
Privacy Digest 7.08 5/01/98

The following document is from the PRIVACY Forum Archive at 
Vortex Technology, Woodland Hills, California, U.S.A.

For direct web access to the PRIVACY Forum and PRIVACY Forum Radio,
including detailed information, archives, keyword searching, and 
related facilities, please visit the PRIVACY Forum via the web URL:

    http://www.vortex.com

-----------------------------------------------------------------------

PRIVACY Forum Digest      Friday, 1 May 1998      Volume 07 : Issue 08

            Moderated by Lauren Weinstein (lauren@vortex.com)         
              Vortex Technology, Woodland Hills, CA, U.S.A.
	                 http://www.vortex.com 
	
                       ===== PRIVACY FORUM =====              

    -------------------------------------------------------------------
                 The PRIVACY Forum is supported in part by
               the ACM (Association for Computing Machinery)
	         Committee on Computers and Public Policy,      
          "internetMCI" (a service of the Data Services Division         
                  of MCI Telecommunications Corporation), 
	  	  Cisco Systems, Inc., and Telos Systems.
                                 - - -
             These organizations do not operate or control the     
          PRIVACY Forum in any manner, and their support does not
           imply agreement on their part with nor responsibility   
        for any materials posted on or related to the PRIVACY Forum.
    -------------------------------------------------------------------


CONTENTS 
	Privacy or Technology Questions / Concerns 
	   (Lauren Weinstein; PRIVACY Forum Moderator)
	Cell Phone Jamming (Lauren Weinstein; PRIVACY Forum Moderator)
        PacBell hard sell on CallerID (Paul Hoffman)
	Portable fingerprint scanner (Phil Agre)
	Direct mail (Phil Agre)
	UK Crypto Policy - govt statement - 27 April 1998 (Keith Parkins)
	EFC Press Release:  Canada's Top Cryptographers Oppose 
	   Crypto Regulation (Jeffrey Shallit)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com". 

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com".  

Access to PRIVACY Forum materials is also available through the Internet
World Wide Web (WWW) via the Vortex Technology WWW server at the URL:
"http://www.vortex.com"; full keyword searching of all PRIVACY Forum files
is available via WWW access.
-----------------------------------------------------------------------------

VOLUME 07, ISSUE 08

   Quote for the day:

	"I guess I just have a good kisser."

		-- Audrey Fulquard (Jackie Joseph)
		   "The Little Shop of Horrors" (Allied Artists; 1960)

----------------------------------------------------------------------

Date:    Fri, 1 May 98 18:14 PDT
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Privacy or Technology Questions / Concerns

Greetings.  In the ongoing course of moderating the PRIVACY Forum, I receive
a large amount of e-mail from people who aren't submitting messages for
possible inclusion in the digest, but rather who want to discuss or get
advice regarding particular privacy and/or technology concerns.  Within the
limits of available time I do my best to help in such situations, though it
is impossible to respond personally to every query.  

To make it somewhat easier for folks with privacy or "technology and
society" questions or concerns to send "not for the digest" messages to me,
I've created a specific web page with a form for such messages, which can be
used instead of e-mail for such materials.  The form should not be used for
digest submissions.  

Again, I can't promise to respond to every query sent via the form, but I'm
glad to try to help where I can.

The form can be accessed by following the links through the PRIVACY Forum
to:

   http://www.vortex.com/privform.html

--Lauren--
Lauren Weinstein
Moderator, PRIVACY Forum
http://www.vortex.com

------------------------------

Date:    Fri, 1 May 98 17:14 PDT
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Cell Phone Jamming

Greetings.  I recently viewed an announcement of the development by an
Israeli firm of a system for, essentially, the jamming of cellular telephone
systems.  The proposed uses for the device are to ensure lack of
interruption at theaters and other cultural events ("acoustic nuisances"),
avoiding cell phone "interference" with medical devices, and various
security-oriented applications where it was considered desirable to prevent
use of any sort of cell phone (including analog, digital, PCS, etc.)

A number of concerns immediately came to mind.  Would such a device be
legal?  What would be the potential liability of an entity that used such a
device if an important call or page were blocked?  Would there be
unscrupulous uses for such a system, perhaps by criminals wishing to prevent
calls into or out of a "target" area?  Would such a jamming device
potentially represent its own interference problems to unrelated devices?

The firm's web page states that appropriate licenses are required to use the
equipment.  Offhand, I don't know of a license in the U.S. that would permit
the interfering with common carrier communications in such a manner. 
I contacted the firm via e-mail and received a rapid response.  They 
suggested that since anyone was free to shield their building from radio 
signals, the use of an "active" device such as theirs was analogous.  
They also suggested that their device would not affect pagers, only cell 
phones.  As for possible criminal use, they seemed to feel that this was the 
same problem faced by much technology, including firearms and Internet access.

I sent a follow-up message pointing out my concerns over their "shielding
equals active jamming" concept.  I also pointed out that stand-alone pagers
are being rapidly replaced by integral paging systems built into digital
cellular and PCS phones.  It is not technically possible (as far as I know)
to interfere with the voice communications portion of these phones without
blocking the paging functions as well.  

So far, I have not received any response to my follow-up message. 
Cellular systems, the Global Positioning Satellite system, and other complex
radio-based networks have become critically intertwined into our lives.
Needless to say, the implications of the availability of devices to jam
communications systems, which we all expect to work when needed, are serious
indeed.

--Lauren--
Lauren Weinstein
Moderator, PRIVACY Forum
http://www.vortex.com

------------------------------

Date:    Sun, 19 Apr 1998 17:52:57 -0700
From:    Paul Hoffman <phoffman@proper.com>
Subject: PacBell hard sell on CallerID

You may find the following conversation amusing. I called PacBell on
Wednesday to have the automatic check payment on my phone numbers switched
off because it wasn't working well with Quicken 98. No problem. At the end
of the conversation, the PacBell employee asked the customary "is there
anything else I can do for you", to which I said no. Thus follows:

PacBell Employee: "I notice that you have maximum CallerID blocking on all
these lines. Would you like me to change that to selective blocking?"
Me: "No, why would I?"
PBE: "Well, many customers report they have problems calling some people
that do not allow calls from people with CallerID blocking on."
Me: "That's only happened once to me, and I didn't care to talk to that
person."
PBE: "Well, that sounds like a good reason you would want to remove it on
all your lines."
Me: "Don't touch it. Really. I like having it on."
PBE: "OK. We were told to inform customers like you of the problems that
CallerID causes for some people."

The term "hard sell" comes to mind.

--Paul Hoffman

------------------------------

Date:    Tue, 28 Apr 1998 14:06:06 -0700 (PDT)
From:    Phil Agre <pagre@weber.ucsd.edu>
Subject: portable fingerprint scanner

An article in the LA Times (Robert J. Manzano, Portable scanner will
speed police fingerprint checks, Los Angeles Times, 17 April 1998, page
B2) reports on a new "portable scanner that can read fingerprints [and]
compar[e] the prints with a central file within five minutes", together
with a system that maintains a database of palm prints.  Both systems
"are being used by San Francisco police as part of a testing period".
Although the police suggest that the devices "make it less likely for
innocent people to be arrested", evaluation of the test should determine
whether significantly more people are being fingerprinted as a result
of the easy availability of the scanner.  Police use of such scanners
may not pose a significant civil liberties concern in isolation, but
it is part of a vastly larger pattern of new identification and tracking
technologies that are being applied in a tremendous variety of niches.

Phil Agre

------------------------------

Date:    Tue, 28 Apr 1998 14:22:21 -0700 (PDT)
From:    Phil Agre <pagre@weber.ucsd.edu>
Subject: direct mail

The other day I was accosted at a conference by a representative of
the direct mail industry who took issue with some statements I had made
on this mailing list.  He made several arguments that I found peculiar.
I do not have a verbatim transcript of his remarks, so the phrases in
quotes here are my (inevitably inaccurate) attempts to paraphrase what
he said.

(1) "It is unreasonable to require individuals to give consent before
receiving direct mail because we cannot shut down commerce, and commerce
cannot function unless people can hear about opportunities that they do
not already know about."

The problem with this argument is that people already have many such
opportunities, including advertisements in dozens of media.  Defenses
of unsolicited advertisements through direct mail, therefore, require
a more specific justification.  Commerce would proceed perfectly well,
in other words, if direct mail were outlawed tomorrow.

(2) "You are curtailing freedom by preventing people from allowing
themselves to receive direct mail."

If I understand correctly, the point of this argument is that defenders
of "opt-in" schemes would require a separate "opt-in" for every single
mailing or mailing list, and would thus outlaw any mechanism by which
a person could state to the world a generalized willingness to receive
direct mail.  This is, of course, absurd and false.  The principle is
informed consent.  An organization that wishes to create a mechanism
that allows people to solicit direct mail should be able to structure
that mechanism however they like, so long as the solicitation requires
an express, fully informed request by the individual, and so long as the
data thereby collected is handled in accordance with generally accepted
fair information practices.

What is more, even *if* such generalized mechanisms were outlawed,
"opt-in" schemes would still not curtail individuals' freedom to receive
direct mail, inasmuch as everyone could easily check the "yes" box every
time they surrender their personal information.  Reasonable constraints
on the traffic in personal information by direct mailers simply do not
abridge the liberty of the people whose personal information is thereby
being protected, and it is perverse to suggest otherwise.

(3) "It would indeed be wrong if marketers were targeting people as
individuals, but they must be able to send mail to people on account of
their membership in particular demographic categories."

Marketers often assert that they do not target people as individuals,
but this statement is nearly meaningless.  Marketers target people
if they believe that doing so is likely to be profitable, and indeed
nobody ever targets anybody else for anything except in terms of their
own goals.  On the other hand, neither do marketers simply target
people based on their demographic characteristics, unless the notion
of demographics is expanded to include purchase histories and an
increasingly wide variety of other information.

It was on the basis of these arguments that this individual portrayed
my views as utterly beyond the pale of reasonable discourse.  It is
distressing to think that such arguments continue to succeed, year
in and year out, in postponing common-sense regulatory measures that
overwhelming majorities of Americans support in polls.

Phil Agre

------------------------------

Date:    Fri, 01 May 1998 18:32:33 +0100
From:    Keith <keith@redkbs.com>
Subject: UK Crypto Policy - govt statement - 27 April 1998

'In principle it's voluntary; but, de facto, it's compulsory.
This is exactly what so many of us in the US have worked very
hard to stop.' -- Phil Zimmermann, InfoSec98

In the early hours of Tuesday 28 April 1998 I tuned into the BBC
World Service News to hear a detailed report on the UK Crypto
Policy - strange no mention on UK news.

The report started with an announcement that the British
Government was growing increasingly concerned at the amount of
encrypted traffic on the Internet, traffic that it could not read.

From the description of the policy that followed, it appeared to
be the same tired, old, discredited policy that the government
introduced a year ago (shelved by the slight inconvenience of an
election).

By coincidence, later in the day I attended a security conference
InfoSec98 addressed by Nigel Hickson (UK, DTI).  What he put
forward appeared to be no different to the policies of a year ago.
He dragged in the same old red herring of crime - this completely
ignores the fact that it will be 'voluntary' to hand over keys,
no criminal is going to voluntarily relinquish their keys.

Hickson spoke of legislation within the next year - we are now on
the fast track.

The reception Hickson received was not welcoming, and his
proposals were widely criticised by fellow speaker Phil Zimmermann.

What was recognised was the need for standards, but as stated by
Phil Zimmermann, these are best served by the Internet Task Forces.

The only role for local legislation/regulation, would be to
ensure that those signing keys, only do so on positive proof of
ID (whatever that may be), and that those escrowing keys are
subjected to heavy penalties if they release unauthorised keys.

Phil concentrated on the human rights issues and 'voluntary'.  He
noted with some concern the level of CCTV monitoring on the
streets of London, and the frittering away of civil rights.

'Voluntary' - yes it's voluntary, but don't expect government
contracts, don't expect government grants.  Don't expect
government to recognise keys unless certified by their own
approved agencies.

In a couple of years' time when the voluntary scheme fails it is
likely to become mandatory.

The reason for the sudden reawakening of interest is that proposals
were laid before Parliament the previous day in response to a
written question (ie Mon 27 April 1998).

        Secure Electronic Commerce Statement
        Summary of Responses

Hickson did give some positive messages.  The need for standards
and interoperability.  He highlighted, without naming names,
Certifying Authorities, who, on receipt of an e-mail (and of course
a suitable fee), will, with no ID, sign keys.

From a quick survey of many of the bogus products at InfoSec
over the last two years, most are peddling snake oil, I would add
that there is a need to weed out much of this garbage.

I had hoped to talk to Nigel Hickson, but unfortunately he had to
immediately leave for another meeting.

Wednesday 29 April 1998, I received a copy of the proposals, plus
summary to previous proposals.

        Secure Electronic Commerce Statement
        Summary of Responses

From a quick scan, it appears little changed.  The response, as
much rumoured, was widespread rejection of the proposals.

It is easy to take liberties with people.  In this case people
will be denied rights that they did not even realise they had.

It is incumbent upon everyone who uses encryption, to encourage
its widespread use, and to organise opposition to these plans.

In particular encourage human rights groups, social reform
groups, environmental groups and campaigning groups to use
encryption.  These are the groups who most need it, and are best
placed to run effective campaigns.

The proposals will by stealth introduce a Police State into the UK.

More information

        http://www.heureka.clara.net/sunrise/spooks.htm
        http://www.heureka.clara.net/sunrise/ukdtittp.htm

If the need arises, I will produce a new Web page to update
current events.  Anyone organising opposition, please let me know
and I'll provide a free link.

Copies of the UK proposals may be obtained direct from Nigel
Hickson.

        Nigel Hickson
        Communication and Information Industries Directorate
        Department of Trade and Industry
        151 Buckingham Palace Road
        LONDON  SW1W 9SS

        tel     +44 171 215 1315

...................  after reading both papers  ................

Summary  Well written, virtually what is contained within my own
submission

        http://www.heureka.clara.net/sunrise/ukdtittp.htm

Statement  Poorly written waffle.  TTPs are to go from mandatory
to voluntary, handing over of keys to be voluntary (unless of
course subjected to a warrant).  The one ominous feature is the
involvement of the Home Office.  The driving force to date has
been the DTI whose primary concern has been a secure environment
for business, any involvement of the Home Office bodes ill for
civil liberties.  Further consultation and the issue of a White
Paper later in the year.

Duncan Campbell has an excellent article in The Guardian, OnLine
section, 'Coded message', Thurs 30 April 1998.  His comment
'It's a classic case of Neanderthal thinking - no safeguard at
all' is an apt summing up.

        http://www.guardian.co.uk/online

Keith Parkins <keith@redkbs.com>

------------------------------

Date:    Mon, 20 Apr 1998 11:04:55 -0400 (EDT)
From:    Jeffrey Shallit <shallit@shell.golden.net>
Subject: EFC Press Release:  Canada's Top Cryptographers 
			     Oppose Crypto Regulation
  
	  ELECTRONIC FRONTIER CANADA (EFC) --- PRESS RELEASE
				 
(For immediate release --- April 20, 1998)


CANADA'S LEADING CRYPTOGRAPHERS OPPOSE CRYPTOGRAPHY REGULATION


Fourteen of Canada's leading cryptographers -- experts in the coding
and decoding of messages -- have signed letters opposing government
regulation of cryptography.  The letters were delivered to the
Task Force on Electronic Commerce today at a roundtable meeting
on cryptography hosted by Industry Canada.

The letters were written in response to a February 1998 Industry
Canada report entitled "A Cryptography Policy Framework for
Electronic Commerce", which listed possible scenarios for
government regulation of cryptographic hardware and software.
Dr. David Jones, president of Electronic Frontier Canada, a non-profit
civil liberties group, delivered the letters this morning in Ottawa.

"Cryptography is essential for the transition to a wired society,"
said Jones.  "It is the key enabling technology that will allow
Canadians to keep our personal information and communications private
without fear of eavesdropping, as well as safeguard the security of
our online transactions, without fear of fraud.  If the government
places restrictions on the use of cryptography, it would likely do
more harm than good."

The Industry Canada report suggests that, in deference to
law enforcement and national security concerns, one policy option
might be to ban cryptographic products that do not allow the
government to listen in.

But Canada's leading cryptographers claim such a ban would be
infeasible.  Dr. Charles Rackoff, professor of computer science 
at the University of Toronto and author of several fundamental
papers on cryptography, stated that prohibition of such products
"would be unenforceable in practice, since the basic mathematical
methods are published and well known and can be easily
implemented in software by any bright high-school student."

Indeed, three of the signers, Dr. Scott Vanstone and Dr. Alfred J.
Menezes of the University of Waterloo, and Dr. Paul C. van Oorschot
of Entrust Technologies, have written and published a book
entitled _Handbook of Applied Cryptography_ (CRC Press, 1997)
that describes the mathematics of encryption in great detail.

Canada's cryptographers also expressed concern that export controls
on cryptographic products would adversely affect the fledgling
Canadian cryptography industry.  Additional restriction would
"severely handicap Canadian products and technology as they
compete in the global market for information security products,"
said Dr. Menezes.

Dr. Jeffrey Shallit, Vice-President of Electronic Frontier
Canada agreed:   "Cryptographic software and hardware has the
potential to be a billion-dollar industry.  If Canada is to
take part, it must ease its export restrictions, not strengthen
them."

Electronic Frontier Canada is a non-profit educational organization 
devoted to ensuring the rights and freedoms enshrined in the Charter
of Rights and Freedoms are preserved as new computing and
communications technologies emerge.    

The list of signers of the letters follows.  AFFILIATIONS ARE FOR
IDENTIFICATION PURPOSES ONLY.   Signers do not speak for the institutions
that employ them, and the opinions of the signers do not necessarily
reflect those of the employing institution.

===

Scott Vanstone, Ph. D., University of Waterloo (co-author, Handbook of
Applied Cryptography, CRC Press, 1997)

Charles Rackoff, Ph. D., University of Toronto
rackoff@cs.toronto.edu

Carlisle M. Adams, Ph. D., Entrust Technologies
cadams@entrust.com

Sharon Boeyen, Senior Consultant, Advanced Security Technology Group,
Entrust Technologies

Helmut Jurgensen, Ph. D., University of Western Ontario
helmut@uwo.ca

Alfred Menezes, Ph. D., University of Waterloo (co-author, Handbook of
Applied Cryptography, CRC Press, 1997)
ajmeneze@math.uwaterloo.ca

Robert J. Zuccherato, Ph. D., Entrust Technologies

Paul C. van Oorschot, Ph. D., Entrust Technologies (co-author, Handbook
of Applied Cryptography, CRC Press, 1997)
paulv@entrust.com

Michael J. Wiener, Ph. D., Senior Cryptologist, Entrust Technologies
wiener@entrust.com

Howard Heys, Ph. D., Memorial University of Newfoundland
howard@engr.mun.ca

Hugh C. Williams, Ph. D., University of Manitoba
Hugh_Williams@macmail.cs.umanitoba.ca

Gordon Agnew, Ph. D., University of Waterloo
gbagnew@crypto1.uwaterloo.ca

Ian Goldberg, Researcher, Internet Security, Authentication, Applications, and
Cryptography Research Group, University of California, Berkeley
iang@cs.berkeley.edu

Rob Lambert, Certicom Corporation
rlambert@certicom.com


			- 30 -

EFC Contact Information:
 
 
Electronic Frontier Canada
 
 Dr. David Jones        phone: (905) 525-9140 x24689    fax: (905) 546-9995
        email: djones@efc.ca

	[Dr. Jones will be in Ottawa on Monday, April 20, and hence
	unavailable for comment.]
 
 Dr. Jeff Shallit       phone: (519) 888-4804           fax: (519) 885-1208
        email: shallit@efc.ca

 Dr. Richard Rosenberg  phone: (604) 822-4142           fax: (604) 822-5485
	 email: rosen@efc.ca

 
 
Electronic Frontier Canada, online archives:
 
 URL:   http://www.efc.ca/

EFC Fax:  (519) 745-0941  (if busy, call (519) 743-8754)

------------------------------

End of PRIVACY Forum Digest 07.08
************************
