Date: Wed, 22 Sep 93 16:20:42 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@PICA.ARMY.MIL
Subject: Computer Privacy Digest V3#043

Computer Privacy Digest Wed, 22 Sep 93              Volume 3 : Issue: 043

Today's Topics:                         Moderator: Dennis G. Rears

        Professional Report Online: Computers, Gov't and Privacy
        Re: Privacy Bill?
        Re: crypto witchhunt?
        Re: Computer Privacy Digest V3#040

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@pica.army.mil and administrative requests to comp-privacy-request@pica.army.mil. Back issues are available via anonymous ftp on ftp.pica.army.mil [129.139.160.133].

----------------------------------------------------------------------

From: Lew Oleinick
Subject: Professional Report Online: Computers, Gov't and Privacy
Date: 21 Sep 1993 09:48:25 -0500
Organization: The University of Texas - Austin

I have just completed work on my Master's Thesis. The title is "Computerized Governmental Database Systems Containing Personal Information and the Right to Privacy." I thought there might be an interest in this topic on the net and for that reason I am posting the abstract and table of contents of my thesis. The report itself is available via anonymous FTP.

I attended the Lyndon B. Johnson School of Public Affairs at the Univ. of Texas-Austin where I specialized in information technology policy. At the LBJ school, masters students write something called a "professional report" rather than a thesis. So technically, my thesis is really a professional report.

I have placed a copy of my report online along with the abstract and table of contents. I have also placed a copy of my resume online as I will be looking for work soon and hoped to make some contacts in government or industry with those who are interested in my area of study.
The report, abstract, TOC, and resume are stored in a directory that is accessible via anonymous FTP. The ftp site is: bongo.cc.utexas.edu login=anonymous. Change directories to pub/lewo. You will find the following files:

    -rw-r--r--  1 lewo      3951 Sep 19 17:31 abstract.txt
    -rw-r--r--  1 lewo    125657 Sep 19 17:22 privacyreport.zip
    -rw-r--r--  1 lewo      5363 Sep 19 17:34 resume.txt
    -rw-r--r--  1 lewo      4774 Sep 19 17:23 tableofcontents.doc

The report itself is labeled "privacyreport.zip." As it is zipped be sure to transfer in binary format.

NOTE !!! This file is a WordPerfect 5.1 file that was written on a PC. The file was zipped using PKZIP. I have not translated the file to a straight ASCII file as of yet because the WP51 translation program doesn't capture footnotes and I don't have the time quite yet to write the macro to do this for me. What this means is that unless you have WP51 or higher on a PC you won't be able to read the text in its entirety. However, if you have MS Word, you'll be able to read the body of the text. The report is about 102 pages long.

Any comments or suggestions are welcome at: lewo@emx.cc.utexas.edu

I will post a compilation of comments and suggestions if a desire for such a compilation is present on the net.

Enjoy,

-- Lew Oleinick

------------- begin abstract and TOC ------------------

ABSTRACT

Computerized Governmental Database Systems Containing Personal Information And The Right to Privacy

by
Lewis William Oleinick, M.P.Af.
The University of Texas at Austin, 1993
SUPERVISORS: Chandler Stolp and Philip Doty

This report identifies and examines the potential threats to individual privacy created by the collection, aggregation, and dissemination of personal information by governmental agencies and the role computer systems play in potentiating such threats.
Computer matching, computer profiling, the national criminal justice database, and portfolio creation via data aggregation of personal information are the governmental activities stipulated to be potentially threatening to personal privacy. These four activities are forms of "dataveillance." Dataveillance poses dangers to the security of civil liberties in a free society.

To carry on an intelligible discussion about privacy and how the collection, aggregation, and dissemination of personal information by governmental agencies may threaten individual privacy it is necessary to first define privacy and personal information. Independence, autonomy, dignity, and respect create a conceptual framework upon which privacy may be defined.

