TUCoPS :: Privacy :: priv_425.txt

Privacy Digest 4.25 12/5/95

PRIVACY Forum Digest     Tuesday, 5 December 1995     Volume 04 : Issue 25

            Moderated by Lauren Weinstein (lauren@vortex.com)         
              Vortex Technology, Woodland Hills, CA, U.S.A.
	
                       ===== PRIVACY FORUM =====              

    -------------------------------------------------------------------
              The PRIVACY Forum is supported in part by the 
               ACM Committee on Computers and Public Policy,
          "internetMCI" (a service of the Data Services Division 
      of MCI Telecommunications Corporation), and Cisco Systems, Inc.
                                 - - -
             These organizations do not operate or control the
         PRIVACY Forum in any manner, and their support does not
          imply agreement on their part with nor responsibility 
               for any materials posted on or related to
                           the PRIVACY Forum.
    -------------------------------------------------------------------


CONTENTS 
	PRIVACY Forum on "NBC Nightly News"
	   (Lauren Weinstein; PRIVACY Forum Moderator)
	National Caller ID Debuts--Almost
	   (Lauren Weinstein; PRIVACY Forum Moderator)
	Re: Businesses monitoring employee e-mail (Nick Avery)
	Applied Cryptography case filings on the Web (Phil Karn)
	Re: Getting your clearance on the net (David M. Kennedy)
        Re: S. 1360 - Medical Privacy - CPT statement for today's hearing
	   (Jim Warren)
	Privacy Watchdog Outs Big Brother Companies (Dave Banisar)
	Senate Holds Hearings on Medical Privacy (Marc Rotenberg)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com". 

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  All PRIVACY Forum materials are available
through the Internet Gopher system via a gopher server on site
"gopher.vortex.com".  Access to PRIVACY Forum materials is also available
through the Internet World Wide Web (WWW) via the Vortex Technology WWW 
server at the URL: "http://www.vortex.com".
-----------------------------------------------------------------------------

VOLUME 04, ISSUE 25

   Quote for the day:

	"Mr. President, we must not allow a mine shaft gap!"
			
			--  General "Buck" Turgidson (George C. Scott)
  			    "Dr. Strangelove: Or, How I Learned to Stop
			     Worrying and Love the Bomb" (1964)

----------------------------------------------------------------------

Date:    Tue, 5 Dec 95 14:28 PST
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: PRIVACY Forum on "NBC Nightly News"

Greetings.  I'd like to thank everyone who has commented on the appearance
of the PRIVACY Forum (and your loyal moderator) during a segment regarding
privacy issues on "NBC Nightly News" (and some NBC-affiliated venues, such
as CNBC) a week ago.  While obviously the amount of time available during a
thirty minute national newscast for such pieces is quite limited, I feel
that NBC did a great job of calling to people's attention the fact that the
technologies of computers and computer networks can bring great benefits but
also need to be managed with care to avoid creating new privacy intrusions.
Thanks again!

--Lauren--

------------------------------

Date:    Tue, 5 Dec 95 14:23 PST
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: National Caller ID Debuts--Almost

Another milestone (millstone?) in the ongoing saga of Calling Number ID
(CNID) services passed on Dec. 1, when national CNID theoretically began to
function.  What this really meant is that with some notable exceptions,
telcos and long distance companies are now required (as per an FCC order) to
pass calling party numbers on interstate calls, for display on caller ID
units.  

This follows a long chain of events which ultimately resulted in
the mandated universal provision of per-call ID blocking on interstate
calls (and in most areas, on intrastate calls as well) and the
permitting of per-line ID blocking of both interstate and intrastate
calls (where mandated in individual states) with per-call unblocking.

The exceptions to the universal national availability of CNID information
are delays granted to some smaller telcos whose equipment is not yet capable
of passing the information; delays for technical reasons involving
payphones, PBX systems, hotel phones, and the like; and the entire state of
California.  Since no California telcos have met the state PUC mandated
public education requirements regarding CNID services and ID blocking
options (e.g., *67 for per-call blocking, how to order per-line blocking,
etc.) the FCC has granted California telcos a six month extension.
Theoretically, this means that California telcos should *not* be sending out
calling party numbers on interstate calls at this time, and CNID itself will
not be made available in California until the education requirements are met.

