TUCoPS :: Privacy :: priv_306.txt

Privacy Digest 3.06 3/6/94

PRIVACY Forum Digest       Sunday, 6 March 1994       Volume 03 : Issue 06

          Moderated by Lauren Weinstein (lauren@vortex.com)
            Vortex Technology, Woodland Hills, CA, U.S.A.
	
                     ===== PRIVACY FORUM =====

   	  The PRIVACY Forum digest is supported in part by the 
	      ACM Committee on Computers and Public Policy.


CONTENTS 
	PRIVACY Briefs (Lauren Weinstein; PRIVACY Forum Moderator)
	TV Network News Seeks Victims of Privacy Problems
	   (Lauren Weinstein; PRIVACY Forum Moderator)
	Re: PGP (Charlie Stross)
	DES Recertified for Use (Mike Winkelman)
	'We {Will} Find you...' (Paul Robinson)
	FBI Digital Telephony and PCS mobile phones (M. Hedlund)
        Re: Newsday article: The Clipper Chip Will Block Crime 
	   (Brinton Cooper)
        Re: Newsday article: The Clipper Chip Will Block Crime
	   (Dorothy Denning)
	NTIA Releases Notice of Inquiry On Privacy Issues (Beth Givens)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com".  All submissions included in this digest represent
the views of the individual authors and all submissions will be considered
to be distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  All PRIVACY Forum materials are also
available through the Internet Gopher system via a gopher server on
site "gopher.vortex.com".

For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@vortex.com, call (818) 225-2800, or FAX
to (818) 225-7203.
-----------------------------------------------------------------------------

VOLUME 03, ISSUE 06

   Quote for the day:

	"Don't get on that ship! 
	 ... 'To Serve Man', it's -- it's a COOKBOOK!"

	  	  -- "The Twilight Zone" (original version: 1959-1964)
	              Episode: "To Serve Man"

----------------------------------------------------------------------

PRIVACY Briefs (from the Moderator)

---

The National Rifle Association (NRA) recently caused a storm of protest when
it announced that while it would continue to keep the names of current
members private, they planned to start selling the lists of names of persons
who had *left* the organization within the last several years.  Protests
from former members apparently caused the NRA to reverse this decision, and
to announce that they would keep the names of both former and present members
private, for the time being in any case.

---

An arrangement between National Information Bureau Ltd. (NIB) and CompuServe,
Inc. will allow NIB's subscribers to access NIB's databases of DMV, credit
history, workers' comp., tax, real-estate, crime and other related databases
via CompuServe.  The companies claim that "several levels of security" will
be in place to prevent unauthorized access to these databases.

------------------------------

Date:    Sun, 6 Mar 94 12:51 PST
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: TV Network News Seeks Victims of Privacy Problems

Greetings.  For quite sometime now, one of the three primary commercial U.S.
television network news organizations has been in contact with me regarding
the possibility of their devoting an evening hour (of one of their news
magazine programs) to the topic of privacy concerns and problems.  We've
talked at some length about the issues and they're pretty well up to speed
on the overall topic (they've been reading this digest for quite sometime).

However, in order to produce a program with sufficient "pathos," they feel
that they need on-camera interviews with an individual or individuals
who have been severely "burned" by privacy problems and are willing
to talk about them.  Such interviews would tend to serve as "anchors"
around which the discussion of issues, interviews with experts, etc.
could revolve.  Unless the individual privacy problem interviews can occur,
the segment probably won't be produced.

I've been saying for ages that the only way we can expect progress toward
solving many of the problems we discuss in this digest is through raising
the level of public consciousness of the issues--to help convince people
that privacy affects *them*.  In this day and age, television represents
perhaps the most potent avenue to accomplish this.

I've already pointed out to the network representative that, almost by
definition, a person who has had his or her privacy invaded in the past is
not terribly likely to want to go on national television and expose
themselves even further!  However, the hope is that some person or persons
will feel strongly enough about the problems that they'd be willing to do so
anyway, in the interests of helping to advance privacy issues.

Are there "risks" to doing media interviews?  Of course.  As anyone who
deals with the media frequently can tell you (myself included), once the
interview is over and the tape is back in the box, you do not have any
control over how the material will be used.  How much of the interview will
appear (if any), how it will be edited, what material will be juxtaposed
with yours--all of these will be beyond your control.  That's just the way
it is.

However, I feel that this television network is interested in providing a
sympathetic platform for their interviewees on this topic, and frankly, if
you feel strongly enough that you want to try be of assistance, my own
feeling is that you need to be willing to sit down, do the interviews, and
hope for the best.  And, for what it's worth, my own experiences with
television interviews have been quite good to date.

So, if you've had significant privacy problems (any of the broad range of
topics we discuss in this digest would seem appropriate) and you're willing
to go on-camera with them, send me a note (either to lauren@vortex.com or
privacy@vortex.com) and I'll put you in touch with the appropriate parties.

--Lauren--

------------------------------

Date:    Mon, 21 Feb 1994 12:11:16 +0000 (GMT)
From:    Charlie Stross <charless@sco.COM>
Subject: re: PGP

close@lunch.asd.sgi.com (Diane Barlow Close) writes:
>Does PGP infringe or
>doesn't it?  Are there exceptions or aren't there?  I wrote to Jim Bidzos
>asking for clarification and he basically said that the stuff about PGP
>being free and legal was pure fiction.  Jim said that PGP is definitely
>unlicensed and is considered infringing by the patent holders.  He
>responded directly to "Tansin A. Darcos & Company" and cc'd me on the
>response, asking me to forward this to any newsgroup or mailing list that
>might be discussing this issue:

This assertion that PGP is in violation of a patent is interesting.

Firstly, to the best of my knowledge the patent is only valid in the
United States. Other countries have differing patent laws, and PGP is
not (to the best of my knowledge) in violation of any patents filed
outside the USA.

Furthermore, since release 1, PGP has been developed outside the USA,
where it continues to be used legally.

Secondly, as far as I know the alleged patent violation is currently
the subject of legal action. PKP are asserting patent violation in
court; however I have not heard of any judgement in their favour, and
their claim is (or was) being contested. There  is allegedly some
question over the validity of the patent and its applicability to PGP,
and it would be prudent to let the court decide -- rather than taking
the word of one of the plaintiffs as truth. Fools rush in where
lawyers fear to tread ...

-- Charlie
SCO Technical Publications: tel. +44-(0)923-816344 x579
 
------------------------------

Date:    28 Feb 94 14:41:37 EST
From:    Mike Winkelman <71042.3621@CompuServe.COM>
Subject: DES Recertified for Use

I guess in all the noise about Clipper most
folks have not noticed that DES has been
recertified as a standard for another 5 years.
A lot can happen in five years.

------------------------------

Date:    Wed, 2 Mar 1994 23:17:29 -0500 (EST)
From:    Paul Robinson <PAUL@TDR.COM>
Subject: 'We {Will} Find you...'

In an article on the cover of the February 10, 1994 {Washington 
Technology} magazine of the same name, talks about a specialized use of 
biometrical information (specific details unique to a person like size, 
etc.) to identify them.

The idea behind this is that in an airport, an infrared camera is mounted
near the arriving passengers section, taking pictures of every person who
is passing through the facility.  This captures the 'aura' or underlying
facial vascular system (pattern of blood vessels and such).  In 1/30 of
one second, it captures the data and forwards it via high-speed data lines
to an FBI database that has stored auras of the worlds most-wanted
criminals and terrorists, then matches generate an order to nab a suspect,
supposedly producing "a piece of evidence that is as rock-solid as any
presented to a court." 

Currently, infrared cameras are being attached to desktop computers to 
create digitized thermograms of people's faces in 1/30 of a second.  The 
company that is working on this technology, Betae Corp, an Alexandria, VA 
government contractor, claims that the aura is unique for every single 
person.  The photos in the front of the article show two clearly 
different thermographic images that are claimed to be from identical twins.

The facial print does not change over time (and would allegedly require 
very deep plastic surgery to change it), retains the same basic patterns 
regardless of the person's health, and can be captured without the 
person's participation.  The technology will have to show it is a better 
choice than current biometric techniques such as retinagrams (eye 
photographs, voice prints and the digital fingerprint.

A Publicity-Shy Reston, VA company called Mikos holds the patent for 
certain technology uses of this concept.  Dave Evans of Betac who has 
obtained certain "non exclusive" rights in the technology claims that 
"thermograms are the only technology he has seen in his more than two 
decades of security work that meet the five major criteria of an ideal 
identification system:  They are unique for every individual, including 
identical twins; they identify individuals without their knowing 
participation; they perform IDs on the fly; they are invulnerable to 
counterfeiting or disguises; they remain reliable no matter the subject's 
health or age," the article said.  Only retinal photos are equivalent, 
but potential assasins aren't likely to cooperate in using them.

Right now it takes about 2-4K per thermograph, (it says '2-4K of computer 
memory' but I suspect they mean disk space) and that's not really a 
problem for a PC-Based system of 2000 or so people going to and from a 
building; it's another magnitude of hardware to handle millions of 
aircraft travelers in airports.  Also, infrared cameras are not cheap, in 
the $35,000 to $70,000 range, which, for the moment is likely to keep 
small law enforcement facilities from thermographing all persons arrested 
the way all persons arrested are routinely fingerprinted.  But we can 
expect the price to come down in the future.

The writer apparently had to agree with Evans not to raise privacy and 
security issues in the article, it says, since first they have to show 
the technology works.  But even it raised questions:

- The technology could be a powerful weapon in a "big brother" arsenal, 
  with cameras in front of many stores and street corners, scanning for
  criminals or anyone on the government's watch list?
- Does the government have the right to randomly photograph people for
  matching them against a criminal database?
- What guarantees do we have that thermographs are actually unique for
  every person, or that the system is foolproof?
- What is the potential for blackmail, with thermographs to prove people
  were in compromising places and positions?

There are also my own points

- While this can be used to protect nuclear power plants against 
  infiltration by terrorists (as one example it gives), what is to stop it,
  for example, to be used to find (and silence or eliminate) critics and
  dissidents?  I wouldn't give China 30 seconds before it would use 
  something like this to capture critics such as the victims of Tianamen 
  Square. 

- Long history indicates that better technology is not used to improve 
  capture of criminals who violate the lives and property of other private
  parties, it is used to go after whatever group the government opposes.
  That's why people who defend themselves with guns against armed
  criminals in places where gun controls are in effect, can expect to
  be treated harsher than the criminal would have been.  Existence of
  criminals supports the need for more police and more police-state laws;
  defending oneself against criminals shows the ineffectiveness of those
  laws.

---
Paul Robinson - Paul@TDR.COM

------------------------------

Date:    Tue, 1 Mar 1994 13:37:46 -0800 (PST)
From:    "M. Hedlund" <hedlund@netcom.com>
Subject: FBI Digital Telephony and PCS mobile phones

{Cross-posted to RISKS & EFF}

	This article elaborates on part of the EFF statement issued last 
week concerning the FBI's proposed Digital Telephony wiretap bill.  The EFF
condemned the bill, which enlarges law enforcement powers of surveillance,
granted by wiretap laws, by adding tracking ability. Addressed herein is point
two of the EFF statement, concerning the surveillance of mobile communica-
tors, such as cellular phones, Personal Communications Services (PCS) and 
laptop computers.  PCS mobile phones create severe privacy risks for future
phone users, especially under the FBI's proposal; and these risks strongly
support the EFF's position.

	The FBI asserts that their proposal adapts existing wiretap laws to
account for emerging communications technologies.  Wiretap laws have not 
adequately covered mobile communications, and the FBI is correct to assume
that some revisions will be necessary to adequately balance law enforcement
needs with the privacy rights of mobile phone users.  Their proposed
revisions, however, do not simply provide for wiretap; instead, the FBI
seeks to expand wiretap laws, allowing law enforcement officers to track
the signalling information of mobile communcations users.

	The EFF believes that the FBI proposal would create an enormous hole 
in the privacy rights of individuals suspected of crimes.  Their statement
notes:
	It is conceivable that law enforcement could 
	use the signalling information to identify the
	location of a target.....This provision takes a 
	major step beyond current law in that it allows
	for a tap and/or trace on a *person*, as opposed
	to mere surveillance of a phone line.


	This fear is completely realistic.  It is not simply "conceivable"
that the FBI's proposal would allow law enforcement to surveil the location
of a target -- positioning technology is a planned part of PCS networks,
one of the technological advances anticipated by the proposal.  Similar
positioning technology is planned for cellular phones, as well.

	PCS advances cellular phone technology by integrating mobile
communications with other phone networks, and by expanding the services
and quality mobile phones can offer.  Most PCS proposals involve three forms
of mobility: terminal mobility, the ability to make and receive calls at
any location, and the ability of the phone network to track the location
of the mobile phone; personal mobility, the ability of the user to be reach-
able by a single phone number at all times; and service mobility, the ability
of the user to access CLASS(sm)-like features, such as Call Waiting and 
Caller ID, from any phone they use.

	The FBI proposal requires phone companies, when presented with a 
wiretap order, to transmit the content and the signalling, or "call setup
information," from the tapped phone to law enforcement officers.  With a
wireline phone, such as a residence phone line, call setup information would
comprise only the originating and dialled phone numbers, as well as billing
information (such as the residence address) for the call.  Because of the
wireless aspect of PCS, however, call setup information for a PCS phone
includes very detailed information on the location and movement of the caller.

	PCS mobile phones will connect with the phone network via "microcells,"
or very small receivers similar to those used for cellular phones.  While a
cellular network uses cells with up to an 8 to 10 mile radius, PCS networks
will use microcells located on every street corner and in every building.  
The call setup information for a PCS call would include the microcell identi-
fier -- a very specific means of locating the user.  An order for a PCS 
wiretap would allow law enforcement officers to receive a detailed,
verifiable, continuous record of the location and movement of a mobile phone
user.

	These phones are also likely to "feature" automatic registration: 
whenever the PCS mobile phone is on (in use or able to receive calls), it
will automatically register itself with the nearest microcell.  Law enforce-
ment agencies, able to track this registration, would have the equivalent of
an automatic, free, instantaneous, and undetectable global positioning
locator for anyone suspected of a crime.

	PCS tries to improve on cellular phone privacy and security by
incorporating cryptographic techniques.  Encryption could not only create
a secure phone conversation, but could also (coupled with use of a PIN 
number) insure that only a valid subscriber could make calls on a particular
phone, preventing fraudulent calls on stolen phones.  An additional phone-to
-network authentication could prevent fraudulent calling through a 
"masquerade" phone designed to simulate a user's registration.

	But the FBI proposal would require that such encryption be defeatable
in wiretap circumstances.  As the proposal stands, this form of weak encryp-
tion is distinguishable from the Clipper Chip because the phone companies,
not a key escrow arrangement, enable law enforcement access; but it is entirely
possible that the Clipper Chip could be used as the encrypting device.  In
either circumstance, PCS encryption could be compromised by careless or 
malicious law enforcement officials.  Perhaps it is time for Phil Zimmerman
and ViaCrypt to begin work on PGPCS -- and let us all hope we are so lucky.

	The cellular phone market is tremendous, and analysts believe that 
the PCS market, incorporating both voice and data communications, will be 
even larger.  Coupled with the FBI's Digital Telephony proposal, PCS raises
many privacy and security risks, making the EFF's condemnation of the FBI
proposal all the more appropriate.



CLASS is a service mark of Bell Communications Research (Bellcore).

For more information:

*	Bellcore Special Report SR-INS-002301, "Feature Description and
	Functional Analysis of Personal Communications Services (PCS)
	Capabilities," Issue 1, April 1992.  Order from Bellcore, (800)
	521-CORE (2673), $55.00.

*	GAO report GAO/OSI-94-2, "Communications Privacy: Federal Policy
	and Actions," November 1993.  Anonymous FTP to cu.nih.gov, in the
	directory "gao-reports".

*	EFF documents, available via anonymous FTP or gopher:
	ftp://ftp.eff.org/pub/EFF/Policy/Digital_Telephony


]\/[. ]-[edlund
<hedlund@netcom.com>

------------------------------

Date:    Tue, 1 Mar 94 18:46:58 GMT
From:    Brinton Cooper <abc@ARL.ARMY.MIL>
Subject: Re: Newsday article: The Clipper Chip Will Block Crime

In discussing the Clipper controversy, Denning says, of those who oppose
the government's access to Clipper-encrypted communications:

>    The Clinton administration has adopted the chip, which would allow
> law enforcement agencies with court warrants to read the Clipper codes
> and eavesdrop on terrorists and criminals.  But opponents say that, if
> this happens, the privacy of law-abiding individuals will be a risk.
> They want people to be able to use their own scramblers, which the
> government would not be able to decode.
> 
>    If the opponents get their way, however, all communications on the
> information highway would be immune from lawful interception.  


Not too many Clipper proponents have publicly and forcefully stated
a belief that use non-Clipper encryption in communications should be
outlawed.  That is precisely what Denning says in the foregoing,
however.  The belief is that private citizens should NOT be able to use
their own scramblers "which the government would not be able to decode."

What ever happened to the First Amendment to the Constitution?
Apparently, the study of US History is no longer practiced.  The
ultimate enemy is not, and never has been, "the criminal;" it is 
government.

Alas, they listen but do not hear.

_B

------------------------------

Date:    Tue, 1 Mar 94 14:18:21 EST
From:    denning@chair.cosc.georgetown.edu (Dorothy Denning)
Subject: Re: Newsday article: The Clipper Chip Will Block Crime

> In discussing the Clipper controversy, Denning says, of those who oppose
> the government's access to Clipper-encrypted communications:
> 
> >    The Clinton administration has adopted the chip, which would allow
> > law enforcement agencies with court warrants to read the Clipper codes
> > and eavesdrop on terrorists and criminals.  But opponents say that, if
> > this happens, the privacy of law-abiding individuals will be a risk.
> > They want people to be able to use their own scramblers, which the
> > government would not be able to decode.
> > 
> >    If the opponents get their way, however, all communications on the
> > information highway would be immune from lawful interception.  
> 
> 
> Not too many Clipper proponents have publicly and forcefully stated
> a belief that use non-Clipper encryption in communications should be
> outlawed.  That is precisely what Denning says in the foregoing,
> however.  The belief is that private citizens should NOT be able to use
> their own scramblers "which the government would not be able to decode."
>
I did not say that other forms of encryption should be outlawed and
that is not my position or the position of the government. The
opponents of Clipper are urging the government to drop Clipper.  If the
government does that, then Clipper will not even be a choice.  Thus,
there will be no communications encrypted with Clipper, and hence all
encrypted communications will be immune from lawful interception (unless
the encryption scheme is weak).
 
Dorothy Denning

------------------------------

Date:    Thu, 3 Mar 1994 17:44:28 -0800 (PST)
From:    "BETH GIVENS, PRIVACY RIGHTS CLEARINGHOUSE 619-260-4806" 
	 <B_GIVENS@USDCSV.ACUSD.EDU>
Subject: NTIA RELEASES NOTICE OF INQUIRY ON PRIVACY ISSUES

3/3/94 Important NTIA proceeding on privacy.
Please post and otherwise distribute. Thanks.
=============================================

NTIA RELEASES NOTICE OF INQUIRY ON PRIVACY ISSUES

CONTACT:  Larry Williams  
(202) 482-1551
MARCH 1, 1994  

     The National Telecommunications and Information
Administration (NTIA) is undertaking a comprehensive review of
privacy issues relating to private sector use of
telecommunications-related personal information associated with
the National Information Infrastructure (NII).

     Public comment is requested on issues relevant to such a
review.  After analyzing the comments, NTIA will issue a report
and make recommendations as needed.

     The inquiry will focus on potential uses of personal
information generated by electronic communications, including
interactive multimedia, cable television and telephony.  NTIA is
studying the issues that arise when such telecommunications-
related information is used to create detailed dossiers about
individuals.  NTIA seeks to determine whether any overarching
privacy principles can be developed that would apply to all firms
in the telecommunications sector.  In addition, NTIA is
soliciting comment on other countries' actions to ensure the
privacy of information transmitted over telecommunications
networks, and to ascertain how any U.S. policies in this area
will affect the international arena.

     The Notice of Inquiry and Request for Comments appears
in Part IX of the February 11, 1994, Federal Register and is
also available on the NTIA Bulletin Board at (202) 482-1199. 
Set communications parameters to no parity, 8 data bits and 1
stop.  Go into the menu "Teleview-Public Notices and Comments."
File size is 48,514 bytes or about 18 pages of text. Internet 
users can telnet into the BBS at ntiabbs.ntia.doc.gov.

     Comments should be filed on or before March 30, 1994. 
NTIA is accepting comments in writing or posted electronically 
via its BBS. 

     If you have further questions, please contact Carol E.
Mattey or Lisa I. Leidig at the Office of Policy Analysis and
Development, NTIA, 202-482-1880.

------------------------------

End of PRIVACY Forum Digest 03.06
************************

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH