TUCoPS :: Privacy :: priv_220.txt

Privacy Digest 2.20 6/13/93

PRIVACY Forum Digest        Sunday, 13 June 1993        Volume 02 : Issue 20

          Moderated by Lauren Weinstein (lauren@vortex.com)
                Vortex Technology, Topanga, CA, U.S.A.
	
                     ===== PRIVACY FORUM =====

   	  The PRIVACY Forum digest is supported in part by the 
	      ACM Committee on Computers and Public Policy.


CONTENTS
	The other side of Clipper (A. Padgett Peterson)
	Traffic analysis (Mathew Lodge)
	NIST CSSPAB 6/4/93 Resolutions (Dave Banisar)
	CLI News from Spain - June 7, 1993 (Rafael Fernandez Calvo)
	USPS NCOA request results (Steve Peterson)
	CPSR Clipper Testimony 6/9 (Dave Banisar)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com".  All submissions included in this digest represent
the views of the individual authors and all submissions will be considered
to be distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  All PRIVACY Forum materials are also
available through the Internet Gopher system via a gopher server on
site "gopher.vortex.com".

For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@vortex.com, call (310) 455-9300, or FAX
to (310) 455-2364.
-----------------------------------------------------------------------------

VOLUME 02, ISSUE 20

   Quote for the day:

      "The life so short, the craft so long to learn."

			-- Hippocrates, 5th century B.C.
	
----------------------------------------------------------------------

Date:    Fri, 4 Jun 93 09:05:30 -0400
From:    padgett@tccslr.dnet.mmc.com
	 (A. Padgett Peterson,P.E. Information Security - - (407)826-1101)
Subject: The other side of Clipper

As apparently the sole individual to see a positive side of Clipper, I
would like to comment that this is not so much an evolution of
cryptographc practise as a revolution and requires a different mindset.

First, I believe that the tapping capability of Clipper/Capstone will 
prevent its ever replacing STU-IIIs and other complex algoritms for
dedicated point-point connections that require absolute privacy. 
Legislation from the government banning "any other cryptography" would
be impossible to enforce and akin to trying to stuff knowlege back into
Pandora's box. It is just not going to be happen and the government is
intelligent enough not to take on a losing battle that could just
flood the legal system (and there would be pleanty of floodees).

Next, what Capstone represents is a new kind of crypto that the miliary
has enjoyed for years. Anytime, anywhere, to anyone. No complex and
archane key management, no prearranged signals, the key management
appears to be able to be handled intermally *including session ignition*.
That I do not understand *how* this is done does not mean that it isn't
(and if you read the 30 April Capstone document you will find the words
"A Key Exchange Algorithm based on a public key exchange.").

Finally, it has been said that "business will not accept Clipper/Capstone".
Hogwash. The bulk of American business could care less if the government
can tap their communications that are being sent in the clear today 
anyway ! What American business wants is freedom from "due care" lawsuits,
hackers, and competitors. To a hospital transmitting X-Rays over phone
lines, it is the patient's lawyer that concerns the hospital, not the
government's.

IMHO the tap capability is *necessary* for American business to embrace
Clipper/Capstone so long as their security department can also do so.
Since we are now talking "owner's rights", I believe this will happen and
will not require a court order.

Already the precidents are being set in the California E-Mail monitoring
cases. Certainly maintaining this right will require the ability for the
owner to monitor such transmissions or accountability will be lost.

As a result, I believe that Clipper/Capstone is going to change how we
think about telecommunications and that the current arguments against
Clipper will turn out to be its greatest strengths.

					Warmly (94 today),
						Padgett

                    (usual disclaimers apply) 

ps IMHO the "problem" with key management is already solved & is just a 
   diversionary smokescreen. All of the facts have not been released.

------------------------------

Date:    Fri, 4 Jun 93 15:10:32
From:    mjl-b@minster.york.ac.uk
Subject: Traffic analysis

In V02 #19, Burton Strauss writes:
> Date:    Fri, 28 May 1993 23:49:10 -0400 (EDT)
> From:    bstrauss@BIX.com
> Subject: Clipper Chip

[stuff deleted]
> ... I wonder if the government really
> thinks they can manage the flow.  Even if there is a backdoor in clipper and
> they can crack, trivially, every conversation 'they' want, how does the
> government (nefarious FBI, NSA, etc people) expect to sift the 'interesting'
> things from the sheer volume?
> 
> One of the key military technologies is traffic analysis -- even if you
> can't read the meaning, a sudden increase in traffic is an indication that
> 'something' is up.  But there is 999 or 1000 messages per day, and nothing
> to set off a traffic alert.

This has long been a recognised problem, and is easily solved by continuous
transmission of information. You continuously transmit a stream of data
(usually randomly generated). When you want to transmit a real message, you
insert it into the random data stream.

This raises the problem of how to identify the real messages from the
rubbish -- prefixing a code or keywork leaves the data stream open to attack
by a good cryptanalyist, who is looking for just such a repeated item. (see
the sci.crypt FAQ for more on this sort of attack)

It has long been known that the British Government's GCHQ (Government
Communications Head Quarters) is continually working on various systems that
try to identify "interesting" messages in the mass of information that they
receive. I imagine the NSA in the USA does the same (since it is reputed to
be the largest employer of mathematicians and purchaser of computer
equipment in the world, I imagine it's quite good at it.)

There's a nice discussion about the problems of information transmission in
Nelson DeMille's novel "The Talbot Odyssey" It also has a nice nightmare
scenario for the wiping out of all electronic devices in the USA that might
interest PRIVACY readers.

Mat

| Mathew Lodge             | "What's your name, boy?" "Kate." "Isn't that |
| mjl-b@minster.york.ac.uk |  a bit of a girl's name?" "It's short for... |
| University of York, UK   |  Bob." -- Blackadder II                      |

------------------------------

Date:    Fri, 4 Jun 1993 20:46:59 EST    
From:    Dave Banisar <banisar@washofc.cpsr.org>
Subject: NIST CSSPAB 6/4/93 Resolutions


                 NIST Crypto Resolutions

  Computer System Security and Privacy Advisory Board
                       June 4, 1993

                      Resolution #1

At Mr. Kammer's request we have conducted two days of 
hearings.  The clear message of the majority of input 
was that there are serious concerns regarding the Key 
Escrow Initiative and the Board concurs with these 
concerns.  Many of these issues are still to be fully 
understood and more time is needed to achieving that 
understanding.

Accordingly, this Board resolves to have an additional 
meeting in July 1993 in order to more completely respond 
to Mr. Kammer's request and to fulfill its statutory 
obligations under P.L. 100-235.  The Board recommends 
that the inter-agency review take note of our input 
collected, our preliminary finding, and adjust the 
timetable to allow for resolution of the significant 
issues and problems raised.

Attached to this resolution is a preliminary 
distillation of the serious concerns and problems.


                     Resolution #2

Key escrowing encryption technology represents a 
dramatic change in the nation's information 
infrastructure.  The full implications of this 
encryption technique are not fully understood at this 
time.  Therefore, the Board recommends that key 
escrowing encryption technology not be deployed beyond 
current implementations planned within the Executive 
Branch, until the significant public policy and 
technical issues inherent with this encryption technique 
are fully understood.

[Attachment to Resolution #1]]

-  A convincing statement of the problem that Clipper 
attempts to solve has not been provided.

- Export and important controls over cryptographic 
products must be reviewed.  Based upon data compiled 
from U.S. and international vendors, current controls 
are negatively impacting U.S. competitiveness in the 
world market and are not inhibiting the foreign 
production and use of cryptography (DES and RSA)

- The Clipper/Capstone proposal does not address the 
needs of the software industry, which is a critical and 
significant component of the National Information 
Infrastructure and the U.S. economy.

