TUCoPS :: Privacy :: priv_126.txt

Privacy Digest 1.26 11/20/92

PRIVACY Forum Digest     Friday, 20 November 1992     Volume 01 : Issue 26

         Moderated by Lauren Weinstein (lauren@cv.vortex.com)
                Vortex Technology, Topanga, CA, U.S.A.
	
                     ===== PRIVACY FORUM =====

   	  The PRIVACY Forum digest is supported in part by the 
	      ACM Committee on Computers and Public Policy.


CONTENTS
	Re: Wire Taps, Key Management, and Privacy (Dorothy Denning)
	SURVEY RESULTS: Is Big Brother Watching You? (Lorrayne Schaefer)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The PRIVACY Forum is a moderated digest for the discussion and analysis of
issues relating to the general topic of privacy (both personal and
collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@cv.vortex.com" and must have
RELEVANT "Subject:" lines.  Submissions without appropriate and relevant
"Subject:" lines may be ignored.  Subscriptions are by an automatic
"listserv" system; for subscription information, please send a message
consisting of the word "help" (quotes not included) in the BODY of a message
to: "privacy-request@cv.vortex.com".  Mailing list problems should be
reported to "list-maint@cv.vortex.com".  All submissions included in this
digest represent the views of the individual authors and all submissions
will be considered to be distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "cv.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.

For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX
to (310) 455-2364.
-----------------------------------------------------------------------------

VOLUME 01, ISSUE 26

   Quote for the day:

	Psychiatrist: "Tell me Harold, what do you do for fun?
	   	       What activity gives you a different sense of 
		       enjoyment from the others?
		       What do you find fulfilling?
		       What gives you that special satisfaction?"

	Harold:	       "I go to funerals."
		
					-- G. Wood and Bud Cort
					   "Harold and Maude" (1972)
		   
----------------------------------------------------------------------

Date:    Thu, 19 Nov 92 17:57:01 EST
From:    denning@cs.georgetown.edu (Dorothy Denning )
Subject: Re: Wire Taps, Key Management, and Privacy

In PRIVACY Forum Digest V01 #25, Brinton Cooper writes:

  In RISKS DIGEST 13.87, Dorothy Denning .. spoke of the high costs of lawful
  surveillance and asserted, "Much of this is related to organized crime,"
  perhaps a scare tactic?

Actually the majority of taps goes to narcotics investigations. After
that comes racketeering and gambling.  According to the FBI, the
hierarchy of Organized Crime has been neutralized or destabilized
through the use of electronic surveillance, and thirty odd years of
successes would be reversed if the ability to conduct court-authorized
electronic surveillance was lost.  I believe this represents an honest
assessment of what they see would happen. 

   Her solution involves nongovernmental "key centers" which,
   presumably, would not give out keys to anyone without a properly
   executed court order.

By way of context, I'm looking for a way to balance our national
interests for privacy and security with those for effective law
enforcement.  This is one idea I proposed.  I am not pushing it as "the
solution".  In any case, the idea was for users to register their keys
with a trustee (key center).  Or, using a technique invented by Silvio
Micali, you could split your key into parts and register each part with
a different trustee.  Law enforcement would have to take a court order
to each trustee in order to get the pieces and reconstruct the key.

   She cites that the "...phone companies are so fussy about court
   orders that they send them back if the semicolons aren't right...,"
   apparently believing that the rights of the citizens are thereby
   protected.  For the following reasons, this is a politically naive
   position.

   1. It provides that our right to protection from illegal governmental
   search and seizure and/or illegal eavesdropping rests on the good will
   and integrity of a phone company!

Your statement does not follow from what I said.  I said the phone
companies are fussy.  I know of no cases where the phone companies
assisted with unauthorized taps.  If you do, please cite.  They could
go out of business if they didn't respect the rights of their
customers.  Even so, your right to protection does not rest entirely on
the phone company.  Title 18 makes tapping without a court order
illegal.

Crypto will make it much more difficult for anyone to tap illegally. If
the keys are registered with a trustee other than the phone company, someone
would have to subvert both the trustee and the phone company (to get the
bits).

   3. Court orders, search warrants, and the like protect citizens only
   when the information or evidence gathered is to be used in court against
   a suspect.  If information is being gathered for political purposes,
   blackmail, or other subversion of law (Watergate, Iran-Contra, the
   Italian bank scandal, etc), the purloined information will never see a
   public forum but can still do great harm to innocent persons.  Thus, the
   constraints of court orders are obviated.

I expect that most of this information is not being obtained by wiretapping.
It is popular to suggest it is and difficult to refute.  If someone
in law enforcement is found to be tapping without a court order, they
could be convicted of violating Title 18.  

But in any case, it will be very difficult for LE to intercept without a
court order with the new digital technologies and crypto.

  The FBI needs to fund its own R&D from its own budget, just as the
  rest of the government at all levels must do.  There is talent that can
  "red team" modern telecommunications and find trapdoors when necessary.

Are you suggesting that it would be better for the FBI to break the
cryptosystems than go through a trustee with a court order?

Dorothy Denning 

------------------------------

Date:    Fri, 13 Nov 92 09:16:56 EST
From:    lorrayne@smiley.mitre.org
Subject: SURVEY RESULTS:  Is Big Brother Watching You?

   [ These results refer to a survey originally seen here in the 
     PRIVACY Forum on Monday, 6 July 1992 (Volume 01 : Issue 07).
     The survey size was reported as 100 people.  The original
     survey introduction is included below. -- MODERATOR ]

---

The purpose of this survey is to collect data for a presentation that I
will give at this year's National Computer Security Conference in October.
I would like to thank you for taking the time to fill out this survey.  If
you have any questions, you can call me at 703-883-5301 or send me email at
lorrayne@smiley.mitre.org.  Please send your completed survey to:

Lorrayne Schaefer
The MITRE Corporation
M/S Z213
7525 Colshire Drive
McLean, VA 22102

1.	What is your title?

Engineer		31%		Manager			14%
Computer Scientist	25%		Systems Administrator	10%
Administrator		4%		Student			10%
Not Provided		2%		Professor		3%
Author			1%


2.	What type of work does your organization do?

Education		24%		Software Development	19%
Hardware Development	15%		Research		11%
Not Provided		6%		Other			8%
Government		6%		System Administration	2%
Telephone		5%		System Development	2%
Network Development	2%

3.	Does your organization currently monitor computer activity?  (Yes/No)

Yes			67%
No			32%
Unknown			1%

If yes, what type of monitoring does your company do (e.g., electronic
mail, bulletin boards, telephone, system activity, network activity)?

All			16%		System Activity			17%
Bulletin Boards		4%		Network Activity & Other	12%
Other			3%		Telephone Usage			7%
E-mail			2%		System & Network Activity	5%
Unknown			1%		N/A				1%

4.	If you are considering (or are currently) using a monitoring tool,
	what exactly would you monitor?  How would you protect this 
	information?

System Usage		17%		N/A				43%
Accounting		5%		Nothing				11%
Everything		4%		Network Traffic			10%
Don't Know		3%		Other				2%
Bulletin Board		1%		Security			3%
E-mail			1%

5.	Are you for or against monitoring?  Why/why not?  Think in terms of
	whether it is ethical or unethical ("ethical" meaning that it is
	right and "unethical" meaning it is wrong) for an employer to
	monitor an employee's computer usage.  In your response, consider
	that the employee is allowed by the company to use the computer and
	the company currently monitors computer activity.

Against			52%
For			47%
N/A			1%

6.	If your company monitors employees, is it clearly defined in your
	company policy?

N/A			35%
No			34%
Yes			31%

7.	In your opinion, does the employee have rights in terms of being
	monitored?

Yes			90%
No			8%
Don't Know		2%

8.	In your opinion, does the company have rights to protect its as
	sets by using a form of monitoring tool?

Yes			91%
No			6%
Don't Know		3%

9.	If you are being monitored, do you take offense?  Managers: How do
	you handle situations in which the employee takes offense at being
	monitored?

No			42%
Yes			36%
N/A			22%

10. 	What measures does your company use to prevent misuse of monitoring in
        the workplace?

None			36%		Don't Know		17%
N/A			22%		Policy			6%
Control of Information	4%		Security		6%
Honor System		4%		Warnings		3%
Other			2%

11.	If an employee is caught abusing the monitoring tool, what would
	happen to that individual?  If your company is not using any form of
	monitoring, what do you think should happen to an individual who
	abused the tool?

Reprimand		64%		Don't Know		17%
N/A			10%		Termination		5%
Nothing			4%

12.	Is it unethical to monitor electronic mail to determine if the
	employee is not abusing this company resource (e.g., suppose the
	employee sends personal notes via a network to others that are not
	work related)?  Why or why not?

No			49%
Yes			49%
N/A			2%

------------------------------

End of PRIVACY Forum Digest 01.26
************************

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH