Date: Tue, 06 Sep 94 15:49:57 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V5#031

Computer Privacy Digest Tue, 06 Sep 94              Volume 5 : Issue: 031

Today's Topics:                         Moderator: Leonard P. Levine

    DSS, Now Official
    Editorial: Privacy & State Kiosk Project
    West Publishing - Permanent Injunction Regarding Legal Text
    Snooping on the Net
    Re: Post Office Boxes
    Re: Post Office Boxes
    Re: Cordless Phone Privacy
    Re: Cordless Phone Privacy
    Big Brother (not just) on the Autobahn
    Re: Internet White Pages
    Access surveillance

---------------------------------------------------------------------

Housekeeping information is located at the end of this Digest.

----------------------------------------------------------------------

From: Shawn Leard <71370.2551@compuserve.com>
Date: 03 Sep 94 22:11:47 EDT
Subject: DSS, Now Official

Notes: INFO Security News Sep/Oct 1994

DSS Dangers

- Via NIST announcement as of 20 May 1994 the DSS has become official.
- All federal agencies will now have to use DSS or receive a waiver.
- At this point there is no "off the shelf" software any federal agency can purchase that uses the DSS.
- Per RSA Data Security INC the DSS infringes on its patents of the RSA algorithm.

Best Regards,
Shawn Leard

------------------------------

From: Peter Marshall
Date: 04 Sep 1994 11:56:15 -0700 (PDT)
Subject: Editorial: Privacy & State Kiosk Project

---------- Forwarded message ----------

[Note: THE OLYMPIAN is a daily in Olympia, WA, the state capital.]

from OLYMPIAN, Opinion Section, Aug. 16, 1994
Ed. Page Editor: Mike Oakland

OUR VIEW: We Must Not Sacrifice Privacy Rights On Information Superhighway

GUARD OUR PRIVACY

It was a good idea gone awry.
In an effort to reach out to people around the state and give them access to more state government information and services, the Department of Information Services is installing computer terminals, or kiosks, in shopping malls and other centralized locations.

The notion is a good one. Residents should be able to use the display screen to gain easy access to government information from recycling programs to campground locations and new state job listings.

As this state and nation race down the information superhighway, more attention simply must be paid to individual privacy rights....

The problem arose in the job listing service offered by the Department of Employment Security. Job seekers are asked to key in their Social Security numbers.

Jerry Sheehan with the American Civil Liberties Union said it may be illegal for the state to ask for a Social Security number in this context. Congress has stipulated that an individual's Social Security number may only be requested under certain circumstances. In all other cases, individuals must be told that disclosing their Social Security number is strictly voluntary. Individuals also must be told what their number will be used for.

The more people that have access to an individual's Social Security number, the greater chance for abuse. Many people believe that just because they are asked for a Social Security number, they must respond. That's not always the case.

Alerted to the privacy problem, Employment Security officials say they now will modify the computer program so that people who want to browse through the job listings can do so without disclosing their Social Security numbers.

But Deputy Commissioner Wendy Holden said Employment Security's automated system is based on the numbers. As a result, Holden said, those individuals who are seeking a specific job referral must be asked to disclose their Social Security Numbers.
The troubling thing in the Employment Security fiasco is the fact no one thought to question the requirement that job seekers key in their Social Security numbers. In fact, it's not clear whether Employment Security even checked the laws regarding release of Social Security numbers before setting up the computer program.

Think, people, think.

------------------------------

From: "Prof. L. P. Levine"
Date: 05 Sep 1994 09:33:42 -0500 (CDT)
Subject: West Publishing - Permanent Injunction Regarding Legal Text
Organization: University of Wisconsin-Milwaukee

    From: Gregory Miller JD
    Date: 03 Sep 94 08:42:50 -0700
    To: tech-law@techlaw.TechLaw.Com

Friday morning, Minnesota Public Radio reported that West Publishing Co. of Eagan, Minn. has obtained a permanent injunction against On Point Solutions, Inc., a CD-ROM producer.

According to the sound bite by a West attorney, OPS had produced CD-ROM's from what West claimed were copyrighted materials. According to the atty, OPS had obtained copies of West publications then tore the pages from the spine then scanned in the printed matter. OPS, apparently, deleted any material copyrighted by West then made the CD-ROM's from what was probably public domain material.

West's argument seems to have been that if the scanned matter included any copyrighted material, no matter how small a part, such scanning amounted to an "unfair practice". The Court agreed and granted the injunction.

If the news report is accurate, those of you attempting to sway Atty Genl Reno and others in this battle over who owns public domain material (Yes, I wrote that as I intended :-) have another point to raise. It seems that West is now claiming that its addition of copyrighted material to P.D. material makes _all_ the material West's.

As to the scanning issue, is that really distinguishing because scanners do nothing that cannot be done by typists?
Will West's next move be to seek injunction against typing from its books even if all but a minuscule amount of the material is P.D.? Does this presage an attempt by West to claim that it can control even quotation of cases in briefs, etc., if the cases are from books, etc. that contain even a tiny fraction of West copyrighted matter? Just where are the limits of West's claims?

If anyone has more info on this matter, please post. We do not entirely trust news reports, even from public radio, especially where the radio station is in the hometown of one of the litigants and the only sound bite came from the hometown atty.

________________

Corporate Office:
INHERENT TECHNOLOGIES INC.
Legal Information Systems & Internet Consulting
2130 SW Jefferson Street
Suite 300
Portland, Oregon 97201
Telephone: + 1 503-224-6751
FAX: + 1 503-224-8872
Internet: info@inherent.com
Http: //www.inherent.com
Regional Office: Boston, MA.

Joe Abernathy          Joe_Abernathy@pcworld.com
Senior Editor News     (713) 666-5896
PC World               (713) 666-6041 fax

------------------------------

From: glr@ripco.com (Glen Roberts)
Date: 05 Sep 1994 15:49:17 GMT
Subject: Snooping on the Net
Organization: Ripco Internet BBS, Chicago (312) 665-0065

------------------------------------------------------------------------
cc: Kathleen Carson, S.A., FBI, LA, CA.         || Pursuant to Court Order
    Kenneth G. McGuire, III. S.A., FBI, LA, CA. || served August 11, 1994
    Stanley E. Ornellas, S.A., FBI, LA, CA.     || on Netcom Communications
------------------------------------------------------------------------

5 U.S.C.
552b

(a) Congress finds that --

(1) the privacy of an individual is directly affected by the collection, maintenance, use, and dissemination of personal information by Federal agencies;

(2) the increasing use of computers and sophisticated information technology, while essential to the efficient operations of the Government, has greatly magnified the harm to individual privacy that can occur from any collection, maintenance, use or dissemination of personal information;

...

(4) the right to privacy is a personal and fundamental right protected by the Constitution of the United States; and

(5) in order to protect the privacy of individuals identified in information systems maintained by Federal agencies, it is necessary and proper for Congress to regulate the collection, maintenance, use and dissemination of information by such agencies.

...

(e) AGENCY REQUIREMENTS -- Each agency that maintains a system of records shall --

(1) maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or by executive order of the President;

...

(7) maintain no record describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual about whom the record is maintained or unless pertinent to and within the scope of an authorized law enforcement activity.

--
Glen L. Roberts, Editor, Full Disclosure Magazine
Host Full Disclosure Live (WWCR 5,810 khz - Sundays 7pm central)
email glr@rci.ripco.com for information on The Best of Full Disclosure,
four volumes to blow your mind.
Voice/Fax on demand: (708) 356-9646
email for uuencoded .TIF of T-Shirt Honoring the FBI

------------------------------

From: skypatrl@crl.com (Albert Zhou)
Date: 03 Sep 1994 10:54:06 -0700
Subject: Re: Post Office Boxes
Organization: CRL Dialup Internet Access (415) 705-6060 [login: guest]

"Dennis G Rears (FSS" writes:

    Issue #2: Ok, you have gone to USPS and they don't have my correct address. You then try through the phone company (one of my numbers is listed) the address is most likely in the phone book. That doesn't work. You do social engineering through the electric or gas company. If the person owns property you check various tax records in communities around the PO box town. That doesn't work.
    You then wait until the person picks up the mail and follow them.
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This probably won't work as this guy may pick up his mail at an odd hour and only when no one is in the lobby. If you don't stay in the lobby closely watching, you won't be able to tell who opens which box -- unless you know this person's appearance.

You could, of course, send this guy a big package to that mailbox. Then you camp outside and look out for a guy carrying that big package. Then you could follow him.

------------------------------

From: ua602@freenet.victoria.bc.ca (Kelly Bert Manning)
Date: 04 Sep 94 10:03:42 PDT
Subject: Re: Post Office Boxes

levine@blatz.cs.uwm.edu ("Prof. L. P. Levine") says:

    Although I don't like it from a business standpoint, I am sure you will be happy to know that this has changed. You can still follow the same process for a business PO Box however the physical addresses for the PO Boxes of private citizens are no longer available.
I read a while back that private dicks and stalkers get around this by running a phoney ad using the PO box number (with details unlikely to get responses), clipping it once it's published, and then taking the ad to the Postal Service as "proof" that the PO box is being used commercially.

The RCMP had no trouble getting the registration details of a US Border Town PO box that a Canadian Pathologist rented a while back. Someone ordered a copy of the birth certificate for a long dead child whose death was recorded at one of the hospitals where the pathologist was on staff.

Despite FTA/NAFTA many businesses and individuals in the US still seem to have a reluctance to deal with Canadian companies. Many Vancouver, BC companies overcome this easily by renting a Blaine, Washington, bag service PO box number. The service for finding out the owner details doesn't seem to be widely used, or this deception wouldn't be very effective.

I see that former moderator D. Rears has replied to some questions that came to my mind, but I couldn't followup it directly because the Freeport mail sender got a memory fault from the " and non-standard mail ID.

I also rented a mail box before I moved the last time, and haven't had any trouble. Canada Post doesn't send out mail to the contact address. For a phone number I use my work number, which doesn't appear in any published directory (apart from briefly showing up on my employer's anonymous gopher server before I asked them to desist).

The main question that comes to mind is whether the Postal Service or any other body would consider pursuing this and filing charges to be a useful expenditure of limited public resources, without any other evidence of illegal activity or intent. If they do file, is it something that is likely to get a conviction from a jury, what kind of conviction is it (misdemeanor or felony), what kind of sentence would it get, and what are the likely future consequences in terms of employment screening, etc?
In Canada the Canada Post Corp. has a long term policy of refusing to provide door to door delivery to new houses, and even terminating door to door delivery where it can. If you start to get mail at one of these group box addresses, even for a brief period, it should be relatively easy to continue to get it there, even if you move. These come in 2 flavours. The older one started out as a Rural Group Box service. Anyone can register at a "Rural" green box using any address, even a vacant field or lot, with no check.

Canada Post Corp. has also restricted service at real POs to commercial accounts, privatizing retail service to individuals to things called Retail Postal Outlets. In the Victoria Area there are about 70 of these for a population of 300,000. All have to offer PO boxes as part of the service and many are located in malls and other areas which are relatively secure and where security staff would probably deal with someone who hangs around watching a box without spending any money.

------------------------------

From: morris@grian.cps.altadena.ca.us (Mike Morris)
Date: 04 Sep 1994 20:09:22 GMT
Subject: Re: Cordless Phone Privacy
Organization: College Park Software, Altadena, CA

Shawn Leard <71370.2551@compuserve.com> writes:

    I am in the process of pondering over purchasing one of these 900 MHz cordless phones and was wondering if anyone has any recommendation? What I am mainly looking for besides good reception is a very solid & secure Tx between the handset and the base. This being unlike the normal cordless phones that Tx in the 400 MHz band and offer so called secure Tx that can still be picked up and understood with a normal scanner.

Correction: The normal ones transmit in the 40-50mhz area.

Unless you can find one that scrambles or encrypts, you will always have the snooper-via-scanner problem with any radio-based phone. Even the newer scanners that have cellular designed out will still hear the 900 mhz cordless phones.
Good rule of thumb: If the phone has an antenna, don't say anything that you don't want published on the front page of the L.A. Times.

--
Mike Morris WA6ILQ    | This space intentionally left blank.
PO Box 1130           |
Arcadia, CA. 91077    | All opinions must be my own since nobody pays
818-447-7052 evenings | me enough to be their mouthpiece...

------------------------------

From: Shawn Leard <71370.2551@compuserve.com>
Date: 04 Sep 94 22:46:55 EDT
Subject: Re: Cordless Phone Privacy

    From: tim@umcc.umcc.umich.edu (Tim Tyler)
    Newsgroups: rec.radio.scanner,alt.radio.scanner,alt.privacy,
                alt.toys.hi-tech,talk.politics.crypto
    Subject: Motorola 'Secure-Clear' Cordless Phones (repost)
    Date: 07 Jul 1994 01:43:26 -0400
    Organization: UMCC, Ann Arbor, MI, USA

In the last several weeks, I've noticed some questions & discussion concerning Motorola's 'Secure-Clear' line of cordless phones. Below is a REPOST of something I originally wrote & posted a few years ago. I assume Motorola is still using the voice-inversion technology for their 'Secure-Clear' line, although I'm not sure if they're continuing to misinform the public about the level of protection offered by its primitive & weak transmission-security method.

*******************************************************************

"Why a Motorola Cordless Phone?"

"Cordless phone eavesdroppers are everywhere" says pro golfer Lee Trevino, spokesman for Motorola. "But with my Motorola Secure Clear Cordless Phone, my private conversations stay private."

So says a glossy brochure (# BA-81) that Motorola's Consumer Products Division (telephone # 800/331-6456) distributes to promote their new 'secure' cordless phone product line. When I first read the cover of the brochure, I said to myself, "Wow, I wonder what sophisticated technology it must use?"
Motorola has been developing and selling secure voice & data systems, from DVP & DES up to the current 'FASCINATOR' algorithm for classified military & federal government secure voice for many years.

Page Two of the slick brochure has some rhetorical questions and answers:

*****************************************************************

Why Motorola Cordless Phones?

Q. What is meant by Secure Clear?

Secure Clear is an exclusive technology that assures you no eavesdroppers will be able to use another cordless phone, scanner or baby monitor to listen in to your cordless conversations.

Q. How difficult is it to eavesdrop on someone's cordless conversation?

It's not difficult at all. Simply by operating a cordless phone, scanner or baby monitor on the same channel as you're on, an eavesdropper can listen in. Security codes alone DO NOT prevent eavesdropping.

Q. What are security codes and what do they do?

Security codes allow the handset and base to communicate with each other. With the Secure Clear cordless phone, one of 65,000 possible codes are randomly assigned every time you set the handset in the base. This means that a neighbor cannot use his handset to link with your base and have phone calls charged to your phone number.

Q. Describe the basic difference between Secure Clear and security codes.

Secure Clear protects against eavesdropping. Security codes prevent the unauthorized use of your phone line. Usually all cordless phones have security codes, but not both.

Q. What is the purpose of the Secure Clear demo?

The Secure Clear demo is a unique feature of Motorola phones that allows you to actually experience what an eavesdropper would hear when trying to listen to your conversation. By pressing the SECURE DEMO button on the Motorola phone, you and the person on the other end will hear the same scrambled noise an eavesdropper would hear.

*****************************************************************

Hmmm...
I went to the Motorola Secure Clear cordless phone display at a Sears store, took a deep breath, & hit the demo button in order to hear what the "scrambled noise" which would protect a conversation from eavesdropping sounded like.

White-noise like that of a digital data stream? Rapid analog time-domain scrambling? No, the scrambled "noise" sounded like inverted analog voice. That's right, they're using the 40 or 50 year old (3kHz baseband) speech inversion system --the same one which they stopped marketing for their commercial two-way radio gear about a decade ago-- to make Lee Trevino's & other ignorant people's "private conversations stay private."

For those of you not familiar with speech inversion, it simply flip-flops the voice spectrum so that high pitched sounds are low, & vice versa. It sounds a lot like Single Side Band (SSB) transmissions, although it is somewhat tricky to get a SSB receiver to decode speech-inversion scrambling.

Prior to 1986, several companies -- Don Nobles, Capri Electronics, etc., sold inexpensive kits or scanner add-ons that could be used to decode speech inversion. Several electronics magazines also published schematics for making your own from scratch, at a cost of about $5. After the Electronic Communications Privacy Act of 1986, it became illegal to decode or decipher encrypted communications which you weren't a legitimate party to, so the standard practice of selling these quasi-legal products as 'experimental kits' or 'for educational purposes only' became common. Today, some companies will not specifically sell a 'speech-inversion descrambler,' but instead market a 'speech inversion scrambling system' which means the kit will encode as well as decode speech inversion, although most people buy them simply to hook up to their scanners & monitor the few public safety agencies and businesses that (still) use speech-inversion scrambling.
Yes, technically, it is a felony for you to use a speech-inversion descrambler to monitor these Motorola 'Secure Clear' cordless. Or for that matter, the new Radio Shack DUoPHONE ET-499, cordless phone that also depends on speech-inversion for privacy protection.

The public utility of the ECPA has been argued about ever since before it was enacted. It is rather obvious that the ECPA was pushed upon the ignorant, money-hungry Congress by the powerful (& wealthy) Cellular Telephone Industry Association (so the CTIA could propagate misinformation to the public, but that's another story...). I also realize that the 46/49MHz cordless phone channels are apparently allocated for analog-voice only.

Despite the ECPA, it is unconscionable to me that Motorola --who surely knows better-- would produce the slick brochure & specifically market the 'Secure Clear' line as being invulnerable to eavesdropping. Their wording unequivocally gives the impression that the 'Secure Clear' conversations are secure, not only from other cordless phone & baby monitors, which have several common frequencies, but also against communications hobbyists with scanner radios.

It is bad enough that many public safety officers still think that by using the 'PL' ('Private Line,' also known as CTCSS) setting on their Motorola two-way radios, no one else can listen in. While the 'Private Line' fiasco might be attributable to misconception on the part of the radio users, in my opinion, Motorola's Consumer Products Division has to know that there are thousands of scanner monitors who have the technical ability to defeat the speech-inversion 'Secure Clear' system. A Motorola representative at the 1992 Summer Consumer Electronics Show in Chicago confirmed this to me, with a smirk on his face.

There's a big difference between Motorola's aforementioned wording & that of Radio Shack's on page 3 of their 1993 catalog:

    New! Voice-Scrambling Cordless Telephone DUoFONE ET-499. Cordless phones are great.
    But since they transmit over the airwaves, your private conversations could be monitored. Now you can enjoy cordless convenience with voice scrambling for added [emphasis theirs] privacy protection -- frequency inversion makes transmissions between the handset and base unintelligible...

It's not "Motorola should know better." Motorola DOES know better. Otherwise, they wouldn't be spending time or money on truly 'secure' (based on current technology, of course) communications and transmission security systems for the government.

I sure am thankful that our federal government & military users of secure-mode communications systems don't rely on Motorola's marketing department to provide factual information as to the level of security provided by Motorola equipment. Too bad that for the most part, the public does.

For anyone looking for a cordless telephone that offers a decent level of privacy, take a look at some of the new cordless phones that use the 900MHz band. Most of the new ones not only use CVSD digital voice for the RF link, but also direct-sequence spread spectrum. By no means are these phones secure ('encoded,' yes, but 'encrypted,' generally not), despite some of the wording in their owner's manuals. Some of the Tropez 900 models actually seem to generate a very weak analog harmonic in the 440MHz spectrum, but you'll still be a lot better off than poor Lee Trevino!

Tim Tyler

------------------------------

From: John Medeiros <71604.710@compuserve.com>
Date: 05 Sep 94 21:50:19 EDT
Subject: Big Brother (not just) on the Autobahn

The "newsgroup: sci.military, Subject: AF News Svc 30 Aug 94" article states:

    Rome Laboratory entered into an agreement in July with federal and New York transportation agencies to pioneer development of an automated traffic monitoring system. The system will assist traffic managers in planning for --- and relieving --- congestion on major U.S. highways.
    The system will make use of advanced signal processing, neural network and distributed systems technology, all of which are major technology areas to Rome Laboratory. By employing video sensors, processors, communications services, and a closed-loop feedback system to monitor expressway traffic,

So? This has been an everyday part of life on the freeways of Los Angeles. Minus of course, a "neural network and distributed systems technology" which will further automate the current system. Oh, and it still doesn't work! But the federal government will keep spending money on it.

------------------------------

From: "David A. Honig"
Date: 06 Sep 1994 11:30:11 -0700
Subject: Re: Internet White Pages
Organization: UC Disneyland, in the Kingdom of Bren

Paul Robinson writes:

    In alt.sex.stories is an article entitled "The Engineer: Scorched Earth" which, if it hopefully has expired by now, is the kind of thing that gives a bad name to Internet. I have a copy of the article as

The Internet is a form of media. Do books that you don't like give a "bad name" to Gutenberg's press?

    well as my own replies to it, and I'll send it on to anyone that wants to read it. Let me warn you, if you have any decency at all the story will sicken you. The damn thing fascinated me the way a mongoose fascinates a rattlesnake, however. If I wanted to list the worst, most

There are no rattlesnakes where mongoose are found. There are cobras, and they are food items.

--
David A. Honig, informivore

------------------------------

From:
Date: 06 Sep 1994 07:27:58 -0400
Subject: Access surveillance
Organization: Faculty of Information Studies

I hope some members of the list will be able to give us assistance on this question.

We would like to find examples of institutional policies relating to privacy/confidentiality issues with respect to electronic (transaction) records created by the use of building access cards which contain personal ID on their magnetic strip.
This seems to be a topic which has not received much attention in the literature.

We are also interested in examples of institutional policies dealing with privacy issues related to other aspects of electronic surveillance especially dealing with transaction records.

If your institution has such policies, we would appreciate receiving a copy or information on how we could get a copy.

PLEASE REPLY TO ME NOT THE LIST (I am not a current subscriber).

Thanks,

Diane Henderson
Faculty of Information Studies
University of Toronto
140 St. George St.
Toronto, Ont. Canada M5S 1A1
Phone (416) 978-7071
Fax (416) 978-5762
hender@fis.utoronto.ca

------------------------------

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

Back issues are available via anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The archives are in the directory "pub/comp-privacy".

People with gopher capability can access the library at gopher.cs.uwm.edu. Mosaic users will find it at gopher://gopher.cs.uwm.edu.

Archives are also held at ftp.pica.army.mil [129.139.160.133].

End of Computer Privacy Digest V5 #031
******************************
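
An added illustration, not part of the digest or of Tim Tyler's post, of the speech inversion that post describes: the transform takes no key and applying it a second time restores the input exactly, which is why it offers no real confidentiality. The 6 kHz sample rate (placing the 3 kHz band edge at Nyquist) and the two test tones are assumptions constructed for this example.

```python
"""Speech (frequency) inversion on constructed test tones, standard library only."""
import cmath
import math

SAMPLE_RATE = 6000   # Hz; assumed, so the 3 kHz voice-band edge sits at Nyquist
NUM_SAMPLES = 600    # gives 10 Hz spacing between DFT bins
BIN_STEP = SAMPLE_RATE // NUM_SAMPLES


def make_tones(tones):
    """Constructed stand-in for voice: a sum of (frequency_hz, amplitude) sines."""
    return [
        sum(a * math.sin(2 * math.pi * f * n / SAMPLE_RATE) for f, a in tones)
        for n in range(NUM_SAMPLES)
    ]


def invert_spectrum(samples):
    """Mix with a carrier at SAMPLE_RATE/2, i.e. multiply sample n by (-1)**n.

    Every component at f Hz moves to (SAMPLE_RATE/2 - f) Hz, so low pitches
    become high and vice versa. There is no key or other secret input.
    """
    return [s if n % 2 == 0 else -s for n, s in enumerate(samples)]


def amplitude_at(samples, freq_hz):
    """Amplitude of the component at freq_hz (single-bin DFT)."""
    acc = sum(
        s * cmath.exp(-2j * math.pi * freq_hz * n / SAMPLE_RATE)
        for n, s in enumerate(samples)
    )
    return 2 * abs(acc) / len(samples)


def strongest_tones(samples, count):
    """Frequencies (Hz) of the `count` largest components, strongest first."""
    bins = range(BIN_STEP, SAMPLE_RATE // 2, BIN_STEP)
    return sorted(bins, key=lambda f: amplitude_at(samples, f), reverse=True)[:count]


def demo():
    """Invert a two-tone test signal, then invert the result again."""
    clear = make_tones([(400, 1.0), (2200, 0.5)])   # constructed test input
    scrambled = invert_spectrum(clear)
    restored = invert_spectrum(scrambled)           # same operation, applied again
    return {
        "clear": strongest_tones(clear, 2),
        "scrambled": strongest_tones(scrambled, 2),
        "restored": strongest_tones(restored, 2),
        "exact_round_trip": restored == clear,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>16}: {value}")
```

Because the mapping is fixed and public, the only thing standing between a listener and the audio is one multiplication per sample; the digital and spread-spectrum links the post mentions are a different class of design, and even those are described there as encoded rather than encrypted.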