TUCoPS :: Privacy :: priv_106.txt

Privacy Digest 1.06 6/26/92

PRIVACY Forum Digest        Friday, 26 June 1992        Volume 01 : Issue 06

         Moderated by Lauren Weinstein (lauren@cv.vortex.com)
                Vortex Technology, Topanga, CA, U.S.A.
	
                     ===== PRIVACY FORUM =====

CONTENTS
	PRIVACY Briefs (Moderator--Lauren Weinstein)
	PRIVACY Forum back issues now available via listserv system
	   (Moderator--Lauren Weinstein)
	FBI Digital Telephony Proposal now in PRIVACY Forum archive
	   (Moderator--Lauren Weinstein)
        Govt & Corp Sysops Monitoring Users & Email (Jim Warren)
	Rental applications and privacy (Susie Hirsch)
	Monitoring of public information sources 
	   (Moderator--Lauren Weinstein)
        Chronicle Crypto Article (Joe Abernathy)

 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The PRIVACY Forum is a moderated digest for the discussion and analysis of
issues relating to the general topic of privacy (both personal and
collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@cv.vortex.com" and must have
RELEVANT "Subject:" lines.  Submissions without appropriate and relevant
"Subject:" lines may be ignored.  Subscriptions are by an automatic
"listserv" system; for subscription information, please send a message
consisting of the word "help" (quotes not included) in the BODY of a message
to:  "privacy-request@cv.vortex.com".  Mailing list problems should be
reported to "list-maint@cv.vortex.com".  Mechanisms for obtaining back
issues will be announced when available.  All submissions included in this
digest represent the views of the individual authors and all submissions
will be considered to be distributable without limitations. 

Back issues of PRIVACY Forum digests (and other related material) are now
archived and may be obtained automatically through the listserv system.
Please follow the instructions above for getting the listserv "help"
information, which now includes details regarding the "index" and "get"
listserv commands, which are used to access the PRIVACY Forum archive.

For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX
to (310) 455-2364.
-----------------------------------------------------------------------------

VOLUME 01, ISSUE 06

    Quote for the day:

	       "I am not a number!  I am a free man!"

		    -- Number 6
	            "The Prisoner" television series (1968-1969)

----------------------------------------------------------------------

Date:    Fri, 26 Jun 92 18:25 PDT
From:    lauren@cv.vortex.com (Moderator--Lauren Weinstein)
Subject: PRIVACY Briefs

---

Concerns have been raised in Los Angeles over the recent revelations that
the District Attorney's office has been "secretly" videotaping the
spectators attending certain ongoing court cases.  The cases in question
involve the defendants charged in the beating of a truck driver at the start
of the recent L.A. area civil unrest.  The tapes have apparently been used
in an effort to determine if any of the court spectators could be matched up
with unidentified persons taped during the actual disturbances.

---

An Iowa couple has been awarded $4.3 million (with 25% going to them, and
75% going to a victims' reparations fund) after winning a privacy suit
against a motel.  While having sex in a motel room, they heard a creaking
noise behind a wall, and discovered that what they had thought was a
conventional mirror was actually a "two-way" type with an 8 inch peephole
behind it, leading to an attic crawlspace.  Though the motel operator said he
had not known about the mirror, and even though it was never proven that
anybody had actually been behind the mirror, the judge told the jury that
the mere existence of such an arrangement could be sufficient for conviction.

------------------------------

Date:    Fri, 26 Jun 92 18:17 PDT
From:    lauren@cv.vortex.com (Moderator--Lauren Weinstein)
Subject: PRIVACY Forum back issues now available via listserv system

Greetings.  I'm pleased to announce that all PRIVACY Forum back issues, and
related privacy materials, are now available via the cv.vortex.com listserv
system.  All future issues will be added to the archive as well.  This
system allows you to request particular items from the archive automatically
via mail messages.

To get an index of available materials, you should send a message to:

   privacy-request@cv.vortex.com

or

   listserv@cv.vortex.com

with the command:

   index privacy

in the BODY of your message (as the first text in your message body).

