Date: Wed, 13 May 92 17:10:27 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@PICA.ARMY.MIL Subject: Computer Privacy Digest V1#024 Computer Privacy Digest Wed, 13 May 92 Volume 1 : Issue: 024 Today's Topics: Moderator: Dennis G. Rears Public Battle Over Secret Codes, John Markoff, NYTimes May 7 Oregon PUC CallerID Decision Why hide if you have nothing to hide Re: SSNs as Identification Re: E-mail privacy should be independent of carrier. NJ Caller-ID experience The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@pica.army.mil and administrative requests to comp-privacy-request@pica.army.mil. Back issues are available via anonymous ftp on ftp.pica.army.mil [129.139.160.200]. ---------------------------------------------------------------------- Date: Sat, 9 May 1992 16:11:11 -0400 From: Monty Solomon Subject: Public Battle Over Secret Codes, John Markoff, NYTimes May 7 >From: dlv@cunyvms1.gc.cuny.edu (Dimitri Vulis, CUNY GC Math) >Newsgroups: sci.crypt >Subject: Public Battle Over Secret Codes, John Markoff, NYTimes May 7 >Date: 9 May 92 02:43:51 GMT A Public Battle Over Secret Codes By JOHN MARKOFF THE NEW YORK TIMES, THURSDAY, MAY 7, 1992 An issue long relegated to testy grumbling between software engineers and intelligence agents has suddenly grown into a public dispute between the Bush Administration and business executives. In a digital age that finds more and more information protected by elaborate coding techniques, both sides are asking: Who should hold the keysto the codes? Not the Government, say members of an increasingly militant computer and software industry. Apple Computer, Microsoft and Sun Microsystems are among the companies vowing to oppose Federal efforts to keep tight control on the use of coding technology, known as encryption. ``There is really no way to control this technology,'' said nathan P. Myhrvold, vice president for advanced technology at Microsoft. ``What are you going to do, call up John Gotti and tell him that it's illegal to use coded technology? All regulations do is hurt people who are trying to be law-abiding and it's a nightmare for business users who are trying to protect information.'' Technique available to all Once a tool only of diplomats, military officers and spies, advances encryption techniques have become avaibale to anyone with access to cheap computer chips. Nowadays, virtually all information can be translated into digital form and protected ith electronic codes --- whether is it a cellular telephone conversation, electropnic memo, medical record, corporate payroll, television program or cash from the automated teller machine. And advances in hardware and software have made these codes virtually uncrackable to anyone not knowing the precise string of letters or numbers that represents the key to translating the encypted informatiom. A House Judiciary pantel will hear testimony on the issue today, for the second time in nine days, as Congress ponders whether to resurrect legislation that would give intelligence officcials a greater ability to monitor the use of encryption by businesses and individuals. An alternative move, favored by a growing number of industry executives, would be to scale back Government control of computer encryption, by curtailing the powerful National Security Agency's broad jurisdiction over the private use and export of encryption technology. The President has vowed to veto such a bill. In his concluding remarks at last week's hearing, Representative Jack Brooks, Democrat of Texas, chairman of the subcommittee, indicated that business executives would have a chance in the next session to present their case. ``We need to examine closely the claims by industry that the current attempts by U.S. intelligence and law-enforcement agencies to restrict this technology will seriously impair privacy and technological development in our country'', he said. Working on Differences The computer industry had been trying for months to work out its differences quietly with the N.S.A., the secretive Pentagon branch whose job it is to protect the military's computers and conduct global electronic intelligence gathering. But dissent within the industry and the convening of Congressional hearings have brought the dispute into the open. Since the first computers appeared in the 1940's, old-line manufacturers like I.B.M. have traditionally cooperated --- however grudgingly --- with national-security and law-enforcement officials to keep computer codes out of the wrong hands and the, keys in the right ones. Such cooperalion was wise in the days when the military and the Federal Government were the largest computer customers. And during the cold war, it was easier for the Government to defend its policies. New Attitude Among Companies But lately, the younger generation of companies that grew up selling business computers, including Apple, Microsoft and Sun, has dug in its heels. The companies argue that Government efforts to stifle encryption, technology is not only wrong but futile, putting American business at a disadvantage to foreign competitors who face few constraints in creating and using encryption. ``The most important security measures in which any of us engage in our daily business no longer have anything to do with safes, locks guards or badges,'' said Whitfield Diffie, a computer researcher at Sun Microsystems and one of the nation's leading cryptographers. ``Modern security technology has transplanted written signatures and the simple act of recognizing a colleague from the traditional world of face-to-face meetings and pen-and-ink communi- cations to a world in which digital electronic communications are the norm.'' The banking industry is also concerned about the threat of legislation, that would force software makers to provide a ``trap door'', making it easier for Federal agents to decipher encrypted files. The industry currently transmits $350 trillion a year via encrypted wire transfers, and each day United States banks transmits 350,000 encoded messages transfer ring funds to other nations. Changing encryption techniques not only would compromise the security of computerized banking transactions but would cost many millions of dollars, said John Byrne, general counsel for the American Banking Association. But Government officials see any costs or inconveniences to business as the trade-off for maintaining law and order. ``This is a very real problem'', said Kier Boyd, deputy assistant director of technical services of the F.B.I. ``Somebody who has a rudimentary knowledge of cryptography can generate something on a personal computer which would give us fits as far as reading it.'' The genie, indeed, is out of the bottle. Officials at the Information Technology Association of America, a computer industry trade group, recently obtained a copy of a commercial program called Cryptos written by programmers in Moscow. Cryptos, which runs on a standard I.B.M. personal computer, encodes data by the two most popular techniques. One is the United States Data Encryption Standard, whicti the N.S.A. established in 1977 to foster a commercial encryption format that businesses could use (and the Govemment could read, as needed). The. second is known simply as RSA, an, encryption format widely adopted for, business use.; it was developed outside the N.S.A.'s sphere by academic researchers. The Cryptos package, which is available in software stores in Moscow, sells for about $200. The encryption war between American industry and Government has been waged on several fronts in recent months. Just last month, for instance, the Justice Department began pressing Congress for a bill that would require telephone companies to install equipment making wiretaps easier to conduct in today's network. The limited introduction of encryption into the telephone network, along with the widespread use of fiber optics and digital transmitters, has made electronic eavesdropping much more difficult than in the days when snoopers needed to do little more than hot-wire a copper phone line. And it was also last month that some industry executives began charging that the N.S.A. had played a quiet role in limiting the strength of a proposed cryptographic standard for future cellular telephones. Opposing Needs ``The N.S.A.'s needs run almost directly counter to the economic needs of the country, which include the development of high-technology products based on cryptography'', said Mare Rotenberg, national director for the Computer Professionals for Social Responsibility, a public interest group. Before the International Business Machines Corporation introduced its newest family of mainframes in 1991, I.B.M. tried for more than a year to persuade the N.S.A. to allow it to build a special piece of hardware that would automatically encode information processed by the new computers. Finally, after unsuccessful meetings that went as high as Adm. William O. Studeman, director of the agency at the time, and high-ranking I.B.M. officials, the company threw up its hands. It now submits individual license requests for each export sale --- and is frequently turned down. Corporate executives and industry consultants who have experience in dealing with the N.S.A. say that despite the end of the cold war and the growing importance of cryptography for business purposes, they expect the agency to continue resisting any fundamental challenges to its control. Still, industry pressure has appar ently led the agency to attempt to negotiate a compromise with Ameri can software publishers. The industry had originally backed trade legislation, still pending, which would move control over cryptogra phy exports from the N.S.A. to the Commerce Department. But because the Bush Administration has threat ened to veto the legislation, the soft ware pubHshers have quietly attempted to arrange a deal. But, the largest American computer makers, including I.B.M. and the Digital Equipment Corporation, have refused to participate in the negotiations, saying privately that the weakened RSA would not be acceotable to their customers. The nominee for the jab of director of the N.S.A., Rear Adm. John M. McConnell, declined to be inter viewed for this arIIcle. Michael S. Conn, chief of information policy for agency, said thal national security. concerns with cryptogrgaphy could not be dealt with in a public debate. But the agency, he said, remains confident that it can ``continue to meet our mission demands in light of advances in technology.'' --- Caption: Representative Jack Brooks of Texas is chairman of the subcommittees hearing testimony on whether legislation should be resurrected to give intelligence and law-enforcement officials greater ability to monitor the use of coding technology by businesses and individuals. --- Box: The Encryption Tug-of-War As compyters left the lboratory and entered mainstream business life, the need for privacy of electronic data and communications followed. researchers and the Government's national security apparatus have wrestled over standards and secrecy ever since. 1976 Public key approach is proposed Martin E. Hellman of Stanford University and his colleagues, Whitfield Diffie and Ralph Merkle, conceive a new, moe practical way to protect information. One mathematical key that can be made public is used to encode the information, but a second, secret key is needed to decypher it. 1977 D.E.S. becomes national standard The National Bureau of Standards and the National Security Agency define the first public national encryption standard, known as the Data Encryption Standard. because the N.S.A. shortened the standard's proposed mathematical key, some cryptographers say it could be broken by powerful computers. 1978 Government clapms down on researcher Using an obscure patent law provision, the N.S.A. orders a University of Wisconsin computer scientist, George I. Davida, to keep secret all details of a computer security device he has dveloped or face two years in jail and a $10,000 fine. 1980 Security review of reserach papers begins A groups of United States mathematicians and computer scientists decide to voluntarily submit cryptography reserach papers to the N.S.A. for review before they are published in scientific journals. 1991 Scientists partly crack the code Two Israeli scientists, Adi Shamir and Eli Bhiman, develop the first mathematical technique capable of breaking the D.E.S. code under certain limited circumstances. 1991 Industry attempts a compromise Software executives propose a deal with the N.S.A. that would allow export of a scaled-down version of a popular encryption format for business users. I.B.M. and othe industry critics refuse to participatein the negotiations, saying the compromises would make codes too easy to crack. The N.S.A. has not yet reaches a decision on the proposal. Dimitri Vulis CUNY GC Math DLV@CUNYVMS1.BITNET DLV@CUNYVMS1.GC.CUNY.EDU Disclaimer: my Usenet postings don't necessarily represent anyone's views, especially my own and/or CUNY's. ------------------------------ Subject: Oregon PUC CallerID Decision Date: Tue, 12 May 92 8:11:08 PDT From: peter marshall In its CallerID, etc. proceeding, the OPUC issued a decision on 5/6/92, according to which CallerID may be offered only with free call and line- blocking for all customers, provision of line-blocking deactivation, and required offering of Call Trace and Selective Call Rejection as these capabilities are available to telcos. In dealing with "sale of Caller ID information," the PUC Order also noted that "CLASS...technology would allow a utility to set up another data base to keep track of incoming calls for specific numbers and then sell the list of calls to the receiving party or to a third party." The decision also observed that the FCC's CPNI rules "prohibit US West from recording calls to a specific receiving party and selling the list to a third party without the customer's consent." But, noting that "both privacy interests would suffer from sales to third parties," the Commission also stated it would "announce a regulatory policy for all of Oregon's telecommunications utilities." In doing so, the OPUC observed that "In a sale to a third party, the utility would perform a monitoring function which has a 'big brother' flavor to it. The monitoring would involve a breach of trust because the utility would be using information...for another purpose." Peter Marshall ------------------------------ From: "Wm. Randolph Franklin" Subject: Why hide if you have nothing to hide Date: Tue, 12 May 92 16:39:50 -0400 I'll answer a slightly different question, i.e., "If you have committed no crime...", since "If you have nothing to hide..." is ambiguous. Hope this is ok. 1. Although you have done nothing illegal, your legal acts may have a positive correlation with a crime. So you're guilty until you prove yourself innocent. Now, this has always been somewhat true; you might have a good explanation for walking up to strangers' doors and trying to see if they're locked, but you're in trouble until you give it. What's different is that with database matching, the government can spend very little money to cause you a lot of trouble. The equilibrium has shifted. Since you don't want examples, I won't provide them, but this does happen. 2. There are crimes that almost everyone does, but which almost no one is charged with. More information in the hands of government gives them the power of selective enforcement against their enemies. 3. There are things that are perfectly legal, but which are socially objectionable or controversial. If you had an abortion, would you want your name and number publicized? You didn't commit a crime, but now the antis can phone you at 3am and call you a murderer. 4. Back to correlations: Medically the term "abortion" covers most or all pregnancies that end very early, which is, I think, 10% or more of all pregnancies. Do you want to receive those 3am calls because you had a spontaneous abortion, and the anti who read your medical file missed the word "spontaneous", or didn't know the medical definition of abortion? 5. Even if you have committed a crime, should the government have infinite powers to catch you? Even though today's leaders would never be abusive, the power we give them to match databases etc., will still be available to the next, perhaps less perfect, administration. -------- Wm. Randolph Franklin Internet: wrf@ecse.rpi.edu (or @cs.rpi.edu) Bitnet: Wrfrankl@Rpitsmts Telephone: (518) 276-6077; Telex: 6716050 RPI TROU; Fax: (518) 276-6261 Paper: ECSE Dept., 6026 JEC, Rensselaer Polytechnic Inst, Troy NY, 12180 ------------------------------ Date: Wed, 13 May 1992 7:56:21 -0400 (EDT) From: "Dave Niebuhr, BNL CCD, 516-282-3093" Subject: Re: SSNs as Identification michael.scott.baldwin@att.com writes: >Several people have written to me challenging my statement that SSN's >are only divulged for ex-employees. [... test deleted ...] >Dave Neibuhr writes: >| My employer specifically states that, when logging into a computer system, >| no personal identification whatsoever is to be used as a method of access >| any system. This includes employee id number. >I assume you keep records of which logins belong to which employees though. >If my login is "mike", isn't that "personal identification" of some sort? Not if it is something that is totally ficticious and we have a lot of users who for some reason, use initials, the name of a project that they work on, etc. My name, being difficult to spell because of the placement of the various letters can come out in quite a few variations and it would take a lot of digging to find anything about me. With a SSN, the list is narrowed down to one single individual If anyone tried to do any checking based on the spelling above, it wouldn't compute since it is misspelled. Dave Dave Niebuhr Internet: niebuhr@bnl.gov / Bitnet: niebuhr@bnl Brookhaven National Laboratory Upton, NY 11973 (516)-282-3093 ------------------------------ From: Steve Barber Subject: Re: E-mail privacy should be independent of carrier. Date: Wed, 13 May 1992 12:30:09 GMT In mrose@kali.stsci.edu (Mike Rose) writes: >work. The way I see it, if I'm doing something so private that I >choose to use a public access host, then my employer shouldn't be >paying me to do it. This answer assumes a particular type of working environment, where every thing you do while on the employer's premises is necessarily directed at work related tasks. I don't know about the rest of you, but when I'm working on a straight yearly salary, I get to manage my own time. I often take care of personal matters while at work, some of which I like to keep private. While I have never had an employer I distrusted enough to take the measures I described (I would probably find another job first), not everyone is so mobile. As e-mail becomes more ubiquitous, perhaps this scenario will become more common, at least with the laws the way they are. -Steve -- Steve Barber sbarber@panix.com "The direct deed is the most meaningful reflection." - Bill Evans The above is not a legal advice. It is, at best, a discussion of generalities. Consult your attorney before acting in a specific situation. ------------------------------ Date: Wed, 13 May 92 10:22 EDT From: michael.scott.baldwin@att.com Subject: NJ Caller-ID experience Jack Decker writes: Some early jurisdictions offered Caller-ID with no blocking at all. As experience with the system grew, per-call blocking became commonplace. Then jurisdictions began mandating the per-line blocking for a fee be offered. Bills now are pending in jurisdictions without blocking to offer at least per-call blocking. NJ Bell was one of the first companies to offer Caller-ID (was it *the* first?) over 2 years ago. To this day, we do *not* have per-call or per-line blocking, and as far as I know, there are no pending bills or mandates for such. By now, we have lots of experience with Caller-ID here, and I have not heard an uproar about its terrible invasion of privacy. Actually, you *can* block Caller-ID by placing an operator-assisted call (e.g., calling card), but that's not the same as *67. So tell me: why is it that NJ Bell, with one of the oldest implementations and the most experience with Caller-ID, not gotten around to offering "commonplace" per-call or "mandated" per-line blocking? Hmm. [Moderator's Note: NJ Bell was able to push it through the Board of Public Utilites without blocking. The last time I moved (Apr 91) NJ Bell told me that blocking would not be available in the forseeable future. They will only offer it if they have to. I would have sent in a letter to the Board of Public Utilities asking for blocking but since I have set up an alternate way to protect my identify when I call I decided it was not worth the hassle. _Dennis ] ------------------------------ End of Computer Privacy Digest V1 #024 ******************************