Date: Mon, 19 Apr 93 16:07:38 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@PICA.ARMY.MIL
Subject: Computer Privacy Digest V2#034

Computer Privacy Digest Mon, 19 Apr 93              Volume 2 : Issue: 034

Today's Topics:                         Moderator: Dennis G. Rears

    CPSR reaction to new Government Encryption Initiative
    Where to find out about Privacy Laws in Cdn
    Re: SSN
    Re: SSN
    Re: SSN
    Re: Don't post to this group!
    Reaction to the Administration's encryption proposal
    Credit card application

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@pica.army.mil and administrative requests to comp-privacy-request@pica.army.mil. Back issues are available via anonymous ftp on ftp.pica.army.mil [129.139.160.133].

----------------------------------------------------------------------

Organization: CPSR Civil Liberties and Computing Project
From: Dave Banisar
Date: Fri, 16 Apr 1993 16:43:02 EST
Subject: CPSR reaction to new Government Encryption Initiative

April 16, 1993
Washington, DC

COMPUTER PROFESSIONALS CALL FOR PUBLIC DEBATE
ON NEW GOVERNMENT ENCRYPTION INITIATIVE

Computer Professionals for Social Responsibility (CPSR) today called for the public disclosure of technical data underlying the government's newly-announced "Public Encryption Management" initiative. The new cryptography scheme was announced today by the White House and the National Institute for Standards and Technology (NIST), which will implement the technical specifications of the plan.

A NIST spokesman acknowledged that the National Security Agency (NSA), the super-secret military intelligence agency, had actually developed the encryption technology around which the new initiative is built. According to NIST, the technical specifications and the Presidential directive establishing the plan are classified.
To open the initiative to public review and debate, CPSR today filed a series of Freedom of Information Act (FOIA) requests with key agencies, including NSA, NIST, the National Security Council and the FBI for information relating to the encryption plan.

The CPSR requests are in keeping with the spirit of the Computer Security Act, which Congress passed in 1987 in order to open the development of non-military computer security standards to public scrutiny and to limit NSA's role in the creation of such standards.

CPSR previously has questioned the role of NSA in developing the so-called "digital signature standard" (DSS), a communications authentication technology that NIST proposed for government-wide use in 1991. After CPSR sued NIST in a FOIA lawsuit last year, the civilian agency disclosed for the first time that NSA had, in fact, developed that security standard. NSA is due to file papers in federal court next week justifying the classification of records concerning its creation of the DSS.

David Sobel, CPSR Legal Counsel, called the administration's apparent commitment to the privacy of electronic communications, as reflected in today's official statement, "a step in the right direction." But he questioned the propriety of NSA's role in the process and the apparent secrecy that has thus far shielded the development process from public scrutiny.

"At a time when we are moving towards the development of a new information infrastructure, it is vital that standards designed to protect personal privacy be established openly and with full public participation. It is not appropriate for NSA -- an agency with a long tradition of secrecy and opposition to effective civilian cryptography -- to play a leading role in the development process."

CPSR is a national public-interest alliance of computer industry professionals dedicated to examining the impact of technology on society. CPSR has 21 chapters in the U.S.
and maintains offices in Palo Alto, California, Cambridge, Massachusetts and Washington, DC. For additional information on CPSR, call (415) 322-3778 or e-mail .

------------------------------

From: "Michael C. Taylor"
Subject: Where to find out about Privacy Laws in Cdn
Organization: Mount Allison U, Sackville, N.B. Canada
Date: Fri, 16 Apr 1993 22:42:34 GMT

I was wondering where to look for laws on privacy for Computer related material. Esp. material entering/leaving the country by either physical or electronic means.

----------
Michael C. Taylor                 Internet: MCTaylor@MtA.ca
Mount Allison University, Sackville, New Brunswick, Canada
- Listen not to what I say, but to what I mean. -

------------------------------

From: "Keith F. Lynch"
Subject: Re: SSN
Date: 16 Apr 1993 23:15:02 -0400
Organization: Express Access Public Access UNIX, Greenbelt, Maryland USA

In article fec@arch2.att.com writes:
> The court system further explained in the summons package that jurors
> are selected, in part, from drivers license files and that drivers
> license numbers are used to differentiate people with the same name
> living at the same address.

Does this mean we are no longer guaranteed the right of jury by our peers, but now have a right of jury by drivers? That will be really reassuring to cyclists who get in legal cases against malicious or incompetent drivers.

--
Keith Lynch, kfl@access.digex.com
f p=2,3:2 s q=1 x "f f=3:2 q:f*f>p!'q s q=p#f" w:q p,?$x\8+1*8

------------------------------

From: news@cbnewsh.att.com
Date: Sat, 17 Apr 93 09:03:38 GMT
Subject: Re: SSN
Organization: Mary Ellen Carter Salvage Crew

In article fec@arch2.att.com writes:
   I have just been summoned for jury duty in Hunterdon County, New Jersey.....
   Does anybody know of any reason why the court would have a legitimate need for my SSN? Do they withhold from the meager juror pay?
   Would it

First of all, if they ask for it, they have to provide a Privacy Act Notice, and if they don't do so, you could have them hauled into court :-) you certainly don't have to provide the number without it.

If you're really concerned about the number, two reasonable choices are to discuss your privacy concerns with the court bureaucrats (maybe their record-keeping limits use of the number to the paychecks), or to refuse to accept payment (if the pay is still $9/day?).

Is Jury Duty pay taxable? It would seem that sub-minimum-wage money given to people who are forced to do a job doesn't sound like wages... With Social Security, I know they need the number if they're going to "credit" the taxes they collect to your "benefits", but could you just let them take the money and *not* give them your SSN to get any credit?

Of course, if I *wanted* to get out of jury duty, I could explain to them that as an anarchist, I'm not willing to accept money from the government, and I'm not likely to decide in the government's favor when somebody's been accused of breaking a government-made law, and give out some Fully Informed Jury Association literature for the other jurors to read, which would be enough to get me ejected or jailed in about 15 minutes :-)

In reality, I'd like to be on a jury, especially one dealing with a Crime against the State, such as drug abuse, because jurors have the right and responsibility not to convict people for violations of bad law, and I suppose I also have enough traditional "civic responsibility" to be willing to participate in conflict resolution (civil cases) and cases where someone may have committed a real crime against a person as well.

--
#                               Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
# No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

------------------------------

Subject: Re: SSN
Organization: I.E.C.C.
Date: 18 Apr 93 17:33:06 EDT (Sun)
From: "John R. Levine"

>Does anybody know of any reason why the court would have a legitimate
>need for my SSN? ...

>[Moderator's Note: They need it for pay purposes. You can avoid giving
>it to them up until the time you are chosen for jury duty. ._dennis ]

I've been summoned for jury duty plenty of times over the years and have never had to give my SSN. Around here they have a one-day/one-trial plan which means that most jurors aren't on duty long enough to collect pay, but even on the one trial that did go that long (and they paid me $50, wow) they didn't even ask.

Federal law requires that any governmental agency that asks for your SSN has to say under what authority they request it, what they will do with it, and what will happen if you don't provide it. There are apparently fines involved for non-compliance with the notification rules. Perhaps a polite note to your local jury commissioners is in order.

Regards,
John Levine, johnl@iecc.cambridge.ma.us, {spdcc|ima|world}!iecc!johnl

------------------------------

Date: Fri, 16 Apr 93 17:58:15 MDT
From: David Wade
Subject: Re: Don't post to this group!

% Don't post to this newsgroup if you don't want to receive junk
% mail (yes, snail mail) from Robert Ellis Smith's Privacy Journal.
% (And at over $100 for a subscription you really gotta be into
% this stuff to want it!)

Well, alright... I'll bite.

I subscribed to "Privacy Journal" for several years, and I really enjoy it. I've bought most of Robert Ellis Smith's books several years ago, and I've relied on his information many times for what is my "real" condition. (And if you are a student, [of almost anything] you are entitled to their $25.00/year rate).

I often ran out of money when it was around renewal time, and I often wondered about why I couldn't send RESmith stuff I found that related to our common interests...
So, several years ago, at USENIX, in Washington, DC, Rob was holding a BOF about privacy, and I tried to get RESmith to come and attend. I found out that he was PC-bound, but seemed to be coming along nicely... (You can often see the hyphens`-' left inside words which were word-processed by PC-Software, and then moved to some other product with different sized columns, and the hyphens are "artifacted")

And yes, I paid particular attention when RESmith finally got to our list, and I eagerly await his offer of an electronic-copy of his privacy journal which will cover a lot of things which I have not seen in these groups, and authoritatively.

The level of bullshit around here spread in the "Social Security Number" articles has gotten so high that I wonder that Willis Ware is still posting now and then. There is a lot more to privacy than whether a clerk can refuse your check if you don't write your SocSecNum and Medicare Number and PHONE NUMBER, and ADDRESS on it.

Have any of you taken time to think about the implication of DNA testing? And did you know that the courts believe it is SCIENTIFIC TRUTH at or above the 98% confidence level... And scientists are beginning to put that confidence level closer to 10%... And Murderers Walk, daily, because the DNA tests "PROVE they couldn't of dun it". Privacy Journal has been reporting about this for over 10 years...

And if you really want to get into the SocSecNum thing, go read Willis Ware's 1974 Privacy Act... Which only applies to government agencies and their subcontractors..............................................
......................................................................
......................................................................
In order to apply it to you and your everyday life, you have to prove that the person/entity you want to force is "a government subcontractor". RESmith knows that. He doesn't waste my time with a lot of Sophomoric Drivel about SSNs.
Several years ago, I took the time to key in large amounts of the Privacy Act, and try to explain it; I'm not going to do that now. "Life's Too Short". Go buy one/several of RESmith's books, or Willis's Privacy Act Analysis... (I was lucky, Willis sent me his last copy!!! But it is a "CONGRESS THING" which means you can get all this stuff from your Congresslime for free or a buck/two ninety-eight.)

And RESmith has been on top of the "Caller Number ID" stuff for the last five/seven/more? years... Have we seen enough Sophomoric Drivel about CNID?

Yet, sometimes, actually; mostly, the electronic media has been a month or so ahead of the printed media... I just don't have to put up with the "But: Why?" aspect of the electronic media on print. But in the long run, I let my subscription lapse.

But you can't say those things about Robert Ellis Smith around me!!! He was the only/first privacy advocate that many of us had.

And if you don't want your subscription card, send it along to someone else that you think needs it... For instance, The Lady in Charge of Human Resources where you work. Fortunately for me, the lady here that I had so much trouble explaining about SocSecNums and Health Benefit Plan Providers to, (Dangerous split infinitive, that one there...) HAS QUIT. She is moving to California to become head of Human Resources at Livermore... Fortunately for them they have a constitutional amendment in place; not like here in New Mexico.

So, clearly, we should heap praise upon the head of people who have been at the forefront of THE PRIVACY ISSUE. We should welcome them to our "First Lurch of Immediate Gratification". That place where we go to "howl" about society, as did your grandfathers.

And remember, without these people to push back the limits, when you make your leap into the unknown, you'd have no place to land.
Dave

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
I promised myself ( when I turned 21, ) that I wouldn't ever again do anything just once. I think that solves a lot of problems; no high speed crashes into bridge abutments, no one-night stands, etc.
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

------------------------------

From: Carl Ellison
Subject: Reaction to the Administration's encryption proposal
Date: 17 Apr 1993 19:31:05 GMT
Organization: Stratus Computer, Software Engineering

I mailed the following letter to the President today. It might be good for others to write as well, if you're interested in this issue.

- Carl

======================================================================

To: 0005895485@MCIMAIL.COM (White House)
Subject: Second thoughts about your encryption proposal

17 April 1993

Dear Mr. President --

Since writing my initial reaction I have given considerable second thought to your encryption proposal, announced yesterday. I must withdraw my initial partial support for your plan, pending the release of further details.

My initial assumption was that you were mandating the replacement of every telephone handset in the USA with one which would digitize the person's voice and encrypt it. I assumed that this replacement would start with cellular handsets and proceed through wireless and wired -- in order of severity of vulnerability. Given that the government would mandate such a change and that that change would interfere with the FBI's current ability to tap voice telephone calls on the public networks, it made sense to propose an encryption method which would allow the FBI to continue in court-ordered wiretaps -- specifically via key escrow.

While it would be beneficial from the point of view of improving the privacy and security of citizens from illegal eavesdropping, I now believe that this proposal is far too costly to undertake at this time.
The federal government is facing a huge debt and deficit and the private sector is far from thriving. The proposal to pay for some of this equipment with funds from civil forfeiture adds insult to injury, since abuses of civil forfeiture have led me to conclude that law enforcement's right to such funds should be severely restricted if not removed.

If this proposal is only for limited use of such encryption, then it does little to advance the cause of citizens' privacy and it is in direct competition with existing products which already service the small market of citizens who are aware of their vulnerability and who are willing to pay for assurance of their privacy. It is especially disturbing that the press release suggests that this proposal is not merely a call for action but an already designed implementation which some agency of the administration is attempting to impose upon the American people. The talent exists in the private sector to address these security concerns.

Meanwhile, there is a danger that the key escrow provision is intended to imply that all cryptosystems used by citizens in the lawful course of their daily personal and business lives must include key registration. This would be an unacceptable erosion of our current rights, especially of the fundamental right of privacy which you supported so strongly during your campaign.

Legislation to this effect would be unenforceable. It would be easily and frequently broken -- leading to the danger that some law enforcement officer with a private grudge would have an easy method of filing a criminal complaint against the innocent victim of his grudge.

A requirement for key registration would also come directly into conflict with certain uses of cryptography in advanced computer system design. In those cases, both key registration and use of some government-designed chip are unacceptable.
Meanwhile, there is the additional danger that this proposal would serve as a vehicle for advancing the FBI's wiretap proposal which was rejected by Congress last year and which I oppose on several grounds.

I look forward to full technical details of your proposal and to a public debate on its merits.

Sincerely,

Carl M. Ellison
Senior Technical Consultant - Advanced Development Group
Stratus Computer Inc.
55 Fairbanks Boulevard
Marlborough MA 01752-1298

TEL: (508) 460-2783
FAX: (508) 624-7488
E-mail: cme@sw.stratus.com
        cme@vos.stratus.com

--
- <> -
Carl Ellison                                    cme@sw.stratus.com
- Stratus Computer Inc. M3-2-BKW                TEL: (508)460-2783
- 55 Fairbanks Boulevard ; Marlborough MA 01752-1298  FAX: (508)624-7488

------------------------------

From: Matthew B Cravit
Subject: Credit card application
Date: Sun, 18 Apr 93 13:02:31 EDT

I received a credit card application (some kind of student Visa/Mastercard), and in looking at the application, I see that they want to know:

    My Resident Alien number (I am not a US citizen yet)
    All sources of income and how much I make per week from each
    My checking account NUMBER, bank and BALANCE
    The account numbers of any credit cards I have and my monthly payments
    The account numbers of any other bank accounts I have and their balances
    Social security number

Should I be wary of providing any of this? Do they have a reasonable right to my Mastercard and AmEx account numbers and checking balance?

/Matthew Cravit
Michigan State University
East Lansing, MI 48825
cravitma@studentc.msu.edu OR cravitm@clvax1.cl.msu.edu
Compuserve : 71442,225

------------------------------

End of Computer Privacy Digest V2 #034
******************************