To retrieve a particular item, follow the same procedure as above,
but use the command:

   get privacy <file>

where <file> is replaced by the desired file name.
For example, to retrieve PRIVACY Forum digest Volume 01, Issue 04:

   get privacy priv.01.04

As always with the listserv system, only one request may be included in a
message; any subsequent requests in a single message will be ignored. 

To avoid unnecessary net traffic, please only retrieve materials that you
really need.

Thanks much.

--Lauren--

------------------------------

Date:    Fri, 26 Jun 92 21:45 PDT
From:    lauren@cv.vortex.com (Moderator--Lauren Weinstein)
Subject: FBI Digital Telephony Proposal now in PRIVACY Forum archive

A complete copy of the latest revision (May, 1992) of the FBI
Digital Telephony Proposal is now in the PRIVACY Forum archive,
under the name "fbi-tel.1".

This is the legislative proposal to require direct interception capability
in virtually all U.S. telecommunications networks and related equipment, the
transferring of telecommunications certification control from the FCC to the
Attorney General, and the explicit ability to establish a remote government
monitoring facility.

There have been comments regarding this proposal in previous issues
of the PRIVACY Forum digest.

--Lauren--

------------------------------

Date:    Sun, 21 Jun 92 17:46:26 PDT
From:    jwarren@autodesk.com (Jim Warren)
Subject: Govt & Corp Sysops Monitoring Users & Email

Last month, I gave a morning talk to an all-day meeting of an organization
of systems administrators of mini-class, mostly-shared systems -- most of
them employed by Fortune 500 companies and government agencies.

Initially titled, "Dodging Pitfalls in the Electronic Frontier," by mutual
agreement with the organizers, we re-titled it, "Government Impacts on
Privacy and Security." However, it was the same talk.  :-)  It was based on
information and perspectives aired during recent California Senate Judiciary
privacy hearings, and those presented at the 1991 and 1992 conferences on
Computers, Freedom & Privacy. (I organized and chaired the first CFP and
co-authored its transcripts, available from the IEEE Computer Society Press,
714-821-8380, Order #2565.)

The talk was long; the audience attentive; the questions and discussion
extensive.  The attendees were clearly and actively interested in the issues.

At one point, I asked "How many have *NOT* been asked by their management or
superiors to monitor their users and/or examine or monitor users' email."
  Only about 20% held up their hands -- even though I emphasized that I was
phrasing the question in a way that those who would be proud to hold up
their hands, could to do so.

--jim
Jim Warren, jwarren@well.sf.ca.us  -or-  jwarren@autodesk.com
MicroTimes "futures" columnist; Autodesk, Inc., Board of Directors' member
InfoWorld founder; PBS' "Computer Chronicles" founding host, blah blah blah

------------------------------

Date:    Fri, 26 Jun 92 13:46 PDT
From:    susie@cv.vortex.com (Susie Hirsch)
Subject: Rental applications and privacy

I recently have been looking for a house to rent, and have completed rental
applications that contain a variety of personal information (social
security number, address, phone number, credit information). The market is
very competitive for rental houses in the area, so I am required to provide
a completed rental application to even be considered as the potential renter.
Submitting incomplete applications on privacy grounds will most certainly 
result in the landlord simply renting the property to another applicant
who provides all the requested personal information.

Given the nature of this personal information, I wonder about the security
issues concerning rental applications.  What if an application is turned
down by the property owner, and then carelessly tossed away where anyone
could find it?  What recourse does an applicant have if personal information
has been misused as a result of completing a rental application?  Or is this 
another situation where you simply hope you won't be victimized?

How can a balance be struck between the privacy rights of the applicant,
and the owner's need to check the background and credit history of a
potential renter?

::: Susie :::

------------------------------

Date:    Fri, 26 Jun 92 19:49 PDT
From:    lauren@cv.vortex.com (Moderator--Lauren Weinstein)
Subject: Monitoring of public information sources

Greetings.  Every so often on the networks, we hear of a case where a person
sent a message (to public distribution lists or public newsgroups) which
might be interpreted as threatening to particular groups or individuals, or
discussing information that might potentially have been of a classified
nature.  Sometimes the result of such a message is a visit to that author by
law enforcement officials, with a copy of the message in hand.

Usually it has turned out that the perceived threats weren't serious, or that
the information in question wasn't classified, but there was no reasonable
way to make such determinations until after some investigation.

When such events occur, there is sometimes incredulity expressed by some
segments of the network community that law enforcement officials even knew
that such public messages had been posted, and the argument is raised that
it is wrong for such "monitoring" of public information sources to be taking
place by such agencies.  Some argue that law enforcement should be
restrained from making use of those kinds of information channels, even
though others can use that information freely.

I personally disagree.  While obviously it is very important that such
agencies react responsibly, I believe that information openly posted to
public lists and other public forums should be available to law
enforcement officials and agencies, just as it's available to everyone
else.  In fact, I'd be concerned if law enforcement didn't pay attention to
such widely available public information and public discussions.  

Note that I'm talking here about *public* postings and *public*
information.  The issues surrounding *private* communications 
(e.g. *private* e-mail) are completely different, of course.

Some discussion of the "monitoring of public information" issues here 
in the PRIVACY Forum might prove interesting.

--Lauren--

------------------------------

Date:    Wed, 24 Jun 92 18:14:42 CDT
From:    Joe.Abernathy@houston.chron.com (Joe Abernathy)
Subject: Chronicle Crypto Article

This cryptography article appeared Sunday, June 21. It
is being forwarded to Risks as a way of giving back
something to the many thoughtful participants here who
helped give shape to the questions and the article.

In a companion submission, I include the scanned text of
the NSA's 13-page response to my interview request, which
appears to be the most substantial response they've
provided to date. I would like to invite feedback
and discussion on the article and the NSA document.

   [ Moderator's Note: The entire NSA response document referred
     to above has been placed in the PRIVACY Forum archive under
     the name "nsa-chron.1".  --Lauren-- ]

Please send comments to edtjda@chron.com

Promising technology alarms government

/ Use of super-secret codes would block
  legal phone taps in FBI's crime work

By JOE ABERNATHY
Copyright 1992, Houston Chronicle
	
   Government police and spy agencies are trying to thwart 
new technology that allows conversations the feds can't tap.

   A form of cryptography _ the science of writing and 
deciphering codes _ this technology holds the promise of 
guaranteeing true privacy for transactions and communications.

   But an array of federal agencies is seeking to either 
outlaw or severely restrict its use, pointing out the potency 
of truly secret communications as a criminal tool.

   "Cryptography offers or appears to offer something that is 
unprecedented,'' said Whitfield Diffie, who with a Stanford 
University colleague devised public key cryptography,'' an 
easily used cryptography that is at the center of the fight. "It 
looks as though an individual might be able to protect 
information in such a way that the concerted efforts of 
society are not going to be able to get at it.

   "No safe you can procure has that property; the strongest 
safes won't stand an hour against oxygen lances. But 
cryptography may be different. I kind of understand why the 
police don't like it.''

   The National Security Agency, whose mission is to 
conduct espionage against foreign governments and diplomats,
sets policy for the government on matters regarding 
cryptography.

   But the FBI is taking the most visible role. It is backing 
legislation that would address police fears by simply 
outlawing any use of secure cryptography in electronic 
communications.

   The ban would apply to cellular phones, computer 
networks, and the newer standard telephone equipment _ 
already in place in parts of Houston's phone system and 
expected to gain wider use nationwide. 

   "Law enforcement needs to keep up with technology,'' said 
Steve Markardt, a spokesman for the FBI in Washington. 
"Basically what we're trying to do is just keep the status 
quo. We're not asking for anything more intrusive than we 
already have.''

   He said the FBI uses electronic eavesdropping only on 
complex investigations involving counterterrorism, foreign 
intelligence, organized crime, and drugs. "In many of those,'' 
he said, we would not be able to succeed without the ability 
to lawfully intercept.''

   The State and Commerce departments are limiting 
cryptography's spread through the use of export reviews, 
although many of these reviews actually are conducted by 
the NSA. The National Institute of Standards and Technology,
meanwhile, is attempting to impose a government 
cryptographic standard that critics charge is flawed, although
the NSA defends the standard as adequate for its 
intended, limited use.

   "It's clear that the government is unilaterally trying to 
implement a policy that it's developed,'' said Jim Bidzos, 
president of RSA Data Security, which holds a key cryptography
patent. "Whose policy is it, and whose interest does it 
serve? Don't we have a right to know what policy they're 
pursuing?''

   Bidzos and a growing industry action group charge that 
the policy is crippling American business at a critical 
moment.

   The White House, Commerce Department, and NIST 
refused to comment. 

   The NSA, however, agreed to answer questions posed in 
writing by the Houston Chronicle. Its purpose in granting the 
rare, if limited, access, a spokesman said, was "to give a true 
reflection'' of the policy being implemented by the agency.

   "Our feeling is that cryptography is like nitroglycerin: Use 
it sparingly then put it back under trusted care,'' the 
spokesman said.

   Companies ranging from telephone service providers to 
computer manufacturers and bankers are poised to introduce 
new services and products including cryptography. 
Users of electronic mail and computer networks can expect 
to see cryptography-based privacy enhancements later this 
year.

   The technology could allow electronic voting, electronic 
cash transactions, and a range of geographically separated 
_ but secure _ business and social interactions. Not since 
the days before the telephone could the individual claim 
such a level of privacy.

   But law enforcement and intelligence interests fear a 
world in which it would be impossible to execute a wiretap 
or conduct espionage.

   "Secure cryptography widely available outside the United 
States clearly has an impact on national security,'' said the 
NSA in its 13-page response to the Chronicle. "Secure 
cryptography within the United States may impact law 
enforcement interests.''

   Although Congress is now evaluating the dispute, a call by 
a congressional advisory panel for an open public policy 
debate has not yet been heeded, or even acknowledged, by 
the administration.

   The FBI nearly won the fight before anyone knew that war 
had been declared. Its proposal to outlaw electronic 
cryptography was slipped into another bill as an amendment
and nearly became law by default last year before 
civil liberties watchdogs exposed the move.

   "It's kind of scary really, the FBI proposal being considered
as an amendment by just a few people in the 
Commerce Committee without really understanding the 
basis for it,'' said a congressional source, who requested 
anonymity. "For them, I'm sure it seemed innocuous, but 
what it represented was a fairly profound public policy 
position giving the government rights to basically spy on 
anybody and prevent people from stopping privacy infringements.''

   This year, the FBI proposal is back in bolder, stand-alone 
legislation that has created a battle line with law enforce
ment on one side and the technology industry and privacy 
advocates on the other.

   "It says right on its face that they want a remote 
government monitoring facility'' through which agents in 
Virginia, for instance, could just flip a switch to tap a 
conversation in Houston, said Dave Banisar of the Washington 
office of Computer Professionals for Social Responsibility.

   Though the bill would not change existing legal restraints 
on phone-tapping, it would significantly decrease the practical
difficulty of tapping phones _ an ominous development 
to those who fear official assaults on personal and corporate 
privacy.

   And the proposed ban would defuse emerging technical 
protection against those assaults.

   CPSR, the point group for many issues addressing the way 
computers affect peoples' lives, is helping lend focus to a 
cryptographic counterinsurgency that has slowly grown in 
recent months to include such heavyweights as AT&T, DEC, 
GTE, IBM, Lotus, Microsoft, Southwestern Bell, and other 
computer and communications companies.

   The proposed law would ban the use of secure cryptography 
on any message handled by a computerized communications
network. It would further force service providers to 
build access points into their equipment through which the 
FBI _ and conceivably, any police officer at any level _ 
could eavesdrop on any conversation without ever leaving 
the comfort of headquarters.
	
   "It's an open-ended and very broad set of provisions that 
says the FBI can demand that standards be set that industry 
has to follow to ensure that (the FBI) gets access,'' said 
a congressional source. "Those are all code words for if they
can't break in, they're going to make (cryptography) illegal.
	
   "This is one of the biggest domestic policy issues facing
the country. If you make the wrong decisions, it's going to
have a profound effect on privacy and security.''
	
   The matter is being considered by the House Judiciary 
Committee, chaired by Rep. Jack Brooks, D-Texas, who is 
writing a revision to the Computer Security Act of 1987, the 
government's first pass at secure computing.
	
   The recent hearings on the matter produced a notable 
irony, when FBI Director William Sessions was forced to 
justify his stance against cryptography after giving opening 
remarks in which he called for stepped-up action to combat 
a rising tide of industrial espionage. Secure cryptography 
was designed to address such concerns.
	
   The emergence of the international marketplace is 
shaping much of the debate on cryptography. American 
firms say they can't compete under current policy, and that 
in fact, overseas firms are allowed to sell technology in 
America that American firms cannot export.
	
   "We have decided to do all further cryptographic develop
ment overseas,'' said Fred B. Cohen, a noted computer 
scientist. "This is because if we do it here, it's against the law 
to export it, but if we do it there, we can still import it and 
sell it here. What this seems to say is that they can have it, 
but I can't sell it to them _ or in other words _ they get the 
money from our research.''
	
   A spokeswoman for the the Software Publishers Association
said that such export controls will cost $3-$5 billion in 
direct revenue if left in place over the next five years. She 
noted the Commerce Department estimate that each $1 
billion in direct revenue supports 20,000 jobs.
	
   The NSA denied any role in limiting the power of 
cryptographic schemes used by the domestic public, and 
said it approves 90 percent of cryptographic products 
referred to NSA by the Department of State for export 
licenses. The Commerce Department conducts its own 
reviews.
	
   But the agency conceded that its export approval figures 
refer only to products that use cryptology to authenticate a 
communication _ the electronic form of a signed business 
document _ rather than to provide privacy.
	
   The NSA, a Defense Department agency created by order 
of President Harry Truman to intercept and decode foreign 
communications, employs an army of 40,000 code-breakers. 
All of its work is done in secret, and it seldom responds to 
questions about its activities, so a large reserve of distrust 
exists in the technology community.
	
   NSA funding is drawn from the so-called "black budget,'' 
which the Defense Budget Project, a watchdog group, 
estimates at $16.3 billion for 1993.
	
   While the agency has always focused primarily on foreign 
espionage, its massive eavesdropping operation often pulls 
in innocent Americans, according to James Bamford, author 
of "The Puzzle Palace," a book focusing on the NSA's 
activities. Significant invasions of privacy occurred in the 
1960s and 1970s, Bamford said. 
	
   Much more recently, several computer network managers 
have acknowledged privately to the Chronicle that NSA has 
been given access to data transmitted on their networks _ 
without the knowledge of network users who may view the 
communications as private electronic mail.
	
   Electronic cryptology could block such interceptions of 
material circulating on regional networks or on Internet _ 
the massive international computer link.
	
   While proponents of the new technology concede the need 
for effective law enforcement, some question whether the 
espionage needs of the post-Cold War world justify the 
government's push to limit these electronic safeguards on 
privacy.
	
   "The real challenge is to get the people who can show 
harm to our national security by freeing up this technology 
to speak up and tell us what this harm is,'' said John 
Gillmore, one of the founders of Sun Microsystems. 
	
   "When the privacy of millions of people who have cellular 
telephones, when the integrity of our computer networks 
and our PCs against viruses are up for grabs here, I think the 
battleground is going to be counting up the harm and in the 
public policy debate trying to strike a balance.''
	
   But Vinton Cerf, one of the leading figures of the Internet 
community, urged that those criticizing national policy 
maintain perspective.
	
   "I want to ask you all to think a little bit before you totally 
damn parts of the United States government,'' he said. 
"Before you decide that some of the policies that in fact go 
against our grain and our natural desire for openness, before 
you decide those are completely wrong and unacceptable, I 
hope you'll give a little thought to the people who go out 
there and defend us in secret and do so at great risk.''

------------------------------

End of PRIVACY Forum Digest 01.06
************************

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH