient speech coders of lower voice quality
(e.g., Motorola's 16 kb/s CVSD chips) could be used instead of the
newer vocoders.

So given the necessary hardware, you only need the right software to
tie it all together into a secure phone. When the hardware does become
widely available, the software will almost certainly appear shortly
thereafter. And the government will not be able to affect
significantly its availability, only the manner of its distribution.
That is, it would be relatively easy to close down a business that
openly sells and supports fully assembled secure telephones. But
trying to stop individuals from writing and giving away software that
turns widely available generic computer components into secure
telephones would make the "drug war" look like a rout in comparison.

So that's why I'm not quite as worried as I was at first about
"dial-a-wiretap". Or perhaps I'm even more worried about the FBI's
proposal to ban the introduction of new products services that are
harder to wiretap than the old ones.

Consider the aforementioned V.32 modem. I've heard that telco security
people have in the past recorded the keystrokes of suspect hackers by
getting a wiretap warrant and decoding both sides of the call with a
specially modified modem.  This was relatively easy with older modems
like V.22bis, because they split the audio band into originate and
receive sections. You just separate the combined signals on the
two-wire line with filters and demodulate them separately. But V.32
and newer modems (V.32bis, V.fast) use echo cancellation, not
frequency separation. The entire audio band is used simultaneously for
both directions. This must make it noticeably harder (though not
impossible) to tap a 2-wire customer line carrying such signals.  The
newer modems have even more complex signal constellations than V.32
and are undoubtedly even harder to intercept.  What if the FBI moved
to block the marketing of the new V.fast modem because it wasn't
easily tapped?

Then there's data compression. V.42bis data compression requires an
error correction protocol because both sender and receiver build a
code tree that depends on the data being sent. If an error occurs, all
of the uncompressed data past that point is garbled. But if an
eavesdropper's demodulator makes an error, he can't exactly ask the
sending party for a retransmission. What if the FBI banned modems
with compression because they're too hard to tap?

Several new radio services would also be threatened by the FBI's
rules. Digital cellular telephones are a good example.  Neither of the
proposed standards (TDMA and CDMA) include encryption per se because
of NSA pressure on a fickle industry concerned more with its export
markets than customer privacy, and an apathetic public that let them
both get away with it. But both systems use signals that are
significantly more complex than existing analog cellular, and they
will be considerably more difficult to intercept as a result.  The
primary purpose of both systems is to increase the capacity of the
cellular spectrum by allowing more calls to coexist in the same area.
This requires an increase in the allowable amount of interference, and
this could make it much harder for an eavesdropper to pick out the
signal he wants. So suppose the FBI bans the deployment of these systems
because they're too hard to intercept, thus denying customers the
benefits of greatly increased capacity?

I could think of many more examples, but the hour is late. Suffice it
to say that although none of these modern (unencrypted) systems would
pose more than a minor annoyance for the NSA, the FBI would apparently
have us believe that it has serious trouble extracting voice from T1
lines (which have been around for 30 years now).  So almost ANY modern
form of communications is likely to give them fits. Give them veto
power over us, and we might as well shut down the entire US
telecommunications R&D effort.

------------------------------

Date:    Wed, 17 Jun 92 17:42:42 PDT
From:    Bruce R Koball <bkoball@well.sf.ca.us>
Subject: CFP'93 Call for Participation


                 Call for Participation
                         CFP'93
   The Third Conference on Computers, Freedom and Privacy
         Sponsored by ACM SIGCOMM, SIGCAS & SIGSAC
                    9 - 12 March 1993
     San Francisco Airport Marriott Hotel, Burlingame, CA

INVITATION

This is an invitation to submit session and topic proposals for 
inclusion in the program of the Third Conference on Computers, 
Freedom and Privacy.  Proposals may be for individual talks, panel 
discussions, debates or other presentations in appropriate 
formats. Proposed topics should be within the general scope of the 
conference, as outlined below.

SCOPE

The advance of computer and telecommunications technologies holds 
great promise for individuals and society. From convenience for 
consumers and efficiency in commerce to improved public health and 
safety and increased participation in democratic institutions, 
these technologies can fundamentally transform our lives.

At the same time these technologies pose threats to the ideals of 
a free and open society. Personal privacy is increasingly at risk 
from invasion by high-tech surveillance and eavesdropping. The 
myriad databases containing personal information maintained in the 
public and private sectors expose private life to constant 
scrutiny. 

Technological advances also enable new forms of illegal activity, 
posing new problems for legal and law enforcement officials and 
challenging the very definitions of crime and civil liberties. But 
technologies used to combat these crimes can threaten the 
traditional barriers between the individual and the state.

Even such fundamental notions as speech, assembly and property are 
being transformed by these technologies, throwing into question 
the basic Constitutional protections that have guarded them. 
Similarly, information knows no borders; as the scope of economies 
becomes global and as networked communities transcend 
international boundaries, ways must be found to reconcile 
competing political, social and economic interests in the digital 
domain.

The Third Conference on Computers, Freedom and Privacy will 
assemble experts, advocates and interested people from a broad 
spectrum of disciplines and backgrounds in a balanced public forum 
to address the impact of computer and telecommunications 
technologies on freedom and privacy in society. Participants will 
include people from the fields of computer science, law, business, 
research, information, library science, health, public policy, 
government, law enforcement, public advocacy and many others.

Topics covered in previous CFP conferences include:

Personal Information and Privacy
International Perspectives and Impacts
Law Enforcement and Civil Liberties
Ethics, Morality and Criminality
Electronic Speech, Press and Assembly
Who Logs On (Computer & Telecom Networks)
Free Speech and the Public Telephone Network
Access to Government Information
Computer-based Surveillance of Individuals
Computers in the Workplace
Who Holds the Keys? (Cryptography)
Who's in Your Genes? (Genetic Information)
Ethics and Education
Public Policy for the 21st Century

These topics are given as examples and are not meant to exclude 
other possible topics on the general subject of Computers, Freedom 
and Privacy.

PROPOSAL SUBMISSION

All proposals should be accompanied by a position statement of at 
least one page, describing the proposed presentation, its theme 
and format. Proposals for panel discussions, debates and other 
multi-person presentations should include a list of proposed 
participants and session chair. Proposals should be sent to:

	CFP'93 Proposals
	2210 Sixth Street
	Berkeley, CA 94710

or by email to:    cfp93@well.sf.ca.us    with the word "Proposal" 
in the subject line. Proposals should be submitted as soon as 
possible to allow thorough consideration for inclusion in the 
formal program. The deadline for submissions is 15 August 1992.

STUDENT PAPER COMPETITION

Full time students are invited to enter the student paper 
competition. Winners will receive a scholarship to attend the 
conference and present their papers.

Papers should not exceed 2500 words and should address the impact 
of computer and telecommunications technologies on freedom and 
privacy in society. All papers should be submitted to Professor 
Dorothy Denning by 15 October 1992. Authors may submit their 
papers either by sending them as straight text via email to:   
denning@cs.georgetown.edu   or by sending 6 printed copies to:

	Professor Dorothy Denning
	Georgetown University
	Dept.  of Computer Science
	225 Reiss Science Bldg.
	Washington DC 20057

Submitters should include the name of their institution, degree 
program, and a signed statement affirming that they are a full-
time student at their institution and that the paper is an 
original, unpublished work of their own.

INFORMATION

For more information on the CFP'93 program and advance 
registration, as it becomes available, write to:

	CFP'93 Information
	2210 Sixth Street
	Berkeley, CA 94710

or send email to:    cfp93@well.sf.ca.us    with the word 
"Information" in the subject line.

THE ORGANIZERS

General Chair
-------------
Bruce R. Koball
CFP'93
2210 Sixth Street
Berkeley, CA 94710
510-845-1350 (voice)
510-845-3946 (fax)
bkoball@well.sf.ca.us

Steering Committee
------------------
John Baker                        Mitch Ratcliffe
Equifax                           MacWeek Magazine

Mary J. Culnan                    David D. Redell
Georgetown University             DEC Systems Research
                                   Center
Dorothy Denning
Georgetown University             Marc Rotenberg
                                  Computer Professionals
Les Earnest                        for Social Responsibility
GeoGroup, Inc.
                                  C. James Schmidt
Mike Godwin                       San Jose State University
Electronic Frontier Foundation
                                  Barbara Simons
Mark Graham                       IBM
Pandora Systems
                                  Lee Tien
Lance J. Hoffman                  Attorney
George Washington University
                                  George Trubow
Donald G. Ingraham                John Marshall Law School
Office of the District Attorney,
 Alameda County, CA               Willis Ware
                                  Rand Corp.
Simona Nass
Student - Cardozo Law School      Jim Warren
                                  MicroTimes
Peter G. Neumann                   & Autodesk, Inc.
SRI International

Affiliations are listed for identification only.

Please distribute and post this notice!

------------------------------

End of PRIVACY Forum Digest 01.05
************************

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH