Date: Fri, 11 Feb 94 21:29:51 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V4#029

Computer Privacy Digest Fri, 11 Feb 94              Volume 4 : Issue: 029

Today's Topics:                         Moderator: Leonard P. Levine

        WA state bill could censor VR and multimedia
        Help with Computer Privacy Policy
        Privacy in Mailing Lists
        New Mailing List on Information Problems
        Re: Data Encryption and Privacy -- PGP Issues

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. Back issues are available via anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The archives are in the directory "pub/comp-privacy". Archives are also held at ftp.pica.army.mil [129.139.160.133].

----------------------------------------------------------------------

From: Robert Jacobson
Date: Thu, 10 Feb 94 08:09:08 -0800
Subject: WA state bill could censor VR and multimedia

A friend who frequents the Washington state government passed this on to me:

There is a bill at the state level:

(excerpts from ``Public Health & Safety Act 1994'' bill, SBR 6174)

NEW SECTION. Sec. 706

(1) A license is required for the commercial use of virtual reality technology for entertainment or purposes other than bona fide education, training, research, and development.

where VR is defined:

NEW SECTION. Sec 702.
(4) ``Virtual Reality'' means any computer or other electronic technology that creates an enhanced illusion of three-dimensional, real-time or near-real-time interactive reality through the use of software, specialized hardware, holograms, gloves, masks, glasses, computer guns, or other item capable of producing visual, audio, and sensory effects of verisimilitude beyond those available with a personal computer.

My friend was present at the hearing of a portion of this bill. Evidently, the person backing the bill, Senator Phil Talmadge, and his crew are convincing the State Congress that VR will permit ``a realistic illusion of killing another person and such an illusion will make it easier for someone to go out and actually commit such a crime outside of VR'' (quoting my friend who was quoting from memory).

This is all part of the movement to reduce violence by controlling media and entertainment. However, because of a misunderstanding of the possibilities of the technology and the lack of a total suspension of disbelief which most researchers would claim will never happen, the government would like to restrict and control anything which has VR elements, whether being marketed as VR or not.

The important issue which needs to be addressed right now is not so much a method to reduce the violence in communities but the nature of government-level control.

The State Congress has a very short calendar this year. This matter could be voted upon as early as next week (week of 14 Feb 94), and the congressional session ends 8 March 1994, so this could be voted into law in less than one month.

Senator Phil Talmadge (206) 786-7436
Leading the opposition: Senator Sheldon (206) 786-7644
Senate Fax: (206) 786-1999

Commission on Public Health & Safety Act 1994 Bill to be heard in Ways & Means Committee (Sen. Rinehart, Chair), Wednesday night, February 9, 1994; then to Rules.
for status of bill, call Secretary of Senate: 206/786-7550

------------------------------

From: plbuschm@nyx10.cs.du.edu (Pete Buschman)
Date: Thu, 10 Feb 94 23:00:06 GMT
Subject: Help with Computer Privacy Policy
Organization: Nyx, Public Access Unix at U. of Denver Math/CS dept.

Attention: This is a general request to readers of the newsgroups alt.privacy, comp.society.privacy, alt.comp.acad-freedom.* and misc.legal.computing.

Please Note: This is NOT a netwide flame issue. I have refrained from naming my home institution as I hold no malice for them and am trying to constructively change an unfair system. If you choose to respond, I only ask that you do so constructively and with consideration.

I am a student at a Private College. This institution has a campus-wide network with a direct internet connection, and the majority of students use the system exclusively for email purposes. The thought that their privacy might possibly be violated does not occur to most of them.

Two days ago, a close friend of mine was quietly asking for extra space on his account. He was treated rudely and informed that before the space would be granted him, they would look at his files to see if there was anything they felt should be deleted or backed up on disk.

He explained the situation to me and I researched what little computer policy did exist. In doing so, I found information on the EDUCOM code which was posted in all labs, and also a little loophole that stated the College would conform to all Michnet acceptable use standards. The result was that the Director of Computer Services received a notice from us stating that they had no right to inspect a student's files without the student's permission because that action violated the standards the College claimed to follow.
RESULT:

Much to our incredible surprise, we, as students, have been asked to demonstrate to the Administration what an official privacy policy would be like, and to _prove_ that other schools have such policies for students' computer rights. The personal reaction, however, indicates that they don't believe we can come up with much. [ Help me prove them wrong. ]

This school is _very_ resistant to change and I believe, that if we come up with enough precedents and even Federal law if possible, they cannot help but issue an official policy statement or risk extremely bad publicity. We have been informed that a committee has been formed to deal with this issue, and are going to insist on our right to present information or even possibly serve on that committee.

OUR GOAL:

To force the Administration into a position where, due to overwhelming precedent, legal or academic, they must implement an official policy regarding computer privacy. This policy would include, but not be limited to:

1. Acknowledgement of computer files as intellectual property.

2. Permission from the student must be required before files are inspected, modified, or deleted in cases where criminal conduct is not suspected.

3. In cases where criminal conduct is suspected and the appropriate college authorities insist on a search of files, the student WILL be notified and MUST be present at the time of searching unless the student waives that right.

4. Logging of students' activities on the computers is unlawful unless the student has been informed prior to the time the logging was begun or has previously consented to such activity.

5. Any user has the right to know if their files have been examined or their activities logged anytime within record.

The above are just some of the examples we have thought of specifically for our school. The College has a long history of violating the above because there was no policy to prevent it. Please help us change this!
WHY WE NEED HELP:

Note: Although the tone of this post might sound as if a large response is expected, please do not take it as such. This is not our only method of research, but a supplement to it. Any information we get as a response is greatly appreciated as it will aid us in changing something that truly needs it.

We are required to present this information in the next few weeks. The research loads are immense if we wish to truly cover all the bases and make this policy as fair to everyone as possible. The administration is going to try and rush this through as quickly as possible, and we need to get everything relevant in before the issue is closed.

WHAT WE NEED:

We need any and all information on Privacy, Intellectual Rights, and what constitutes these, _Appropriate_to_an_Academic environment

I am already aware of the vast resources available through ftp.EFF.org, and I am asking you, as readers, of these related newsgroups, if you have any information you are willing to contribute, please do so.

The areas we need information on are the following: (We don't expect you to mail these, as that may be too much to expect. Pointers to ftp sites are quite acceptable. If you wish to use email, by all means do so.)

1. Legal format for presenting our ideas. Neither of us has any legal experience and we want to make this as official as possible.

2. Precedents and Laws relating to Computer Privacy.

3. Exceptional Policies from other academic institutions. If your school deals with these issues in unique ways, please send us yours!

4. Situations where Federal or State Law does _not_ apply to a private institution.

5. Anything else we might have missed which is relevant.

CONCLUSION:

To any and all, who offer help. Thank you! Our goal is to preserve the rights of computer users where we are and we applaud anyone else who has been able to effect a similar change at their schools.

[Respond via email or followup post.
I'm not picky and I started following these newsgroups every day as well.]

Note: Denver University is NOT my home site and is NOT the school referred to in this post. I use NYX for my news activities. Mail sent to NYX is forwarded to me so email responses will reach me.

Best wishes and a hearty Thank You to anyone who offers help. I am excited about this.

Regards to all.

Peter L. Buschman
plbuschm@nyx.cs.du.edu
Say NO to the Clipper Initiative!

------------------------------

From: "Prof. L. P. Levine"
Date: Fri, 11 Feb 1994 12:01:48 -0600 (CST)
Subject: Privacy in Mailing Lists
Organization: University of Wisconsin-Milwaukee

Earlier this month I received the following request in the Computer Privacy Digest input box: (The userid is deleted.)

    Date: Fri, 4 Feb 1994 15:59:06
    From:
    To: comp-privacy-request@uwm.edu

    I would like to request a mailing list of subscribers who participate in your bulletin board system. Please send info to: xxxx@xxx.xxx.edu

    Thank you.

I sent the author a response indicating that if it was submitted as a request for posting, I would be glad to ask each of you if you wanted to send the author a mailing permitting the author to set up a separate list. I indicated that such a global request of a Privacy list was especially insensitive.

Some of you might be aware that there is a group for the moderators of digests. I sent that group a report on this request, and found out some interesting things.

    From: "Vision List Digest moderator (Philip Kahn)"
    Date: Mon, 7 Feb 1994 10:06:46 -0800

    I get those requests about 2-3 times/year. Why do you think she was asking? I have never gotten a response to that question.

    From: rrb@deja-vu.aiss.uiuc.edu (Bill Pfeiffer)
    Date: Tue, 8 Feb 1994 16:55:09 -0600 (CST)

    I get these requests all the time. Seems that bitnet listservers have that command built in to them and some find it to be commonplace. I never give them out either.
A check with postmaster@xxx.xxx.edu gave me the response that the account holder did this all the time, was probably naive, and that the work might well not have been that of the legal account holder anyhow, as University security was not perfect.

Several of the other moderators discussed with me just how insecure our mailing lists were. It seems that the pseudo-user-name for the mailing must be a publicly readable word, and is, in fact printed in the document that the readers get. Although a person could not read the list itself, he or she could use this name and mail information to whoever was in the file attached to the name.

I had been aware of this for some time and, like other moderators, have taken care to see to it that the name does not point to any real list except when I am actively posting to the Digest. During those short intervals, others may post also. The system will make me aware of it if/when someone tries.

Other intrusions into your privacy also may exist. For example, there is a headerline that forces a return message to the originator. It looks like "Return-Receipt-To: xxx@xxx.xxx.edu" and must be included in the header group without an intervening white space. This message, were it sent to a list, would return a set of replies to the poster indicating a great deal about who had received the mailing. Careful examination of your incoming mail would reveal the presence of such a header line.

I use such a line in my individual correspondence. It is a quick check to see that the mail got through to the user's mailbox and it usually arrives seconds after I send the mail. It nearly doubles network traffic, however, and administrators frown. I never deliberately include it when mailing to a group. The last time I did (I thought the name I was mailing to was an individual) the 450 "return receipt" messages reminded me to be more careful.

Mailing lists may not be secure.
Even allowing someone to use one, without allowing him or her to read it, can reveal some of the names of those in it. If you do not trust your moderator to keep the data secure and you are concerned, you can not stay on a list. There is no security to an unmoderated list.

I am interested in the judgements of this group.

---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of Computer Privacy Digest and
Professor of Computer Science     | comp.society.privacy.
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
---------------------------------+-----------------------------------------

------------------------------

From: Paul Robinson
Date: Fri, 11 Feb 1994 13:38:11 -0500 (EST)
Subject: New Mailing List on Information Problems

This is to announce the creation of a list for the public disclosure of bugs, system problems, viruses, and any other conditions in a computer system that people should be aware of so they can fix the problem. It is also appropriate to report security holes, dangerous conditions in PBXs, cellular and wire telephone systems, and other computer-controlled devices. Also reports of things such as default accounts and passwords on systems that should be changed, etc.

The focus will be on reporting clear descriptions of problems including how to generate them. The idea being that this will alert people to the nature of certain problems that they might be unaware of. Reproducing these conditions lets others know what is being done, and can allow people to post solutions on how to block them.

The purpose in creating this list is that currently, the only means currently available for reporting discovered security holes in computer systems and possibly other areas is via the Computer Emergency Research Team (CERT) out of Carnegie Mellon University.
The problem with CERT reporting is that the reports generally tend to be done in secrecy, and it fails to let system administrators and others know about what is happening so that these things can be fixed. In short, CERT acts like a black hole and takes too long to publicize problems until lots of places get hit because they didn't know about it.

Some people feel that reports should not be publicized because potential reports might become available to "the bad guys." Well, the truth of the matter is that "the bad guys" trade their discoveries around all the time; the current use of secrecy is only hurting "the good guys" who want to protect their systems.

This list has just been created, and pending creation of an automated processor will be temporarily moderated since my current equipment does not yet tell me what address the message is sent to. This will be changed in the next two weeks.

There will, however, be two addresses. The general list will be PROBLEMS@TDR.COM which is used to post a report to the list. To subscribe to the list, use PROBLEMS-REQUEST@TDR.COM

Currently, both addresses are moderated. This will change shortly as I upgrade the software on my system.

Persons wishing to make a report but not be identified should state so in the text of their message. In the future, they will do so by using the -request address which will come to me directly.

Persons wanting to receive this service by facsimile should contact me for details.

All messages requesting subscriptions or posting information will be acknowledged.

Please pass this announcement around. It is my intent to set this up such that people can publicly report known bugs, viruses and problems in clear detail so everyone knows about them and can encourage much faster response to these problems than is currently available. It may even embarrass some manufacturers into making fixes sooner when their errors are glaringly exposed in public.
---
Paul Robinson - Paul@TDR.COM

------------------------------

From: jeg@aurora.jhuapl.edu (John Grimes)
Date: Sat, 12 Feb 1994 01:47:49 GMT
Subject: Re: Data Encryption and Privacy -- PGP Issues
Organization: Johns Hopkins Continuing Professional Programs

>close@lunch.asd.sgi.com (Diane Barlow Close) writes:
>Earlier I asked some questions about PGP (and other stuff) and found out that PGP stood for a really good encryption system. Then someone pointed out to me that PGP implements the RSA public-key encryption algorithm, and there is a patent on the use of RSA for digital communication, and that includes email. I also said if you use PGP to encrypt or sign email which you then send to someone else, and you have not obtained a license for use of the patent from the patent holders, you are "infringing" the patent.

>>"Tansin A. Darcos & Company" <0005066432@mcimail.com> wrote:
>>PGP IS freely available and free to use and its use infringes on nothing: Late last year, the owners of the 5 patents dealing with RSA encryption (PKP Partners, Inc.) made a special arrangement with the National Institutes of Science and Technology that in exchange for a trade of certain encryption inventions developed by NIST to them, they would make the following provisions:
>>
>>- Individuals using RSA encryption (which would include the methods used in PGP) may do so *royalty free* and *without having to obtain a license*;

>Rest deleted. That left me totally confused. Does PGP infringe or doesn't it? Are there exceptions or aren't there? I wrote to Jim Bidzos asking for clarification and he basically said that the stuff about PGP being free and legal was pure fiction. Jim said that PGP is definitely unlicensed and is considered infringing by the patent holders.

>>jim@RSA.COM (Jim Bidzos) wrote:
>>I was sent a copy of statements you made that RSA had made some licensing deal with the government, and that somehow this legitimized the use of pgp. This is not correct.
>>You are probably referring to a Federal Register announcement last year in which it was proposed that the govt would get a license to use several PKP patents and PKP would license those patents uniformly to the private sector. This proposal was for a proposed Digital Signature Standard, never mentioned the RSA algorithm, never included the RSA patent, never had anything to do with pgp, and was never executed anyway.

>>Making, using, or selling or distributing pgp, which is unlicensed, is considered infringement by the patent holders, who reserve all rights and remedies at law. This has been made clear on many occasions and in many places, including letters written to CompuServe, AOL, and to a large number of universities, all of whom now prohibit its use or distribution, as stated in responses to us from their counsel.

>>There is, however, free and properly licensed source code for encryption and authentication using the RSA cryptosystem for non-commercial purposes. This software is called RIPEM (for a copy, email the author, Mark Riordan at mrr@scss3.cl.msu.edu), and is based on free crypto source code called RSAREF (send any message to RSAREF@RSA.COM). Further, commercial licenses are available at low cost for RIPEM; however, in cases where consumer privacy is the application, no-cost commercial licenses have been and are routinely granted.

Just because Jim Bidzos, PKP Partners, Inc., et al say that PGP is an infringement of the RSA patent does not make it so. To the best of my knowledge this issue has not seen a court room and until it does any rights claimed by the patent holders are just claims without teeth.

This legal fearmongering bugs me to no end, I would like to see PKP Partners Inc. take their claims to court and get a definitive establishment of their "rights" before firing off responses like this.
I am no legal expert, but a patent only gives the right to sue, it does not give the patent holder the final ruling on the extent of their rights granted under the patent or what the patent covers.

John
jeg@aardvark.jhuapl.edu

------------------------------

End of Computer Privacy Digest V4 #029
******************************
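
Added example, not part of the digest or of any contributor's message: a check for the "Return-Receipt-To" header line described in "Privacy in Mailing Lists" above, plus a filter a list operator could run before redistributing a post so that receipts from subscribers are not triggered. The sample messages and addresses are constructed; "Disposition-Notification-To" does not appear in the digest and is included as the later standardised receipt request (RFC 8098).

```python
from email import message_from_string

# Header fields that ask the receiving mail system to send a receipt back.
# Return-Receipt-To is the one named in the digest; Disposition-Notification-To
# is an addition (RFC 8098), not mentioned on the page.
RECEIPT_HEADERS = ("Return-Receipt-To", "Disposition-Notification-To")


def receipt_requests(raw_message):
    """Return (header, value) pairs for every receipt request in the header block.

    Only the header block counts: a line that merely looks like a header but
    comes after the blank line that ends the headers is body text.
    """
    msg = message_from_string(raw_message)
    found = []
    for name in RECEIPT_HEADERS:          # lookup is case-insensitive
        for value in msg.get_all(name, []):
            # Collapse folded (continued) header lines into one line.
            found.append((name, " ".join(str(value).split())))
    return found


def strip_receipt_requests(raw_message):
    """Return the message with receipt-request headers removed.

    Applied by a list before redistribution, this keeps one poster from
    collecting a receipt from every subscriber's mailbox.
    """
    msg = message_from_string(raw_message)
    for name in RECEIPT_HEADERS:
        del msg[name]                     # removes all occurrences, no error if absent
    return msg.as_string()


# Constructed sample: a post to a list that requests receipts, one of them folded.
LIST_POST = (
    "From: poster@example.edu\n"
    "To: some-list@example.edu\n"
    "Return-Receipt-To: poster@example.edu\n"
    "Disposition-Notification-To: Poster\n"
    " <poster@example.edu>\n"
    "Subject: hello\n"
    "\n"
    "Body text.\n"
)

# Constructed sample: the same text placed after the blank line is body, not header.
BODY_ONLY = (
    "From: poster@example.edu\n"
    "Subject: hello\n"
    "\n"
    "Return-Receipt-To: poster@example.edu\n"
    "Body text.\n"
)

if __name__ == "__main__":
    for label, raw in (("LIST_POST", LIST_POST), ("BODY_ONLY", BODY_ONLY)):
        print(label, receipt_requests(raw))
    print(strip_receipt_requests(LIST_POST))
```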