Date: Thu, 30 Jul 92 17:01:52 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@PICA.ARMY.MIL
Subject: Computer Privacy Digest V1#068

Computer Privacy Digest Thu, 30 Jul 92              Volume 1 : Issue: 068

Today's Topics:
                        Moderator: Dennis G. Rears

                     Re: Cellular phone scanners
                     Encrypted Communications
                     SSN Abuse
                     IRS: ssn for my kids ?
                     CC's and South Korea
                     Re: SSN & TV rental
                     Emerging Privacy Issues in Libraries

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@pica.army.mil and administrative requests to comp-privacy-request@pica.army.mil. Back issues are available via anonymous ftp on ftp.pica.army.mil [129.139.160.200].

----------------------------------------------------------------------

Subject: Re: Cellular phone scanners
Date: Tue, 28 Jul 92 16:44:59 PDT
From: "Willis H. Ware"

RE: Mark Bell

>>Cellular phone scanners: Are they illegal? I don't believe so. One
>>can buy a nice Bearcat scanner from DAK in Canoga Park, California,
>>for a little over $200. They put a message in the box that it is
>>"ILLEGAL to use the scanner over the range of 845-860 MhZ according
>>to Congressional law..."

Yes, I know about DAK, its catalog, the publisher's story about tuning into illicit conversation [at one time advertising copy said that he had stumbled onto a call-girl ring operating via cellulars], and the slip in the box.

When DAK first offered the thing for sale a year or more ago, the catalog also said that these units were no longer allowed to be made and one should hurry to buy one before the supply was exhausted. Such cautionary remarks have disappeared in subsequent catalogs but I don't know why. DAK as usual seems to have an inexhaustible supply of remaindered products!
Maybe Drew compressed the space, maybe it was all an illusion, maybe there was a court challenge.

I once also saw a converter that would extend older Bearcats into the upper range, and it carried the same kind of warnings; in fact, it said that the manufacturer had negotiated a special deal to allow him to sell out his inventory and then make no more.

Advertising hype? Maybe. But do remember that Virginia makes it illegal to OWN, much less operate, a radar detector so such laws are possible -- at least until challenged in court.

If anyone can lay hands on the exact law, we could have a look.

Willis Ware

------------------------------

Date: Wed, 29 Jul 92 12:20:06 EDT
From: Dana Paxson
Subject: Encrypted Communications

** LONG **

In general, I think laws making encrypted communications illegal are wasteful, stupid and oppressive, for the following reasons:

1) They would be a violation of free speech rights.

2) They would be a waste of time and effort, since determining violation can be impossible.

3) They would be a further waste of time and effort, since such laws are impossible to enforce.

4) They would allow a government to apply enforcement selectively, singling out a few (for arbitrary reasons) and prosecuting them under the vague suspicion that some communication contained encrypted matter.

Point 1) seems self-evident to me.

Regarding Points 2) - 4):

A few examples and demonstrations come to mind. One of the most interesting and illuminating is the old 'Bacon cipher' controversy: the notion that Shakespeare's folios contained subtle typeface variations that amounted to an encipherment of text written by Francis Bacon, text which indicated that Bacon was actually the author of the Shakespeare plays.

As I remember it, there was a heated scholarly controversy over this idea for many years, which had all the earmarks of crankdom making an assault on basic literary understanding. Both sides of the debate attracted large numbers of followers.
It was all put to rest (at least from a scientific point of view) when one researcher who understood cryptography quite well managed to demonstrate that by reading the supposed typeface variations in different ways and supplying some additional overlays or adjustments of data (which the pro-Bacon people said was necessary to read the hidden text), he could make Shakespeare's folio produce any hidden text he wanted it to!

Admittedly the cryptographic methods assumed by the pro-Bacon group were faulty, and modern cryptanalysts would not make the mistake of inserting a text-decryption overlay that in effect would be inserting the encrypted message they wanted to find. Any astute analyst would spot this immediately.

The trouble is that not everyone involved in trying to make determinations of violation of anti-encryption law is qualified either to avoid making such an analytical error or to catch one being made. And this statement makes no assumption of malice. What if malice IS the motive?

So perhaps someone might count the characters in each line in this posting, convert the counts to characters with some simple arithmetic function, apply some transformation (either transposition or substitution, with some arbitrary key) and decide that I am a dangerous subversive because of the resulting "content" emerging from this process. There is in fact no such content.

Another such someone might profess to have found another message of mine which, when used as a key, produces a plaintext from selected words in this message. Between selecting another message, and selecting the words, they could put any concealed text in my message that they wanted to find.

Behind all this is the greasy odor of pseudoscience. Once a pseudoscientist sets mind on getting a result, all evidence leads to it. Or, as one wag put it, "When the theory does not agree with the facts, the facts must be disposed of."
Mix the pseudoscientists with the oppressive or manipulative politicians, and the results can be explosive. It is a dangerous farce. It could be worse law.

Turning to the other end of things, can any REAL concealed ciphertext be detected? The answer is, simply, no. The reason, strangely enough, is virtually the same as the reason that the Bacon-cipher people thought they had succeeded.

All the correspondents need to do is to establish two entirely independent communications pathways, sending the apparent plaintext message over one channel, and a key for extracting other messages from it over the other. Unless a cryptanalyst has access to both channels, no encrypted message sent on one channel can be decrypted if the encryption was done with a key based on a one-time pad (a once-used series of characters or values) sent over the other channel. The Bacon-cipher people did this unwittingly when they created the data overlays, which amounted to the key.

The channels need not occupy the same medium, nor the same place or time. A private conversation can serve as one channel, and the public network(s) the other. So if I wanted to plant an encrypted message in this message, I would only have to set up a key to produce it, and send the key via letter, radio, telephone, carrier pigeon, whisper, etc. to the intended recipients of the hidden message. If I took care with that communication, no one would have a clue.

And I could make this message contain two entirely contradictory encryptions for two different recipients, just by sending them different keys.

As an aside, this is how some people who tell fortunes or interpret holy scriptures make a living. I'm not referring to honest students of scripture or human nature, only to the folks with an axe to grind or money to be made. Such people can be extremely dismissive of scientific argument and evidence.
Hoping my recollections of the Bacon cipher controversy are basically accurate,

Dana Paxson
Network Applications Systems Group
Northern Telecom
97 Humboldt Street
Rochester, New York 14609
dwp@cci.com
1 716 654-2588

Disclaimer: The opinions expressed above are mine personally, and do not necessarily reflect the views of my employer.

------------------------------

Date: Wed, 29 Jul 92 18:13 GMT
From: Andrew Koran <0003967939@mcimail.com>
Subject: SSN Abuse

>No dice. So I asked if anyone had ever approached them this way, wanting
>to bypass the checking procedure with a 100% cash deposit? (You know
>the answer...) No, no one ever had. No one ever had a problem with giving
>the SSN.

I agree, I noted that their concern for the privacy of your SSN is lost-UNLESS, they themselves have had a problem in the past with the abuse of their SSN. I have had the past experience of someone (ex-mother-in-law) using my SSN to obtain a credit account for a public utility. When she skipped town my TRW, TransUnion, and EquiFax all picked it up on my credit report. I spent a year and half removing it from my TRW and TransUnion credit reports, I'm still working with (read with great difficulty here) EquiFax as of this date to correct this type of abuse. Never looks bad until it happens to you!

Andrew A. Koran

------------------------------

From: Maurice O'Donnell
Subject: IRS: ssn for my kids ?
Organization: The World Public Access UNIX, Brookline, MA
Date: Wed, 29 Jul 1992 22:00:20 GMT

To get a jump on the beginning of the year tax questions. I don't want to get ssn's for my kids just yet. Does anyone know what I have to do to convince the IRS that they in fact exist?

[Moderator's Note: I think the tax reform act of 1986 requires it for children over 2 years of age. ._dennis ]

--
Maurice O'Donnell  +---------^>
                   |      * <    internet---> mo@world.std.com
                   +-.-----.
                            \ 7  uucp-------> uunet!world!mo
                             \_\_/

------------------------------

Date: 29 Jul 92 18:32:14 EDT
From: Gordon Meyer <72307.1502@compuserve.com>
Subject: CC's and South Korea

[this submission is being xposted to RISKS]

"Governments Come Looking for Card Information"

It has been six months since the South Korean government's order that {credit card} issuers surrender files detailing individual account information, and card companies are still smarting. The reason: The companies are uncertain whether they can prevent the government of any foreign country from taking similar action.

Issuers agree they have no objection to turning over account information to a government when the information is pertinent to taxation cases, but they are angry that the South Korean government imposed its will in a case involving national trade issues.

Not only does the order raise questions about individuals' privacy rights, but the card companies are fearful of further government intervention that could curtail their card operations in South Korea. The country accounts for 0.8% of all MasterCard and Visa volume, and 1.4% of their charges outside the USA.

On just what further action the South Korean government could take, card executives are unwilling to speculate. In fact, the card companies are so worried about inciting the wrath of the government that they still refuse to discuss the matter in detail. (...)

Last October {1991} the South Korean government, reportedly concerned about the widening deficit between outgoing and incoming tourism dollars, decreed that all card issuers turn over information on their cardholders' overseas purchases from May thru August 1991. The government also demanded the issuer's magnetic tapes, which record the amount and location of each transaction.

Observers speculate that the order was prompted by a suspicion that citizens were evading a $3000.00 cap on overseas spending ...{exclusive of airline and travel costs}... by using multiple cards. (...)
Issuers argue the economic link between tourism and the trade deficit is weak at best. Some suggest that what the government really wants to do is crack down on excessive spending, which it reportedly deems a poor habit for its citizens.

Not only are the card issuers irked that their protests have fallen on deaf ears, but they are deeply concerned that the government may move to put additional caps on cardholder spending. "We have no idea how the information will be used, and that is a big concern," says the card association spokesperson. "It's a bit unnerving not knowing what is going to happen." (...)

Some observers believe the government's action may even prompt other governments to follow suit. Diners Club International, for example, reportedly fought similar decrees in Brazil, but was ultimately forced to comply. Diners declines further comment on the matter.

There appears to be very little the card companies can do if a country's laws do not prevent government seizure of consumer data. American Express Co. reportedly protested the South Korean decree in vain. "We are visitors here and if the government chooses it can ask us to leave," says one card company executive. "We have a business to run and we will always cooperate fully."

Indeed, with the card companies working to establish a global payment system, they're not in a strong position to challenge the fiats of local governments. Maybe card issuers can be as well served by data-protection laws as cardholders.

Excerpted from "Credit Card Management" June 1992

Gordon R. Meyer
Internet:72307.1502@compuserve.com
GEnie: GRMEYER
CIS: 72307,1502

------------------------------

From: "Wm. L. Ranck"
Subject: Re: SSN & TV rental
Date: 30 Jul 92 14:24:15 GMT

idela!bell@uunet.uu.net (Mark Bell) writes:
:
: I then offered to put the entire value of the TV down as a cash deposit.
: Not a credit card chit -- actual hundred dollar bills. Shucks, I'd make
: the deposit be LIST price, not the street price!
: All in the legitimate effort to respect their security interest in the TV.
:
: No dice. So I asked if anyone had ever approached them this way, wanting
: to bypass the checking procedure with a 100% cash deposit? (You know the
: answer...) No, no one ever had. No one ever had a problem with giving
: the SSN.
:

This just goes to show that the 'manager' of this place was an idiot. He was following some corporate policy to the letter when it was obviously the wrong thing to do in this case. I have worked in retail and believe me, any intelligent businessperson would have accepted the cash deposit. Of course most of those rental places are set up to basically rip-off low income families. Any one with an IQ above room temperature probably couldn't stomach working there for long.

--
*******************************************************************************
* Bill Ranck             DoD #496                  ranck@joesbar.cc.vt.edu   *
*******************************************************************************

------------------------------

From: keelings@wl.aecl.ca
Subject: Emerging Privacy Issues in Libraries
Organization: AECL RESEARCH
Date: Thu, 30 Jul 1992 21:26:27 GMT
Apparently-To: comp-society-privacy@uunet.uu.net

In a previous article, ole!rwing!peterm@nwnexus.wa.com (Peter Marshall) wrote:
>Would appreciate comments on the following scenario:
 . . .
>Related questions having to do with commoditizing information, and
>commercialization and privatization, may also be of relevance in such a
>scenario as they are in other privacy areas; and such tendencies may be
>facilitated by ideological influences provided, for example, by REINVENTING
>GOVERNMENT.

My only comment would be "What the heck does all this bureaucratic mumbo-jumbo mean in English?!?" "...commoditizing information..."?!?

......................................................................
keelings@wl.aecl.ca    wp33::keelings      AECL Research - Whiteshell Labs.
..programmer/analyst, DTD/ESAB/SDS          Pinawa, Man., Canada  R0E 1L0
....Voice: 204-753-2311; loc. 2309....Fax: 204-753-2455...............

------------------------------

End of Computer Privacy Digest V1 #068
******************************
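
An added example, not part of the original digest: a short Python sketch of the argument in Dana Paxson's "Encrypted Communications" message above, that with a key as long as the text (one-time-pad style) a single cover text yields contradictory messages for different key holders, and that an examiner who supplies the key also supplies the "finding". The XOR construction, the function names and the sample texts are assumptions constructed for illustration.

```python
# Added illustration; every name and sample text here is constructed.

def _fit(cover: bytes, text: bytes) -> bytes:
    """Pad text with spaces to the cover's length; reject texts that are too long."""
    if len(text) > len(cover):
        raise ValueError("hidden text cannot be longer than the cover text")
    return text.ljust(len(cover), b" ")

def key_for(cover: bytes, hidden: bytes) -> bytes:
    """Key that makes `cover` read as `hidden`: key = cover XOR hidden."""
    return bytes(c ^ h for c, h in zip(cover, _fit(cover, hidden)))

def read_with(cover: bytes, key: bytes) -> bytes:
    """Apply a key to the cover text, as a recipient (or an examiner) would."""
    if len(key) != len(cover):
        raise ValueError("key must be exactly as long as the cover text")
    return bytes(c ^ k for c, k in zip(cover, key)).rstrip(b" ")

# Channel 1: the apparent plaintext, visible to everyone.
COVER = b"The quarterly figures are attached. Regards, D."

# Channel 2: two recipients receive different keys privately.
KEY_A = key_for(COVER, b"meet at noon")
KEY_B = key_for(COVER, b"do not meet")

# An examiner who has decided on the result can manufacture a key as well,
# which is the Bacon-cipher "overlay" mistake: the key carries the message.
KEY_EXAMINER = key_for(COVER, b"I am a subversive")

def readings() -> dict:
    """Every reading obtained from the one unchanged cover text."""
    return {
        "recipient A": read_with(COVER, KEY_A),
        "recipient B": read_with(COVER, KEY_B),
        "examiner": read_with(COVER, KEY_EXAMINER),
    }

if __name__ == "__main__":
    for who, text in readings().items():
        print(f"{who:12s} -> {text.decode()}")
```

Because a suitable key exists for every possible message of that length, a "decryption" proves nothing unless the key's origin is independently established.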