Date: Thu, 17 Feb 94 12:53:58 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V4#032

Computer Privacy Digest Thu, 17 Feb 94 Volume 4 : Issue: 032

Moderator: Leonard P. Levine

Today's Topics:

    Re: WA state bill could censor VR and multimedia
    Re: WA state bill could censor VR and multimedia
    Free Encryptor. Come n' get it.
    Electronic Food Stamps
    Re: Clipper Overseas
    "Big Brother Inside" Logo
    Government Encryption Policies and Internet Break-ins
    Re: Clipper Overseas
    Re: Privacy in Mailing Lists
    Cellular phones
    National Information Infrastructure Testimony

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. Back issues are available via anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The archives are in the directory "pub/comp-privacy". Archives are also held at ftp.pica.army.mil [129.139.160.133].

----------------------------------------------------------------------

From: finagler@leland.Stanford.EDU (Bradley James Rhodes)
Date: 16 Feb 1994 04:23:02 GMT
Subject: Re: WA state bill could censor VR and multimedia
Organization: Stanford University, CA 94305, USA

Robert Jacobson writes:

The bill was amended to remove this clause and to simply state that virtual reality, like other media (including videogames), should have an age-group rating concocted by the local software association. It's fairly sure that the bill may go through other changes in a conference with a House bill not containing these clauses.

I called today (2/15) and it appears the clause was indeed taken out by the Ways and Means committee.
------------------------------

From: Chuck Weckesser <71233.677@CompuServe.COM>
Date: 16 Feb 94 11:12:35 EST
Subject: Re: WA state bill could censor VR and multimedia

The Washington State Bill does not have a prayer of passing muster with the Supreme Court. This is settled law. Their bill will fail. I bet my next paycheck on it. One cannot interfere with any aspect of the First Amendment except so called "fighting words" (e.g. yelling "fire" in a crowded theater).

------------------------------

From: qwerty@netcom.com (Xenon)
Date: Wed, 16 Feb 1994 07:48:01 GMT
Subject: Free Encryptor. Come n' get it.
Organization: PGP Info Clearinghouse.

-----BEGIN PGP SIGNED MESSAGE-----

When in the Course of human events, it becomes necessary for one people to ensure their own right to privacy, they get PGP :-).

Tired of sending your e-mail on postcards? Send me mail with Subject "Bomb me!" to get Gary Edstrom's PGP FAQ and my "Heres' How to MacPGP!" guide. (They are also available by anonymous ftp to netcom.com in /pub/gbe and /pub/qwerty). PGP is the free encryption program designed by Phil Zimmerman, and is available for most any computer.

-=Xenon=-

-----BEGIN PGP SIGNATURE-----
Version: 2.3

iQCVAgUBLWGI2ASzG6zrQn1RAQHcbAP/eXmlL1cCWW0WuRIk51LW+76BAbc+Oh33
YjJHXpZJqT+oDAilG/mZTulS+E2Ea0U1TnAQ5oaph+4kDV9vaa9T1Xr9gqxAIceJ
qojhnB56iHyQ1P5zorhB3slOFzLp7SMcyiLNTHKbld+kAWHJimD08FkQkLphLk/N
r0ARUwIYStM=
=+A4f
-----END PGP SIGNATURE-----

------------------------------

From: "Mich Kabay / JINBU Corp." <75300.3232@CompuServe.COM>
Date: Wed, 16 Feb 1994 08:28:46 -0600 (CST)
Subject: Electronic Food Stamps

Posted in Risks by: "Eric Burch" >INTERNET:burch@vnet.IBM.COM 15-Feb-94 08:54 EST

Re: Lone Star cards

In RISKS 15.54 you wrote (actually, quoting a newspaper reporter) about Texas starting to distribute "Lone Star" cards in lieu of paper food stamps.
In the state of Maryland, we've had the "Independence" card, which does the same thing for about a year (the advantages of a smaller state, I guess). From what I've heard, it has cut down on food stamp fraud, and since it's tied into the supermarket scanner, only the correct foods are covered by the card. (On the shelves, where the price is displayed, the supermarket will display a "WIC Approved" sticker next to the items that are covered by the card). The device that accepts the card is a small keyboard/mag card reader next to the small shelf mounted above the scanner proper (used to, say, write checks).

From what I've seen, the 'Independence' card works well (although the keyboard used to enter the PIN is a bit too exposed).

The big Risk is that the same device is used to pay for groceries on your credit or ATM card. In the case of the ATM card, you have to enter your PIN (big-time Risk there; I never pay this way)--but if you use your Visa or MasterCard YOU NEED NOT ENTER ANY IDENTIFYING INFORMATION!

If you want to pay by credit card, you take the card out of your wallet, put it through the mag card reader, return it to your wallet (the cashier never looks at the card since they are busy scanning products). When it's time to pay, you tell the cashier that you're using a card, they press a key, a confirmation message comes up on the device (you then press the "yes" key), you wait a few seconds for a bank approval, sign a slip that printed up (since the cashier never saw your card, who's to say if the signature is forged?) and walk out with your purchase.

I'd guess that the procedure is that the cashier has to examine the card, but rarely happens in practice. It's an exercise of the reader to identify the risk here. The slip that is signed is just a printout on the same stock as the receipt--not anything that is forwarded to the credit card company (so it seems).
I guess this way even small-time hoodlums can feed their families easily :-)

(Feel free to pass this to Risks digest--I'd guess you're getting mail from all over and you can edit the followup contribution with the juiciest tidbits.)

<>

Michel E. Kabay, Ph.D.
Director of Education
National Computer Security Association

------------------------------

From: howland@walrus.mvhs.edu (Curt Howland)
Date: Wed, 16 Feb 1994 15:20:13 GMT
Subject: Re: Clipper Overseas
Organization: Worlds Welfare Work Association

Christopher Zguris <0004854540@mcimail.com> writes:

I haven't seen this discussed so I'm going to ask.

You haven't been over in comp.org.eff.david-sternlight recently...

What are the implications for Clipper's use on communications between US and foreign countries and companies?

Everything your post alludes to, in my opinion. Clipper is a secret system, where the keys are burned in during manufacture. Therefore, ALL clipper chips will have their keys held by the US government. It's part of the spec.

It's a given that the NSA monitors a lot of data communications,

That's what they exist for.

and I remember reading about the monitoring of US communications using NSA equipment in foreign countries thereby avoiding the issue of monitoring on US soil,

When anyone cares to ask, that's their reasoning.

so couldn't the same trick be used to monitor communications in foreign countries that would also include US links?

This is the simplicity of abuse that Clipper lends itself to. It's not a matter of the NSA/spooks WANTING to be able to listen at will, but of them designing a system themselves for the "good of all" that hands them this capability. They designed the entire system, and we can only wonder what it really does, since it's illegal to know. Having an 80 bit key and the NSA is like leaving a kid in a candy store and expecting that he won't know how to open the jars. They will find a way.
As far as privacy goes, the desire is there for just the niche that Clipper fills for the individual/corp. Clipper's noise is making a lot of people take notice of just how open things are to listening most of the time, I only hope other options get created while Clipper is still "voluntary".

---
Curt Howland "Ace" DoD#0663 EGFC#011 EFF#569
howland@walrus.mvhs.edu '82 V45 Sabre
"Laws do not persuade just because they threaten."
-Seneca, 65 AD

------------------------------

From: Dave Banisar
Date: Wed, 16 Feb 1994 10:24:49 EST
Subject: "Big Brother Inside" Logo
Organization: CPSR Washington Office

Big Brother Inside Logo

A parody of Intel's Logo modified for the Clipper Chip is now available for use for stickers, posters, brochures etc.

The Big Brother Inside graphic files are now available at the CPSR Internet Archive - ftp/gopher cpsr.org /cpsr/privacy/crypto/clipper

    big_brother_inside_sticker.ps (postscript-scale to fit your project)
    big_brother_inside_logo.gif (Color GIF - good startup/background screen)
    big_brother_inside_picts_info.txt (Info on the files)

The files have also been uploaded to America Online in the Mac Telecom and Graphic Arts folders.

big_brother_inside_sticker.ps is a generic postscript file, created in CorelDraw. The postscript image lies landscape on the page, and consists of the intel-logo's ``swoosh'' and crayon-like lettering on the inside.

This design was originally created for the sticker project: the image was screened onto transparent stickers 1" square for the purpose of applying them to future clipper-chip products. (cdodhner@indirect.com was in charge of that project; as far as I know he's still distributing them for a small donation to cover printing & mailing costs).

The design was created by Matt Thomlinson

------------------------------

From: Paul Robinson
Date: Wed, 16 Feb 1994 13:26:05 -0500 (EST)
Subject: Government Encryption Policies and Internet Break-ins
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA

Bill Stewart, writes in newsgroup alt.security, among others:

[Sure would be nice if the EFF or CPSR would put out a press release along these lines. Anybody?]

The news from the Information Superhighway hasn't been good this week. Major breakins have been occurring

If it's the "Information Superhighway", shouldn't that read "major Carjackings" rather than breakins? :)

from someone who's been stealing users' passwords as they log in across the net, using them to break into their machines, and using their machines to watch the net for more passwords. It's not really that hard to stop - encryption technology has been available for several years that sends passwords across the net in encrypted form the eavesdroppers can't use - but most people haven't deployed encryption. Why not?

P.I.T.A. (Pain in the 'somewhere') and costly. Security is a pain; as I write in my mailing list, backups, among other things, are like getting your teeth cleaned; something you put off because it's unpleasant.

Well, part of it's just laziness, but in large part the use of encryption has been restricted by the government's Cold War era policies against developing, using, or distributing encryption software.

If you want to take the laws on encryption on its face, there is no restriction on a private party creating an encryption program for use in the United States; that much isn't in question. The government may be pushing the trojan horse "Clipper" chip, but people can still use any encryption method they can buy or obtain. The real issue that seems to bother people is international transmissions. Also, the people that own the trademark "Clipper" for a type of microprocessor chip should sue the government for damages, since the various agencies have in effect used eminent domain to seize a private trademark for public purposes.

Encryption is the mathematical privacy coding that lets people send their passwords and conversations privately.
If you want to sell encryption software overseas, you have to get a munitions export license, just as you would for exporting assault rifles or nuclear weapon parts,

Whether this is correct or not is another issue. I believe there are exceptions for anything which is public domain, publicly available in a store over the counter, or otherwise has no special restrictions on purchase. I may be wrong on this point.

and they'll only give you a license for crippled software that the NSA can break easily, unless you're a bank or selling to a "friendly" government's military. If you want to sell encryption software in the US, you can't export it, which means you have to sell separate US and export versions.

People believe they cannot legally export this material, which serves the same purpose, whether or not it actually is illegal (a prohibition which imposes a penalty and can stand constitutional challenge) which is another question.

And if you want to give it away free, like lots of university and public domain software, you can't just post it to the net or make it available for ftp (the Internet version of the public library), without risking years in jail or at least having your computers confiscated while the government tries to decide whether to indict you - and you'd better be able to afford some *very* good lawyers. Can this sort of free speech really be illegal? Nobody's really sure, the government won't give you permission and few people want to risk the jail time to find out if they'll give you forgiveness.

It is my personal opinion that the ITAR rules declaring written computer programs to be in the same class as munitions or ordnance to be a "prior restraint" within the meaning of various court cases and that it is possible someone could frame a case for having the ITAR restrictions declared unconstitutional on those grounds. There are generally only two reasons the courts will tolerate prior restraint: obscenity and national security.
The first one isn't applicable (ever seen a porno version of PGP? I haven't, and I'm certain alt.sex would have postings about it) and the second is "national security". The second might be stronger, but in this case, the way the laws are written they are not written to that purpose, but explicitly as a licensing scheme which IMO is not permitted.

One need only ask one question: if a listing of a cryptographic program were printed in the {New York Times}, would the Times have to have a license in order to send copies of its papers outside of the U.S.? If not, then people doing the same thing on computer should not be required to obtain a license, and if so, the regulations requiring a license, in effect, represent a license on the content of material and thus represent an unconstitutional attempt to suppress content.

Now someone (as Vice President Al Gore did) might point out that cryptography can be used to fight wars. Well, there are two points: one, the particular law restricts even the export of untouched computer programs once imported into the U.S. This would be on the order of forbidding the {New York Times} from reprinting articles appearing in the {London Observer} when the Times is then reprinted in its sister paper, the International Herald Tribune. Also, generally "national security" has only been able to be argued for works that are secret. This material is published worldwide and thus is not secret; further, it is printed material and as such is subject to the full protection of the first amendment.

If the online community is really upset over this, the answer is to find some lawyers who either are willing to do this for free, or find someone willing to pay to fight the law in court. It is possible to file a lawsuit to have a law or regulation declared unconstitutional; it is for that very reason that people cannot in some cases afford to break a law that is untenable.
There is a very old history behind this in that the NRA was declared unconstitutional in the 1930's case of _Schecter v. NRA_. (No, this is the National Recovery Act/Administration, not the National Rifle Association.)

------------------------------

From: kec@stubbs.ucop.edu
Date: Wed, 16 Feb 94 17:10:11 PST
Subject: Re: Clipper Overseas
Organization: University of California, Berkeley

<0004854540@mcimail.com> writes:

I haven't seen this discussed so I'm going to ask. What are the implications for Clipper's use on communications between US and foreign countries and companies? If company A in the US is communicating with Company B in some other part of the world over a Clipper-encrypted data link couldn't the NSA legally monitor and decode the communication if they chose to do so?

This is a *very* interesting question. As you may recall, CPSR had some strong objections to NSA's involvement in the development of Clipper, which seemed especially inappropriate for encryption that would be used within the US (NSA isn't supposed to do its "spying" within our borders). But this question that Christopher brings up could very well explain their interest.

I can't imagine that foreign companies are going to be willing to purchase and use software that carries encryption that is escrowed by the US. And the market for software is decidedly international. Also, if the email system I'm using in the US uses Clipper, how am I going to send mail to overseas users? Will they have to accept the conditions of Clipper in order to communicate with me? It all seems awfully short-sighted to me.

------------------------------

From: root@cu48.crl.aecl.ca.sun (System Admin)
Date: Wed, 16 Feb 1994 19:35:31 GMT
Subject: Re: Privacy in Mailing Lists
Organization: AECL Research

Use an anonymous posting service like anon.penet.fi...

Martin A. Thompson
WORKSTATION/NETWORK ADMINISTRATOR FOR NUCLEAR PHYSICS BRANCH
(WITH MATHEMATICS AND COMPUTATION BRANCH)
STN. 49 CRL, CHALK RIVER ONTARIO, CANADA
(613) 584-3311 x 4087 (or x4157 to page me)
FAX: (613) 584-1800
root@cu48.crl.aecl.ca

------------------------------

From: jkayany@garnet.acns.fsu.edu (Joseph Kayany)
Date: 17 Feb 1994 01:16:15 GMT
Subject: Cellular phones
Organization: Florida State University

I am looking for a few cellular phone users who would spare me 5 minutes. I have three questions to ask in connection with a research we are conducting. If you are a cellular phone user and don't mind talking with me, please send me a note to:

jkayany@garnet.acns.fsu.edu

Thanks a million

------------------------------

From: Robert Ellis Smith <0005101719@mcimail.com>
Date: Thu, 17 Feb 94 09:28 EST
Subject: National Information Infrastructure Testimony

PRINCIPLES OF PRIVACY FOR THE NATIONAL INFORMATION INFRASTRUCTURE

Robert Ellis Smith
Publisher, PRIVACY JOURNAL, and Attorney at Law

Before the NII Task Force Working Group on Privacy
January 26, 1994

1. Any analysis of the National Information Infrastructure must recognize that privacy includes more than an expectation of confidentiality. The right to privacy also includes (1) freedom from manipulation by others and (2) the opportunity to find safe havens from the crassness and commercialism of daily life.

2. The infrastructure must be an INFORMATION-TRANSFER medium, not a SALES medium. It must be primarily an INFORMATION medium, and only secondarily an ENTERTAINMENT medium. (Will the information superhighway be only another way to exploit couch potatoes?)

3. It must have different levels of security and confidentiality so that some sector in it allows for confidential communications. These communications could be intercepted by law enforcement only under current Fourth Amendment guidelines. Aside from that, in the confidential portion of the infrastructure, there must be strict penalties for the interception of any PERSONAL data without the consent of BOTH the sending party and the person who is the subject of the data.
And for aggrieved individuals and organizations there should be a right to sue for breaches of confidentiality.

4. There must be some portion of the infrastructure free from commercial messages and free from the commercial uses of the names and electronic mail addresses of the users. Even though it is commercial-free, this sector need not necessarily be operated by the government or a non-profit entity.

5. In the sectors of the infrastructure available for use by individuals, there must remain opportunities for ACCESSING (non-personal) data anonymously (as exist in a library situation now). Whether to permit anonymous MESSAGE-SENDING in these sectors remains, for me, an open question. To deny this will deprive the network of much of its spontaneity, creativity, and usefulness; however, to permit anonymous message-sending runs the risk of having these sectors dominated by obscene, inaccurate, slanderous, racially and sexually-insulting chatter - and worse.

6. Privacy interests are less compelling, to me, in two other sectors of the proposed infrastructure. In those sectors transmitting proprietary business information and sensitive business dealings, the organizations using the network will see to it themselves that security meets their needs, and they will have the resources to pay for it. By the same token, in those sectors providing point-of-sale services (presumably from the home), companies offering these services will provide adequate security or risk losing customers.

7. The infrastructure ought not become a means for large conglomerates to transfer personal information between and among subsidiaries where the data-handling is regulated (credit bureaus, cable companies, medical providers) and entities where the data-handling is not regulated (telephone providers, brokerages, credit-card processors, telemarketing).
___________

Rather than proposing specific safeguards -- which can be drafted later -- the task force can be most effective in 1994 by establishing the DOMINANT THEMES of the infrastructure: information-transfer, not commercialism; democratic access not corporate dominance; diversity (in usage as well as in levels of security) not conformity.

------------------------------

End of Computer Privacy Digest V4 #032
******************************