TUCoPS :: Privacy :: priv_113.txt

Privacy Digest 1.13 8/20/92

From privacy@cv.vortex.com Fri Aug 21 02:55:09 1992
Return-Path: <privacy@cv.vortex.com>
Received: from cv.vortex.com by csrc.ncsl.nist.gov (4.1/NIST)
	id AA17842; Fri, 21 Aug 92 02:54:15 EDT
Posted-Date: Thu, 20 Aug 92 23:54 PDT
Received-Date: Fri, 21 Aug 92 02:54:15 EDT
Received: by cv.vortex.com (/\==/\ Smail3.1.25.1 #25.21)
	id <m0mLQvr-0001sMC@cv.vortex.com>; Thu, 20 Aug 92 21:49 PDT
Message-Id: <m0mLQvr-0001sMC@cv.vortex.com>
Date: Thu, 20 Aug 92 23:54 PDT
From: privacy@cv.vortex.com (PRIVACY Forum)
To: privacy-forum@csrc.ncsl.nist.gov
Subject: PRIVACY Forum Digest V01 #13
Status: R

PRIVACY Forum Digest      Thursday, 20 August 1992      Volume 01 : Issue 13

         Moderated by Lauren Weinstein (lauren@cv.vortex.com)
                Vortex Technology, Topanga, CA, U.S.A.
	
                     ===== PRIVACY FORUM =====

   	  The PRIVACY Forum digest is supported in part by the 
	      ACM Committee on Computers and Public Policy.


CONTENTS
	DAK Catalog and PhoneDisc (Stan Quayle)
	DNA fingerprinting data (Jerry Leichter)
	Motorola 'Secure Clear' Cordless Phones (Tim Tyler)
	CPSR Letter on Crypto Policy (David Sobel)
        Undergraduate course on computers, freedom, and privacy
	   (Lance J. Hoffman)
	CPSR 1992 Annual Meeting (Nikki Draper)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The PRIVACY Forum is a moderated digest for the discussion and analysis of
issues relating to the general topic of privacy (both personal and
collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@cv.vortex.com" and must have
RELEVANT "Subject:" lines.  Submissions without appropriate and relevant
"Subject:" lines may be ignored.  Subscriptions are by an automatic
"listserv" system; for subscription information, please send a message
consisting of the word "help" (quotes not included) in the BODY of a message
to: "privacy-request@cv.vortex.com".  Mailing list problems should be
reported to "list-maint@cv.vortex.com".  All submissions included in this
digest represent the views of the individual authors and all submissions
will be considered to be distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "cv.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.

For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX
to (310) 455-2364.
-----------------------------------------------------------------------------

VOLUME 01, ISSUE 13

    Quote for the day:

	"My first public appearance in years, and 
	 it's all straight lines."

			-- Closing comment by Woody Allen at a press
			   conference the week of August 16, 1992,
			   discussing allegations made against him by
			   former companion Mia Farrow.

----------------------------------------------------------------------

Date:    Wed, 12 Aug 1992 09:04:28 EDT
From:    Stan Quayle <QUAYLE@engclu.doh.square-d.com>
Subject: DAK Catalog and PhoneDisc

>	[ DAK has their warehouse, offices, and walk-in store about 20
>	  minutes from my area.  I've been down there a number of times to
>	  *very carefully* buy various items.  The important thing to keep
>	  in mind about DAK is that much of their merchandise consists of
>	  closeouts or "old versions" of items that have already been
>	  supersceded by later versions.  One would have to wonder about the
>	  degree of data "staleness" in a DAK CD-ROM nationwide white pages
>	  (which is what I believe this item to be). -- MODERATOR ]

I called the PhoneDisc company, which makes DAK's disk.  The DAK version is
the "retail" version of PhoneDisc, which has last year's data, and leaves out
10,000,000 households.  The "commercial" PhoneDisc is available with
quarterly updates.  Of course, it's $1850 per year.

DAK's disk would be sufficient for my purposes, but I don't want to buy an
old, slow, CD-ROM drive first.  Drop by the walk-in store and see if you can
buy me one without the drive, would you?

-----------------
Stan Quayle  N8SQ  +1 614 764-4212
Internet:  quayle@engclu.doh.square-d.com  UUCP:  osu-cis!squared!quayle
Square-D Company, 5160 Blazer Parkway, Dublin, OH  43017

------------------------------

Date:    Thu, 20 Aug 92 15:45:56 EDT
From:    Jerry Leichter <leichter@lrw.com>
Subject: DNA fingerprinting data

In a recent PRIVACY, I noted that the data used for identification by "DNA
fingerprints" was different from that used to identify diseases.  I've since
had the chance to talk to someone who does molecular biology, and he confirmed
this.

In fact, he pointed out that genes useful for identification are almost
certain to be useless for purposes like denying insurance.  The reasoning
is simple.  Suppose you want to identify people with a 1 in 10^6 chance of
error.  If you choose a gene that only occurs in 1 in 10^6 people, for that
one person, you are done - but for everyone else, you have no information.
You'd need almost 10^6 genes to stand a good chance of identifying a random
member of the population.

On the other hand, if you can find 20 genes each of which occurs in the
population independently with about 50% probability, any given combination
will only occur once in 2^20 times, or about 1 in 10^6.  A MUCH better
approach.

In general, to be useful for identification, genes have to be quite common,
hence unlikely to be of significant use in predicting disease.

My contact points out a related issue:  As we learn more about the genetics of
various diseases, we also learn more about their inheritance charateristics.
(In fact, often we learn about the latter first.)  Given enough information
of this sort, which should be available in perhaps 10 to 20 years, you won't
really need to analyze someone's DNA to make all sorts of medically signifi-
cant predictions:  All you'll need is data about the medical status of their
parents and relatives.  And, of course, the insurance companies already HAVE
extremely complete data of exactly this sort about just about everyone who's
lived in the past 30 years, if not longer.  It will be much more difficult to
control their use of such data.
							-- Jerry

------------------------------

Date:    Thu, 20 Aug 92 19:42:40 EDT
From:    tim@ais.org (Tim Tyler)
Subject: Motorola 'Secure Clear' Cordless Phones

          "Why A Motorola Cordless Phone?"   

     "Cordless phone eavesdroppers are everywhere" says pro golfer
Lee Turino, spokesman for Motorola.  "But with my Motorola Secure
Clear~ Cordless Phone, my private conversations stay private."

     So says a glossy brochure (# BA-81) that Motorola's Consumer
Products Division (telephone # 800/331-6456) distributes to promote
their new 'secure' cordless phone product line.   When I first read
the cover of the brochure, I said to myself, "Wow, I wonder what
sophisticated technology it must use?"   Motorola has been
developing and selling secure voice & data systems, from DVP & DES
up to the current 'FASCINATOR' algorithm for classified military &
federal government secure voice for many years.

 Page Two of the slick brochure provides some rhetorical questions
and answers:

*****************************************************************
          Why Motorola Cordless Phones?

     Q. What is meant by Secure Clear?

     Secure Clear is an exclusive technology that assures you no
eavesdroppers will be able to use another cordless phone, scanner
or baby monitor to listen in to your cordless conversations.

     Q. How difficult is it to eavesdrop on someone's cordless
conversation?

     It's not difficult at all. Simply by operating a cordless
phone, scanner or baby monitor on the same channel as you're on, an
eavesdropper can listen in.  Security codes alone DO NOT prevent
eavesdropping.

     Q. What are security codes and what do they do?

     Security codes allow the handset and base to communicate with
each other. With the Secure Clear cordless phone, one of 65,000
possible codes are randomly assigned every time you set the handset
in the base.  This means that a neighbor cannot use his handset to
link with your base and have phone calls charged to your phone
number.

     Q. Describe the basic difference between Secure Clear and
security codes.

     Secure Clear protects against eavesdropping.  Security codes
prevent the unauthorized use of your phone line. Usually all
cordless phones have security codes, but not both.

     Q. What is the purpose of the Secure Clear demo?

     The Secure Clear demo is a unique feature of Motorola phones
that allows you to actually experience what an eavesdropper would
hear when trying to listen to your conversation.  By pressing the
SECURE DEMO button on the Motorola phone, you and the person on the
other end will hear the same scrambled noise an eavesdropper would
hear.

*****************************************************************
     
     Hmmm...  I went to the Motorola Secure Clear cordless phone
display at a Sears store, took a deep breath, & hit the demo button
in order to hear what the "scrambled noise" which would protect a
conversation from eavesdropping sounded like.  
     White-noise like that of a digital data stream? Rapid analog
time-domain scrambling?  No, the scrambled "noise" sounded like
inverted analog voice.  That's right, they're using the 40 or 50
year old (3kHz baseband) speech inversion system --the same one
which they stopped marketing for their commercial two-way radio
gear about a decade ago-- to make Lee Turino & other ignorant
people's "private conversations stay private."
     
     For those of you not familiar with speech inversion, it simply
flip-flops the voice spectrum so that high pitched sounds are low,
& vice versa.  It sounds a lot like Single Side Band (SSB)
transmissions, although an SSB receiver will not decode speech-
inversion scrambling.  Prior to 1986, several companies -- Don
Nobles, Capri Electronics, etc. sold inexpensive kits or scanner
add-ons which could be used to decode speech inversion.  Several
electronics magazines also published schematics for making your own
from scratch, at a cost of about $5.    After the Electronic
Communications Privacy Act of 1986, it became illegal to decode or
decipher encrypted communications which you weren't a legitimate
party to, so the standard practice of selling these quasi-legal
products as 'experimental kits' or 'for educational purposes only'
became common.  Today, some companies will not specifically sell a
'speech-inversion descrambler,' but instead market a 'speech
inversion scrambling system' which means the kit will encode as
well as decode speech inversion, although most people buy them
simply to hook up to their scanners & monitor the few public safety
agencies and business that (still) use speech-inversion scrambling.

     Yes, technically, it is a felony for you to use a speech-
inversion descrambler to monitor these Motorola 'Secure Clear'
cordless. Or for that matter, the new Radio Shack DUoPHONE ET-499,
cordless phone which also depends on speech-inversion for privacy
protection.  The public utility of the ECPA has been argued about
ever since before it was enacted.  It is rather obvious that the
ECPA was pushed upon the ignorant, money-hungry Congress by the
powerful (& wealthy) Cellular Telephone Industry Association (so
the CTIA could propagate misinformation to the public, but that's
another story...).  I also realize that the 46/49MHz cordless phone
channels are apparently allocated for analog-voice only.

     Despite the ECPA, it is unconscionable to me that Motorola --
who surely knows better-- would produce the slick brochure &
specifically market the 'Secure Clear' line as being invulnerable
to eavesdropping.   Their wording unequivocally gives the
impression that the 'Secure Clear' conversations are secure, not
only from other cordless phone & baby monitors, which have several
common frequencies, but also against communications hobbyists with
scanner radios.

     It is bad enough that many public safety officers still think
that by using the 'PL' ('Private Line~,' also known as CTCSS)
setting on their Motorola two-way radios, no one else can listen
in.  While the 'Private Line' fiasco might be attributable to
misconception on the part of the radio users, in my opinion,
Motorola's Consumer Products Division has to know that there are
thousands of scanner monitors who have the technical ability to
defeat the speech-inversion 'Secure Clear' system.  A Motorola
representative at the 1992 Summer Consumer Electronics Show in
Chicago confirmed this to me, with a smirk on his face.

     There's a big difference between Motorola's aforementioned
wording & that of Radio Shack's on page 3 of their 1993 catalog:

        New! Voice-Scrambling Cordless Telephone
        DUoFONE ET-499.  Cordless phones are great.
        But since they transmit over the airwaves, 
        your private conversations could be 
        monitored. Now you can enjoy cordless
        convenience with voice scrambling for
        added [emphasis theirs] privacy protection --
        frequency inversion makes transmissions 
        between the handset and base unintelligible...

     It's not "Motorola should know better."  Motorola DOES know
better.  Otherwise, they wouldn't be spending time or money on true
'secure' (based on current technology, of course) communications
and transmission security systems.

     I sure am thankful that our federal government & military
users of secure-mode communications systems don't rely on  
Motorola's marketing department to provide factual information as
to the level of security provided by Motorola equipment.  Too bad
that for the most part, the public does.

     For anyone looking for a cordless telephone that offers a
decent level of privacy, take a look at some of the new cordless
phones which use 900MHz.  Most of the new ones not only use CVSD
digital voice for the RF link, but also direct-sequence spread
spectrum.  By no means are these phones secure ('encoded,' yes, but
'encrypted,' no), & the Tropez 900 actually seems to generate a
very weak analog harmonic in the 440MHz spectrum, but you'll be a
lot better off than poor old Lee Turino.
-- 

Tim Tyler       Internet: tim@ais.org  MCI Mail: 442-5735 
P.O. Box 443    C$erve: 72571,1005  DDN: Tyler@Dockmaster.ncsc.mil
Ypsilanti MI    Packet: KA8VIR @KA8UNZ.#SEMI.MI.USA.NA
48197
 
------------------------------

Date:    Mon, 17 Aug 1992 14:48:18 EDT
From:    David Sobel <dsobel@washofc.cpsr.org>
Subject: CPSR Letter on Crypto Policy

CPSR Letter on Crypto Policy

The following is the text of a letter Computer Professionals for Social
Responsibility (CPSR) recently sent to Rep. Jack Brooks, chairman of
the House Judiciary Committee.  The letter raises several issues concerning
computer security and cryptography policy.  For additional information on
CPSR's activities in this area, contact banisar@washofc.cpsr.org.   For
information concerning CPSR generally (including membership information),
contact cpsr@csli.stanford.edu.

====================================================

August 11, 1992

Representative Jack Brooks
Chairman
House Judiciary Committee
2138 Rayburn House Office Bldg.
Washington, DC 20515-6216

Dear Mr. Chairman:

     Earlier this year, you held hearings before the Subcommittee on
Economic and Commercial Law on the threat of foreign economic espionage to
U.S. corporations.  Among the issues raised during the hearings were the
future of computer security authority and the efforts of government agencies
to restrict the use of new technologies, such as cryptography.

     As a national organization of computer professionals interested in the
policies surrounding civil liberties and privacy, including computer
security and cryptography, CPSR supports your efforts to encourage public
dialogue of these matters.  Particularly as the United States becomes more
dependent on advanced network technologies, such as cellular communications,
the long-term impact of proposed restrictions on privacy-enhancing
techniques should be carefully explored in a public forum.

     When we had the opportunity to testify before the Subcommittee on
Legislation and National Security in May 1989 on the enforcement of the
Computer Security Act of 1987, we raised a number of these issues.  We write
to you now to provide new information about the role of the National
Security Agency in the development of the Digital Signature Standard and the
recent National Security Directive on computer security authority.  The
information that we have gathered suggests that further hearings are
necessary to assess the activities of the National Security Agency since
passage of the Computer Security Act of 1987.

The National Security Agency
and the Digital Signature Standard

     Through the Freedom of Information Act, CPSR has recently learned that
the NSA was the driving force behind the selection and development of the
Digital Signature Standard (DSS).  We believe that the NSA's actions
contravene the Computer Security Act of 1987.  We have also determined that
the National Institute of Standards and Technology (NIST) attempted to
shield the NSA's role in the development of the DSS from public scrutiny.

     The Digital Signature Standard will be used for the authentication of
computer messages that travel across the public computer network.  Its
development was closely watched in the computer science community.
Questions about the factors leading to the selection of the standard were
raised by a Federal Register notice, 56 Fed. Reg. 42, (Aug 30, 1991), in
which NIST indicated that it had considered the impact of the proposed
standard on "national security and law enforcement," though there was no
apparent reason why these factors might be considered in the development of
a technical standard for communications security.

     In August 1991, CPSR filed a FOIA request with the National Institute
of Standards and Technology seeking all documentation relating to the
development of the DSS.  NIST denied our request in its entirety.  The
agency did not indicate that they had responsive documents from the National
Security Agency in their files, as they were required to do under their own
regulations.  15 C.F.R. Sec. 4.6(a)(4) (1992).  In October 1991, we filed a
similar request for documents concerning the development of the DSS with the
Department of Defense.  The Department replied that they were forwarding the
request to the NSA, from whom we never received even an acknowledgement of
our request.

     In April 1992, CPSR filed suit against NIST to force disclosure of the
documents.  CPSR v. NIST, et al., Civil Action No. 92-0972-RCL (D.D.C.).  As
a result of that lawsuit, NIST released 140 out of a total of 142 pages.
Among those documents is a memo from Roy Saltman to Lynn McNulty which
suggests that there were better algorithms available than the one NIST
eventually recommended for adoption. If that is so, why did NIST recommend a
standard that its own expert believed was inferior?

     Further, NIST was required under Section 2 of the Computer Security Act
to develop standards and guidelines to "assure the cost-effective security
and privacy of sensitive information in federal systems."  However, the
algorithm selected by NIST as the DSS was purposely designed to minimize
privacy protection: its use is limited to message authentication.  Other
algorithms that were considered by NIST included both the ability to
authenticate messages and the capability to incorporate privacy-enhancing
features.  Was NSA's interest in communication surveillance one of the
factors that lead to the NIST decision to select an algorithm that was
useful for authentication, but not for communications privacy?

     Most significantly, NIST also disclosed that 1,138 pages on the DSS
that were created by the NSA were in their files and were being sent back to
the NSA for processing.  Note that only 142 pages of material were
identified as originating with NIST.  In addition, it appears that the patent
for the DSS is filed in the name of an NSA contractor.

     The events surrounding the development of the Digital Signature
Standard warrant further Congressional investigation.  When Congress passed
the Computer Security Act, it sought to return authority for technical
standard-setting to the civilian sector.  It explicitly rejected the
proposition that NSA should have authority for developing technical
guidelines:

     Since work on technical standards represents virtually
     all of the research effort being done today, NSA would
     take over virtually the entire computer standards job
     from the [National Institute of Standards and
     Technology].  By putting the NSA in charge of developing
     technical security guidelines (software, hardware,
     communications), [NIST] would be left with the
     responsibility for only administrative and physical
     security measures -- which have generally been done
     years ago.  [NIST], in effect, would on the surface be
     given the responsibility for the computer standards
     program with little to say about the most important part
     of the program -- the technical guidelines developed by
     NSA.

Government Operation Committee Report at 25-26, reprinted in 1988 U.S.
Code Cong. and Admin. News at 3177-78.  See also Science Committee
Report at 27, reprinted in 1988 U.S.C.A.N. 3142.

     Despite the clear mandate of the Computer Security Act, NSA does,
indeed, appear to have assumed the lead role in the development of the DSS.
In a letter to MacWeek magazine last fall, NSA's Chief of Information Policy
acknowledged that the Agency "evaluated and provided candidate algorithms
including the one ultimately selected by NIST."  Letter from Michael S. Conn
to Mitch Ratcliffe, Oct. 31, 1991.  By its own admission, NSA not only urged
the adoption of the DSS -- it actually "provided" the standard to NIST.

     The development of the DSS is the first real test of the effectiveness
of the Computer Security Act.  If, as appears to be the case, NSA was able
to develop the standard without regard to recommendations of NIST, then the
intent of the Act has clearly been undermined.

     Congress' intent that the standard-setting process be open to public
scrutiny has also been frustrated.  Given the role of NSA in developing the
DSS, and NIST's refusal to open the process to meaningful public scrutiny,
the public's ability to monitor the effectiveness of the Computer Security
Act has been called into question.

     On a related point, we should note that the National Security Agency
also exercised its influence in the development of an important standard for
the digital cellular standards committee.  NSA's influence was clear in two
areas.  First, the NSA ensured that the privacy features of the proposed
standard would be kept secret.  This effectively prevents public review of
the standard and is contrary to principles of scientific research.

     The NSA was also responsible for promoting the development of a standard
that is less robust than other standards that might have been selected.
This is particularly problematic as our country becomes increasingly
dependent on cellular telephone services for routine business and personal
communication.

     Considering the recent experience with the DSS and the digital cellular
standard, we can anticipate that future NSA involvement in the technical
standards field will produce two results: (1) diminished privacy protection
for users of new communications technologies, and (2) restrictions on public
access to information about the selection of technical standards.  The first
result will have severe consequences for the security of our advanced
communications infrastructure.  The second result will restrict our ability
to recognize this problem.

     However, these problems were anticipated when Congress first considered
the possible impact of President Reagan's National Security Decision
Directive on computer security authority, and chose to develop legislation
to promote privacy and security and to reverse efforts to limit public
accountability.

National Security Directive 42

      Congressional enactment of the Computer Security Act was a response to
President Reagan's issuance of National Security Decision Directive ("NSDD")
145 in September 1984.  It was intended to reverse an executive policy that
enlarged classification authority and permitted the intelligence community
broad say over the development of technical security standards for
unclassified government and non-government computer systems and networks.
As noted in the committee report, the original NSDD 145 gave the
intelligence community new authority to set technical standards in the
private sector:

     [u]nder this directive, the Department of Defense (DOD)
     was given broad new powers to issue policies and
     standards for the safeguarding of not only classified
     information, but also other information in the civilian
     agencies and private sector which DOD believed should be
     protected.  The National Security Agency (NSA), whose
     primary mission is one of monitoring foreign
     communications, was given the responsibility of
     managing this program on a day-to-day basis.

H. Rep. No. 153 (Part 2), 100th Cong., 1st Sess. 6 (1987).  The legislation
was specifically intended to override the Presidential directive and to
"greatly restrict these types of activities by the military intelligence
agencies ... while at the same time providing a statutory mandate for a
strong security program headed up by [NIST], a civilian agency."  Id. at 7.

     President Bush issued National Security Directive ("NSD") 42 on July 5,
1990.  On July 10, 1990, Assistant Secretary of Defense Duane P. Andrews
testified before the House Subcommittee on Transportation, Aviation, and
Materials on the contents of the revised NSD.  The Assistant Secretary
stated that the "the new policy is fully compliant with the Computer
Security Act of 1987 (and the Warner Amendment) and clearly delineates the
responsibilities within the Federal Government for national security
systems."

     On August 27, 1990, CPSR wrote to the Directorate for Freedom of
Information of the Department of Defense and requested a copy of the revised
NSD, which had been described by an administration official at the July
hearing but had not actually been disclosed to the public.  CPSR
subsequently sent a request to the National Security Council seeking the
same document.  When both agencies failed to reply in a timely fashion, CPSR
filed suit seeking disclosure of the Directive. CPSR v. NSC, et al., Civil
Action No. 91-0013-TPJ (D.D.C.).

     The Directive, which purports to rescind NSDD 145, was recently
disclosed as a result of this litigation CPSR initiated against the National
Security Council.

     The text of the Directive raises several questions concerning the
Administration's compliance with the Computer Security Act:

     1. The new NSD 42 grants NSA broad authority over "national security
systems."  This phrase is not defined in the Computer Security Act and
raises questions given the expansive interpretation of "national security"
historically employed by the military and intelligence agencies and the
broad scope that such a term might have when applied to computer systems
within the federal government.

     If national security now includes international economic activity, as
several witnesses at your hearings suggested, does NSD 42 now grant NSA
computer security authority in the economic realm?  Such a result would
clearly contravene congressional intent and eviscerate the distinction
between civilian and "national security" computer systems.

     More critically, the term "national security systems" is used
throughout the document to provide the Director of the National Security
Agency with broad new authority to set technical standards.  Section 7 of
NSD 42 states that the Director of the NSA, as "National Manager for
National Security Telecommunications and Information Systems Security," shall

     * * *

     c. Conduct, *approve*, or endorse research and
     development of techniques and equipment to secure
     national security systems.

     d. Review and *approve* all standards, techniques,
     systems, and equipment, related to the security of
     national security systems.

     * * *

     h. Operate a central technical center to evaluate and
     *certify* the security of national security
     telecommunications and information systems.

(Emphasis added)

     Given the recent concern about the role of the National Security Agency
in the development of the Digital Signature Standard, it is our belief that
any standard-setting authority created by NSD 42 should require the most
careful public review.

     2. NSD 42 appears to grant the NSA new authority for  information
security.  This is a new area for the agency; NSA's role has historically
been limited to communications security.  Section 4 of the directive
provides as follows:

     The National Security Council/Policy Coordinating
     Committee (PCC) for National Security Telecommuni-
     cations, chaired by the Department of Defense, under the
     authority of National Security Directives 1 and 10,
     assumed the responsibility for the National Security
     Telecommunications NSDD 97 Steering Group.  By
     authority of this directive, the PCC for National Security
     Telecommunications is renamed the PCC for National
     Security Telecommunications and Information Systems,
     and shall expand its authority to include the
     responsibilities to protect the government's national
     security telecommunications and information systems.

(Emphasis added).

     Thus, by its own terms, NSD 42 "expands" DOD's authority to include
"information systems."  What is the significance of this new authority?
Will it result in military control of systems previously deemed to be
civilian?

     3. NSD 42 appears to consolidate NSTISSC (The National Security
Telecommunications and Information Systems Security Committee) authority for
both computer security policy and computer security budget determinations.

     According to section 7 of the revised directive, the National Manager
for NSTISSC shall:

     j. Review and assess annually the national security
     telecommunications systems security programs and
     budgets of Executive department and agencies of the U.S.
     Government, and recommend alternatives, where
     appropriate, for the Executive Agent.

     NTISSC has never been given budget review authority for federal
agencies.  This is a power, in the executive branch, that properly resides
in the Office of Management and Budget.  There is an additional concern that
Congress's ability to monitor the activities of federal agencies may be
significantly curtailed if this NTISSC, an entity created by presidential
directive, is permitted to review agency budgets in the name of national
security.

     4. NSD 42 appears to weaken the oversight mechanism established by the
Computer Security Act.  Under the Act, a Computer Systems Security and
Privacy Advisory Board was established to identify emerging issues, to
inform the Secretary of Commerce, and to report findings to the
Congressional Oversight Committees.  Sec. 3, 15 U.S.C. Sec. 278g-4(b).

     However, according to NSD 42, NSTISSC is established "to consider
technical matters and develop operating policies, procedures, guidelines,
instructions, and standards as necessary to implement provisions of this
Directive."  What is the impact of NSTISSC authority under NSD 42 on the
review authority of the Computer Systems Security and Privacy Advisory Board
created by the Computer Security Act?

Conclusion

     Five years after passage of the Computer Security Act, questions remain
about the extent of military involvement in civilian and private sector
computer security.  The acknowledged role of the National Security Agency in
the development of the proposed Digital Signature Standard appears to
violate the congressional intent that NIST, and not NSA, be responsible for
developing security standards for civilian agencies.  The DSS experience
suggests that one of the costs of permitting technical standard setting by
the Department of Defense is a reduction in communications privacy for the
public.  The recently released NSD 42 appears to expands DOD's security
authority in direct contravention of the intent of the Computer Security
Act, again raising questions as to the role of the military in the nation's
communications network.

     There are also questions that should be pursued regarding the National
Security Agency's compliance with the Freedom of Information Act.  Given the
NSA's increasing presence in the civilian computing world, it is simply
unacceptable that it should continue to hide its activities behind a veil of
secrecy.  As an agency of the federal government, the NSA remains
accountable to the public for its activities.

     We commend you for opening a public discussion of these important
issues and look forward to additional hearings that might address the
questions we have raised.


                                                     Sincerely,


                                                     Marc Rotenberg,
			  			     Director
                                                     CPSR Washington Office

------------------------------

Date:    Thu, 20 Aug 92 18:24:47 EDT
From:    "Lance J. Hoffman" <hoffman@seas.gwu.edu>
Subject: Undergraduate course on computers, freedom, and privacy
 
For those in the Washington DC area, I am offering an
interdisciplinary undergraduate credit course in the fall on
computers, freedom, and privacy.  It is described below.  If you
are a non-degree student (i.e., not currently enrolled at the
university) and wish to enrolling, call (202) 994-5000 after August
28 and select the "Quick Admit" option of the voicemail and you
will be connected, they tell me, to a human.
  
 
                     THE GEORGE WASHINGTON UNIVERSITY
                 School of Engineering and Applied Science
         Department of Electrical Engineering and Computer Science
 
              CS701 - FREEDOM AND PRIVACY IN THE COMPUTER AGE
Tuesdays 3:30-6:00 p.m., Phillips Hall T414B
                          Prof. Lance J. Hoffman
                                 Fall 1992
 
This interdisciplinary course is being offered to all university students
(and walk-ins).  It does not carry graduate credit, and you need not be a
matriculated student to take it.  No prior computer experience is required
and it will not teach anyone much about "how to" use or build computers.  It
is a social impact course with lots of videotapes, guest lecturers, class
discussion, etc.  A term project and final exam are both required.
 
COURSE DESCRIPTION:
 
Computers are changing our daily lives and raising new issues of privacy,
freedom of speech, search and seizure, access to personal and governmental
information, professional responsibilities, ethics, criminality, and law
enforcement.  This course examines these using written and videotape
proceedings of recent major conferences which spanned many disciplines.
 
TEXT:
 
  Proceedings of the First Conference on Computers, Freedom, and Privacy,
  IEEE Press, 1991
 
  Proceedings of the Second Conference on Computers, Freedom, and Privacy,
  ACM Press, 1992 may or may not be available in time.  If the printed book
  is not available, you will download the file from the network and print it
  out to read (we will teach you how to do this).
 
  "CS 701 Readings", available from the GWU Bookstore
 
Videotapes assigned to view before class are available on reserve in the
Gelman Library.
 

                           *TENTATIVE*
                            LECTURES
 
Meeting   Date
Number
1    9/1   Overview.  Administrative matters.
2    9/8   Getting on the Internet from GWU. Using anonymous FTP. 
           Downloading and uploading.  Network services.  Using IBM
           PCs to do the upcoming crypto exercises.  A layman's
           introduction to cryptography
3    9/15  Network promises and behavoir
4    9/22  Free Speech and the Public Phone Net
5    9/29  Digital telephony.  Cryptography for Everyone
6    10/6  Who Holds the Keys?
7    10/13 Who's in your genes? 
8    10/20 A Data Protection Board?/Third Party Use
9    10/27 Privacy and Intellectual Freedom in
           the Digital Library          
10   11/3  Electronic Voting: The Promises and the Fears
11   11/10 Caller ID and Other Telco Issues
12   11/17 Computers in the Workplace
13   11/24 International Implications
14   12/1  Project Presentations   
15   12/8  Project Presentations

-- 
Professor Lance J. Hoffman
Department of Electrical Engineering and Computer Science
The George Washington University
Washington, D. C. 20052

(202) 994-4955
fax: (202) 994-0227
hoffman@seas.gwu.edu

------------------------------

Date:    Tue, 18 Aug 1992 15:22:45 PDT
From:    Nikki Draper <draper@Csli.Stanford.EDU>
Subject: CPSR 1992 Annual Meeting

************************************************************************

           COMPUTER PROFESSIONALS FOR SOCIAL RESPONSIBILITY

                           1992 ANNUAL MEETING
                          OCTOBER 17TH AND 18TH

                           STANFORD UNIVERSITY
                          PALO ALTO, CALIFORNIA

************************************************************************

In the heat of a presidential campaign, CPSR asks computer
professionals to take a critical look at how politics affects
technology  and how technology affects the political process.
Computer scientists  from across the country will rigorously
examine this years techno - speak to find the substance amid
the line noise.

Our annual  meeting is open to everyone who has an interest in
computers, communication, and our role as citizens in a  high-tech
society.

Computer Professionals for Social Responsibility is a national alliance
of professionals dedicated to promoting the responsible use of
computer technology, ensuring that information technology plays a
positive role in society.

***********************************************************************

SATURDAY, OCTOBER 17TH

8 a.m. - 9 a.m.     Registration and Continental Breakfast

9:00 - 9:15         Welcome

9:15 - 10:45        Teledemocracy & Citizen Participation:
                    Beyond the Electronic Town Meeting

Electronic media allow politicians and the general public to
communicate in new ways.  An election year look at the dangers
and the opportunities of electronic democracy.

10:45 - 11:00       Break

11:00-12:30         The Politics of Cryptography

Cryptography is a means of ensuring the privacy and integrity of
electronically transmitted information.  The military/intelligence
establishment has traditionally restricted the development and
dissemination of this technology.  With the end of the Cold War and
the rapid expansion of the electronic network, government policy in
cryptography has come to the forefront.  This panel examines the
current issues.  Moderated by David Sobel, Legal Counsel for CPSR.

12:30 - 2:00        Lunch break

2:00 - 3:30         Everything's Digital!
                    Media Convergence: Hope, Hell, or Hype?

Big industry players are promoting multimedia convergence as the
next technological frontier.  There's smoke, but is there fire?  As all
forms of information congeal into a digital soup, convergence raises
issues of ownership, authorship, integrity and access.  Is convergence
television to the 10th power, a consumer nightmare, or a true vision
of a new creativity?  Moderated by Amy Pearl of Sun Microsystems.

3:30-3:45            Break

3:45-5:00            Envisioning Technology Policy
                     in a Democratic Society

How do we translate our vision of technology's promise into
democratic reality?  A panel of activists looks at the development
of American technology policy and asks the crucial question:  Is it
the vision thing or deep doodoo? CPSR Board member, Jim Davis
moderates.

5:00-7:30            Break

7:30-8:30            No Host Bar at Ming's Villa

8:30-10:30           Banquet at Ming's Villa

Dave Liddle of Interval Research speaks on Computing in the
21st Century.  Announcement and presentation of the Norbert
Wiener Award for Social and Professional Responsibility in
Computing.

SUNDAY, OCTOBER 18TH

8 a.m. - 9 a.m.     Continental Breakfast

9:00 - 9:15         Welcome

9:15- 10:30         CPSR:  How We Have Impact and Why We Win

For over a decade, CPSR has had an important impact on national,
international, state and local technology policy.  To continue our
success, CPSR activists share case studies of our of public policy
successes.  By understanding why we win, we can maximize our
impact in the future.

10:30-10:45        Break

10:45-12:15        Organizing for the Future

A plenary discussion of CPSR's program areas - defining the issues,
building consensus, and setting the agenda.

12:15-2 p.m.         Lunch

2:00-3:00            CPSR Working Groups

Break out groups, based on the morning's plenary, allow participants
to chart CPSR's plans on key program issues:  civil liberties, privacy,
21st Century, reliability and risk, workplace issues, and more.

5 minute break

3:00 - 4:00         Leadership Development Workshops

Break out sessions on leadership development, organizing on the
net, chapter development, and more.

4:00-4:15           Break

4:15-5:30           Reports, evaluation, and President's message.

 ***********************************************************************

Name _____________________________________________________

Address ___________________________________________________

City__________________________State ________Zip Code_________

Telephone__________________________________________________

Important:  Registration is on a first come, first serve basis.  We
expect these events will sell out, so it is important that you return
the registration form as soon as possible to guarantee places at the
meeting and banquet.

EARLY REGISTRATION (received by 10/9/92)

CPSR Member
Meeting and banquet      $85
Meeting only             $45
Banquet only             $40

Nonmember
Meeting and banquet      $95
Meeting only             $50
Banquet only             $45

By adding $40 for a one-year CPSR membership, you can become
eligible for member prices. CPSR also offers a sliding scale fee for
registration to the meeting.  If you are interested, call the National
Office at 415-322-3778, for details or send us email at
cpsr@csli.stanford.edu

LATE REGISTRATION (received after 10/9/92)

CPSR Member
Meeting and banquet     $95
Meeting only            $50
Banquet only            $45

Nonmember
Meeting and banquet     $105
Meeting only            $55
Banquet only            $50


I want a vegetarian dinner at the Banquet.  _____YES ______NO

BRING SOMEONE WHO IS NOT A CPSR MEMBER TO THE ANNUAL MEETING, AND GET $5.00 OFF
 YOUR REGISTRATION FEE!!

I can't attend the Annual Meeting, but I want to support the work of
CPSR.  I've enclosed a tax deductible contribution to help create a
successful organization.  Total enclosed $___________

Please send me _____ brochures to hand out to my friends and
colleagues.  Make check payable to CPSR. Mail to:
CPSR
P.O. Box 717,
Palo Alto, CA 94301

For more information on CPSR call 415-322-3778 or send email to
cpsr@csli.stanford.edu

------------------------------

End of PRIVACY Forum Digest 01.13
************************



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH