Date: Tue, 22 Mar 94 13:08:27 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@uwm.edu Subject: Computer Privacy Digest V4#045 Computer Privacy Digest Tue, 22 Mar 94 Volume 4 : Issue: 045 Today's Topics: Moderator: Leonard P. Levine Deletion of Computer Privacy Addresses at pica.army.mil MCIMAIL Group Mailings Video Tape Rental Records FBI's Push for Digital Telephony FBI's Push for Digital Telephony Re: Network Security Re: Time Magazine on Clipper Re: Phone Book Pseudonyms Re: IRS Purchase Order Re: IRS Purchase Order New Book From IOM On Health Data Privacy The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. Back issues are available via anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The archives are in the directory "pub/comp-privacy". Archives are also held at ftp.pica.army.mil [129.139.160.133]. ---------------------------------------------------------------------- From: "Dennis G. Rears" Date: 21 Mar 94 11:12:01 EST Subject: Deletion of Computer Privacy Addresses at pica.army.mil The following email address will disappear at the end of the month: comp-privacy@pica.army.mil comp-privacy-request@pica.army.mil I see that some people are still using these addresses. As of 31 March, pica.army.mil will be providing the following services for the Computer Privacy Digest o ftp site for o telecom privacy o misc privacy files o computer privacy digest. o will run the subscriber list for readers who get the CPD as individual news articles via email (This is the last remaining function I need to transition with Professor Levine). I hope to add the CPD archives to my www server by May. dennis P.S. I think Len has done a marvelous job as Moderator since I left. [Moderator: (modestly blushing) Awe Shucks] ------------------------------ From: "Prof. L. P. Levine" Date: 21 Mar 1994 15:04:18 -0600 (CST) Subject: MCIMAIL Group Mailings Organization: University of Wisconsin-Milwaukee The MCIMAIL system, probably to comfortably handle reading groups, regularly posts the names of all members of a reading group to each member of that group. I am sure that this was designed into the system as a deliberate feature and I believe it is generally a good idea. (I must stress that this applies only to MCIMAIL. To my knowledge, in the greater Internet community such mailings display only your own name as addressee and not that of other readers.) I recently learned of this from others who deal with privacy who felt (as did I) that for a Privacy Digest this is not right; people who subscribe to such a list should not be forced to have their names made public to the other (MCIMAIL) readers. If they post, and if they do not ask me to make those postings anonymous, then they lose their "right to privacy" and become "public persons" to use the newspaper vernacular. One other digest group moderator felt so strongly about this that he decided to cut MCIMAIL users off from his mailings entirely. I believe his intention was to encourage MCIMAIL to change this policy by making them realize what is lost by it. I feel this is throwing out the baby with the bath water and have taken a different approach. I have modified the mailing procedure for Computer Privacy Digest to allow each MCIMAIL recipient to receive a separate mailing. This increases the burden on the Internet network, which normally mails to a group with a single posting coupled with a command to "explode" that posting into separate mailings. In doing this I effectively take the stance that for a Privacy group efficiency must give way to privacy. I am sure that for a different sort of mailing this is less of a problem. Thus, MCIMAIL readers of this digest will receive two copies of this mailing, one using the group mail procedure and the other displaying only their own names. Later mailings will be in the private form only. ---------------------------------+----------------------------------------- Leonard P. Levine | Moderator of Computer Privacy Digest and Professor of Computer Science | comp.society.privacy. University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu ---------------------------------+----------------------------------------- ------------------------------ From: sutter@verisoft.com (Paul Sutter) Date: 21 Mar 1994 15:52:12 +1700 Subject: Video Tape Rental Records Beth Givens writes: Regarding the video rental privacy law: The law protects you from having the *titles* of videos that you rent released to others, but not Let's not get confused here. The law does *NOT* protect you from the release of the titles that you rent to others. The law simply makes it illegal to disclose the information; it does not prevent the disclosure of this information any more than the 55 speed limit prevents me from setting my cruise control at 68. The next time you are renting a video, take a look at any clerk in the store and ask yourself what that person would do for $100. And if not him, then the next guy. Lawmakers are not guarding your privacy; it's the kid behind the counter. ------------------------------ From: ks@netcom.com (Kurt F. Sauer) Date: 22 Mar 1994 03:43:43 GMT Subject: FBI's Push for Digital Telephony The New York Times, Sunday, March 20, 1994, buried in the lower right- hand corner of page 14: F.B.I. Director Extols New Wiretap Software WASHINGTON, March 19 (AP)--Louis J. Freeh, Director of the F.B.I., told Congress on Friday that law enforcement would be crippled in monitoring criminals through wiretaps if a proposed telecommunications bill was not passed. The bill would require telephone companies to install software in their new digital switching systems that would allow the F.B.I. and other law enforcement agencies to do court-authorized wiretaps. Mr. Freeh said traditional wiretaps were not sophisticated enough to sort out calls on digital networks, which can carry thousands of calls at once. Mr. Freeh, who has intensely lobbied for the bill, said the phone com- panies would not put in the new software voluntarily. The bill is opposed by the telephone industry for the fines it imposes and by some civil liberties groups as intrusive. "Unless Congress creates a new law, law enforcement's ability to protect the public against crime will be gravely eroded and the national security will be placed at risk," Mr. Freeh testified at a joint hearing of House and Senate Judiciary subcommittees. Mr. Freeh said the bill would not expand any of the legal standards for wiretaps. He said evidence from electronic surveillance had secured the convictions of more than 22,000 dangerous felons over the past decade. Senator Patrick Leahy, a Vermont Democrat who heads the Senate Judiciary subcommittee on technology and the law, said, "None of us wants to impede the ability to go after kidnappers, but we do have some very serious privacy concerns." -- Kurt F. Sauer Richardson, Texas ------------------------------ From: Dean Ridgway Date: 18 Mar 1994 12:55:26 -0800 Subject: FBI's Push for Digital Telephony Well you-know-who is at it again. According to _Business_Week_ 03/14/94 pg. 55, "Big Brother turns Big Ears on Electronic Networks". A measure soon to be introduced on Capitol Hill would require that all network providers, including the Internet and commercial on-line services, build in the capability to record any person's e-mail and deliver it to federal law-enforcement authorities. Government agents will need only to show a person merits investigation, rather than obtain a court order as is the case for telephone eavesdropping. The reasons given are the same old stories, drug dealers and criminals might be using computer networks and getting court orders are just too "inconvenient". I might just be paranoid but "merits investigation" sounds alot like just asking for. The next logical step will be to outlaw non-clipper encryption. Dean Ridgway | FidoNet 1:357/1.103 | InterNet ridgwad@csos.orst.edu | CIS 73225,512 | ------------------------------ From: herronj@MAIL.FWS.GOV Date: 21 Mar 94 08:34:10 MST Subject: Re: Network Security Mike Gadda writes: My university has a Novell Network and last year someone bugged the whole campus with a program called Lan Assist Plus. This program allows *anyone* to mess with what others are doing by having another persons screen captured on there own. The person being watched has no idea. This person can be rebooted or messed with by unwanted keystrokes. I couldn't believe it myself when I first saw it. I wonder if Novell anticipated this problem when creating their networks. The program you mention really doesn't have anything to do with Novell. LAN Assist works as a TSR that captures keys strokes and screens (much the same way pcAnywhere does) when activated by a remote computer. Even if the computer wasn't on a network a program could do the same thing and store the information to a local drive for later analysis. On a network the software simply makes use of the line to the outside world to transmit this data. The program is intended for technical support. When someone on the network has a problem they call their tech. support, who may be many miles away. The tech support person then starts up LAN assist, picks this users workstation, and has the person duplicate the problem. S/he can then very often solve the problem without ever leaving their desk (Lan Assist also allows the remote user to have control of the keyboard). Lan Assist has many options that leave privacy in place. Including the ability to require the user to "grant permission" prior to the take over, password takeover, a "wagon wheel" indicator that it is being monitored, etc. It is up to the system administrator to implement one or more of these privacy security measures. I know on our system we make loading LAN Assist a separate menu item, this way the TSR doesn't even load unless the user chooses to do so. Even then we use the "wagon wheel" indicator so the user knows exactly when they are being monitored. I personally believe the "wagon wheel" should be built in to the program so it is ALWAYS used and NOT AN OPTION. Actually it should be the law since this could be used to read peoples Email (as they read/write the mail), which is a violation of Federal Law. ------------------------------ From: wilhelm@lsesun6.epfl.ch (Uwe WILHELM) Date: 21 Mar 1994 14:57:59 GMT Subject: Re: Time Magazine on Clipper Organization: Ecole polytechnique federale de Lausanne laine@MorningStar.Com (Laine Stump) writes: If all the government is doing is taking a marketing approach with this Clipper chip technology, what's all the fuss? By simply adding another layer of encryption on top of Clipper will defeat its backdoor and threats from snooping. The government rarely suceeds at anything when it comes to business -- especially if it involves marketing. This is a common, and dangerous, misconception. Cryptographers know that it is much easier to break a code if they can analyze "chosen text" that has been encrypted, in other words if they can get a look at some sequence of input text they have chosen after it goes through the encryption algorithm. It is very possible (some say likely) that the Clipper algorithm puts patterns into the encrypted text which the NSA can later use to aid them in breaking any encryption used "on top" of a Clipper-encrypted data stream. It is widely rumored that the NSA already does this with a voice compression algorithm it developed which is widely used in telecommunications equipment. Do you unconditionally trust anyone and everyone who works for the U.S. Government? I might be completely off the point, and I have to admit that I'm not very sophisticated, if it actually comes down to doing real encryption. On the other hand, I thought I had a rather thorough understanding of how things work (in general). So, the question is: if I put another layer of encryption before the Clipper encryption and after the Clipper decryption - is your point still valid? me -> (my_encryption) -> (Clipper_encryption) -> (wire through NSA) -> (Clipper_decryption) -> (my_decryption) -> her/him I can't see any chosen plaintext attack. All the NSA (or whoever) has, is a encrypted stream of data, which is as safe as the encryption I used. I don't think there's much ado about nothing... but, who is able to take advantage of this kind of secure communication? and is it legal anyway? ------------------------------ From: poivre@netcom.com (poivre) Date: 21 Mar 1994 21:17:18 GMT Subject: Re: Phone Book Pseudonyms Organization: NETCOM On-line Communication Services (408 241-9760 guest) Dave Niebuhr (dwn@dwn.ccd.bnl.gov) wrote: Some years ago, in order to protect my privacy, I registered my phone under the name "Mehitabel DeCatte" (pronounced "Mehitabel the cat"). Having such a "nom de phone" was legal and was cheaper than having an unlisted number. Our cat, Mehitabel, did live at our residence with Ok, for all of you who do something like this, how? When I tried to get a different name for my phone, I was told it wasn't possible. They wanted either my Soc Sec Number, which I wouldn't give out, or my drivers license, presented in person, so that they could verify my identity. They wouldn't let me use a fake name, and in fact, I asked directly, and was told it wasn't possible. I have my phone listed under a fictious name and the phone company (NYTel/NYNEX) didn't blink an eye. The only thing I had to do was to make sure that it was an unreasonable one such as John Doe, Richard Roe; it had to be reasonable sounding. However, I checked my phone book and found lots of John Doe's ... NYNEX/NYTel seems to be pretty cool about identities. When i signed up for phone service, I didn't have to give any SSN, drivers license number, etc etc. For all I could see, I could have made up a name like John Doe, Jane Smith, etc etc. ------------------------------ From: stanley@skyking.oce.orst.edu (John Stanley) Date: 21 Mar 1994 22:21:08 GMT Subject: Re: IRS Purchase Order Organization: Coastal Imaging Lab, Oregon State University Prof. L. P. Levine wrote: [Great for identifying anonymous callers who request information on whether illegal acts must be declared, and other such revealing queries? PGN] By the time the IRS has targeted you to put one of these things on your line, I think you have more to worry about than making anonymous calls to the IRS. They already know who you are. ------------------------------ From: Ron Bean Date: 21 Mar 1994 20:54:33 -0600 (CST) Subject: Re: IRS Purchase Order The Internal Revenue Service intends to procure 28 remote telephone data collection units, including software. The unit must be no larger than 5.9x1.5x3.2 inches. Where did they get these dimensions from? Why not 6x1.5x3? ------------------------------ From: SchwartzM@DOCKMASTER.NCSC.MIL Date: 22 Mar 94 10:56 EST Subject: New Book From IOM On Health Data Privacy I just received a new book published for the National Academy of Science's Institute of Medicine entitled "Health Data in the Information Age: Use, Disclosure and Privacy". The copyright is 1994 and is the result of a follow-on project to their 1991 publication "The Computer Based Patient Record: An Essential Technology For Health Care". This new book covers a variety of topics including the recognition of the formation of so-called Regional Health Data Networks for the purpose of tracking patient outcomes and facilitating improved access to medical data on patients. A great deal of the book deals with the significant privacy issues that will need to be addressed as we move toward the computerization of the medical record and the use of computer networks for remote consulting, including legislative approaches. Additional work covers the issues surrounding the release of health care provider specific data (hospital/physician) relative to attempts to give the public an ability to make quality of care decisions in their selections of providers. This is already being done in New York, Pennsylvania and other states in the realm of cardiac surgery and cardiology related interventions and has come under significant fire from the health care community for being, at best mis-leading to an uninformed public, at worst a significant threat to patient access to health care. The book may be ordered from National Academy Press at 1-800-624-6242 and is priced at $39.95. It is a major work in this area and I would strongly urge its reading to anyone interested. Marc Schwartz Director of Clinical Services Summit Medical Minneapolis, MN 55447 Voice: 612-473-3250 Internet: SchwartzM at dockmaster.ncsc.mil ------------------------------ End of Computer Privacy Digest V4 #045 ****************************** .