Privacy is a culturally defined norm. As such a discussion of the American cultural tradition of privacy is necessary to understand both how Americans have defined privacy over time and the roles privacy has played in American society in 1) "starting over," 2) in interpersonal relationships, and 3) in maintaining the "balance of power" with the State.

Privacy is held to be as important as the unalienable rights of "life, liberty, and the pursuit of happiness" by the majority of the American public. Americans have become more and more concerned with their privacy as intrusive technologies have evolved. Many Americans fear that computers allow the U.S. Government too much power over the average citizen.

Privacy has been protected in the United States by precedents set in court cases, by legislation and by executive act. The breadth of cases pertaining to privacy precludes the examination of all cases. Supreme Court cases provide a historical overview of the evolution of the right to privacy as the questions presented to the Court have become more complex with the introduction of new technologies into the law enforcement process.
Congress has attempted to address the public's concerns of the government's collection, aggregation, and dissemination of personal information by passing legislation designed to protect individual privacy. The four major pieces of legislation passed by Congress for the protection of the citizen's right to privacy are the Freedom of Information Act, the Privacy Act, the Computer Security Act of 1987, and the Computer Matching and Privacy Protection Act of 1988.

The Office of Management and Budget has produced regulations designed to enforce the intent of the legislation promulgated by Congress. These regulations are contained in OMB Circular A-130 which details federal information policy.

This report concludes by suggesting the need for the implementation of a Privacy Protection Board at the national level. Such a board would be based on the model suggested by David Flaherty.

The primary conclusion that should be drawn from this report is that society as a whole must re-evaluate the existing paradigm of who should be in control of personal information; i.e., should it be the agency who collects it or should the power of control remain with the individual about whom the information was collected. This report suggests that a certain modicum of control over the disclosure of personal information should revert to the individual about whom the information was collected.

TABLE OF CONTENTS

Chapter 1. Introduction ... 1
    Description of Problem ... 1
    Governmental Activities of Interest ... 2
    Reasons for Concern ... 3
    Bringing the Concerns to a Personal Level ... 3
    Justification for Focusing on Governmental Activities ... 4
    Recapitulation of Topic and Statement of Position ... 5
    Explanation for the Ordering of the Presentation of Material ... 5
    Ordering of Presentation of Materials ... 6

Chapter 2. Governmental Dataveillance ... 7
    Introduction ... 7
    Defining Surveillance and Dataveillance ... 7
    Forms of Governmental Dataveillance ... 8
    Transition from Personal Surveillance to Mass Dataveillance ... 13
    Dangers of Personal and Mass Dataveillance ... 14

Chapter 3. Privacy and Personal Information: The Relationship Explored ... 19
    Introduction ... 19
    Terms necessary for the definition of privacy ... 19
    Definition of Personal Information ... 23
    Definition of Privacy ... 24
    Difficulties with Defining Privacy ... 25

Chapter 4. The Cultural Tradition of Privacy in American Society ... 27
    Introduction ... 27
    Public Opinions on Privacy ... 27
    Privacy's Role in "Starting Over" -- A Cultural Basis ... 34
    The Role of Privacy of Personal Information in Interpersonal Relationships ... 40
    The State and the "Balance of Power" ... 45

Chapter 5. A Brief Legal History of the Right to Privacy: A Survey of Selected Supreme Court Cases ... 49
    Introduction ... 49
    Reasons for Choosing the Ten Cases ... 50
    Analysis of Cases ... 51
        Mapp v. Ohio ... 52
        Griswold v. State of Connecticut ... 53
        Katz v. United States ... 55
        Stanley v. State of Georgia ... 57
        Eisenstadt v. Baird ... 59
        Roe v. Wade ... 60
        United States v. Miller ... 62
        Whalen v. Roe ... 64
        Bowers v. Hardwick ... 66
        United States Department of Justice v. Reporters Committee for Freedom of the Press ... 67
    Summation of Cases and Problems with Judicial Activism ... 70

Chapter 6. Legislative and Executive Action to Protect the Privacy of Personal Information ... 73
    Introduction ... 73
    The Freedom of Information Act ... 74
    The Privacy Act ... 76
    Criminal Justice Information Control and Protection of Privacy Act of 1974 ... 82
    The Computer Security Act of 1987 ... 83
    The Computer Matching and Privacy Protection Act of 1988 ... 85
    OMB Circular A-130 ... 88
    Chapter Summary ... 91

Chapter 7. Conclusion and Suggestions for Additional Legislation ... 93
    Introduction ... 93
    Recapitulation of Major Themes ... 93
    Policy and Advancing Technology ... 98
    Government Responsibilities ... 99
    Suggestions for Additional Legislation ... 101
    Conclusion ... 102

--
-----------------------------------------------------------
Lew Oleinick                      lewo@emx.cc.utexas.edu
Systems Analyst                   512-471-3241 ext. 269
Statistical Services Group
Univ. of Texas - Austin

------------------------------

From: "Theodore L. Dysart"
Subject: Re: Privacy Bill?
Date: 21 Sep 1993 20:51:10 GMT
Organization: Worcester Polytechnic Institute

In article peterson@CS.ColoState.EDU (james peterson) writes:
>I have recently been hearing about a privacy bill being considered
>by Congress. Does anyone have the text of this bill to post?

I am doing a paper on e-mail privacy and I looked into this legislation. It is sponsored by Senator Paul Simon, and it is called "The privacy for consumers and workers act".

As explained to me by his aide, it does the following: If an organization declares that it has the right to read/review your e-mail, it must do so all the time. If they do not review mail on a regular basis, but retain the right to, they must make you aware of the fact that they have "opened" your mail.

It doesn't stop them from doing it, but at least you must be informed. 8)

The aide told me that it was unavailable in an on-line format, but they are happy to send it to you. (took about 2 wks.)

We volunteered to do some surveys or research for the office, but their interest was more directed towards Unions. (The brochure with the record from the hearing included an extensive statement from the Union at the Sheraton Hotel in Boston.)

Ted.

-------------------------------------------------------------------------------
Theodore L. Dysart | dysart@wpi.wpi.edu | Sales Rep. for WIN Enterprise | (508)753-1522
Also Student Conductor for the WPI Glee Club and Head Chef for the WPI Baker's Dozen - Available for Special Occasions 792-9119

------------------------------

From: amn@ubik.demon.co.uk (Anthony Naggs)
Subject: Re: crypto witchhunt?
Organization: UBIK (we are everywhere!)
Reply-To: amn@ubik.demon.co.uk
Date: Wed, 22 Sep 1993 03:16:34 +0000

The attached messages accompanied Shari Steele's posting in the latest issue of Computer Underground Digest (v5 #73, aka comp.society.cu-digest).
I think they offer useful information, I hope you can republish them.

Regards,
Anthony

----< begin included text >----

Date: Sun, 19 Sep 1993 21:15:22 CDT
From: CuD Moderators
Subject: File 1--U.S. Gov't Begins Attack on Moby Crypto

((MODERATORS' NOTE: The following posts on the U.S. Customs Service subpoena directed against Grady Ward and others came from a variety of sources. We pulled together the three that seemed to best summarize events of the past few days. In editing them, we can't reconstruct where they all came from, but most appeared on Usenet in the past few days. The following was distributed on Usenet by Grady Ward)).

++++++++++

Subpoena served on Austin Code Works for material related to Moby Crypto.

At 10:30 PM EDT Thursday, 16 Sept 1993 Theodore R. Siggins, special agent for the Department of Treasury, U.S. Customs Service office of enforcement for Austin, TX (512) 482-5502 served the following subpoena:

United States District Court
Northern District of California

TO:
Custodian of Records
Austin Code Works
11100 Leafwood Lane
Austin, TX
(512) 258-0785

SUBPOENA TO TESTIFY BEFORE GRAND JURY
documents of object(s)

PLACE
U.S. Courthouse & Federal Building
280 South First Street
San Jose, CA 95113
Grand Jury Room 2115
September 22, 1993 9:00 AM

YOU ARE ALSO COMMANDED to bring with you

Any and all correspondence, contracts, payments, and record, including those stored as computer data, relating to the international distribution of the commercial product "Moby Crypto" and any other commercial product related to PGP and RSA Source Code for the time period June 1, 1991 to the present.

CLERK
RICHARD W. WIERKING
by deputy clerk (illegible)

This subpoena is issued on application of the United States of America
Michael J. Yamaguchi
United States Attorney

Assistant U.S. Attorney
William P. Keane
280 S. First St., Suite 371
San Jose, CA 95113
(408) 291-7221
s/a Robin Sterzer, Customs
93-1348(SJ)
93-1(SJ)

9 September 1993

served by
Theodore R. Siggins
special agent
Department of Treasury
U.S. Customs Service
Office of Enforcement
P.O. Box 99
Austin, TX 78767
(FTS) 770-5502
(512) 482-5502

+-------------------------- BACKGROUND ----------------------------

The day before yesterday I faxed the following to the NSA:

Grady Ward
3449 Martha Ct.
Arcata, CA 95521
(707) 826-7715
grady@netcom.com

Charlotte Knepper
National Security Agency
301 688 7834
FAX 301 688 8183

Sep 93

Re: Moby Crypto and the Austin Code Works

Recently you phoned Maria Guthery at the Austin Code Works (512-258-0785) to voice your concern about the publication for export of my product 'Moby Crypto'.

As the editor and author of the compilation I made sure not to include any executable code -- only the algorithmic description in C source code that can be found (and exported) from scores of books and journals from the US distributed throughout the world.

I believe that this material qualifies for the 'public domain' technical documentation exception under the current DTR rules.

It seems to me that proscribing the publication of material because it is conveyed on a magnetic media rather than paper pulp is an NSA initiative that is both destructive to our basic freedom of expression and to the trade renaissance that Vice President Al Gore and the Clinton Administration are trying to foster.

Even the Supreme Court recognizes the role of the computer media in protecting our freedom; beginning this 1993 calendar year all decisions will be provided in electronic form. Further, as you may know, it was recently decided that White House records in electronic form must be protected as a permanent archive of our government. Clearly, magnetic media must be treated as a logical extension of the power and fundamental right of the print media.

Please phone, fax, e-mail or post your ideas or any literature to me that you think useful if I have misapprehended the situation.
Of course if you wish I will send you a gratis copy of the software (about nine megabytes of sources for DES, RSA, IDEA, Lucifer, PGP, SHA, and so on) for your advice and comments.

Very truly yours,

GRADY WARD

+-------------------- WHAT YOU SHOULD DO ---------------------

NSA and the US Treasury have started a new, aggressive campaign to prevent the spread of cryptographic ideas, algorithms, sources, and documentation. The subpoena was served on the ACW in the night because they MIGHT have sold a copy of source code, already available worldwide, to a foreign national.

If you value the freedom to disseminate ideas on both paper and magnetic and electronic media, you should immediately preserve your right to have such knowledge by obtaining a copy of the source to Pretty Good Privacy and all other cryptographic materials before a possible complete blackout of such material is attempted by the US authorities.

It is not yet against the law to possess source code to PGP, the world's foremost encryption application, in the United States.

Source is available for a variety of platforms including MS-DOS, Unix, and Macintosh from the following sites:

    soda.berkeley.edu
    ghost.dsi.unimi.it
    nic.funet.fi
    ota.ox.ac.uk
    van-bc.wimsey.bc.ca

and many other sites

For more information about PGP, send a blank mail message to: pgpinfo@mantis.co.uk

--
Grady Ward                                      grady@netcom.com
3449 Martha Ct.                        compiler of Moby lexicons
Arcata, CA 95521-4884          e-mail or finger grady@netcom.com
(707) 826-7715 (voice/24hr FAX)             for more information

------------------------------

Date: Sun, 19 Sep 1993 22:29:54 CDT
From: CuD Moderators
Subject: File 2--Phil Zimmermann's Comments on the Moby Crypto Incident

On Tuesday, 14 September 93, Leonard Mikus, president of ViaCrypt, also known as LEMCOM Systems, in Phoenix, Arizona, was served a Subpoena to Testify Before Grand Jury, to produce documents. The subpoena was issued by the US District Court of Northern California, by Assistant US Attorney William P. Keane in San Jose, as part of an investigation from the San Jose office of US Customs, conducted by Special Agent Robin Sterzer. The US Attorney above Keane is Michael J. Yamaguchi.

ViaCrypt is the company that will be selling a fully licensed commercial version of PGP, starting in November. ViaCrypt has a license from PKP to sell products that embody the patents held by PKP. That includes PGP, using the RSA algorithm.

The subpoena, dated 9 September, orders the production of "Any and all correspondence, contracts, payments, and records, including those stored as computer data, involving international distribution related to ViaCrypt, PGP, Philip Zimmermann, and anyone or any entity acting on behalf of Philip Zimmermann for the time period June 1, 1991 to the present." The date specified for the production of documents is 22 September 93.

The written agreement between ViaCrypt and myself explicitly states that US State Department cryptographic export controls will be adhered to.

The implications of this turn of events are that this US Customs investigation has escalated to the level of a Federal Grand Jury and a US Attorney. US Customs says that this change was precipitated by a ruling recently handed down from the State Department that PGP is not exportable. Other subpoenas and/or search warrants are expected.

I am the principal target of the investigation. I have advised EFF, CPSR, and my other attorneys of the situation. A legal defense fund will be set up by my lead attorney (Phil Dubois, 303 444-3885) here in Boulder.

This case raises some serious public policy questions regarding First Amendment rights to publish, rights to privacy as affected by widespread availability of cryptographic technology, the equivalence of electronic publication with paper publication, the availability of lawful domestic cryptographic technology in the face of export controls, and certain other Constitutional rights. This may turn into the test case for these issues.
Philip Zimmermann

------------------------------

Date: Tue, 21 Sep 93 22:21 PDT
From: John Higdon
Reply-To: John Higdon
Organization: Green Hills and Cows
Subject: Re: Computer Privacy Digest V3#040

Bryon Propst writes:

> What has happened to our government over the
> last 200 years? We once believed that what the private citizen did was
> his own business until there was physical evidence that they were
> harming another's Constitutional rights. Now, you believe that you
> have the right to "take a preventative stance toward crime and
> corruption...". Sounds good, but where does that lead us? To invading
> ALL areas of our citizens' lives that were once deemed private, in the
> hope that you may find a potential infraction?!?

It is actually worse than that. Large amounts of money are spent by law enforcement to create elaborate environments to facilitate crime. Attractive scams are set up and then the officials sit back and see who falls into the trap. Sometimes it seems as though these "sting" operations are designed to "drum up business" as it were.

These entrapments (what else can you call them?) pass legal muster when the agencies argue to the court that only people who have a propensity toward crime will nibble at the bait. This may or may not be true, but it certainly could conceivably create criminal activity where none would have occurred otherwise.

So what it amounts to is having a government that goes out of its way to sniff around trying to find evidence of criminal activity that is otherwise not manifest, and when it cannot find any, creates it.

--
 John Higdon  |   P. O. Box 7648   |   +1 408 264 4115     |       FAX:
 john@ati.com | San Jose, CA 95150 | 10288 0 700 FOR-A-MOO | +1 408 264 4407

------------------------------

End of Computer Privacy Digest V3 #043
******************************