
Privacy Digest 3.07 3/26/94

PRIVACY Forum Digest      Saturday, 26 March 1994       Volume 03 : Issue 07

          Moderated by Lauren Weinstein (lauren@vortex.com)
            Vortex Technology, Woodland Hills, CA, U.S.A.
                     ===== PRIVACY FORUM =====

   	  The PRIVACY Forum digest is supported in part by the 
	      ACM Committee on Computers and Public Policy.

	Outlawing non-(government) approved encryption (A. Padgett Peterson)
	Clipper & other countries (Konrad Van Zyl)
	NASA "privacy" controversy on Usenet (Jonathan McDowell)
	New Book From IOM On Health Data Privacy (Marc Schwartz)
        Tonya Harding E-Mail (Erik Nilsson)
	Gambling (Phil Agre)
        Intrusion-Detection Workshop (Teresa Lunt)

 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com".  All submissions included in this digest represent
the views of the individual authors and all submissions will be considered
to be distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  All PRIVACY Forum materials are also
available through the Internet Gopher system via a gopher server on
site "gopher.vortex.com".

For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@vortex.com, call (818) 225-2800, or FAX
to (818) 225-7203.


   Quote for the day:

	"In the not too distant future,
	 Next Sunday A.D.
	 There was a guy named Joel,
	 Not too different from you or me.
	 He worked at Gizmonic Institute,
	 Just another face in a red jumpsuit.
	 He did a good job cleaning up the place,
	 But his bosses didn't like him,
	 So they shot him into space..."

  	  -- From original theme of "Mystery Science Theater 3000" ("MST3K")
	     (Local Minneapolis television and cable's "Comedy Central")


Date:    Mon, 7 Mar 94 08:32:33 -0500
From:    padgett@tccslr.dnet.mmc.com 
	 (A. Padgett Peterson, P.E. Information Security)
Subject: Outlawing non-(government) approved encryption.

>    The Clinton administration has adopted the chip, which would allow
> law enforcement agencies with court warrants to read the Clipper codes
> and eavesdrop on terrorists and criminals.  But opponents say that, if
> this happens, the privacy of law-abiding individuals will be a risk.
> They want people to be able to use their own scramblers, which the
> government would not be able to decode.

Lately I have been seeing too much of what IMNSHO amounts to hype and
distortion over Clipper & Company.

"The Clinton Administration has adopted the chip" - for communications with
the government of information that is considered "sensitive but unclassified",
i.e. that information covered by the Privacy Act - public law 93-579.

Currently much of this information (such as IRS forms) is currently being 
sent in the clear since no practical alternative exists. Since the information
is being sent to-from the gov, who cares if the gov can tap it ?

No-one has said that consenting adults cannot communicate in any form they
want nor that the gov has to be able to listen in easily other than in a 
technical sense. Book codes are still the easiest to generate and the hardest
to break (unless you know what book to use). If the gov tried to it would
be trivial to make anything decode to the Congressional Record and what
court will be able to say that wasn't what you sent ?

Point is that to outlaw general encryption is like King Canute ordering the
sun to rise in the West - the sun will ignore the order and there is not
much the king can do about it.

For that matter, no-one claims to have broken triple-DES and that is still 
a gov standard.

Again IMHO the amount of encryption available to the average American today
is limited to whatever is on their ATM card. Clipper is not perfect but
is *more* and is *good enough for government work*.

Seems to me that the detractors are just trying to limit *my* choices before
I get a chance to exercise them and *that* smacks of censorship.



Date:    Tue, 8 Mar 1994 16:18:17 GMT+2
From:    "VAN ZYL KE" <9381945@info.up.ac.za>
Subject: Clipper & other countries


Following two issues of comments regarding Clipper, FBI wire tapping 
etc., I wish to ask the following question:

Has anyone considered the effect of Clipper and other
such proposals and their possible implementation on other countries?

Asking that, I refer specifically to less stable countries 
where stable refers to politics and human rights. 

These countries will increasingly be using their own 
versions of a "digital highway" and Internet. Following the example 
that can be set by your government, it bodes ill for the privacy of 
citizens in less developed countries.

I do not for one moment expect the U.S. to be held responsible for 
the abuse of I.T. in other countries or any other problems, but only 
raised the question from a worried citizen's point of view.

Thank you

Konrad Van Zyl


Date:    Sun, 13 Mar 94 13:46:02 EST
From:    jcm@urania.harvard.edu (Jonathan McDowell)
Subject: NASA "privacy" controversy on Usenet [Subject chosen by MODERATOR]

    [ I requested a summary of this rather loud ongoing Usenet controversy.
      Mr. McDowell graciously provided the following.  -- MODERATOR ]

OK.  Here's a very brief summary. Ken Hollis is one of several people
within NASA who have responded to technical questions about the space program
on the internet. He also would post various interesting things like
the Houston space center house newsletter and his own compilation
of future Shuttle launches (the 'manifest'), which has become 
particularly useful since the last official manifest was well
over a year ago and is sadly out of date. The posting appended
below appeared on the Internet group sci.space.shuttle and immediately
produced lots of responses from Ken's readers and correspondents along
the lines of 'this is awful, censorship, let's sue NASA'. 

    - Jonathan

[ Apparently Ken Hollis actually works for a major NASA
  contractor, and the contractor, after being contacted
  by NASA, ordered him to cease those postings.  -- MODERATOR ]

    From cfanews!hsdndev!wupost!cs.utexas.edu!utnut!utzoo!henry 
    Sun Mar 13 13:40:08 1994
    Newsgroups: sci.space.shuttle
    Path: cfanews!hsdndev!wupost!cs.utexas.edu!utnut!utzoo!henry
    From: henry@zoo.toronto.edu (Henry Spencer)
    Subject: Ken Hollis won't be posting any more
    Message-ID: <CMGGqv.8H7@zoo.toronto.edu>
    Date: Thu, 10 Mar 1994 15:37:41 GMT
    Organization: U of Toronto Zoology
    Lines: 54

    I got the following from Ken Hollis, with a request that I post it here:


    Greetings and Salutations:

    This will most likely be my last post to the Internet group
    sci.space.shuttle until such time as I leave my current company and work
    for a different company.

    Shortly after I posted the most recent manifest and launch pass info,
    some MSFC (Marshall Space Flight Center) PAO (Public Affairs Office)
    personnel sent copies of these documents (or parts thereof) to the KSC
    (Kennedy Space Center) NASA PAO office, questioning whether or not the
    information in these documents should be publicly distributed.  They did
    not understand that the launch pass and manifest files that I had put
    together on my own time were my (apparently misguided) attempts to create
    some enthusiasm about shuttle launches and get information out the
    Internet.  One more small joy in my life gone... (of the very few left...)

    After talking to the NASA PAO at KSC, I asked them to make whatever
    changes / deletions to the documents they liked in order to allay their
    concerns, and I awaited the changes (and I am still awaiting changes).  I
    was also informed that my disclaimers at the end of the document (i.e., my
    .sig) were not considered valid--it still "looked" official.

    The next contact I received was from the public affairs office in my
    company who had been contacted by the KSC PAO (subsequent to my
    conversation with KSC PAO).  Bringing this to the attention of my
    company changed the focus of the problem from an issue of the customer
    to a company issue.  Per my company's management directives, all
    questions to which I want to respond
    (whether these are questions posed to me personally or to "the net" at
    large, and whether on the net or in person) are to be cleared through my
    company's public affairs office, and I am to exercise good judgment while on
    *or* off duty in my responses.  *ANY* postings from me about the shuttle
    must first be approved by my manager or supervisor and then by the company
    public affairs.  I agreed to no longer reply to any sci.space.shuttle
    postings, with my assumption that if I fought them on this, I would have an
    increased chance of a layoff / job termination.

    I was also informed that since MSFC now has access to the Internet, they
    were "considering" officially answering all questions concerning NASA /

    My help is not required...
    Official disclaimer : I don't talk officially for NASA, and they
    don't make any commitments for me.  Seemed like a fair deal.
    Ken Hollis
    Dizzyclaimer:  If you believe this is in any way, shape, or form actual
    official information or opinion,then you are probably as confused if not
    more so than I am...I think...


Date:    Tue, 22 Mar 94 10:54 EST
Subject: New Book From IOM On Health Data Privacy

I just received a new book published for the National Academy of Science's
Institute of Medicine entitled "Health Data in the Information Age:  Use,
Disclosure and Privacy".  The copyright is 1994 and is the result of a
follow-on project to their 1991 publication "The Computer Based Patient
Record:  An Essential Technology For Health Care".  This new book covers a
variety of topics including the recognition of the formation of so-called
Regional Health Data Networks for the purpose of tracking patient outcomes
and facilitating improved access to medical data on patients.  A great deal
of the book deals with the significant privacy issues that will need to be
addressed as we move toward the computerization of the medical record and
the use of computer networks for remote consulting, including legislative
approaches.  Additional work covers the issues surrounding the release of
health care provider specific data (hospital/physician) relative to attempts
to give the public an ability to make quality of care decisions in their
selections of providers.  This is already being done in New York,
Pennsylvania and other states in the realm of cardiac surgery and cardiology
related interventions and has come under significant fire from the health
care community for being, at best misleading to an uninformed public, at
worst a significant threat to patient access to health care.

The book may be ordered from National Academy Press at 1-800-624-6242 and
is priced at $39.95.  It is a major work in this area and I would strongly
urge its reading to anyone interested.

Marc Schwartz Director of Clinical Services Summit Medical Minneapolis,
MN 55447 Voice:  612-473-3250 Internet:  SchwartzM at dockmaster.ncsc.mil


Date:    Wed, 23 Mar 1994 11:13:11 -0800
From:    erikn@goldfish.mitron.tek.com (Erik Nilsson)
Subject: Extracted [by MODERATOR] from CPSR/PDX 7 #2: Tonya Harding E-Mail

  [ Extracted from CPSR/PDX Vol. 7 #2; March 1994  -- MODERATOR ]


Accessory-after-the-fact and former skater Tonya Harding was the
victim of hacking by an unknown number of reporters, including
syndicated columnist Dave Barry, according to a variety of print and
net sources.

The Dallas Morning News reported on February 24th that Michelle
Kaufman of the Detroit Free Press, Ann Killion of the San Jose Mercury
News and Jere Longman of The New York Times read Ms. Harding's e-mail
access code off of her credentials from a television close-up, and
guessed her password.

Alex Johnson of the Knight-Ridder/Tribune News Service reports that
soon afterward, Dave Barry admitted to hacking Ms. Harding's e-mail
account himself.  Mr. Barry vigorously defended his actions, saying
that reporters do such things "... all the time."  Mr. Barry's editor
at the Miami Herald also defended Mr. Barry's actions, likening them
to watching the dismemberment of chickens on television.

The Mercury News backed Ms. Killion's actions. The Times had no

Heath Meriwether, executive editor of the Detroit Free Press, took a
somewhat less permissive attitude.  "Obviously, it's something we
don't approve of," said Mr. Meriwether.  "It's against our policy, and
Michelle [Kaufman] regrets it. It shouldn't have been done. But in my
opinion, Michelle is a fine reporter with great integrity. She
realizes she made a mistake. We're reviewing it and will be
apologizing to Tonya [Harding]."

Hacking into e-mail accounts has been sufficient to earn criminal
charges for US hackers in the past.  While US law may well not apply
to a property crime in Norway, the spectacle of reporters claiming it
was no big deal to do something that people are serving prison
sentences for in the US was disquieting to posters to groups such as
JOURNET and alt.2600.

The Detroit News provided a bizarre postscript to events when they ran
a story on involvement by their rival Detroit paper, the Detroit Free
Press.  The story included a Detroit Free Press photo of Ms. Kaufman
that, according to some sources, was obtained when the News hacked the
Free Press on-line photo archive.

Thanks to Marsha Woodbury, Alex Johnson, Chris Hawley, and Jeff
Johnson for several postings on this story.


Date: Sat, 19 Mar 1994 09:04:47 -0800
From: Phil Agre <pagre@weber.ucsd.edu>
Subject: Gambling

  [ Extracted from RISKS-FORUM Digest; Tuesday 22 March 1994;
    Volume 15 : Issue 68  -- MODERATOR ]

For those with an interest in risks, the technology supplement to Forbes
magazine, Forbes ASAP, is a regular smorgasbord.  The 10/25/93 issue, for
example, includes an article about Bally's casinos' use of customer databases
to optimize their investments in "comping", the practice of offering free
drinks, hotel rooms, plane tickets, and what-not to high rollers.  Given
enough information about an individual's bets (regardless of whether they
win), a straightforward economic calculation can decide which level of 
comping is optimal.  (The full reference is: David H. Freedman, Odds man in
[Bally's Atlantic City casino], Forbes ASAP, 25 October 1993, pages 33-35.)

The problem is getting the information into the computer.  The Bally's casino
accomplishes this in two ways.  At roulette tables and the like, they simply
have someone watch the game and enter bets into a portable computer.  (This
computer can also determine how much credit to extend to a given customer.)
At the slot machines, they give each player a card with a magnetic strip that
goes into the machine for as long as the player is playing.  (They also offer
a strap to keep the card attached to your wrist, so you don't walk away from
the machine without it.)

The risks, of course, are obvious.  Rational gamblers can take advantage 
of competition between casinos, choosing the best comping deal.  But many
people are addicted to gambling, and these innovations also make it easy for
an addict on a binge to gamble away the maximum possible sum.  Furthermore, 
as the article points out, "the riot of blinking lights, the clacking of
spinning wheels, the absence of outside views or public phones -- all of this
encourages the otherwise solidly grounded visitor to lose track of time and
space, not to mention financial common sense".  Profit margins are high, and
investors are pleased.

The analogy to data-intensive marketing of cigarettes (see Risks 15.62) is
strong.  What's next?  How about a frequent drinker's club for premium brands
of liquor?  Or individualized advice for children, based on detailed family
demographics, about how to shame their parents into buying them expensive
toys?  It wouldn't be that hard.  You could actually get a toy to do the
explaining.  Each product from a given toy company would contain a single chip
with a small microprocessor, a simple RF receiver, some memory, and a speech
synthesis device.  When the toy goes through the checkout, an RF device built
into the cash register downloads the toy with a demographic profile of the
family derived from credit files pulled up through the purchase transaction.
Then, as the child plays with the toy, the toy explains to the child the
virtues of various other toys from the same company, along with suggestions
for persuasion tactics that consumer research has shown to work well on
parents in that particular market segment.  If the toys can send as well as
receive wireless data transmissions then newer toys can reprogram the older
ones.  Better yet, the child's videogame system, which will surely get its
software over phone lines in the near future, could also download all of the
child's other toys with new sales pitches, based on records of whether the
previous pitches worked, as well as the latest market research and television
and movie product tie-ins.

Phil Agre, UCSD


Date:    Thu, 10 Mar 94 11:25:41 -0800
From:    Teresa Lunt <lunt@csl.sri.com>


                             May 19-20, 1993
                            SRI International
                       Menlo Park, California, USA

You are invited to attend a two-day workshop on intrusion detection to be
held at SRI International in Menlo Park, California on May 19-20, 1993, which
are the Thursday and Friday following the 1994 IEEE Symposium on Research in
Security and Privacy in Oakland, California.  This will be the thirteenth in
a series of intrusion-detection workshops.

The workshop will consist of several short presentations as well as
discussion periods.  If you have any progress to report on an
intrusion-detection project or some related work that would be appropriate
for a short presentation, please indicate the title and a paragraph
describing your proposed talk on the enclosed form.  You can also indicate
there your suggestions for discussion topics.  Please email the completed
form to Liz Luntzel at luntzel@csl.sri.com

If you and/or your colleagues wish to attend, please RSVP via email using the
attached form.  For other questions, please email Liz at luntzel@csl.sri.com
or call her at 415-859-3285.  You can also send us a fax at 415-859-2844.

There will be a $100 charge for the workshop.  This fee includes lunches in
SRI's International Dining Room.  Please send your check to Liz Luntzel,
EL248, SRI International, Computer Science Laboratory, 333 Ravenswood Avenue,
Menlo Park, California  94025.

The workshop will begin at 9am and will conclude at 5pm on Thursday,
and will be from 9am to 2pm on Friday.


                         DIRECTIONS TO SRI

SRI is located at 333 Ravenswood Avenue in Menlo Park.  The workshop
will be held in room IS109, which is in the International Building.
To get to SRI:

From Highway 101:
From I-101, take Willow Road (Menlo Park) west to Middlefield
Road (approx. 1 mile).  Turn right onto Middlefield Road.  Go one 
block and turn left onto Ravenswood Avenue.  SRI Building A (red 
brick building) is 1/4 mile up Ravenswood Avenue, on the left.  
The address is 333 Ravenswood Avenue.  

From I-280:
From I-280, take Sand Hill Road (east towards Menlo Park). Follow Sand
Hill Road to Junipero Serra and turn left.  Bear right at the next light,
and turn right at the stop sign onto Santa Cruz.  Take Santa Cruz to
El Camino and turn right.  Then take the first left, onto Ravenswood.
Cross the railroad tracks.  SRI is at 333 Ravenswood, on the right. If you
continue along Ravenswood toward Middlefield, you will come to the
conference parking area at the corner of Ravenswood and Middlefield.

From Central Expressway:
From Central Expressway, go north towards Menlo Park all the way
to where it merges with El Camino Real.  Continue north on El Camino, 
staying in the right lane, for a few blocks, and turn right onto
Ravenswood Ave.  Cross the railroad tracks, and after the first light
look for SRI on your right.  SRI is at 333 Ravenswood.

Visitors may park in the small visitors lot in front of Building A or in the
conference parking area at the corner of Ravenswood and Middlefield (where
there is lots of space).  The workshop will be held in the International
Building, the white concrete structure on Ravenswood to the East (closer to
Middlefield) of Building A.  Visitors should sign in at International
Building --- from the parking lot go up the steps and across the courtyard.
-----------------------------  cut here  ------------------------------------

                      PLEASE RSVP USING THIS FORM
                        to luntzel@csl.sri.com

                Thirteenth Intrusion-Detection Workshop
                               May 19-20
                          SRI International
                            Menlo Park, CA

Yes! I will attend the Intrusion-Detection Workshop May 19-20 at SRI.  I am
sending a check for $100 to Liz Luntzel, EL248, SRI International, Computer
Science Laboratory, 333 Ravenswood Avenue, Menlo Park, California  94025.

Please complete the following:

Check one:
    I will present a talk.
    I will not present a talk.
Please complete the following:
Title of Talk:
Suggestions for Discussion Topics:


End of PRIVACY Forum Digest 03.07
