TUCoPS :: Privacy :: priv_203.txt

Privacy Digest 2.03 1/15/93

PRIVACY Forum Digest     Friday, 15 January 1993     Volume 02 : Issue 03

         Moderated by Lauren Weinstein (lauren@cv.vortex.com)
                Vortex Technology, Topanga, CA, U.S.A.
                     ===== PRIVACY FORUM =====

   	  The PRIVACY Forum digest is supported in part by the 
	      ACM Committee on Computers and Public Policy.

	PRIVACY Briefs (Lauren Weinstein; PRIVACY Forum Moderator)
	Expectation of Dependability (A. Padgett Peterson)
	Public water bills (Walter Smith)
	Utility bills going to law enforcement (Jim Harkins)	
	Traceable Cash, Breakable Codes (chaz_heritage.wgc1@rx.xerox.com)
	Re: Perot campaign raiding credit data? (Larry Seiler)
	Op-ed piece on telephone Calling Number ID (Michael L. Scott)
	Released GSA Docs Slam FBI Wiretap Proposal (Dave Banisar)

 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

The PRIVACY Forum is a moderated digest for the discussion and analysis of
issues relating to the general topic of privacy (both personal and
collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@cv.vortex.com" and must have
RELEVANT "Subject:" lines.  Submissions without appropriate and relevant
"Subject:" lines may be ignored.  Subscriptions are by an automatic
"listserv" system; for subscription information, please send a message
consisting of the word "help" (quotes not included) in the BODY of a message
to: "privacy-request@cv.vortex.com".  Mailing list problems should be
reported to "list-maint@cv.vortex.com".  All submissions included in this
digest represent the views of the individual authors and all submissions
will be considered to be distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "cv.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.

For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX
to (310) 455-2364.


   Quote for the day:

	"There even are places, where English, completely disappears!
	 Why, in America they haven't used it in years."

			-- Prof. Henry Higgins (Rex Harrison)
			   "My Fair Lady" (1964)


PRIVACY Briefs (from the Moderator)


A report commissioned by the British government has recommended sweeping new
controls on the British press.  A strict code of conduct was suggested, with
large fines for violators.  The report claims that self-regulation has been
a failure.  Some complaints appear to revolve around what are being called
"physical intrusions"--entering property without permission to take pictures
or make recordings, for example.  New laws regarding interception of
telecommunications and related privacy concerns are also recommended.  Much
of the current controversy appears to revolve around London tabloids which
have published transcripts of "sexy" recordings (from portable phone
transmissions) involving members of the British royal family.


An East London store specializing in "spy" equipment has reported booming
sales.  They say that 95% of their sales go to businesses who wish to
eavesdrop on their employees or on other businesses.


Date:    Sat, 9 Jan 93 09:52:36 -0500
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Expectation of Dependability

Mark Rotenberg presents as part of the guidelines (emphasis mine):

> From:    Marc Rotenberg <Marc_Rotenberg@washofc.cpsr.org>
> Subject: OECD Security Guidelines
>      "While growing use of information systems has generated
>many benefits, it has also shown up a widening gap between
>the need to protect systems and the degree of protection
>currently in place.  Society has become very dependent on
>technologies that are not yet sufficiently dependable.  All
>individuals and organizations have a need for proper
>information system operations (e.g. in hospitals, air traffic
>control and nuclear power plants).

This is nothing new, society has *always* been vulnerable to
insuficiently dependable technology. What has changed is the
ability of a single failure to affect ever larger numbers of 
people *who did not know of their dependancy*.

With the rise of the industrial revolution came the capability
for unnatural disaster (though the fall of the Tower of Babel might
be a much earlier precident). During the ninteenth century, reports
were rife with train and steamship disasters, but it wasn't until
the twenteth century that the capability for cataclysm reached
its current bounds beginning fittingly enough with the "unsinkable"

Interestingly enough the tanker spill in the Shetlands recently brought
out the fact that that ship, like the Titanic, did not have a full
double hull, a point brought out in the Titanic inquiry and subsequently
retrofitted to both sister ships, the Olympic and the Britannic nearly
eighty years ago. (However there does not appear to be a worldwide
standard and double hulls are expensive...)

Similarly, few of the passengers on the Hindenberg realized that a
refusal by the United States to sell helium to Germany (considered a
war material) left them vulnerable.

Point is that an excess trust in "magic" is not a new charactoristic
of the human race, it is inherant. Further, until an exception occurs,
often there is no way to predict it, there are just too many possibilities.

The Atomic age brought conciousness of this forth for the first time, I
recall a movie "The Magnetic Monster" as just one of a collection of
"one mistake and the world will end" thoughts of the fifties.

Is there an answer - probably not - but one cause is the secretiveness
of many designs that prevent them from being analyzed by those who might
be able to spot a vulnerability, but this brings up a privacy concern:
Should designs that will be used or could affect the public be public
information ? Sticky wot ?


Date:    Sat, 9 Jan 1993 19:12:16 -0800
From:    wrs@newton.apple.com (Walter Smith)
Subject: Public water bills

Another data point for the privacy of utility bills:  There was much
consternation a year ago here in Palo Alto, California when the local
weekly newspaper coerced the water company to reveal the names, addresses,
and usage of the top 100 residential water users in the previous year.  The
paper published this information in a large feature article.

(NOTE: I don't have the issue in front of me, so the following is just my
recollection.)  The legal situation was a conflict between California laws
regarding personal privacy and public records.  The "top 100 users" idea
was a compromise between the privacy of the customers and the public "right
to know", due to the drought, who was using the most water.  The city
council has since stopped this practice, which is not surprising since many
of the "outed" water users were wealthy Silicon Valley entrepeneurs who own
huge water-guzzling estates...

- W

Walter Smith                "Mid-1993,                      408-974-5892
Newton Group             well under $1000"       Internet: wrs@apple.com
Apple Computer, Inc.                             AppleLink: walter.smith


Date:    Mon, 11 Jan 93 09:48:58 PST
From:    pacdata!jimh@UCSD.EDU (Jim Harkins)
Subject: Utility bills going to law enforcement

Concerning the practice of some utility companies to report sudden changes in
utility bills to law enforcement I submit the following.  I recently bought a
new 486 PC that I leave on all the time.  With the base unit, monitor, printer,
etc it must suck up a lot of power, probably about 3-5 grow lights worth.  
Right after buying the computer my toilet developed a slight leak that I haven'
fixed yet (been playing with the computer).  It's not much of a leak, but as 
it's 24 hours a day it could probably supply 3-5 trays of plants.

A few months ago local DEA agents raided a man's house based on incorrect
information.  Evidently they never announced themselves, and the homeowner
reacted to several men beating down his door at midnight by getting a gun.  He
was shot several times (he survived).  No drugs were found, no charges were

So is the combination of my leaving my computer on all day, not fixing a leaky
toilet, and sleeping with a gun about to get me killed?



Date:    Mon, 11 Jan 1993 05:34:25 PST
From:    chaz_heritage.wgc1@rx.xerox.com
Subject: Traceable Cash, Breakable Codes

[PFD V02.02: Tue, 29 Dec 92: Jerry Leichter: On expectations of privacy]

>This is viewed with universal shock and horror as a new intrusion on our
obvious traditional right to complete anonymity in cash transactions.

But is there really any such traditional right?<

Of course not. Banks (as we British have discovered to our cost recently, e.g.
BCCI, NatWest) are there to serve not the interests of their customers but
those of their major shareholders; they are pillars of the Establishment, and
of course they will inform upon any of their less well-to-do customers,
whatever contracts of confidentiality there might be between them, if they
think that they might thereby do a favour for those upon whom they might turn
for support later (RIch criminals, on the other hand, are called 'financiers'
here, and are vigorously defended by the courts against slurs on their
character; vide Maxwell v. 'Private Eye', several cases).

This is why only amateur terrorists, gun-runners and drug-smugglers, the small
fry, the weekend warriors, ever use cash. A cursory study of the history of
professional organised crime and unconventional warfare strongly suggests that
the international currencies of choice between their exponents are gold
bullion, heroin and armaments. In more modern times plutonium, and possibly
even oralloy, are said to have played the same role. Since possession of any of
these is illegal anyway (at least it is here), one need not expect those who
use these currencies to worry too much about the so-called fiduciary integrity
of their 'bankers' - since any disputes would probably be settled not by
lengthy litigation but by shortened shotguns - nor about their views on
privacy, since the penalties for informers among these groups are harsh and of
long traditional standing.

The authorities have also apparently gone astray in trying to gain absolute
control of cryptography, to prevent 'terrorists' and 'drug-smugglers' from
using secret codes to fool law enforcers. Of course only a crass amateur would
trust a telephone line or a commercial electronic encipherment system with
their secrets, no matter what their 'rights' were alleged to be; professional
covert communications at this level - such as they are - have, it seems, for
about a century been dominated by an archaic, slow, manual system known in the
US as 'Vernam' or in UK as 'Foreign Office One Time Pad', which apparently, if
correctly used, never provides sufficient key-consistent ciphertext for there
to be any realistic probability of a successful brute-force attack using
current supercomputers, and has therefore, it is said, never been broken.
Commercial users might need fast, high-capacity automatic crypto equipment
which is, of course, susceptible to both brute-force and other attacks, but
messages like 'Three hundred Armalites at $99.95 each' or 'Revolution starts
1200 Thursday; if wet, in church hall' perhaps do not.

If the authorities truly think that by tracing (or simply banning, as seems
more likely in the long term) cash, opening mail, tapping phones and suspending
the suspect's 'right to silence' they will stop the likes of the Medellin
cocaine traffickers or the Abu Nidal terrorist group then IMHO they are
probably mistaken and, if so, also wasting a lot of public money (mind you,
aren't those 'Miami Vice' speedboats *fun*? So much more stylish than an
ordinary pair of police-issue shoes...).

If, on the other hand, all this 'war on drugs', 'war on Bolshies', 'war on
jaywalkers', etc. stuff is just a cover for setting up, with the support of an
apparently unquestioningly docile majority of the public, general surveillance
and control measures that would have gladdened the hearts of Himmler or Beria,
then IMHO they're doing rather well...




Date:    Mon, 11 Jan 93 12:56:27 EST
From:    "Larry Seiler, x223-0588, MLO5-2  11-Jan-1993 1252" 
Subject: Re:  Perot campaign raiding credit data?

On the one hand, I'm glad to hear that the FBI and the news services are 
taking this seriously.  It's a terrible thing if people steal private data
such as credit records.

On the other hand, a cynical part of me says "why bother"?  Wouldn't Orix
have sold that same data to any customer who claimed a "business need" to
know it, with no checking and without asking permission?

It's as if a policeman comes across 10 soldiers and one civilian looting a
store, and arrests the civilian but leaves the soldiers to their work.
Well, of course, looters should be arrested and the police cannot do
anything about the soldiers.  But I cannot help thinking that the reporters
covering this story have missed the point:  Equifax' databases are *not*
secure, and even if they were, there are so many legal ways to get the data
that the only advantage I can see to stealing it is that there is less of a
paper trail to show who got the data.



Date:    Wed, 13 Jan 93 08:46:28 -0500
From:    scott@cs.rochester.edu
Subject: Op-ed piece on telephone Calling Number ID

I recently wrote the following article for the editorial page of the
Rochester, NY _Times_Union_.  It appeared (edited down a couple of
paragraphs) on Tuesday, January 12th, 1993, under the (newspaper chosen)
headline "Call Id Will Be Boon For Telemarketers".  I thought I'd share
it with the net.


    Unless you act immediately, your name, address, and telephone number are
about to be added to the marketing lists of a whole new set of telephone soli-
citors and direct-mail advertisers.  How?  Through the "Call ID" facility
recently introduced by Rochester Telephone.

    Call ID or, more accurately, Calling Number Identification (CNID), is a
mechanism that gives your telephone number to anyone you call.  CNID is being
promoted as a way to enhance personal privacy: if you pay for CNID service and
buy a special phone, you can see the number from which you are being called
before you decide to answer.  Unfortunately, CNID is much more useful to the
marketing industry than it is to individuals.  On the whole, it is likely to
_reduce_ your personal privacy, rather than enhance it.

    To its credit, Rochester Telephone has sought to educate customers,
through phone bill inserts and newspaper ads, about the technical details of
CNID.  Moreover, it is permitting customers to opt out of the system.

    By default, your telephone number will be given to anyone you call, unless
you punch a special code before you dial.  If you call the phone company and
request "all-call restrict," this behavior will be reversed: your number will
_not_ be given to anyone you call, _unless_ you punch a special code first.

    Many people would "like to know `who is it?'" before they pick up the
phone.  Advertising slogans notwithstanding, however, CNID doesn't tell you.
Suppose you buy into the service.  When your phone rings and displays the call-
ing number, how will you decide whether to answer?  Do you know the phone
numbers of all the people you might be willing to talk to?  If not, how will
you resist the urge to pick up the phone "just in case"?  Even if you memorize
the phone numbers of all your friends, how will you know if they call you from
a different phone, or if your spouse calls from a gas station when the car
breaks down, or if a stranger calls to tell you that your child has been
injured while out playing?

    Experience with CNID in other states suggests that the real beneficiaries
are commercial customers who want to compile -- and then sell -- a list of the
people who call them.  For $200, your favorite business can buy a "reverse
directory" that lists all the phone numbers in the Rochester area, in numeri-
cal order, with the names and addresses that go with them.  For $350, they can
buy this directory on a computer-readable laser disk.  A business that keeps
track of the numbers from which it is called can easily generate a list of the
people who made those calls, or at least of the people who own the numbers.
Call a movie theater for show times, and within a few days you may begin to
receive junk mail and phone calls inviting you to join a video-of-the-month
club.  Call a bank or broker to check on interest rates and you may begin to
receive cold calls from financial advisors.  Call any sort of specialty shop
(toy store, gun shop, pro shop -- even a fancy restaurant) and you're likely
to find yourself on yet another marketing list.

    These lists are very big business.  A multi-billion-dollar industry now
collects and organizes personal information on ordinary people.  The same com-
pany that sells reverse directories will, for a price, augment the listing
with estimates of family income (guaranteed 98% accurate to within $5,000),
number of children, number of cars, favorite hobbies, etc.  One of their
sources of information is a CNID-like service that was offered to businesses
with 1-800 and 1-900 numbers several years ago.  (Your number is given away
whenever you make an 800 or 900 call, and there's nothing you can do to
prevent it.)  The company representative to whom I spoke expects local CNID
to increase his business substantially, but he understands the cost: he has
switched to all-call restrict for his own phone.

    For those who want to eliminate nuisance phone calls, there are better
alternatives than CNID.  Many people have taken to leaving their answering
machines on all the time.  I have friends whose recording says "Please state
your name and the person for whom you are calling.  If no one picks up the
phone right away, you may leave a message."  Of course, they have to listen
whenever the phone rings, but they'd have to go look at the number display if
they had CNID.

    An option that saves you the trouble of even going to the phone when an
unwanted call arrives can be purchased for $70 from local telephone stores
(though not from the Rochester Telephone product center).  It's a "call
screening" box that plugs in between your phone and the wall, and that can be
programmed with a special 4-digit "security code."  Callers hear a recorded
message that asks them to type in the code.  If they get it wrong, your phone
doesn't even ring.  Friends who know the code can call you from anywhere.
Hammacher Schlemmer sells a fancier version that remembers up to 300 different

    If privacy were really the goal, telephone companies could easily provide
the name of the owner of the calling number, rather than the number itself, in
a CNID service.  The name would be much more useful to residential customers
than the number is, but would be much less useful to marketers, since names do
not uniquely identify households.  Equally easily, phone companies could pro-
vide services that duplicate the functionality of call screening boxes.  If
they allowed callers to identify themselves, either by voice or by punched-in
code, you would be in a far better position to decide whether you wanted to
answer.  Knowing that your call is from "Tom at work" is a lot more useful,
from a privacy point of view, than knowing the number from which the call was
placed.  At the same time, this sort of personalized identification is useless
for the collection of marketing lists.

    Privacy-enhancing alternatives to CNID have been proposed in testimony to
the FCC and before public service commissions across the country.  In every
case, telephone companies have resisted the proposals, on the grounds that
they do not adequately meet the needs of their marketing customers.  Marketers
are clearly hoping that most Rochester residents won't bother to opt out of
CNID.  I urge you to disappoint them: call the Rochester Telephone customer
service number (777-1200) and request all-call restrict.  Keeping your phone
number private is easy and free.

Michael L. Scott is an Associate Professor of Computer Science at the Univer-
sity of Rochester and a member of Computer Professionals for Social Responsi-
bility.  The views expressed here are his own.


Date:    Fri, 15 Jan 1993 23:22:47 -0500
From:    Dave Banisar <banisar@washofc.cpsr.org>
Subject: Released GSA Docs Slam FBI Wiretap Proposal

"GSA Memos Reveal that FBI Wiretap Plan was
Opposed by Government's Top Telecomm Purchaser"

        The New York Times reported today on a document obtained
by CPSR through the Freedom of Information Act.  ("FBI's
Proposal on Wiretaps Draws Criticism from G.S.A.," New York
Times, January 15, 1993, p. A12)

        The document, an internal memo prepared by the General
Services Administration, describes many problems with the
FBI's wiretap plan and also shows that the GSA strongly
opposed the sweeping proposal.  The GSA is the largest
purchaser of telecommunications equipment in the federal

        The FBI wiretap proposal, first announced in March of
1992, would have required telephone manufacturers to design
all communications equipment to facilitate wire surveillance.
The proposal was defeated last year. The FBI has said that it
plans to reintroduce a similar proposal this year.

        The documents were released to Computer Professionals
for Social Responsibility, a public interest organization,
after CPSR submitted Freedom of Information Act requests
about the FBI's wiretap plan to several federal agencies last

        The documents obtained by CPSR reveal that the GSA,
which is responsible for equipment procurement for the
Federal government, strongly opposed two different versions
of the wiretap plan developed by the FBI.  According to the
GSA, the FBI proposal would complicate interoperability,
increase cost, and diminish privacy and network security.
The GSA also stated that the proposal could "adversely
_affect national security._"

        In the second memo, the GSA concluded that it would be a
mistake to give the Attorney General sole authority to waive
provisions of the bill.

        The GSA's objections to the proposal were overruled by
the Office of Management and Budget, a branch of the White
House which oversees administrative agencies for the
President.  However, none of GSA's objections were disclosed
to the public or made available to policy makers in

        Secrecy surrounds this proposal.  Critical sections of a
report on the FBI wiretap plan prepared by the General
Accounting Office were earlier withhold after the FBI
designated these sections "National Security Information."
These sections included analysis by GAO on alternatives to
the FBI's wiretap plan.  CPSR is also pursuing a FOIA lawsuit
to obtain the FBI's internal documents concerning the wiretap

        The GSA memos, the GAO report and others that CPSR is
now seeking indicate that there are many important documents
within the government which have still not been disclosed to
the public.

Marc Rotenberg
CPSR Washington office

Note: Underscores indicate underlining in the original text.
Dashes that go across pages indicate page breaks.

[Computer Professionals for Social Responsibility is a non-
profit, public interest membership organization. For
membership information about CPSR, contact
cpsr@csli.stanford.edu or call 415/322-3778.  For information
on CPSR's FOIA work, contact David Sobel at 202/544-9240



              Control No. X92050405
               Due Date:     5/5/92

Brenda Robinson (S)

After KMR consultations, we still _"cannnot support"_ Draft
Bill. No. 118 as substantially revised by Justice after its
purported full consideration of other agencies' "substantive

Aside from the third paragraph of our 3/13/92 attachment
response for the original draft bill, which was adopted as
GSA's position (copy attached), Justice has failed to fully
address other major GSA concerns (i.e., technological changes
and associated costs).

Further, by merely eliminating the FCC and any discussion of
cost issues in the revision, we can not agree as contended by
Justice that it now " ... takes care of kinds of problems
raised by FCC and others ...."

Finally, the revision gives Justice sole unilateral exclusive
authority to enforce and except or waive the provisions of
any resultant Iaw in Federal District Courts. Our other
concerns are also shown in the current attachment for the
revised draft bill.

Once again OMB has not allowed sufficient time for a more
through review, a comprehensive internal staffing, or a
formal response.


                       Wm. R. Loy  KMR     5/5/92

Info: K(Peay),KD,KA,KB,KE,KG,KV,KM,KMP,KMR,R/F,LP-Rm.4002

(O/F) -   9C1h (2) (a) - File (#4A)


                       DIGITAL TELEPHONY

The proposed legislation could have a widespread impact on
the government's ability to acquire _new_ telecommunications
equipment and provide electronic communications services.

_Existing_ Federal government telecommunications resources
will be affected by the proposed new technology techniques
and equipment. An incompatibility and interoperability of
existing Federal government telecommunications system, and
resources would result due to the new technological changes

The Federal Communications Commission (FCC) has been removed
from the legislation, but the Justice implementation may
require modifications to the "Communications Act of 1934,"
and other FCC policies and regulations to remove
inconsistencies. This could also cause an unknown effect on
the wire and electronic communications systems operations,
services, equipment, and regulations within the Federal
government. Further, to change a major portion of the United
States telecommunications infrastructure (the public switched
network within eighteen months and others within three years)
seems very optimistic, no matter how trivial or minimal the
proposed modifications are to implement.

In the proposed legislation the Attorney General has sole
_unilateral exclusive_ authority to enforce, grant exceptions
or waive the provisions of any resultant law and enforce it
in Federal District Courts. The Attorney General would, as
appropriate, only "consult" with the FCC, Department of
Commerce, or Small Business Administration. The Attorney
General has exclusive authority in Section 2 of the
legislation; it appears the Attorney General has taken over
several FCC functions and placed the FCC in a mere consulting

The proposed legislation would apply to all forms of wire and
electronic communications to include computer data bases,
facsimile, imagery etc., as well as voice transmissions.

The proposed legislation would assist eavesdropping by law
enforcement, but it would also apply to users who acquire the
technology capability and make it easier for criminals,
terrorists, foreign intelligence (spies) and computer hackers
to electronically penetrate the public network and pry into
areas previously not open to snooping. This situation of
easier access due to new technology changes could therefore
affect _national security_.



The proposed legislation does not address standards and
specifications for telecommunications equipment nor security
considerations. These issues must be addressed as they effect
both the government and private industry. There are also
civil liberty implications and the public's constitutional
rights to privacy which are not mentioned.

it must be noted that equipment already exists that can be
used to wiretap the digital communications lines and support
court- authorized wiretaps, criminal investigations and
probes of voice communications. The total number of
interception applications authorized within the United States
(Federal and State) has been averaging under nine hundred per
year. There is concern that the proposed changes are not cost
effective and worth the effort to revamp all the existing and
new telecommunications systems.

The proposed bill would have to have the FCC or another
agency approve or reject new telephone equipment mainly on
the basis of whether the FBI has the capability to wiretap
it. The federal- approval process is normally lengthy and the
United States may not be able to keep pace with foreign
industries to develop new technology and install secure
communications. As a matter of interest, the proposed
restrictive new technology could impede the United States'
ability to compete in digital telephony and participate in
the international trade arena.

Finally, there will be unknown associated costs to implement
the proposed new technological procedures and equipment.
These costs would be borne by the Federal government,
consumers, and all other communications ratepayers to finance
the effort. Both the Federal government and private industry
communications regular phone service, data transmissions,
satellite and microwave transmissions, and encrypted
communications could be effected at increased costs.


  Documents disclosed to Computer Professionals for Social
Responsibility (CPSR), under the Freedom of Information Act
December 1992


End of PRIVACY Forum Digest 02.03

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2023 AOH