Date: Thu, 11 Mar 93 17:32:48 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@PICA.ARMY.MIL
Subject: Computer Privacy Digest V2#024

Computer Privacy Digest Thu, 11 Mar 93              Volume 2 : Issue: 024

Today's Topics:                         Moderator: Dennis G. Rears

    Re: Dorothy Denning's article in Comm. of ACM
    re: Credit Card Validation
    Re: NEW EDITION OF THE PRIVACY GUIDE?
    Social Security Numbers as ID
    Re: Dorothy Denning's article in Comm. of ACM

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy. The digest is moderated and gatewayed into the
USENET newsgroup comp.society.privacy (Moderated). Submissions should be
sent to comp-privacy@pica.army.mil and administrative requests to
comp-privacy-request@pica.army.mil.

Back issues are available via anonymous ftp on ftp.pica.army.mil
[129.139.160.133].

----------------------------------------------------------------------

From: Carl Ellison
Subject: Re: Dorothy Denning's article in Comm. of ACM
Date: 9 Mar 1993 21:08:44 GMT
Organization: Stratus Computer, Software Engineering

In article thomas@ponder.csci.unt.edu (Tom Thomas) writes:
>I am not at all persuaded by Dorothy Denning's defense [...] Beyond this,
>Dr. Denning rationalizes the regulation of cryptography, [...]
>
>Once again, we are being asked to sacrifice a substantial and fundamental
>freedom for the sake of negligible safety and security. [...]
>
>Am curious about others' reactions to 'To Tap Or Not To Tap' in the March
>1993 'Communications of the ACM'.

I agree. I'm going to prepare a rebuttal article/letter to send to CACM
(and probably post here as well), but first I have to carefully read all
articles. It's hard. My blood pressure keeps going up and I have to set
it down.

Among other things, the gov't side focuses on only 1 of 8 scenarios:

    variable     values                 Denning's focus
    good guy:    (govt, private)        govt (eg., FBI saint)
    bad guy:     (govt, private)        private (eg., drug dealer)
    encrypter:   (good guy, bad guy)    bad guy

If that's the only scenario you look at or give reasonable weight to,
it's very hard to justify private crypto. So -- we need to prohibit such
a focus from being established.

Meanwhile, I'm not at all sure that the gov't should have a right to
wiretap in the first place. Is the gov't allowed to bug a confessional in
a Roman Catholic church? Can it bug an interview room used by a lawyer
for an imprisoned client?

A telephone gives, by its very nature, a suggestion of privacy: (you have
to hold your mouth close to it and hold it close to your ear -- something
you would do in person only if you were whispering a secret.) That means
that the telephone is seducing you into revealing secrets you would not
normally reveal in public -- just as you might in a confessional or in a
private room with your lawyer.

[Before you protest that I'm jumping to conclusions, I have *many*
examples of my own conversations with girlfriends over a telephone which
I would never have spoken through a PA system. I often intentionally
lowered my voice and brought my mouth closer to the mouthpiece, in fact,
to keep my roommate from hearing what I was saying....and I know how easy
it is to wiretap, but even I got seduced into treating a telephone as a
private channel. It was in asking myself why I behaved this way that I
realized the psychological relationship of telephone handset usage to
whispering.]

 - Carl

--
 - <>
 - Carl Ellison                                        cme@sw.stratus.com
 - Stratus Computer Inc.       M3-2-BKW                TEL: (508)460-2783
 - 55 Fairbanks Boulevard ; Marlborough MA 01752-1298  FAX: (508)624-7488

------------------------------

From: "Michael T. Palmer"
Subject: re: Credit Card Validation
Date: 9 Mar 1993 21:23:20 GMT
Organization: NASA Langley Research Center, Hampton, VA

In article Brinton Cooper writes:
>Now, Citibank is asking (US Government employee) users of its Diner's
>club cards to supply them with validation info. When activating a new
>(e.g., personal) account, changing address, or otherwise enquiring about
>one's file, the caller may be asked to supply such information in order
>to assure the credit company of the caller's legitimate identity.
>Information requested is:
>
>       Name
>       Account #
>       Address
>       Date of Birth
>       Social Security Number (you were surprised, maybe?)
>       Mother's Maiden Name (My hospital asks for this one, too.)
>       Business and home phones
>       Other Diner's accounts to which this info applies.

[etc]

>On the one hand, this has the potential to expose what little privacy we
>have left. On the other hand, one can argue that it protects us
>from malicious persons. I don't yet know whether I shall comply.

I don't know if I will, either. I'll have to think about this.
Although... I could make up some outrageous "Mother's Maiden Name" like
Spinkelschwartzenheimer. That'd serve the validation purpose (as long as
I can *remember* it), but doesn't give out any info on my personal life.
(Oooh! Dang! Now I can't use that one because I already posted it!)

>[Moderator's Note: I don't use the Diner Card Club. It's one less card
>I have to carry around. On the other hand I have passworded all my
>accounts (credit card, utilities, insurance, etc) that can be accessed
>by phone. I started this after my phone and electric service was cut off
>by someone claiming to be me. The "Mother's maiden name" is no security.
> ._dennis ]

While passwording your credit cards is a good idea, some of us MUST MUST
MUST use that damn Diner's Club card. When I go on Gov't travel, I *must*
charge hotels, rental cars, and registration fees to that card if I want
reimbursement without an act of Congress. Management has made this
CRYSTAL clear to us.

Michael T. Palmer         | "A man is crazy who writes a secret in any
m.t.palmer@larc.nasa.gov  | other way than one which will conceal it
RIPEM key on server       | from the vulgar." - Roger Bacon

------------------------------

From: hirai@cc.swarthmore.edu (Eiji Hirai)
Subject: Re: NEW EDITION OF THE PRIVACY GUIDE?
Organization: Computing Center, Swarthmore College, Swarthmore, PA, USA
Date: Tue, 9 Mar 1993 21:41:13 GMT

Mark McFadden writes:
:No edition since 1980!?! Does anyone know if another is planned?

The new edition came out in 1990.

AUTHOR       Hendricks, Evan.
TITLE        Your right to privacy : a basic guide to legal rights in an
             information society / Evan Hendricks, Trudy Hayden, Jack D.
             Novick.
EDITION      2nd ed., completely rev. and up-to-date.
PUBLISHER    Carbondale : Southern Illinois University Press, c1990.
DESCRIPT     xxii, 184 p. ; 18 cm.
SUBJECT      Privacy, Right of --United States.
SERIES       An American Civil Liberties Union handbook.
NOTE         Rev. ed. of: Your rights to privacy / Trudy Hayden. c1980.
             Includes bibliographical references.
ISBN         0809316323.
ALT. ENTRY   Hayden, Trudy.
             Novik, Jack.

------------------------------

From: Matthew B Cravit
Subject: Social Security Numbers as ID
Date: Tue, 9 Mar 93 16:52:25 EST

I was discussing a recent bunch of bicycle and computer thefts here at
Michigan State University with one of the campus police officers, and in
the course of our discussion, I asked what he suggested one do by way of
identifying property. I asked if it was advisable to put a SSN on the
bottom of my computer by way of identification, as the police in Toronto
(Canada) where I used to live suggested using your SIN (Canadian
equivalent to an SSN) for identification of property.

He said that quite apart from the fact that this is not a good idea from
a privacy standpoint (I already knew that), putting a SSN on articles for
identification was quite useless because he said that the Social Security
Administration will NOT release the name belonging to a particular SSN to
any local or state law enforcement agency FOR ANY REASON UNDER ANY
CIRCUMSTANCES.

Is this assertion of his correct?

[Moderator's Note: This is true. The few law enforcement agencies I
have dealt with have always recommended to use your driver license
number. Of course this was before states started using a SSN as a driver
license number. ._dennis ]

/Matthew Cravit, Undergraduate Communications/Computer Science Student
Michigan State University, East Lansing, Michigan
Internet: cravitma@studentc.msu.edu OR cravitm@clvax1.cl.msu.edu

------------------------------

From: Peter Swanson
Subject: Re: Dorothy Denning's article in Comm. of ACM
Date: 10 Mar 1993 02:49:02 GMT
Organization: University of Michigan Engineering, Ann Arbor

In article thomas@ponder.csci.unt.edu (Tom Thomas) writes:
>...Dorothy Denning's defense of proposed
>legislation that would regulate the development of communication technology
>to ensure government wiretapping capabilities...
>
>...'To Tap Or Not To Tap' in the March 1993
>'Communications of the ACM'.

FYI: Dorothy Denning has another article, 'Wiretapping and cryptography',
on p. 16 of the March 1993 IEEE Spectrum. The subject matter is the same.

--
| Peter J. Swanson               | pjswan@caen.engin.umich.edu         |
| PhD Pre-Candidate              | controls specialist                 |
| Electrical Engineering:Systems | Fortunately, ah keep muh feathuhs   |
| University of Michigan         | numbahd for just such ahn emergency.|

------------------------------

End of Computer Privacy Digest V2 #024
******************************