PRIVACY Forum Digest Sunday, 13 June 1993 Volume 02 : Issue 20
Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Topanga, CA, U.S.A.
===== PRIVACY FORUM =====
The PRIVACY Forum digest is supported in part by the
ACM Committee on Computers and Public Policy.
CONTENTS
The other side of Clipper (A. Padgett Peterson)
Traffic analysis (Mathew Lodge)
NIST CSSPAB 6/4/93 Resolutions (Dave Banisar)
CLI News from Spain - June 7, 1993 (Rafael Fernandez Calvo)
USPS NCOA request results (Steve Peterson)
CPSR Clipper Testimony 6/9 (Dave Banisar)
*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***
-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond. The
moderator will choose submissions for inclusion based on their relevance and
content. Submissions will not be routinely acknowledged.
ALL submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored. Excessive "signatures" on submissions are
subject to editing. Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com". Mailing list problems should be reported to
"list-maint@vortex.com". All submissions included in this digest represent
the views of the individual authors and all submissions will be considered
to be distributable without limitations.
The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password. The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access. PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system. Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive. All PRIVACY Forum materials are also
available through the Internet Gopher system via a gopher server on
site "gopher.vortex.com".
For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@vortex.com, call (310) 455-9300, or FAX
to (310) 455-2364.
-----------------------------------------------------------------------------
VOLUME 02, ISSUE 20
Quote for the day:
"The life so short, the craft so long to learn."
-- Hippocrates, 5th century B.C.
----------------------------------------------------------------------
Date: Fri, 4 Jun 93 09:05:30 -0400
From: padgett@tccslr.dnet.mmc.com
(A. Padgett Peterson,P.E. Information Security - - (407)826-1101)
Subject: The other side of Clipper
As apparently the sole individual to see a positive side of Clipper, I
would like to comment that this is not so much an evolution of
cryptographc practise as a revolution and requires a different mindset.
First, I believe that the tapping capability of Clipper/Capstone will
prevent its ever replacing STU-IIIs and other complex algoritms for
dedicated point-point connections that require absolute privacy.
Legislation from the government banning "any other cryptography" would
be impossible to enforce and akin to trying to stuff knowlege back into
Pandora's box. It is just not going to be happen and the government is
intelligent enough not to take on a losing battle that could just
flood the legal system (and there would be pleanty of floodees).
Next, what Capstone represents is a new kind of crypto that the miliary
has enjoyed for years. Anytime, anywhere, to anyone. No complex and
archane key management, no prearranged signals, the key management
appears to be able to be handled intermally *including session ignition*.
That I do not understand *how* this is done does not mean that it isn't
(and if you read the 30 April Capstone document you will find the words
"A Key Exchange Algorithm based on a public key exchange.").
Finally, it has been said that "business will not accept Clipper/Capstone".
Hogwash. The bulk of American business could care less if the government
can tap their communications that are being sent in the clear today
anyway ! What American business wants is freedom from "due care" lawsuits,
hackers, and competitors. To a hospital transmitting X-Rays over phone
lines, it is the patient's lawyer that concerns the hospital, not the
government's.
IMHO the tap capability is *necessary* for American business to embrace
Clipper/Capstone so long as their security department can also do so.
Since we are now talking "owner's rights", I believe this will happen and
will not require a court order.
Already the precidents are being set in the California E-Mail monitoring
cases. Certainly maintaining this right will require the ability for the
owner to monitor such transmissions or accountability will be lost.
As a result, I believe that Clipper/Capstone is going to change how we
think about telecommunications and that the current arguments against
Clipper will turn out to be its greatest strengths.
Warmly (94 today),
Padgett
(usual disclaimers apply)
ps IMHO the "problem" with key management is already solved & is just a
diversionary smokescreen. All of the facts have not been released.
------------------------------
Date: Fri, 4 Jun 93 15:10:32
From: mjl-b@minster.york.ac.uk
Subject: Traffic analysis
In V02 #19, Burton Strauss writes:
> Date: Fri, 28 May 1993 23:49:10 -0400 (EDT)
> From: bstrauss@BIX.com
> Subject: Clipper Chip
[stuff deleted]
> ... I wonder if the government really
> thinks they can manage the flow. Even if there is a backdoor in clipper and
> they can crack, trivially, every conversation 'they' want, how does the
> government (nefarious FBI, NSA, etc people) expect to sift the 'interesting'
> things from the sheer volume?
>
> One of the key military technologies is traffic analysis -- even if you
> can't read the meaning, a sudden increase in traffic is an indication that
> 'something' is up. But there is 999 or 1000 messages per day, and nothing
> to set off a traffic alert.
This has long been a recognised problem, and is easily solved by continuous
transmission of information. You continuously transmit a stream of data
(usually randomly generated). When you want to transmit a real message, you
insert it into the random data stream.
This raises the problem of how to identify the real messages from the
rubbish -- prefixing a code or keywork leaves the data stream open to attack
by a good cryptanalyist, who is looking for just such a repeated item. (see
the sci.crypt FAQ for more on this sort of attack)
It has long been known that the British Government's GCHQ (Government
Communications Head Quarters) is continually working on various systems that
try to identify "interesting" messages in the mass of information that they
receive. I imagine the NSA in the USA does the same (since it is reputed to
be the largest employer of mathematicians and purchaser of computer
equipment in the world, I imagine it's quite good at it.)
There's a nice discussion about the problems of information transmission in
Nelson DeMille's novel "The Talbot Odyssey" It also has a nice nightmare
scenario for the wiping out of all electronic devices in the USA that might
interest PRIVACY readers.
Mat
| Mathew Lodge | "What's your name, boy?" "Kate." "Isn't that |
| mjl-b@minster.york.ac.uk | a bit of a girl's name?" "It's short for... |
| University of York, UK | Bob." -- Blackadder II |
------------------------------
Date: Fri, 4 Jun 1993 20:46:59 EST
From: Dave Banisar <banisar@washofc.cpsr.org>
Subject: NIST CSSPAB 6/4/93 Resolutions
NIST Crypto Resolutions
Computer System Security and Privacy Advisory Board
June 4, 1993
Resolution #1
At Mr. Kammer's request we have conducted two days of
hearings. The clear message of the majority of input
was that there are serious concerns regarding the Key
Escrow Initiative and the Board concurs with these
concerns. Many of these issues are still to be fully
understood and more time is needed to achieving that
understanding.
Accordingly, this Board resolves to have an additional
meeting in July 1993 in order to more completely respond
to Mr. Kammer's request and to fulfill its statutory
obligations under P.L. 100-235. The Board recommends
that the inter-agency review take note of our input
collected, our preliminary finding, and adjust the
timetable to allow for resolution of the significant
issues and problems raised.
Attached to this resolution is a preliminary
distillation of the serious concerns and problems.
Resolution #2
Key escrowing encryption technology represents a
dramatic change in the nation's information
infrastructure. The full implications of this
encryption technique are not fully understood at this
time. Therefore, the Board recommends that key
escrowing encryption technology not be deployed beyond
current implementations planned within the Executive
Branch, until the significant public policy and
technical issues inherent with this encryption technique
are fully understood.
[Attachment to Resolution #1]]
- A convincing statement of the problem that Clipper
attempts to solve has not been provided.
- Export and important controls over cryptographic
products must be reviewed. Based upon data compiled
from U.S. and international vendors, current controls
are negatively impacting U.S. competitiveness in the
world market and are not inhibiting the foreign
production and use of cryptography (DES and RSA)
- The Clipper/Capstone proposal does not address the
needs of the software industry, which is a critical and
significant component of the National Information
Infrastructure and the U.S. economy.
- Additional DES encryption alternatives and key
management alternatives should be considered since there
is a significant installed base.
- The individuals reviewing the Skipjack algorithm and
key management system must be given an appropriate time
period and environment in which to perform a thorough
review. This review must address the escrow protocol
and chip implementation as well as the algorithm itself.
- Sufficient information must be provided on the
proposed key escrow scheme to allow it to be fully
understood by the general public. It does not appear to
be clearly defined at this time and, since it is an
integral part of the security of the system, it appears
to require further development and consideration of
alternatives to the key escrow scheme (e.g., three
"escrow" entities, one of which is a non-government
agency, and a software based solution).
- The economic implications for the Clipper/Capstone
proposal have not been examined. These costs go beyond
the vendor cost of the chip and include such factors as
customer installation, maintenance, administration, chip
replacement, integration and interfacing, government
escrow systems costs, etc.
- Legal issues raised by the proposal must be reviewed.
- Congress, as well as the Administration, should play a
role in the conduct and approval of the results of the
review.
=======================================================
NIST Resolutions on Key Escow Issues and Clipper
provided by
CPSR Washington office
666 Pennsylvania Ave., SE Suite 303
Washington, DC 20003
rotenberg@washofc.cpsr.org
=======================================================
------------------------------
Date: Mon, 7 Jun 93 13:39:49 -0100
From: rfcalvo@guest2.atimdr.es (Rafael Fernandez Calvo)
Subject: CLI News from Spain - June 7, 1993
CCCCC LL II
CC LL II
CC LL II -- N E W S FROM S P A I N --- June 7, 1993
CCCCC LLLLLL II
COMMISSION for LIBERTIES
and INFORMATICS (*)
PRIVACY AND GENERAL ELECTIONS: TRICKS OF THE TRADE
--------------------------------------------------
Spain held general parlamentary elections yesterday, June 6th.
Regardless of the ocutcome (the ruling Socialist Party obtained again
a majority of the seats), one of the parties participating in the
event, "Centrist Unity-Spanish Democratic Party", was expelled of the
race on June 1 by the Electoral Control Committee on the grounds that
the party was actually a sham put up by a group of direct marketing
pirates.
Regardless of the fact that this party had no choice whatsoever
of winning a single seat, it showed again one of the problems
that has been plaguing citizens' privacy in Spain since 1977 (first
democratic elections after forty years of dictatorship): the use for
commercial purposes of the magnetic tapes containing the Election
Census, provided to the parties by the Public Administration.
Big parties do not seem to have participated in data smuggling
practices but there is evidence that many of the companies that process
the tapes provided by them are the main source of abuse against the
privacy of citizens in regard to their personal data in Spain, since they
duplicate and sell the tapes. This fact has been frequently dennounced by
CLI (*).
The recently approved Personal Data Law could help to stop these
practices.
* SOME WORDS ABOUT CLI
The --Commission for Liberties and Informatics, CLI-- is an independent
and pluralistic organization that was officially constituted in April
'91.
Its mission is to "promote the development and protection of
citizens' rights, specially privacy, against misuse of Information
Technologies".
As of May '93, CLI is composed by nine organizations, with
a joint membership of about 3,000,000 people. They cover a very
wide spectrum of social interest groups: associations of computer
professionals, judges, civil rights leagues, trade unions, consumers
groups, direct marketing industry, etc.
CLI is confederated with similar bodies created in some other Spanish
Regions such as Valencia, Basque Country and Catalonia, and has fluid
working relationships with many public and private Data Protection bodies
and entities all over the world, including CNIL, CPSR and Privacy
International.
CLI has its headquarters in:
Padilla 66, 3 dcha.
E-28006 Madrid, Spain
Phone: (34-1) 402 9391
Fax: (34-1) 309 3685
E-mail: rfcalvo@guest2.atimdr.es
------------------------------
Date: Wed, 9 Jun 93 15:38:12 CDT
From: Steve Peterson <peterson@fs.fs.com>
Subject: USPS NCOA request results
In February, I sent a Privacy Act request to the US Postal Service, asking
them to identify everyone who had received a copy of the change of address I
had filed with them in 1990.
I recently received a 2 inch thick response from the USPS. It turns out that
no one made a specific request for my records at the local post office. It
was not possible to identify whether others had been informed via the USPS's
National Change of Address (NCOA) data base; they did, however, provide me
with the complete list of everyone who requested the data base from 9/1990
to 2/1993.
I don't have the time to scan in all of the months of the data base, but I
scanned in January, 1993 as a recent and representative sample. My apologies
in advance for any misspellings or formatting problems. OCR is good, but not
perfect.
I believe that the entries prefixed by "MC" are Members of Congress.
--
Steve Peterson 612 851 1523
FOURTH SHIFT Corporation 7900 International Drive
peterson@fs.com Bloomington, MN 55425 USA
[ The complete text of this message, including the USPS list,
which I have slightly reformatted, is available in
the PRIVACY Forum archives. To access:
Via Anon FTP: From site "ftp.vortex.com": /privacy/usps-addr.Z
or: /privacy/usps-addr
Via e-mail: Send mail to "listserv@vortex.com" with
the line:
get privacy usps-addr
as the first text in the BODY of your message.
Via gopher: From the gopher server on site "gopher.vortex.com"
in the "*** PRIVACY Forum ***" area under "usps-addr".
-- MODERATOR ]
------------------------------
Date: Sat, 12 Jun 1993 12:30:38 EST
From: Dave Banisar <banisar@washofc.cpsr.org>
Subject: CPSR Clipper Testimony 6/9
On June 9, 1993, Congressman Edward Markey, Chairman of the
House Subcommittee on Telecommunications and Finance held an oversight
hearing on Rencryption and telecommunications network security.
Panelists were Whitfield Diffie of Sun Microsystems, Dr. Dorothy
Denning, Steven Bryen of Secure Communications, Marc Rotenberg of the
CPSR Washington Office and E.R. Kerkeslager of AT&T.
Congressman Markey, after hearing the testimony presented,
noted that the Clipper proposal had raised an Rarched eyebrow among the
whole committee and that the committee viewed the proposal
skeptically. This statement was the latest indication that the Clipper
proposal has not been well recieved by policy makers. Last Friday, the
Computer Systems Security and Privacy Advisory Board of NIST issued two
resolutions critical of the encryption plan, suggesting that further
study was required and that implementation of the plan should be
delayed until the review is completed.
At the Third CPSR Cryptography and Privacy Conference on Monday,
June 7, the Acting Director of NIST, Raymond Kammer, announced that the
implementation of the proposal will be delayed and that a more comprehensive
review will be undertaken. The review is due in the fall. Kammer told the
Washington Post that maybe we won't continue in the direction we started
out.
[ The complete testimony mentioned above is now available
in the PRIVACY Forum archives. To access:
Via Anon FTP: From site "ftp.vortex.com": /privacy/cpsr-clip.1.Z
or: /privacy/cpsr-clip.1
Via e-mail: Send mail to "listserv@vortex.com" with
the line:
get privacy cpsr-clip.1
as the first text in the BODY of your message.
Via gopher: From the gopher server on site "gopher.vortex.com"
in the "*** PRIVACY Forum ***" area under "cpsr-clip.1".
-- MODERATOR ]
------------------------------
End of PRIVACY Forum Digest 02.20
************************
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