- Additional DES encryption alternatives and key 
management alternatives should be considered since there 
is a significant installed base.

- The individuals reviewing the Skipjack algorithm and 
key management system must be given an appropriate time 
period and environment in which to perform a thorough 
review.  This review must address the escrow protocol 
and chip implementation as well as the algorithm itself.

- Sufficient information must be provided on the 
proposed key escrow scheme to allow it to be fully 
understood by the general public.  It does not appear to 
be clearly defined at this time and, since it is an 
integral part of the security of the system, it appears 
to require further development and consideration of 
alternatives to the key escrow scheme (e.g., three 
"escrow" entities, one of which is a non-government 
agency, and a software based solution).

- The economic implications for the Clipper/Capstone 
proposal have not been examined.  These costs go beyond 
the vendor cost of the chip and include such factors as 
customer installation, maintenance, administration, chip 
replacement, integration and interfacing, government 
escrow systems costs, etc.

- Legal issues raised by the proposal must be reviewed.

- Congress, as well as the Administration, should play a 
role in the conduct and approval of the results of the 
review.

=======================================================
    NIST Resolutions on Key Escow Issues and Clipper
                       provided by
                 CPSR Washington office
           666 Pennsylvania Ave., SE Suite 303
                  Washington, DC 20003
               rotenberg@washofc.cpsr.org
=======================================================

------------------------------

Date:    Mon,  7 Jun 93 13:39:49 -0100
From:    rfcalvo@guest2.atimdr.es (Rafael Fernandez Calvo)
Subject: CLI News from Spain - June 7, 1993 


    CCCCC  LL     II
   CC      LL     II
   CC      LL     II    --  N E W S   FROM   S P A I N  --- June 7, 1993
    CCCCC  LLLLLL II

 COMMISSION for LIBERTIES
 and INFORMATICS (*)

      PRIVACY AND GENERAL ELECTIONS: TRICKS OF THE TRADE
      --------------------------------------------------

 Spain held general parlamentary elections yesterday, June 6th.
Regardless of the ocutcome (the ruling Socialist Party obtained again
a majority of the seats), one of the parties participating in the
event, "Centrist Unity-Spanish Democratic Party", was expelled of the
race on June 1 by the Electoral Control Committee on the grounds that
the party was actually a sham put up by a group of direct marketing
pirates.

 Regardless of the fact that this party had no choice whatsoever
of winning a single seat, it showed again one of the problems
that has been plaguing citizens' privacy in Spain since 1977 (first
democratic elections after forty years of dictatorship): the use for
commercial purposes of the magnetic tapes containing the Election
Census, provided to the parties by the Public Administration.

 Big parties do not seem to have participated in data smuggling
practices but there is evidence that many of the companies that process
the tapes provided by them are the main source of abuse against the
privacy of citizens in regard to their personal data in Spain, since they
duplicate and sell the tapes. This fact has been frequently dennounced by
CLI (*).

 The recently approved Personal Data Law could help to stop these
practices.

* SOME WORDS ABOUT CLI

 The --Commission for Liberties and Informatics, CLI-- is an independent
and pluralistic organization that was officially constituted in April
'91.

 Its mission is to "promote the development and protection of
citizens' rights, specially privacy, against misuse of Information
Technologies".

 As of May '93, CLI is composed by nine organizations, with
a joint membership of about 3,000,000 people. They cover a very
wide spectrum of social interest groups: associations of computer
professionals, judges, civil rights leagues, trade unions, consumers
groups, direct marketing industry, etc.

 CLI is confederated with similar bodies created in some other Spanish
Regions such as Valencia, Basque Country and Catalonia, and has fluid
working relationships with many public and private Data Protection bodies
and entities all over the world, including CNIL, CPSR and Privacy
International.

 CLI has its headquarters in:

Padilla 66, 3 dcha.
E-28006 Madrid, Spain

Phone: (34-1) 402 9391
Fax: (34-1) 309 3685
E-mail: rfcalvo@guest2.atimdr.es

------------------------------

Date:    Wed, 9 Jun 93 15:38:12 CDT
From:    Steve Peterson <peterson@fs.fs.com>
Subject: USPS NCOA request results

In February, I sent a Privacy Act request to the US Postal Service, asking
them to identify everyone who had received a copy of the change of address I
had filed with them in 1990.

I recently received a 2 inch thick response from the USPS.  It turns out that
no one made a specific request for my records at the local post office.  It
was not possible to identify whether others had been informed via the USPS's
National Change of Address (NCOA) data base; they did, however, provide me
with the complete list of everyone who requested the data base from 9/1990
to 2/1993.

I don't have the time to scan in all of the months of the data base, but I
scanned in January, 1993 as a recent and representative sample.  My apologies
in advance for any misspellings or formatting problems.  OCR is good, but not 
perfect.

I believe that the entries prefixed by "MC" are Members of Congress.

--

Steve Peterson                                                  612 851 1523
FOURTH SHIFT Corporation                            7900 International Drive
peterson@fs.com                                    Bloomington, MN 55425 USA

	[ The complete text of this message, including the USPS list,
	  which I have slightly reformatted, is available in
	  the PRIVACY Forum archives.  To access:

	    Via Anon FTP: From site "ftp.vortex.com": /privacy/usps-addr.Z
					          or: /privacy/usps-addr

	    Via e-mail: Send mail to "listserv@vortex.com" with
	                the line:

			    get privacy usps-addr

		        as the first text in the BODY of your message.

	    Via gopher: From the gopher server on site "gopher.vortex.com"
		in the "*** PRIVACY Forum ***" area under "usps-addr".

							-- MODERATOR ]

------------------------------

Date:    Sat, 12 Jun 1993 12:30:38 EST
From:    Dave Banisar <banisar@washofc.cpsr.org>
Subject: CPSR Clipper Testimony 6/9

        On June 9, 1993, Congressman Edward Markey, Chairman of the
House  Subcommittee on Telecommunications and Finance held an oversight
hearing on Rencryption and telecommunications network security.
Panelists were Whitfield Diffie of Sun Microsystems, Dr. Dorothy
Denning,  Steven Bryen of Secure Communications, Marc Rotenberg of the
CPSR Washington Office and E.R. Kerkeslager of AT&T.

        Congressman Markey, after hearing the testimony presented,
noted that the Clipper proposal had raised an Rarched eyebrow among the
whole committee and that the committee viewed the proposal
skeptically. This statement was the latest indication that the Clipper
proposal has not been well recieved by policy makers.  Last Friday, the
Computer Systems Security and Privacy Advisory Board of NIST issued two
resolutions critical of the encryption plan, suggesting that further
study was required and that implementation of the plan should be
delayed until the review is completed.
        At the Third CPSR Cryptography and Privacy Conference on Monday, 
June 7, the Acting Director of NIST, Raymond Kammer, announced that the
implementation of the proposal will be delayed and that a more comprehensive
review will be undertaken.  The review is due in the fall.  Kammer told the
Washington Post that maybe we won't continue in the direction we started
out.

	[ The complete testimony mentioned above is now available
	  in the PRIVACY Forum archives.  To access:

	    Via Anon FTP: From site "ftp.vortex.com": /privacy/cpsr-clip.1.Z
					          or: /privacy/cpsr-clip.1

	    Via e-mail: Send mail to "listserv@vortex.com" with
	                the line:

			    get privacy cpsr-clip.1

		        as the first text in the BODY of your message.

	    Via gopher: From the gopher server on site "gopher.vortex.com"
		in the "*** PRIVACY Forum ***" area under "cpsr-clip.1".

							-- MODERATOR ]

------------------------------

End of PRIVACY Forum Digest 02.20
************************

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH