Date: Wed, 02 Mar 94 13:00:58 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V4#037

Computer Privacy Digest Wed, 02 Mar 94          Volume 4 : Issue: 037

Today's Topics:                         Moderator: Leonard P. Levine

    Re: Privacy and Sexual Crimes
    Re: Electronic Banking - CheckFree
    Computer databases of information
    FBI Digital Telephony Proposal and PCS mobile phones
    Re: EFF on FBI Telephony Bill
    Re: EFF on FBI Telephony Bill
    Re: Van Eck Radiation Helps Catch Spies

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy. The digest is moderated and gatewayed into the
USENET newsgroup comp.society.privacy (Moderated). Submissions should
be sent to comp-privacy@uwm.edu and administrative requests to
comp-privacy-request@uwm.edu.

Back issues are available via anonymous ftp on ftp.cs.uwm.edu
[129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The
archives are in the directory "pub/comp-privacy". Archives are also
held at ftp.pica.army.mil [129.139.160.133].

----------------------------------------------------------------------

From: swayne@draper.com (A. Steven Wayne)
Date: Tue, 1 Mar 1994 17:49:31 GMT
Subject: Re: Privacy and Sexual Crimes
Organization: The Charles Stark Draper Laboratory, Inc.

Chuck Weckesser <71233.677@CompuServe.COM> wrote:

    Should Rapists And Pedophiles Be Forced To Register With The
    Authorities Every Time They Move Away?

There are two issues here: the rights of the individual (who I assume
to have been previously convicted) and the security of society. Since,
in many cases, these deviants suffer from an essentially incurable
mental illness and are likely to be a danger to society and neither
they nor society will gain anything by further incarceration; society
might reasonably look to protect itself by keeping tabs on these
individuals.

------------------------------

From: matt@ra.oc.com (Matthew Lyle)
Date: Tue, 1 Mar 1994 18:24:30 GMT
Subject: Re: Electronic Banking - CheckFree
Organization: OpenConnect Systems, Dallas, TX

Hyatt_Edward_R@byu.edu writes:

    I have thought about using the CheckFree service, but I am worried
    about the prospect of giving them my SS#, bank account #, etc. Can
    I trust their claim of confidentiality; and what would protect my
    information from being disclosed to other organizations? I would
    like to hear what others think.

They will set up the account without having your SS#. Mine is set up
with CheckFree that way.

--
Matthew Lyle    matt@oc.com    matt@utdallas.bitnet
(NeXTMail) matt@cubist.intosh.com
OpenConnect System, Dallas, Texas    (214) 888-0474

------------------------------

From: chiang@berdis.ecn.purdue.edu (Ray Lon Chiang)
Date: Tue, 1 Mar 1994 19:01:33 GMT
Subject: Computer databases of information
Organization: Purdue University Engineering Computer Network

I am currently taking a class on Cryptography and Privacy. One of the
class' "assignments" (not graded, just for "fun") is to look up various
computer information databases which exist, and mention any privacy
issues for each of these databases.

I've found a great deal of information online (cpsr.org,
ftp.convex.com, various FAQs), but I still have a few questions. I'd
appreciate replies by email. I will post a summary if people want it.

In any case, if I've glossed over anything, I'd appreciate any pointers
to information or direct information. Also, if you provide direct
information and want anonymity, please say so in your email.

-Ray

PS: Is there any research going on regarding ensuring accuracy of
databases? After reading most of the privacy-related newsgroups for
several years, I've never really seen any such information. I'm just
making mention of it because of all of the comments like "30% of all
entries in such-and-such database has errors or is ambiguous."

-------------------------------------------------------------------------------

1) Compuserve's Phonefile

I remember reading something about the Phonefile system on Compuserve.
However, since I don't have a Compu$erve account (nor do I want one for
the obviou$ reason$), I don't have any details about how this system
works.

- What kind of searches are possible with this database? (e.g. Is it
  possible to do multiple field searches with boolean expressions? Is
  it possible to use some sort of wildcard search?)
- How much information is on this database? Is a given user's address,
  phone number, etc. in there? How many users are there?

I'd appreciate it very much if anyone could give me some pertinent
details.

2) Reverse-Tracing Phone Numbers

Obviously, the phone companies can (and usually) will do this. I'm
wondering if some of the other 1-900 numbers which allow you to do this
maintain their own database (as opposed to having some sort of
connection to various phone companies).

3) Company Employee Records

Any company keeps records of its employees, both past and present. I
suppose the main issue here concerns the availability of such
information and the duration for which certain bits of information
(e.g. drug tests, tax records, health insurance, etc.) are kept. Exact
policies might be nice to see, but I'd like to get a general idea of
the ranges. I know that at least some sort of record is kept since I
was required to use the same employee number from one summer job and
another summer job at the same company several years later.

4) Federal Records

The government probably has the single largest combined database of
information on most individuals, law-abiding or otherwise. :) I would
expect that most of this information is distributed across many
departments. I suppose some of the more obvious would be:

- Criminal records with the FBI (in the NCIC).
- Tax records in the IRS.
- Medical information in the MIB.

I would appreciate it if anyone would point out the many (i.e. notable
bureaus under each of the government departments) combinations of (type
of record)/(government bureau) that exist.

Note: I've taken a look at the Federal Register at gopher.internet.com,
but it's rather obscure. I'll probably take a look at the paper version
if it's available here...

5) Mailing List Companies/Credit Bureaus

I've called a few places for information, but some of these people were
relatively unhelpful (or unfriendly). I suppose I'm just looking for
more specific information about who these types of companies generally
deal with.

Just as an afterthought, I noticed that a lot of the people I talked to
at specific companies weren't particularly helpful. For the most part,
I guess they were confused by various requests. I'm not too sure if
this is an effect of customer service-type people, since this is the
first time I've dealt with customer service people I couldn't
communicate with effectively.

------------------------------

From: "M. Hedlund"
Date: Tue, 1 Mar 1994 12:05:01 -0800 (PST)
Subject: FBI Digital Telephony Proposal and PCS mobile phones

[N. B. -- this article has also been posted to comp.risks and sent to
the EFF and Wired.]

This article elaborates on part of the EFF statement issued last week
concerning the FBI's proposed Digital Telephony wiretap bill. The EFF
condemned the bill, which enlarges law enforcement powers of
surveillance, granted by wiretap laws, by adding tracking ability.
Addressed herein is point two of the EFF statement, concerning the
surveillance of mobile communicators, such as cellular phones, Personal
Communications Services (PCS) and laptop computers. PCS mobile phones
create severe privacy risks for future phone users, especially under
the FBI's proposal; and these risks strongly support the EFF's
position.

The FBI asserts that their proposal adapts existing wiretap laws to
account for emerging communications technologies.
Wiretap laws have not adequately covered mobile communications, and the
FBI is correct to assume that some revisions will be necessary to
adequately balance law enforcement needs with the privacy rights of
mobile phone users. Their proposed revisions, however, do not simply
provide for wiretap; instead, the FBI seeks to expand wiretap laws,
allowing law enforcement officers to track the signalling information
of mobile communications users.

The EFF believes that the FBI proposal would create an enormous hole in
the privacy rights of individuals suspected of crimes. Their statement
notes:

    It is conceivable that law enforcement could use the signalling
    information to identify the location of a target.....This provision
    takes a major step beyond current law in that it allows for a tap
    and/or trace on a *person*, as opposed to mere surveillance of a
    phone line.

This fear is completely realistic. It is not simply "conceivable" that
the FBI's proposal would allow law enforcement to surveil the location
of a target -- positioning technology is a planned part of PCS
networks, one of the technological advances anticipated by the
proposal. Similar positioning technology is planned for cellular
phones, as well.

PCS advances cellular phone technology by integrating mobile
communications with other phone networks, and by expanding the services
and quality mobile phones can offer. Most PCS proposals involve three
forms of mobility: terminal mobility, the ability to make and receive
calls at any location, and the ability of the phone network to track
the location of the mobile phone; personal mobility, the ability of the
user to be reachable by a single phone number at all times; and service
mobility, the ability of the user to access CLASS(sm)-like features,
such as Call Waiting and Caller ID, from any phone they use.

The FBI proposal requires phone companies, when presented with a
wiretap order, to transmit the content and the signalling, or "call
setup information," from the tapped phone to law enforcement officers.
With a wireline phone, such as a residence phone line, call setup
information would comprise only the originating and dialled phone
numbers, as well as billing information (such as the residence address)
for the call. Because of the wireless aspect of PCS, however, call
setup information for a PCS phone includes very detailed information on
the location and movement of the caller.

PCS mobile phones will connect with the phone network via "microcells,"
or very small receivers similar to those used for cellular phones.
While a cellular network uses cells with up to an 8 to 10 mile radius,
PCS networks will use microcells located on every street corner and in
every building. The call setup information for a PCS call would include
the microcell identifier -- a very specific means of locating the user.
An order for a PCS wiretap would allow law enforcement officers to
receive a detailed, verifiable, continuous record of the location and
movement of a mobile phone user.

These phones are also likely to "feature" automatic registration:
whenever the PCS mobile phone is on (in use or able to receive calls),
it will automatically register itself with the nearest microcell. Law
enforcement agencies, able to track this registration, would have the
equivalent of an automatic, free, instantaneous, and undetectable
global positioning locator for anyone suspected of a crime.

PCS tries to improve on cellular phone privacy and security by
incorporating cryptographic techniques. Encryption could not only
create a secure phone conversation, but could also (coupled with use of
a PIN number) insure that only a valid subscriber could make calls on a
particular phone, preventing fraudulent calls on stolen phones.
An additional phone-to-network authentication could prevent fraudulent
calling through a "masquerade" phone designed to simulate a user's
registration.

But the FBI proposal would require that such encryption be defeatable
in wiretap circumstances. As the proposal stands, this form of weak
encryption is distinguishable from the Clipper Chip because the phone
companies, not a key escrow arrangement, enable law enforcement access;
but it is entirely possible that the Clipper Chip could be used as the
encrypting device. In either circumstance, PCS encryption could be
compromised by careless or malicious law enforcement officials. Perhaps
it is time for Phil Zimmermann and ViaCrypt to begin work on PGPCS --
and let us all hope we are so lucky.

The cellular phone market is tremendous, and analysts believe that the
PCS market, incorporating both voice and data communications, will be
even larger. Coupled with the FBI's Digital Telephony proposal, PCS
raises many privacy and security risks, making the EFF's condemnation
of the FBI proposal all the more appropriate.

CLASS is a service mark of Bell Communications Research (Bellcore).

For more information:

* Bellcore Special Report SR-INS-002301, "Feature Description and
  Functional Analysis of Personal Communications Services (PCS)
  Capabilities," Issue 1, April 1992. Order from Bellcore,
  (800) 521-CORE (2673), $55.00.
* GAO report GAO/OSI-94-2, "Communications Privacy: Federal Policy and
  Actions," November 1993. Anonymous FTP to cu.nih.gov, in the
  directory "gao-reports".
* EFF documents, available via anonymous FTP or gopher:
  ftp://ftp.eff.org/pub/EFF/Policy/Digital_Telephony

------------------------------

From: bernie@fantasyfarm.com (Bernie Cosell)
Date: Wed, 2 Mar 1994 00:51:51 GMT
Subject: Re: EFF on FBI Telephony Bill
Organization: Fantasy Farm, Pearisburg, VA

David M. Berman writes:

    If laws such as the FBI Telephony Bill and the legislation
    surrounding the clipper chip, skipjack, etc.
    come to pass, I'm going to have to ignore my excitement about all
    of these new technologies and retreat into the safety of paper for
    all of my information, communication, and financial needs.

You might temper your rather abrupt conclusion by pondering how your
paper provides any safety those other media will not.

    What can we do? How do we get Geraldo, Dan Rather, Pat Robertson,
    or whichever idiot to whom Americans like to attend, to come out in
    the press against these nightmares? Haven't we learned any lessons
    from McCarthy, Orwell, or the East Germans? I've signed the clipper
    petition, I've e-mailed Patrick Leahy, but I still don't see any
    POPULAR debate over these attempts to overrun the Constitution.

The reason for that is that there is no such "attempt". I haven't heard
_anyone_ raise an even *remotely* Constitutional issue with regard to
either Clipper or the Digital Telephony bill. There is a HUGE amount of
misinformation, intentional exaggeration, and unfounded paranoia being
spread by the anti-clipper, anti-telephony folk, resulting in a large
number of people [perhaps including you, considering your remarks]
getting an incredibly distorted and muddled picture of the situation.

------------------------------

From: DAZEDTOO
Date: Tue, 1 Mar 94 20:50:42 -0500
Subject: Re: EFF on FBI Telephony Bill
Organization: Delphi (info@delphi.com email, 800-695-4005 voice)

David M. Berman writes:

    What can we do? How do we get Geraldo, Dan Rather, Pat Robertson,
    or whichever idiot to whom Americans like to attend, to come out in
    the press against these nightmares? Haven't we learned any lessons
    from McCarthy, Orwell, or the East Germans? I've signed the clipper
    petition, I've e-mailed Patrick Leahy, but I still don't see any
    POPULAR debate over these attempts to overrun the Constitution.

We need to get creative and get busy. I know how you feel. I live in
Tucson and nobody has been talking about Clipper and the FBI Digital
Telephony Bill at all. Not even the newspapers.
So I got my ass in gear and sent off a couple of letters to the editors
of the newspapers here. I sent mail to nightly@nbc.com asking them to
start reporting on all this stuff on NBC. And just like other people
have done sent off mail to a couple of congress people.

------------------------------

From: herronj@MAIL.FWS.GOV
Date: Tue, 01 Mar 94 17:28:56 MST
Subject: Re: Van Eck Radiation Helps Catch Spies

BTW, did you know that Zenith sells a non-Van Eck-able PC, or did at
one time. GSA Schedule, no doubt. These are called Tempest computers.
My previous employment was as a DOD contractor working on this type
computer as well as more secure communications systems. Let there be NO
DOUBT that with proper equipment you can be a mile away and pick up
everything going on at a PC or peripheral.

Even with Tempest equipment, where the case alone can add $20,000 or
more to the price tag, a couple of loose screws (and the case on a
tempest pc usually has around 25 compared to 5 on a normal pc) can
defeat all of the EMF radiation protection. We had periodic checks from
NSA spooks that came in with their eavesdropping equipment to monitor
us for tempest leaks. They could always find something and usually
torqueing down a few screws would fix the problem.

Don't think that just because you have many computers that they
wouldn't be able to pick out one from the crowd and monitor it. Each
computer has a different electronic signature (much like a different
carrier frequency) that allows its signals to be separated and
deciphered. Normal keyboards, printers and monitors are the worst.
Imagine sitting a mile away and picking up every scan line that your
monitor generates and reconstructing it. (By the way our keyboards
operated by blocking light patterns in certain patterns and detecting
this with CCD's, no electro-mechanical noise).

------------------------------

End of Computer Privacy Digest V4 #037
******************************