Date: Wed, 20 May 92 10:02:39 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@PICA.ARMY.MIL
Subject: Computer Privacy Digest V1#032

Computer Privacy Digest Wed, 20 May 92              Volume 1 : Issue: 032

Today's Topics:
                        Moderator: Dennis G. Rears

        Explanation of support for free Caller-ID blocking.
        Re: "IF you have nothing to hide..."
        Re: "IF you have nothing to hide..."
        Re: Privacy and Law and Order (Long)
        Re: Privacy is a right
        SSN's and blood
        Re: Privacy in video rental records?
        Re: "IF you have nothing to hide..."
        Public Battle Over Secret Codes, John Markoff, NYTimes May 7 (fwd from comp-privacy)
        Re: An answer to "IF you have nothing to hide..."
        Re: "IF you have nothing to hide..."
        Re: Cordless Phones
        Re: Free TRW Credit Report
        Re: "IF you have nothing to hide..."

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@pica.army.mil and administrative requests to comp-privacy-request@pica.army.mil. Back issues are available via anonymous ftp on ftp.pica.army.mil [129.139.160.200].

----------------------------------------------------------------------

From: Bob Weiner
Subject: Explanation of support for free Caller-ID blocking.
Date: Wed, 20 May 1992 01:10:37 GMT

[Article describes a decision by Washington state to require free caller-ID blocking, which is vehemently opposed by US West because they claim their business customers who pay for ID recognizer equipment will get too many calls without IDs.]

> The companies said an offer of free line-blocking, or automatic blocking
> of the caller's name or number, would doom caller-ID service.

A key tip off to customer-driven companies that many of their customers (remember consumers are customers, too) oppose the service, at least as applied to their lines.
> "Washington has just adopted the most constrictive and conservative
> regulation on caller ID in the nation," said Lisa Bowersock, spokeswoman
> for US West in Seattle.

Companies often go to local governments to get tax reductions or other favors as an inducement to build up particular businesses in a local area. Why then should companies be surprised or even publicly voice opposition when every so often those same governments listen to the voice of their constituents?

> "There's no incentive for the company to introduce the service," she
> added. "The regulations adopted today won't even allow companies to recover
> the costs of line-blocking for individual customer".

And Washington state and the rest of the world will get along as well as they did before if US West does not introduce the service. Clearly this is a PR attempt at blame laying, but the facts are that the choice as to whether to offer the service is still up to US West. Choice has not been taken away from them, although they would like people to feel that way.

> If line-blocking is free, they said, people who buy caller-ID equipment
> will get too many calls in which identifications are blocked and will not
> sufficiently benefit from the service to make it viable.

"If literacy tests and poll taxes are removed, then all these new people might vote. Then we'd have to count their votes and maybe even listen to the positions that they thereby voice. Think of how unfair that would be to these groups over here who have been able to dominate political decisions before and have almost exclusively funded party activities."

One would think that large businesses would have evolved beyond such sterile arguments, recognizing the privacy rights of all of their customers, not just the highest paying ones. Now I know better. All the state is saying is let customers make privacy decisions once and for all without the spectre of money looming over their heads.
Bob
--
99% of what my law office does is word processing. -- A lawyer

------------------------------

From: Chuck Bacon
Subject: Re: "IF you have nothing to hide..."
Date: Wed, 20 May 1992 01:17:53 GMT

In article ygoland@edison.seas.ucla.edu (The Jester) writes:
>
>There have been several posts regarding my quest for a definitive
>statement regarding WHY the concept of "if you have nothing to hide
>then you have nothing to fear" is wrong. However these posts have
>consistently ignored the point I ended my post with, that examples
>do NOT make a point, they only illustrate one. The responses seen so
>far have been examples and lots of them, some good, some not, but
>examples none the less. So far no one has been able to write a
>concise explanation of WHY they feel that this idea is wrong. We are
>all in agreement that the statement IS wrong. Why is everyone
>(myself included) having so much trouble coming up with a short,
>direct, statement of why?
> The Jester
>--
>"Only the blind see in color."
>"Any union based upon pigment is foolish ignorance designed to
>give power to those few who enjoy power's taste above the common
>welfare."

Now I see I must apologize for an intemperate response to Jester's original post. I just joined this newsgroup and OF COURSE never thought anyone else could respond cogently.

We really are up against the distinction between privacy and secrecy. I can't deny that I do things--in a bathroom for instance--which I don't wish observed. These are innocent matters, yet can involve very strong desires for privacy, or even secrecy. Granting a right of privacy here amounts to an aesthetic act of government. Life could be lived, if my covert smoking, diet violations, love for adult lit. etc., were all perforce public. But I would not like it.

Secrecy is a condition which everyone maintains over some aspect of life. My .sig advocates abhorrence of secrecy, but sometimes it's necessary. My riposte "--what if you are a gun collector?"
was intended to raise the self-protection fear that some gun collectors might feel, if their collections became public knowledge. There is a danger of burglary, if valuables are not concealed to some degree.

Enhancement of the law enforcement function would be a most important reason to relinquish privacy, if law enforcement were perfect and uncorruptible. But the spectre of another J. Edgar Hoover, hunting who knows what, frightens me.

Many readers of this and other newsgroups are computer types. For me, there is a fascination with the prospect of collating huge databases, one with the other. The automated work of collecting call records, for instance, to go with credit and purchase histories, augmented with Census data, all leading to detailed profiles of all citizens; now there's a challenge of truly admirable proportions! When I think of this as a programmer, I envision beautiful paychecks. But when I see myself as subject of this probing, I'm outraged. Let's not do it.

OK, folks. I've just preached to the converted. How do we get to the heathen?

--
Chuck Bacon - crtb@helix.nih.gov ( alas, not my 3b1 )-:
        ABHOR SECRECY - PROTECT PRIVACY

------------------------------

From: Chuck Bacon
Subject: Re: "IF you have nothing to hide..."
Date: Tue, 19 May 1992 23:53:50 GMT

In article ygoland@edison.seas.ucla.edu (The Jester) writes:
>One of the reasons that many people are against 'intrusive' laws is
>because they disagree with the rationale "If you have nothing to
>hide, then you don't need to worry." However what I have failed to
>see is a single cogent explanation of WHY the rationale of "If you
>have nothing to hide, then you have nothing to fear" is a bankrupt
>one. Would anyone care to provide a concise explanation of WHY the
>previously mentioned rationale is wrong? And please, though examples
>are useful for illustration of a point, they do not make one.
> The Jester

The Jester wishes to remain anonymous.
Perhaps a superior news package would always provide your true identity. Nothing to hide? Then why be anonymous?

You have nothing to hide. Are you an atheist?
-a gun collector?
-a homosexual?
-a woman living alone?
-did any of your family ever change their surname legally?
-do you like "adult" art?
None of the above? You really are a pretty dull shit.

And yes, I'm damned angry at the "nothing to hide" attack. I had it pulled on me by police forty years ago, and it still grates. Police types like to use it because most people get tongue-tied, trying to express their outrage.

I'll appreciate it when everyone understands my .sig.

>--
> The Jester
>"You can lead a herring to water, but you have to walk really fast,
>or he'll die."-Stolen from my Evil Mistress (TM)
> NWILSON@MIAVX1.ACS.MUOHIO.EDU

--
Chuck Bacon - crtb@helix.nih.gov ( alas, not my 3b1 )-:
        ABHOR SECRECY - PROTECT PRIVACY

------------------------------

From: Emmett
Subject: Re: Privacy and Law and Order (Long)
Date: 14 May 92 03:29:14 GMT

In article John Higdon writes:
>> From: Conrad Kimball writes:
>
>> If I was given the option of selecting my line's default to be either
>> blocked or unblocked, with a '*' code to temporarily reverse the
>> default, I'd be a happy camper.
>
>Is this what it would take to satisfy you on the whole matter of CNID?
>This comes under the heading of "feature implementation" and is so
>trivial as to be not worth mentioning, yet it would be, for you, the
>salvation of CNID. Incredible.
>

Key words there are 'for you'. As for the 'feature implementation' argument, when is the last time you tried to get something changed after you accepted delivery? It's always made sense to me to get it right the first time. The fact that there is a controversy over this issue at all should show you that not everyone believes it would be offered as a feature.
[ Argument that privacy shouldn't be given up now that we have it, deleted ]

>And that, dear sir, is exactly why you and millions like yourself can
>get credit cards, debit cards, instant store accounts, bank lines of
>credit, property sale closures in days instead of months, and all of
>the financial conveniences that are taken for granted these days. Do
>you think that all of these companies and financial institutions would
>just hand you the money if they knew nothing about you? In Smalltown,

Do you think I would get letters about 'Terrific new products we're just absolutely positive you'll love hearing about, even when we send you yet another copy of this letter with a TENTH variant of your name on it.' if they knew nothing about me??

>after you had lived there for about ten years, Mr. Smith might just
>open a store account for you with a small limit. After another ten of
>showing a good payment history (as observed and recorded by Mr. Smith)
>you might get your limit raised. Of course all of this credit is only
>good at one place: Mr. Smith's.
>
>Today, your credit is portable and easily obtained at new locations.
>How did YOU think that it was possible to walk into a store for the
>first time in your life and open an account? Magic?
>
>> Must we tolerate (nay, even aid and abet!) repeats of the shoddy history
>> of credit bureaus such as TRW, in which the worst problem is not so much
>> that they have a lot of data (which some would argue is a problem in
>> itself), but rather that so much of the data they have is incorrect,
>> and use of which can seriously damage people.
>
>Then it should be corrected. I have done this myself; it is not hard.
>Without this extensive database, we would be forced back into a
>cash and carry society. While some may approve of that, there are many
>more who would not.
>

Your argument is that you and others who share your opinion feel you would be inconvenienced if you were forced into a situation not of your choosing or of your liking. Guess what my argument is.

>> Some people have raised concerns
>> about lifestyle data being fed to insurance companies, which being *very*
>> highly motivated to reduce risk, raise rates or refuse coverage in
>> situations that do not in fact warrant it. And, when they raise your
>> rates or refuse you coverage, how are you to know the basis for their
>> unjust decision?
>
>Try asking. Someone, somewhere started the "truism" that "they" are
>unreachable, untouchable, and have unlimited power. I have received
>such things as notices of cancellation and simply called the company to
>get an explanation. In some cases, after discussing the matter, the
>cancellation was rescinded. I am surprised that you give people so little
>credit for being able to pick up a phone or write letters of inquiry.

Why is this my responsibility?? These people are paid quite handsomely for providing information that is presumed accurate by their customers. Extending your line of reasoning leads to the argument that if I choose to eat food that has been shipped to a grocery store in a truck, then I'm responsible for doing maintenance work on the truck.

>Of course, failing to mention those avenues of redress gives more
>weight to your argument. And speaking of weight:
>
>> - The greenhouse effect.
>
>> - Smoking.
>
>> - Logging
>
>What do these things have to do with privacy? Is the implication that
>the consequences are on a par with these things? Is this the only way you
>can make your argument seem non-trivial? The most serious privacy
>violations that could occur in modern society will not kill, maim, or
>even cause much more than a minor annoyance or inconvenience. We are
>not talking disastrous global climate changes here. We are not talking
>500,000 deaths a year. We are not even talking about endangered
>species.
>

No, we're talking about minor annoyances and inconveniences. Frankly, given a choice I'd just as soon avoid them. Besides, it's at least as important to me as the issue of death from smoking (I don't smoke) and will impact me personally a lot more than spotted owls (I doubt I'll encounter a significant number of spotted owls in my lifetime, but I'm pretty sure I haven't seen the last of the annoyances and inconveniences). Besides [ my turn to be dramatic ], falling two feet is pretty minor by itself, but if they happen to be the last two feet of a hundred foot drop, the results are noticeable.

[ Bluster about things I consider irrelevant deleted ]

>
>There is someone who asserted in print that we are all going
>to get cancer because of electrical transmission lines. I would guess
>that you must be in favor of shutting down our electrical grid until
>someone proves him wrong. Never mind that it would disrupt our whole
>way of life, destroy the economy, and literally make it impossible for
>people to live in our cities. But we cannot take any chances now, can
>we?
>

Until you hit the bit about shutting down the cities, you weren't doing too badly there. Shut 'em down says I. :-)

>So it is with privacy. A few very noisy people are running around
>announcing the death of all we hold near and dear because some nasty
>people can find out our little secrets. Shall we return to green visors
>and ledger paper until the theorists can come to a conclusion one way
>or another? Does it really matter?
>

For someone who was just complaining about making sweeping statements just for effect, don't you think this is a bit much?? Personally I see it as a bandage. I'd rather do away with the nasty people that can 'find out our little secrets'. As far as I'm concerned it does matter.
If it were an ideal world, I can't think of anything I've personally done in the privacy of my own home that I would really care one way or another if the world knew about (a few things that might disturb my mother, but such is life). Unfortunately, there are a lot of people in the world (and even in Montana) who possess value systems that I choose not to subscribe to. Some of them have the clout to be more than minor annoyances.

You used the metaphor of Smalltown, USA. In Smalltown, there was only one Mrs. Grundy; if you include Tinytown and Diminutive-ville to the list we're talking about at least three Mrs. Grundys. How many do you suppose live in the New York or LA areas alone? Can you really blame me for not wanting to be forced to deal with them??

>
>--
> John Higdon | P. O. Box 7648 | +1 408 723 1395
> john@zygot.ati.com | San Jose, CA 95150 | M o o !

--
Larry Emmett                          v    'Computers are a lot like the God of the
Internet:icsu8249@cs.montana.edu     /o\    Old Testament. A whole lot of rules
Bitnet: icsu8249@MtsUnix1.bitnet     ---    and no mercy.' -- Joseph Campbell

------------------------------

From: Gary Greene
Subject: Re: Privacy is a right
Date: Wed, 20 May 92 08:34:58 GMT

Dennis; I find it difficult to excise any of Bob Weiner's text. If you need to, go ahead, but it all appears relevant to me. --Gary

In comp.society.privacy Brian L. Kahn writes:
>In article rsw@cs.brown.edu (Bob Weiner) writes:
> The matter is simple and much like the reason we have a presumption of
> innocence in the legal system. The burden should be on the accuser or
> in the case of privacy, on those who want to expose something.
> Basically, the view is that privacy, like presumption of innocence, is
> a right. There is no need to justify one's exercise of that right but
> there is need to justify infringement upon it.

>Nicely stated, but I can't accept the comparison between privacy and
>presumption of innocence.
>Privacy may be a right in some sense, and I
>sure wish it were explicitly in the constitution. ...

In some States it *is* part of the constitution (California at least).

>However, we are
>obliged to surrender this right in many instances, in exchange for
>privileges.

I believe Bob was saying that the burden was on the agency requiring information to justify the requirement. Providing information does not surrender any right to privacy per se, since private can mean private to you and me, not just private to me. Information has a proprietary nature as any software publisher will tell you. If I give you access to information I own I can restrict your use of it via copyright and license or other restrictions. The proprietary nature of information and any right to privacy are very closely related and are just as closely related to your right to be secure in your person and your effects from seizure by either public or private persons or by the government without due-process. Indeed, I find it difficult to envision the right to own property without the right to hold it private to yourself (the old Libertarian saw, I know).

Getting back to information and privacy issues, even in states where a right to privacy is not part of their constitution there are usually stringent statutory restrictions on the agency's use and distribution of this information ...at least restrictions on government agencies. In addition the information requested must usually be substantively germane to the purpose for which it is requested. For instance, it is difficult to see how any state agency could issue a license without the name of the person to whom it is being issued, and enough identifying information so that any officer involved in enforcing the proper exercise of the license can identify the person attempting to use the license. There is a quid-pro-quo in applying for a service which must empower the provider to *give* the service, else there is no enforceable contract.
The same is true in applying for a privilege. Are you suggesting that a right to privacy must be absolute to exist? Few if any such absolute rights exist, not even due-process.

>Your car has ID tags, and you have to carry a license
>with your name (and usually your picture) to operate on public roads.
>You have to identify yourself in order to use financial services
>(checks or credit), to rent items (tapes, tools, cars), to get service
>from public utilities. Can you even own property in a town without
>revealing your name?

These agencies and people may still be restrained under existing statute and constitutional provisions (both state and federal) from disbursing this information to others. I believe *this* is the point of privacy disputes, and it is here that a right of privacy as Bob outlines it appears.

...Paragraph about surrenderable and unsurrenderable rights deleted...

>Perhaps the right we really have is a right to independence, not
>privacy. If you want to be alone and do everything for yourself, you
>may.

If so then we are in real trouble because I know of no one who is capable of such complete independence short of discovering a new uninhabited desert island. :-) If you can't do it, how could it be a right?

Cheers,

Gary Greene
garyg@netcom.com (at home)
Santa Clara, California

------------------------------

Subject: SSN's and blood
Date: 19 May 92 18:33:54 EDT (Tue)
From: "John R. Levine"

>The local red cross wanted my ssn when I gave blood. They got really
>ugly when I refused.

The people at the Red Cross can be remarkably dense, particularly considering that all their blood comes from unpaid volunteers.

I donate both here in Boston and at my beach house near Philadelphia. Both wanted my SSN. Around here, there must be lots of privacy freaks because they all know the routine for people who don't use an SSN.
They make up an ID using the first few letters of your name and your birth date which they can easily look up if you don't have the card and don't remember the ID.

Down at the beach they were baffled when I told them that I didn't know my SSN and didn't have it handy anywhere. (It's true, all my tax records are up here.) They couldn't handle the alphanumeric ID on my Boston donor card, evidently different Red Cross regions have different, incompatible computer systems. So they took my unnumbered blood, begging me to call them the moment I could find my number. Sure, uh huh, etc.

About a month later, the Philadelphia Red Cross sent me a donor card with a made up number starting with four zeros. So they can deal perfectly well with number-free donors, but their field people don't know about it.

Regards,
John Levine, johnl@iecc.cambridge.ma.us, {spdcc|ima|world}!iecc!johnl

------------------------------

From: "Michael H. Riddle, Esq."
Subject: Re: Privacy in video rental records?
Date: Wed, 20 May 92 12:47:52 GMT

In a previous posting, NEELY_MP@darwin.ntu.edu.au (Mark P. Neely, Northern Territory University) writes:

>I picked this one off a mailing list...
>
>
>
> State Attorney John Tanner (Volusia Co, FL) has subpoenaed the rental
>records of two video shopkeepers to identify the individuals who rented
>one of four named explicit films.
>
> Ostensibly, the customers are only wanted as potential witnesses.
>Tanner states that he does not intend to prosecute any citizen whose
>name might be on this list. Both store owners are resisting, citing
>customers' rights to privacy. Tanner maintains people who rent material
>have no expectation of privacy.

* * *

> In a state known nationally for its revolving door prisons, it is
>shameful that Tanner is trying to make reelection hay out of this issue.
>Hopefully he has underestimated the number of voters who occasionally
>view explicit films.

Hmm.
It's apparently also a shame that they have prosecutors who appear not to know the law! The post from the mailing list quotes Mr. Tanner as "maintain[ing] people who rent material have no expectation of privacy." I would respectfully disagree, at least with respect to video materials. The Electronic Communication Privacy Act has rather detailed provisions limiting access to video rental records. The pertinent portion is reproduced below.

> TITLE 18 UNITED STATES CODE
> CHAPTER 121. STORED WIRE AND ELECTRONIC COMMUNICATIONS AND
> TRANSACTIONAL RECORDS ACCESS
>
> s 2710. Wrongful disclosure of video tape rental or sale records
>
> (a) Definitions. For purposes of this section-
>
>   (1) the term "consumer" means any renter, purchaser, or
>   subscriber of goods or services from a video tape service provider;
>
>   (2) the term "ordinary course of business" means only debt
>   collection activities, order fulfillment, request processing, and
>   the transfer of ownership;
>
>   (3) the term "personally identifiable information"
>   includes information which identifies a person as having
>   requested or obtained specific video materials or services from
>   a video tape service provider; and
>
>   (4) the term "video tape service provider" means any person,
>   engaged in the business, in or affecting interstate or foreign
>   commerce, of rental, sale, or delivery of prerecorded video
>   cassette tapes or similar audio visual materials, or any person
>   or other entity to whom a disclosure is made under subparagraph
>   (D) or (E) of subsection (b)(2), but only with respect to the
>   information contained in the disclosure.
>
> (b) Video tape rental and sale records.
>
>   (1) A video tape service
>   provider who knowingly discloses, to any person, personally
>   identifiable information concerning any consumer of such provider
>   shall be liable to the aggrieved person for the relief provided in
>   subsection (d).
>
>   (2) A video tape service provider may disclose personally
>   identifiable information concerning any consumer-
>
>     (A) to the consumer;
>
>     (B) to any person with the informed, written consent of the
>     consumer given at the time the disclosure is sought;
>
>     (C) to a law enforcement agency pursuant to a warrant issued
>     under the Federal Rules of Criminal Procedure, an equivalent State
>     warrant, a grand jury subpoena, or a court order;
>
>     (D) to any person if the disclosure is solely of the names and
>     addresses of consumers and if-
>
>       (i) the video tape service provider has provided the
>       consumer with the opportunity, in a clear and conspicuous manner,
>       to prohibit such disclosure; and
>
>       (ii) the disclosure does not identify the title,
>       description, or subject matter of any video tapes or other audio
>       visual material; however, the subject matter of such materials may
>       be disclosed if the disclosure is for the exclusive use of
>       marketing goods and services directly to the consumer;
>
>     (E) to any person if the disclosure is incident to
>     the ordinary course of business of the video tape service provider;
>     or
>
>     (F) pursuant to a court order, in a civil proceeding upon a
>     showing of compelling need for the information that cannot be
>     accommodated by any other means, if-
>
>       (i) the consumer is given reasonable notice, by the person
>       seeking the disclosure, of the court proceeding relevant to the
>       issuance of the court order; and
>
>       (ii) the consumer is afforded the opportunity to appear
>       and contest the claim of the person seeking the disclosure.
>
>   If an order is granted pursuant to subparagraph (C) or (F),
>   the court shall impose appropriate safeguards against unauthorized
>   disclosure.
>
>   (3) Court orders authorizing disclosure under subparagraph (C)
>   shall issue only with prior notice to the consumer and only if the
>   law enforcement agency shows that there is probable cause to
>   believe that the records or other information sought are relevant
>   to a legitimate law enforcement inquiry. In the case of a State
>   government authority, such a court order shall not issue if
>   prohibited by the law of such State. A court issuing an order
>   pursuant to this section, on a motion made promptly by the video
>   tape service provider, may quash or modify such order if the
>   information or records requested are unreasonably voluminous in
>   nature or if compliance with such order otherwise would cause an
>   unreasonable burden on such provider.
>
> (c) Civil action.
>
>   (1) Any person aggrieved by any act of a person
>   in violation of this section may bring a civil action in a United
>   States district court.
>
>   (2) The court may award-
>
>     (A) actual damages but not less than liquidated damages in
>     an amount of $ 2,500;
>
>     (B) punitive damages;
>
>     (C) reasonable attorneys' fees and other litigation costs
>     reasonably incurred; and
>
>     (D) such other preliminary and equitable relief as the
>     court determines to be appropriate.
>
>   (3) No action may be brought under this subsection unless such
>   action is begun within 2 years from the date of the act complained
>   of or the date of discovery.
>
>   (4) No liability shall result from lawful disclosure permitted
>   by this section.
>
> (d) Personally identifiable information. Personally identifiable
> information obtained in any manner other than as provided in this
> section shall not be received in evidence in any trial, hearing,
> arbitration, or other proceeding in or before any court, grand
> jury, department, officer, agency, regulatory body, legislative
> committee, or other authority of the United States, a State, or a
> political subdivision of a State.
>
> (e) Destruction of old records.
> A person subject to this section
> shall destroy personally identifiable information as soon as
> practicable, but no later than one year from the date the
> information is no longer necessary for the purpose for which it was
> collected and there are no pending requests or orders for access
> to such information under subsection (b)(2) or (c)(2) or pursuant
> to a court order.
>
> (f) Preemption. The provisions of this section preempt only the
> provisions of State or local law that require disclosure prohibited
> by this section.

--
<<<< insert standard disclaimer here >>>>
mike.riddle@inns.omahug.org | Nebraska Inns of Court
bc335@cleveland.freenet.edu | +1 402 593 1192 (Data/Fax)
Sysop of 1:285/27@Fidonet | V.32/V.42bis / G3 Fax

------------------------------

From: Nelson Bolyard
Subject: Re: "IF you have nothing to hide..."
Date: Tue, 19 May 1992 20:53:50 GMT

blk@mitre.org (Brian L. Kahn) writes:
>
> > ygoland@edison.seas.ucla.edu (The Jester) writes:
> >Would anyone care to provide a concise explanation of WHY the
> >previously mentioned rationale is wrong?
>
>
>This seems like a logical argument to me, but I would sure like to
>hear an argument (attitude, explanation, credo?) that better explains
>the assumptions behind discussions appearing in this group.

OK, try this on for size:

Personal privacy is prerequisite to, and the basis of, personal freedom, autonomy, self-esteem, and interpersonal relationships.

People are willing to part with things they don't understand and don't perceive as necessary. Unfortunately, the foundations of our rights and freedoms are ill understood by the masses.

------------------------------

From: Ofer Inbar
Subject: Public Battle Over Secret Codes, John Markoff, NYTimes May 7 (fwd from comp-privacy)
Date: Tue, 19 May 92 16:12:23 EDT

This is a New York Times article that was posted to the comp-privacy mailing list (which is also the newsgroup comp.society.privacy), regarding the recent 'trap door' bill.
Incidentally, John Markoff, the author of this article, is online at markoff@nisc.nyser.net

Note to comp-privacy moderator: This article was originally submitted OCR'ed and uncorrected. I have gone through and corrected most, if not all, of the OCR errors, so that is why I am resubmitting. Use it if you wish.

Forwarded message:
>Date: Sat, 9 May 1992 16:11:11 -0400
>From: Monty Solomon
>Newsgroups: comp.society.privacy
>Subject: Public Battle Over Secret Codes, John Markoff, NYTimes May 7
>X-Submissions-To: comp-privacy@pica.army.mil
>X-Administrivia-To: comp-privacy-request@pica.army.mil
>X-Computer-Privacy-Digest: Volume 1, Issue 024, Message 1 of 6

>From: dlv@cunyvms1.gc.cuny.edu (Dimitri Vulis, CUNY GC Math)
>Newsgroups: sci.crypt
>Subject: Public Battle Over Secret Codes, John Markoff, NYTimes May 7

A Public Battle Over Secret Codes

By JOHN MARKOFF

THE NEW YORK TIMES, THURSDAY, MAY 7, 1992

An issue long relegated to testy grumbling between software engineers and intelligence agents has suddenly grown into a public dispute between the Bush Administration and business executives.

In a digital age that finds more and more information protected by elaborate coding techniques, both sides are asking: Who should hold the keys to the codes?

Not the Government, say members of an increasingly militant computer and software industry. Apple Computer, Microsoft and Sun Microsystems are among the companies vowing to oppose Federal efforts to keep tight control on the use of coding technology, known as encryption.

``There is really no way to control this technology,'' said Nathan P. Myhrvold, vice president for advanced technology at Microsoft. ``What are you going to do, call up John Gotti and tell him that it's illegal to use coded technology?
All regulations do is hurt people who are trying to be law-abiding and it's a nightmare for business users who are trying to protect information.''

Technique available to all

Once a tool only of diplomats, military officers and spies, advanced encryption techniques have become available to anyone with access to cheap computer chips. Nowadays, virtually all information can be translated into digital form and protected with electronic codes --- whether it is a cellular telephone conversation, electronic memo, medical record, corporate payroll, television program or cash from the automated teller machine.

And advances in hardware and software have made these codes virtually uncrackable to anyone not knowing the precise string of letters or numbers that represents the key to translating the encrypted information.

A House Judiciary panel will hear testimony on the issue today, for the second time in nine days, as Congress ponders whether to resurrect legislation that would give intelligence officials a greater ability to monitor the use of encryption by businesses and individuals.

An alternative move, favored by a growing number of industry executives, would be to scale back Government control of computer encryption, by curtailing the powerful National Security Agency's broad jurisdiction over the private use and export of encryption technology. The President has vowed to veto such a bill.

In his concluding remarks at last week's hearing, Representative Jack Brooks, Democrat of Texas, chairman of the subcommittee, indicated that business executives would have a chance in the next session to present their case.

``We need to examine closely the claims by industry that the current attempts by U.S. intelligence and law-enforcement agencies to restrict this technology will seriously impair privacy and technological development in our country'', he said.

Working on Differences

The computer industry had been trying for months to work out its differences quietly with the N.S.A., the secretive Pentagon branch whose job it is to protect the military's computers and conduct global electronic intelligence gathering. But dissent within the industry and the convening of Congressional hearings have brought the dispute into the open.

Since the first computers appeared in the 1940's, old-line manufacturers like I.B.M. have traditionally cooperated --- however grudgingly --- with national-security and law-enforcement officials to keep computer codes out of the wrong hands and the keys in the right ones.

Such cooperation was wise in the days when the military and the Federal Government were the largest computer customers. And during the cold war, it was easier for the Government to defend its policies.

New Attitude Among Companies

But lately, the younger generation of companies that grew up selling business computers, including Apple, Microsoft and Sun, has dug in its heels. The companies argue that Government efforts to stifle encryption technology are not only wrong but futile, putting American business at a disadvantage to foreign competitors who face few constraints in creating and using encryption.

``The most important security measures in which any of us engage in our daily business no longer have anything to do with safes, locks, guards or badges,'' said Whitfield Diffie, a computer researcher at Sun Microsystems and one of the nation's leading cryptographers. ``Modern security technology has transplanted written signatures and the simple act of recognizing a colleague from the traditional world of face-to-face meetings and pen-and-ink communications to a world in which digital electronic communications are the norm.''

The banking industry is also concerned about the threat of legislation that would force software makers to provide a ``trap door'', making it easier for Federal agents to decipher encrypted files.
The industry currently transmits $350 trillion a year via encrypted wire transfers, and each day United States banks transmit 350,000 encoded messages transferring funds to other nations.

Changing encryption techniques not only would compromise the security of computerized banking transactions but would cost many millions of dollars, said John Byrne, general counsel for the American Banking Association.

But Government officials see any costs or inconveniences to business as the trade-off for maintaining law and order.

``This is a very real problem'', said Kier Boyd, deputy assistant director of technical services of the F.B.I. ``Somebody who has a rudimentary knowledge of cryptography can generate something on a personal computer which would give us fits as far as reading it.''

The genie, indeed, is out of the bottle. Officials at the Information Technology Association of America, a computer industry trade group, recently obtained a copy of a commercial program called Cryptos written by programmers in Moscow.

Cryptos, which runs on a standard I.B.M. personal computer, encodes data by the two most popular techniques. One is the United States Data Encryption Standard, which the N.S.A. established in 1977 to foster a commercial encryption format that businesses could use (and the Government could read, as needed). The second is known simply as RSA, an encryption format widely adopted for business use; it was developed outside the N.S.A.'s sphere by academic researchers.

The Cryptos package, which is available in software stores in Moscow, sells for about $200.

The encryption war between American industry and Government has been waged on several fronts in recent months. Just last month, for instance, the Justice Department began pressing Congress for a bill that would require telephone companies to install equipment making wiretaps easier to conduct in today's network.
The limited introduction of encryption into the telephone network, along with the widespread use of fiber optics and digital transmitters, has made electronic eavesdropping much more difficult than in the days when snoopers needed to do little more than hot-wire a copper phone line.

And it was also last month that some industry executives began charging that the N.S.A. had played a quiet role in limiting the strength of a proposed cryptographic standard for future cellular telephones.

Opposing Needs

``The N.S.A.'s needs run almost directly counter to the economic needs of the country, which include the development of high-technology products based on cryptography'', said Marc Rotenberg, national director for the Computer Professionals for Social Responsibility, a public interest group.

Before the International Business Machines Corporation introduced its newest family of mainframes in 1991, I.B.M. tried for more than a year to persuade the N.S.A. to allow it to build a special piece of hardware that would automatically encode information processed by the new computers.

Finally, after unsuccessful meetings that went as high as Adm. William O. Studeman, director of the agency at the time, and high-ranking I.B.M. officials, the company threw up its hands. It now submits individual license requests for each export sale --- and is frequently turned down.

Corporate executives and industry consultants who have experience in dealing with the N.S.A. say that despite the end of the cold war and the growing importance of cryptography for business purposes, they expect the agency to continue resisting any fundamental challenges to its control.

Still, industry pressure has apparently led the agency to attempt to negotiate a compromise with American software publishers. The industry had originally backed trade legislation, still pending, which would move control over cryptography exports from the N.S.A. to the Commerce Department.
But because the Bush Administration has threatened to veto the legislation, the software publishers have quietly attempted to arrange a deal.

But the largest American computer makers, including I.B.M. and the Digital Equipment Corporation, have refused to participate in the negotiations, saying privately that the weakened RSA would not be acceptable to their customers.

The nominee for the job of director of the N.S.A., Rear Adm. John M. McConnell, declined to be interviewed for this article. Michael S. Conn, chief of information policy for the agency, said that national security concerns with cryptography could not be dealt with in a public debate.

But the agency, he said, remains confident that it can ``continue to meet our mission demands in light of advances in technology.''

---

Caption: Representative Jack Brooks of Texas is chairman of the subcommittees hearing testimony on whether legislation should be resurrected to give intelligence and law-enforcement officials greater ability to monitor the use of coding technology by businesses and individuals.

---

Box: The Encryption Tug-of-War

As computers left the laboratory and entered mainstream business life, the need for privacy of electronic data and communications followed. Researchers and the Government's national security apparatus have wrestled over standards and secrecy ever since.

1976 Public key approach is proposed
Martin E. Hellman of Stanford University and his colleagues, Whitfield Diffie and Ralph Merkle, conceive a new, more practical way to protect information. One mathematical key that can be made public is used to encode the information, but a second, secret key is needed to decipher it.

1977 D.E.S. becomes national standard
The National Bureau of Standards and the National Security Agency define the first public national encryption standard, known as the Data Encryption Standard. Because the N.S.A.
shortened the standard's proposed mathematical key, some cryptographers say it could be broken by powerful computers.

1978 Government clamps down on researcher
Using an obscure patent law provision, the N.S.A. orders a University of Wisconsin computer scientist, George I. Davida, to keep secret all details of a computer security device he has developed or face two years in jail and a $10,000 fine.

1980 Security review of research papers begins
A group of United States mathematicians and computer scientists decide to voluntarily submit cryptography research papers to the N.S.A. for review before they are published in scientific journals.

1991 Scientists partly crack the code
Two Israeli scientists, Adi Shamir and Eli Biham, develop the first mathematical technique capable of breaking the D.E.S. code under certain limited circumstances.

1991 Industry attempts a compromise
Software executives propose a deal with the N.S.A. that would allow export of a scaled-down version of a popular encryption format for business users. I.B.M. and other industry critics refuse to participate in the negotiations, saying the compromises would make codes too easy to crack. The N.S.A. has not yet reached a decision on the proposal.

------------------------------

From: "Osborne, John Blair"
Subject: Re: An answer to "IF you have nothing to hide..."
Date: 20 May 92 07:25:18 GMT

In charest@ai-cyclops.jpl.nasa.gov (Len Charest) writes:

>In article , ygoland@edison.seas.ucla.edu (The Jester) writes:
>|>
>|> There have been several posts regarding my quest for a definitive
>|> statement regarding WHY the concept of "if you have nothing to hide
>|> then you have nothing to fear" is wrong. However these posts have
>|> consistently ignored the point I ended my post with, that examples
>|> do NOT make a point, they only illustrate one. The responses seen so
>|> far have been examples and lots of them, some good, some not, but
>|> examples none the less.
So far no one has been able to write a
>|> concise explanation of WHY they feel that this idea is wrong. We are
>|> all in agreement that the statement IS wrong. Why is everyone
>|> (myself included) having so much trouble coming up with a short,
>|> direct, statement of why?

>Perhaps you missed this...

>In article , michael.scott.baldwin@att.com writes:
>|> Let me try, without using examples: the definition of what it is that you
>|> have to "hide" rests with the government, not you. If the legal system
>|> creates bankrupt laws that make your private life punishable, then you end
>|> up hiding and fearing for simply living your life and pursuing your own
>|> happiness.

>BTW, I assume that since "we are all in agreement that the statement is wrong", you were just playing devil's advocate in your original post vis a vis your 'nom de net', Mr. Jester.

> ..................................................
> Len Charest, Jr.
> JPL Artificial Intelligence Group
> charest@aig.jpl.nasa.gov

First, sorry to quote all of this--possibly wasted bandwidth. Oh, well.

I think the real problem (of Jester's original post) relates to how we define "nothing to fear". If we assume only criminal fear, then his statement (If nothing to hide, nothing to fear...) is most likely logically correct. The actual problem is we have much more to fear than simply criminal convictions. I cannot imagine anyone who lives a life that could please every single little (interest) group. This means everyone has good reason to "hide" certain aspects of their private lives from public view.

The reasons "honest" people "hide" things are numerous, and many examples have been given. "Honest" people "hide" things to avoid embarrassment, harassment, and persecution for any of the legal (but possibly disliked) things they do. I think many of the posters have discounted the motivation provided by a desire to avoid embarrassment, harassment, and persecution outside of the legal system.

As to "hiding" behavior that is illegal due to a "wrong" law, I think rational people can disagree here. I can see where some people might feel laws (even bad ones, unless/until changed) must be respected, or the system fails to function. I can also see where some people might feel the right thing to do would be to make the law unenforceable by making it impossible to "catch" someone breaking it. I think the best thing to do in a case like this, would be to change the law. This is not always practical or possible however.

Oh, well. Just my thoughts on the matter. Flames and mail welcome.

John

John Blair Osborne
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: gt1032b@prism.gatech.edu
uucp: ...!{decvax,hplabs,ncar,purdue,rutgers}!gatech!prism!gt1032b
--
John Blair Osborne
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: gt1032b@prism.gatech.edu
uucp: ...!{decvax,hplabs,ncar,purdue,rutgers}!gatech!prism!gt1032b

------------------------------

From: Paul Robinson
Subject: Re: "IF you have nothing to hide..."
Date: 19 May 92 22:58:55 GMT
Reply-To: probinson@ultra.enet.dec.com

In article , ygoland@edison.seas.ucla.edu (The Jester) writes:

|I am working with a friend of mine
|to learn and understand public key encryption. We are doing this
|mostly because it's a really 'nifty' problem that we both want to
|learn more about. At the end of our 'educational' drive we intend to
|write a paper, in as plain english as possible, explaining to
|everyone EXACTLY how public key works

It shouldn't be taking you this long, unless you're trying to comprehend the bowels of a specific public key algorithm (there are several). Describing how a specific algorithm works is overkill if what you want is to get people onto the public key bandwagon. Unless you're trying to prove that it's hard to derive one key of a pair from the other, and it's hard to believe that no such proof exists in a readable form.

|and in addition we intend on
|producing a program that will provide the most secure public key
|encryption possible on today's pc (it will be in ansi C with
|variable strength based upon processor speed so anyone on any
|machine can run it).

The strength of public key algorithms is directly related to key length, which I suppose makes it easy to adjust based on processor speed. A more useful and friendly program would let me, the user, decide what strength I wanted, knowing that greater strength would require more CPU time.

I'm curious; how do you plan to associate public keys with people? I can't send a secret message to you unless I know your public key; what agent can I trust to give me your public key correctly?

Furthermore, if you upgrade your PC and therefore decide to increase your encryption strength, you will necessarily change your key (it will become longer). How will I know that? And how will you know which of your various public keys was used to encrypt the message I sent you?

| ...[implications of public key encrypted communication deleted]...
|
|On a final note: The program I intend to release is freeware. However
|I refuse to believe that someone, somewhere, hasn't done this before!
|All the information on public key is available in any good library
|and the actual principles are quite simple (I could release the
|program today if I didn't bother trying to understand WHY what I was
|doing actually worked). Isn't there a public key encryption program
|out there some place?

It has been done before. As I recall, the program was withdrawn because any such program would violate one or more patents (according to those who own the patents). At least one of these patent owners is, how shall I say it, very vigorous in his pursuit of those who would infringe upon his patents.

|And a final note: I have no intent of ever using a government
|sponsored public key encryption system.
With laws such as the one
|going through congress that requires all encryption systems to have
|back doors the government can use, with laws requiring phone
|companies to have equipment that the FBI can easily trace, and with
|holes already found in the current proposed government (nsa?) public
|key encryption standard, I don't trust the government any farther
|than I can throw it.

Holes found in NIST DSS? I've heard a lot about its unsuitability for the stated purposes, and lack of confidence due to the comparatively short time that it has been under analysis, but nothing about any actual holes.

Paul Robinson
It's not DEC saying it, it's me saying it.

------------------------------

From: Peter Gorny
Subject: Re: Cordless Phones
Date: Tue, 19 May 1992 16:31:55 GMT

jangerma@magnus.acs.ohio-state.edu (Jake Angerman) writes:

>lupine!mellon@uunet.uu.net (Ted Lemon) writes:

>>Privacy *is* important. While it's impossible to prevent Joe Random
>>Loser from listening in on your cellular phone conversations....

oops - there is a difference between c-phones (a public telephone system on radio basis) and the cordless phones you use at home or in your office -- there you have a single main station and one remote station only.

>How would someone go about doing this? If my neighbor and I both
>have cordless phones, why is it that when I pick mine up I don't
>home-in on their conversation?

That is in fact what happens - hidden from your ears. The phone listens into 40 (or 80 or more) channels and picks the first unoccupied for your use. The newer systems have a complicated security system, which not only prevents others from listening to your conversation but also from using your account. (Exactly this "homing-in" possibility is the reason why in most European countries it is forbidden to use normal cheap cordless phones as you can buy them in the US)

>Can you run out of frequencies?

Yes, you can...

Peter Gorny

------------------------------

Subject: Re: Free TRW Credit Report
Date: Tue, 19 May 92 17:54:08 EDT
From: shaw@shaw.vitruvius.cs.cmu.edu

In article you write:
|> In article michael@xanadu.com (Michael McClary) writes:
|> >Note, by the way, that many banks and credit-card providers make the
|> >last month-or-so of your account history available over the phone to
|> >anyone who can touch-tone in the account number and your zipcode or
|> >SS number.
|>
|> Well, Fleet Bank, when they send you your statement, gives you an
|> extra code to punch in for your account information. Nice of them...
|> --------------------

A few years ago my bank (Pittsburgh National) started offering this "service". If I recall correctly, it used account number and SSN for id. Quite a number of us demanded to have it disabled for our accounts. After considerable discussion in which the bank tried to persuade us that we really wanted the service, they allowed us to disable it (in writing) on a per-account basis.

Mary Shaw
Mary.Shaw@cs.cmu.edu

------------------------------

From: The Jester
Subject: Re: "IF you have nothing to hide..."
Date: 19 May 92 20:45:10 GMT

In article egdorf@zaphod.lanl.gov (Skip Egdorf) writes:

[Excellent discussion of basic logic that I was fully aware of and am now beating myself for not remembering.. i.e. the basic if-then conclusion with a false f means a true then]

>How do we discuss this from this point?
>

In point for discussion remaining is: Which right is worth more? Your right to privacy or society's right to be protected from criminals?

The Jester
--
"Only the blind see in color."
"Any union based upon pigment is foolish ignorance designed to give power to those few who enjoy power's taste above the common welfare."

------------------------------

End of Computer Privacy Digest V1 #032
******************************