It's worth noting, however, that there are reports that some California
caller numbers have been creeping across state lines anyway, probably due to
switch misconfigurations by some local telcos.  It might be wise for
everyone to start getting into the habit of dialing *67 at the start of all
calls (if their local switch will accept it yet) if they wish to protect
their numbers, at least until such a time (if any) that per-line ID blocking
options become available.  Remember also that calls to 800 and 900 numbers
have caller number information delivered via a different (ANI) system, and
are not subject to ID blocking.

--Lauren--

------------------------------

Date:    Sun, 19 Nov 1995 00:25:27
From:    Nick Avery <nick@avery.win-uk.net>
Subject: Re: Businesses monitoring employee e-mail

Surely the issue here is that the computers and all data on it are the
property of the company. This includes e-mail. My recommendation to
employers is that a Security policy should exist and be publicised to staff
which makes this clear. If there is no expectation or implied promise of
privacy, then nobody's rights are affected. 

Nick Avery, Liverpool - <<Standard disclaimers apply>>

------------------------------

Date:    Mon, 20 Nov 1995 21:00:06 -0800
From:    Phil Karn <karn@unix.ka9q.ampr.org>
Subject: Applied Cryptography case filings on the Web

The government has filed its Motion to Dismiss, or In The Alternative,
For Summary Judgment in the case of Karn vs State Dept. This case
challenges the arbitrary Commodity Jurisdiction Request rulings
made for the book Applied Cryptography and for a floppy disk containing
the same source code printed in the book.

I've begun scanning in and HTMLizing the various government documents,
some of which are sizeable. As I finish them I'm putting them up on
my web page. Please feel free to pass around this URL:

http://www.qualcomm.com/people/pkarn/export/index.html

--Phil

------------------------------

Date:    Wed, 22 Nov 1995 13:22:21 -0500
From:    David M Kennedy <David_M_Kennedy@smtp.ord.usace.army.mil>
Subject: Re: Getting your clearance on the net

Name withheld on request (Risks 17.41) discusses a relatively new
system used by the Defense Investigative Service for submission of
Personnel Security Questionnaires (PSQ) called, not surprisingly, the
EPSQ.  The current version is 1.2.

>You obviously don't sign the form (no digital signature capability); at
> some point in the future they said I'll be asked to sign a hardcopy.

    I have applicants sign the form prior to transmission.  We terminate any
applicant who lies on their forms.

>The risks of sending any sort of confidential information over the net
> have been described to death, so there's nothing new.  It just amazes
> me that the U.S. government office responsible for handing out
> clearances could be so unaware of the risks as to allow it. 
....yadda, yadda, yadda.

    The data is encrypted by the EPSQ program as it creates the disk file. 
The program uses FUNCky a product of dLESKO, Inc of Jersey City, NJ. 
Before the encrypted file is transmitted, it's zipped using PKWARE and
the program requires the user to use PKZIP's encryption feature.
    FUNCky has not been evaluated to meet FIPS 140-1 requirements for
cryptographic modules and the DIS recognizes it is not equal to DES. 
Most security-aware professionals know of the plethora of PKZip
crackers available.
    So Name Withheld's data was double encrypted before being sent
over the net, and it's stored in a file that can't easily be read. This begs
the question of how much security is necessary to protect Name
Withheld's data?  After all, we're not talking launch codes here.  DIS
recognizes the need to use FIPS 140-1 compliant encryption and is
moving in that direction.  In the mean time they've put something in the
hands of security managers in the field that provides adequate
safeguards considering the value of the data and the risks associated
with it's compromise.
    Version 2.0 of the EPSQ will have more robust encryption.  Among the
products under consideration are RSA's BE SAFE and AT&T's SURITY.
    Both Name Withheld and DavidG3276@aol.com demonstrate the RISKS
of posting without checking the facts beforehand.

For PRIVACY Forum Digest readers: DavidG whined about the risks of the US
Army's use of computers to assist in field artillery fire control, something
we've done since Vietnam.

Dave Kennedy [US Army MP] [CISSP] (husband of a former Artillery Officer)
a.k.a. 76703.2557@compuserve.com volunteer SysOp National
Computer Security Association forum on CompuServe GO NCSAFORUM

------------------------------

Date:    Wed, 15 Nov 1995 08:24:26 -0800
From:    jwarren@well.com (Jim Warren)
Subject: Re: S. 1360 - Medical Privacy - CPT statement for today's hearing

Jamie Love from Ralph Nader's group just posted a lengthy comment/analysis
of the privacy problems re Senate Bill 1360.  This excerpts his lead, plus
ending pointers to where full information can be obtained.

--jim
Jim Warren, GovAccess list-owner/editor (jwarren@well.com)
Advocate & columnist, MicroTimes, Government Technology, BoardWatch, etc.

===

>These were our comments at today's hearing on S. 1360.  We did not
>testify.  (only one opponent of the bill was permitted to testify today).
>jamie
>
>
>          Comments of Consumer Project on technology
>                               on
>   S. 1360 - the Medical Records Confidentiality Act of 1995
> submitted to the Senate Committee on Labor and Human Resources*
>
>                          James P. Love
>                       November 14, 1995
>
>Introduction
>
>     The following comments of the Consumer Project on Technology
>(CPT) outline our suggestions for improvements in S. 1360, the
>Medical Records Confidentiality Act.  While we join others in
>applauding the sponsors of S. 1360 for focusing attention on the
>important issue of privacy of medical records, we cannot support
>the bill as introduced.  ...
>
> ...
>
>     The Consumer Project on Technology has created an Internet
>discussion list for this issue, called med-privacy, which
>available for subscriptions from listproc@essential.org. Send a
>note to listproc@tap.org, with the message:
>
>     subscribe med-privacy yourfirstname yourlastname
>
> Our World Wide Web page has additional information, and is
>located at:
>
>     http://www.essential.org/cpt/privacy/privacy.htm.
>
>     The Consumer Project on Technology (CPT) is a project of the
>Center for Study of Responsive Law.  The CPT was created by Ralph
>Nader this year to study a number of issues related to new
>technologies, including telecommunications regulation, pricing of
>pharmaceutical drugs, intellectual property rights, and the
>impact of computers on privacy.  The URL for CPT is
>http://www.essential.org/cpt/cpt.html.
>
>----------------------------------------------------------------------
>James Love, love@tap.org
>P.O. Box 19367, Washington, DC 20036; v. 202/387-8030; f. 202/234-5176
>Consumer Project on Technology; http://www.essential.org/cpt/cpt.html
>Taxpayer Assets Project; http://www.essential.org/tap/tap.html

------------------------------

Date:    4 Dec 1995 10:32:25 -0500
From:    "Dave Banisar" <banisar@epic.org>
Subject: Privacy Watchdog Outs Big Brother Companies

MEDIA RELEASE

Contact: Simon Davies, Privacy International
Davies@privint.demon.co.uk

PRIVACY WATCHDOG OUTS BIG BROTHER COMPANIES 

New report uncovers a massive international surveillance trade funded by the
arms industry and led by the UK

On Monday 4 December, Privacy International will publish Big Brother
Incorporated, a 150 page report which investigates the global trade in
repressive surveillance technologies. The report, to be published on several
Web sites on the Internet, shows how technology companies in Europe and
North America provide the surveillance infrastructure for the secret police
and military authorities in such countries as China, Indonesia, Nigeria,
Angola, Rwanda and Guatemala

The reports primary concern is the flow of sophisticated computer-based
technology from developed countries to developing countries - and
particularly to non-democratic regimes.  The report demonstrates how these
companies have strengthened the lethal authority of the world's most
dangerous regimes.

The report lists the companies, their directors, products and exports.  In
each case, source material is meticulously cited.  Privacy International is
publishing the report in digital form in several sites on the Internet to
ensure its accessability by interested parties anywhere in the world.

Surveillance technologies are defined as technologies which can monitor,
track and assess the movements, activities and communications of
individuals.  More than 80 British companies are involved, making the UK the
world leader in this field. Other countries, in order of significance, are
the United States, France, Israel, the Netherlands and Germany.

_Big Brother Incorporated_ is the first investigation ever conducted into
this trade.  Privacy International intends to update the report from time to
time using trade fair documents and leaked information from whistleblowers.

The surveillance trade is almost indistinguishable from the arms trade. More
than seventy per cent of companies manufacturing and exporting surveillance
technology also export arms, chemical weapons, or military hardware.
Surveillance is a crucial element for the maintenance of any non-democratic
infrastructure, and is an important activity in the pursuit of intelligence
and political control.  Many countries in transition to democracy also rely
heavily on surveillance to satisfy the demands of police and military. The
technology described in the report makes possible mass surveillance of
populations.  In the past, regimes relied on targeted surveillance.

Much of this technology is used to track the activities of dissidents, human
rights activists, journalists, student leaders, minorities, trade union
leaders, and political opponents. It is also useful for monitoring larger
sectors of the population. With this technology, the financial transactions,
communications activity and geographic movements of millions of people can
be captured, analysed and transmitted cheaply and efficiently.

Western surveillance technology is providing invaluable support to military
and totalitarian authorities throughout the world.  One British computer
firm provided the technological infrastructure to establish the South
African automated Passbook system, upon which much of the functioning of the
Apartheid regime British surveillance cameras were used in Tianamen Square
against the pro-democracy demonstrators.  In the 1980s, an Israeli company
developed and exported the technology for the computerised death list used
by the Guatemalan police. Two British companies routinely provide the
Chinese authorities with bugging equipment and telephone tapping devices. 

	Privacy International was formed in 1990 as a non-government,
non-profit organisation.  It brings together privacy experts, human rights
advocates and technology experts in more than 40 countries, and works toward
the goal of promoting privacy issues worldwide.  The organisation acts as an
impartial watchdog on surveillance activities by governments and
corporations.

For further information or interview, contact Simon
Davies in London at davies@privint.demon.co.uk.  The address of the web
site is  http://www.privacy.org/pi/reports/big_bro/

David Banisar (Banisar@privacy.org)     *  202-544-9240 (tel)
Privacy International Washington Office *  202-547-5482 (fax)
666 Pennsylvania Ave, SE, Suite 301     *  HTTP://www.privacy.org/pi/
Washington, DC 20003                   

------------------------------

Date:    Wed, 22 Nov 1995 00:54:06 -0800
From:    "Marc Rotenberg" <rotenberg@epic.org>
Subject: Senate Holds Hearings on Medical Privacy

	[ From EPIC Alert 2.15 -- MODERATOR ]

On Tuesday, November 14, the Senate Committee on Labor and Human
Resources held a hearing on the controversial Medical Record 
Confidentiality Act (S. 1360). The committee heard from the sponsors, 
several industry groups, an AIDS advocacy group supporting the bill 
and a patients rights group opposing the bill.

The hearing was contentious and most witnesses and Senators in
attendance agreed that substantial changes in the bill were necessary.
Dr. Denise Nagel, a practicing psychiatrist and the President of the
Coalition for Patient Rights of New England testified that the bill
would "codify some of the most egregious breaches of ethics, morals 
and the Hippocratic oath that this country has ever seen." Dr. Nagel 
pointed to weaknesses in the consent provision: "Senate Bill 1360 not
only permits some types of such extremely objectionable disclosures to
third parties without notification or consent, but its procedures will
mislead patients in this respect.  The patient not only will be
unaware of this further dispersion of his personally-identified
information, but will be cruelly tricked by the initial assurance that
the disclosure will be solely for treatment and payment."

The Consumer Project on Technology (CPT) submitted a detailed
statement to the Committee with comments on how to improve the bill.
CPT Director James Love described the bill as "fundamentally flawed"
and said it would "legitimize and contribute to the continued erosion of
personal privacy." Evan Hendricks, chairman of the U.S. Privacy Council,
wrote that "the current proposal will do more harm than good by 
legitimizing a large database surveillance system while leaving 
Americans without sufficient choices or remedies to retain a
satisfactory level of privacy."

Despite early predictions that the bill would be adopted by the Senate
before Thanksgiving, quick action now appears unlikely. It is expected
that the Senate will take up the bill again after the Christmas break.

More information about medical privacy, including the testimony
of Dr. Nagel and the text of S. 1360, is available at:

           http://www.epic.org/privacy/medical/

------------------------------

End of PRIVACY Forum Digest 04.25
************************

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH