Computer Privacy Digest Wed, 28 Sep 94              Volume 5 : Issue: 039

Today's Topics:                         Moderator: Leonard P. Levine

    Reason 24: Capacity Requirements
    Re: Reason 16: Expense
    Top 10 Anti Clipper List
    Update address >>>Network Security Observations<<<
    Post Office Boxes
    Questions Re: Security of Computerized Medical Database
    Find E-Mail Address?
    Database Marketing Revisited
    Will Our Rights be Protected?
    Re: Anti-Clipper
    ACLU release and letter on FBI wiretap bill
    CPD Information

---------------------------------------------------------------------
Housekeeping information is located at the end of this Digest.
----------------------------------------------------------------------

From: email list server
Date: 26 Sep 1994 12:13:42 -0700
Subject: Reason 24: Capacity Requirements

100 Reasons to Oppose the FBI Wiretap Bill

Reason 24: The FBI Wiretap bill allows the Attorney General to develop monitoring specs

The proposed wiretap law says that the Attorney General will provide to telecommunications carrier associations and standard-setting organizations a notice of "maximum capacity" required to accommodate all of the communication interceptions, pen registers, and trap and trace devices that the Attorney General estimates that government agencies may "use simultaneously." Telecommunications carriers will then be required to ensure that systems are capable of "expanding to the maximum capacity." (Proposed section 2603(a))("legal code")

-> 9/25 NEWS UPDATE: Wiretap legislation slows in House. Sources say
-> that Rep. Brooks unlikely to consider bill. ACLU announces opposition
-> to wiretap plan.

------------------------------------------------------------------------
What To Do: Fax Senator Joe Biden (202-224-0139). If you live in California, fax Senator Dianne Feinstein (202-228-3954). Express your concerns about the FBI Wiretap proposal.
------------------------------------------------------------------------
100 Reasons is a project of the Electronic Privacy Information Center (EPIC) in Washington, DC. For more information: 100.Reasons@epic.org.
========================================================================

------------------------------

From: mea@intgp1.att.com (Mark E Anderson +1 708 979 4716)
Date: 26 Sep 94 20:50:00 GMT
Subject: Re: Reason 16: Expense

    Reason 16: Wiretapping is a particularly expensive investigative method. Since 1970, the average cost per order has increased 1,100 percent.

I would be a little careful about using this reason to oppose the wiretap bills. These can also be reasons to support the bills so as to reduce the costs of these wiretaps and gather more information making them more cost effective. I can think of a dozen things they could do but then again, I have a pretty devious mind.

--
Mark Anderson
mea@intgp1.att.com

------------------------------

From: normh@crl.com (Norman J Harman)
Date: 26 Sep 1994 11:08:12 -0700
Subject: Top 10 Anti Clipper List
Organization: CRL Dialup Internet Access (415) 705-6060 [login: guest]

I will offer an anti Clipper/Skipjack T-shirt. They would be white with black printing and cost approximately $5.00 plus $2.90 shipping to US locations. That is the cost to produce one shirt. I am trying to spread awareness not make money.

I posted a while ago asking for suggestions on what the shirts should say. One of the best ideas was from Donald Alan Whiteside. He suggested a top 10 list and provided one item for that list. I need some more. This list will be on the back of the shirt. On the front will be a "Big Brother Inside" Logo and a Clipper Chip.

"Top 10 reasons to Say No to Clipper"

#1 "Can't trust Clinton not to read McDonald's recipes for Big Mac secret sauce."
#2 "We all know it's just so the FBI can get free phone sex."
#3 "The spies at NSA will get eyestrain reading all of Santa's mail"
#4 "Your idea here."
Please send comments, suggestions, and questions to normh@crl.com. After I get a finished list I will post how to get one, about one week.

A worthy cause is better if it benefits another good cause so the shirts will be silk-screened by Zerolith, part of a non-profit organization that employs, shelters, and assists homeless youth. If you would like to talk with Zerolith or donate money directly here is how to contact them.

    Zerolith
    3075 21st Street
    San Francisco, CA 94110-2626
    415.641.1014 voice
    415.641.1474 fax

--
Norman J. Harman Jr.   o o    Smiley Publishing
normh@crl.com          \__/   San Francisco, CA

------------------------------

From: nso@delphi.com
Date: 27 Sep 94 04:54:18 -0500
Subject: Update address >>>Network Security Observations<<<
Organization: Delphi (info@delphi.com email, 800-695-4005 voice)

Announcement

November 1994 NETWORK SECURITY OBSERVATIONS will be out with its inaugural issue.

NETWORK SECURITY OBSERVATIONS is expected to be the leading international journal on computer network security for the science, research and professional community. Every annual volume contains five issues, each offering ample space for vigorously reviewed academic and research papers of significant and lasting importance, and a wealth of other network security information, including security patches and other technical information supplied by manufacturers, related governmental documents (international), discussions about ethics and privacy aspects, the Clipper chip and other cryptologic issues, viruses, privacy enhanced mail, protocols, harmonization of computer security evaluation criteria, information security management, access management, transborder data flow, edi security, risk analysis, trusted systems, mission critical applications, integrity issues, computer abuse and computer crime, etc. etc.
If and when appropriate reports of major international conferences, congresses and seminars will be included, as well as information made available by governments, agencies, and international and supra national organizations.

Network Security Observations is published in the English language, and distributed Worldwide. The publication does NOT feature commercial announcements. National and international organizers of dedicated conferences, etc. can offer calls for papers and invitations to participate. Relevant posting from other publishers announcing new relevant books, etc are welcomed as well.

NETWORK SECURITY OBSERVATIONS provides the in depth and detailed look that is essential for the network system operator, network system administrator, edp auditor, legal counsel, computer science researcher, network security manager, product developer, forensic data expert, legislator, public prosecutor, etc., including the wide range of specialists in the intelligence community, the investigative branches and the military, the financial services industry and the banking community, the public services, the telecom industry and the computer industry itself.

Subscription applications by email or fax before November 1, 1994 are entitled to a special rebated subscription rate. Special academic/educational discounts, and rebates for governmental personnel, and other special groups, are available upon request. Network Security Observations is a not-for-profit journal, and therefore we are sorry to reject requests for trial orders.
For further information please contact:

    by email> NSO@delphi.com
    Or by fax> +1 202 429 9574

Or alternatively you can write to:

    Network Security Observations
    Suite 400
    1825 I Street, NW
    Washington DC, 20006
    United States

------------------------------

From: Mark Mullins
Date: 27 Sep 1994 02:39:00 +0000 (GMT)
Subject: Post Office Boxes
Organization: The Courts of Chaos * Jacksonville AR USA * 501-985-0059

Hi, I am not sure if this has been discussed on this newsgroup, so forgive me if it has. I have used a PO Box for several years due to privacy concerns. I am a SWF, and don't want my home address readily accessible. WELL, I just learned that all one has to do to attain the home address of a PO Box holder is fill out a form and pay two bucks. Most people don't know this anyway (though more will now!) but I think that this is very uncool.

Strongly agreed Professor!! Although I don't like it from a business stand point, I am sure you will be happy to know that this has changed. You can still follow the same process for a business PO Box however the physical addresses for the PO Boxes of private citizens are no longer available.

My question to you Professor, Is there a way for one to find out WHO paid the $2 fee to find out your home address?? Is the information recorded permanently?? How long does it take to find this information out?? I can see where it wouldn't take long for the wrong individual with this information to put it to the wrong use.. :-(

--
. SLMR 2.1a . Money talks.. But all mine ever says is GOODBYE!! :(

------------------------------

From: Richard Goldstein
Date: 27 Sep 1994 06:01:12 -0700 (PDT)
Subject: Questions Re: Security of Computerized Medical Database

I am a statistician and I sit on the Human Studies Committee (IRB) of a local HMO. I have been assigned as primary reviewer for our committee for a recently submitted protocol dealing with security issues on the HMO's computerized patient data base.
(Note: this may not need committee approval under Federal rules, but it does under local rules.) I am requesting some help regarding issues I should be asking about and guidance on literature.

Brief explanation of project: the current computerized medical record has two sections (I am oversimplifying some issues here, without, I hope, being misleading): a coded section that can be searched via computer and a text section that currently cannot be automatically searched. The HMO has entered into an agreement with a 'local' university (about 90 miles away) to attempt to develop tools for exploiting clinical text data (e.g., access, search, extract, manipulate the text portion of the record).

The process includes providing the university with example records (size of sample not known), where the records have been 'sanitized'. "The sanitization process has three stages:

1. automated masking of identifiers such as addresses and telephone numbers in ... extract headers as created [at the HMO]
2. automated masking of medical record numbers
3. automated masking of each segment of each member's name everywhere these segments occur in the ... extract"

There are some known problems with this masking (e.g., regarding the occurrence of names in the record other than that of the particular patient).

My problem is that I have no idea how much faith, trust, etc. to put into the "automated masking" process. Of particular help would be guidance on what questions to ask about this process to help make decisions about whether it is sufficient (guidance on literature would also be appreciated).

I note also that the people on the project appear to be unaware of the possibility of identifying patients via combinations of coded information. As a statistician, I am aware of some of the large literature on this question, especially with respect to Census information.
However, I am not familiar with recent literature on this question or with computer algorithms; further, I am not aware of any literature dealing specifically with this question for medical records (except that I do have a copy of the 9/93 publication from the Office of Technology Assessment entitled _Protecting Privacy in Computerized Medical Information_; however, this is not a technical publication).

Another question relates to what we should be asking about the security of the university computer; we have been told that the center "has implemented data access security by granting electronic access to [HMO] data only to researchers designated as members of the [HMO] project." However, we have been provided with NO details; again, what questions should we be asking and how do we interpret the responses?

I should mention that our committee very strongly opposes any movement of hmo data outside the hmo, but in rare circumstances we have agreed when we were satisfied with the security situation (usually a stand-alone computer in a room that could easily be locked).

Any help or advice would be greatly appreciated and should, preferably, be sent directly to me at "richgold@netcom.com". If desired, I could post a summary of the resulting responses to this group.

--
TIA,
Rich Goldstein

------------------------------

From: levinson@sunbow.dab.ge.com (Dave Levinson)
Date: 27 Sep 1994 13:57:37 GMT
Subject: Find E-Mail Address?
Organization: Martin Marietta

Does anyone know how to locate someone's E-Mail address? He is an old high school buddy and has a unique last name. Thanks..

--
Dave tha Wave

------------------------------

From: hedlund@reed.edu (M. Hedlund)
Date: 28 Sep 1994 01:08:20 -0700
Subject: Database Marketing Revisited
Organization: Northwest Nexus Inc.

I received the following survey today.
I admit that I am just as concerned about the accumulation of marketing data as the next comp.society.privacy reader; but maybe, when the battle seems bleak, we should pause and consider the nature of our opposition. Just for laughs.

"SHOPPING SURVEY

"In order to help us provide First Interstate Bank Cardholders like you with valuable services, please answer the following questions.

[...]

"7) Are you... ? (Check all that apply.)
    [ ] Male [ ] Female"

------------------------------

From: drdave@access3.digex.net (David Schurman)
Date: 25 Sep 1994 15:34:46 -0400
Subject: Will Our Rights be Protected?
Organization: Express Access Online Communications, Greenbelt, MD USA

I'd like to ask the help of the users while I research the question of privacy in data/telecommunications.

There are privacy concerns specific to but not limited to the First and Fourth Amendment to the constitution.

First Amendment: "Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press, or the right of the people peaceably to assemble, and to petition the government for a redress of grievances."

Fourth Amendment: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

The issue in my mind is that, with the increase of the transfer of information by computer and other electronic means; Are the issues of privacy and security being adequately addressed by means of the Clipper Chip and Encryption? Are our rights under these amendments being protected? What violations of these and other rights will be committed by those in the government under the guise of "protecting" those rights?
I would be interested to have some insightful discussion on these and other related topics.

--
David Schurman <<< drdave@access.digex.net >>>

------------------------------

From: olcay@libtech.com (olcay cirit)
Date: 27 Sep 94 07:22:47 PDT
Subject: Re: Anti-Clipper

Here's an idea:

    Clip Clipper
    Skip Skipjack
    --------------
    Slip Clipjack

-- Olcay
(| Olcay Cirit       |) "Note that I have taken special measures to
|) ----------------- (| restrain the computer to the desk in the
(| olcay@libtech.com |) case that it may explode" - Olo

------------------------------

From: ACLU Information
Date: 26 Sep 1994 17:52:45 -0400
Subject: ACLU release and letter on FBI wiretap bill

ACLU NEWS RELEASE

ACLU Opposes FBI Wiretap Access Bill;
Legislation Would Create Dangerous Precedent

For IMMEDIATE RELEASE
September 26, 1994

Contact: Barry Steinhardt BarryS @ aclu.org
or Kathy Parrent, 212-944-9800, ext. 424

The American Civil Liberties Union today called on the House Judiciary Committee to reject the FBI Wiretap Access Bill, H.R. 4922, which would require private electronics manufacturers to insure that the FBI can wiretap using developing telecommunications technologies.

In a letter sent to Congressman Jack Brooks, Chair of the House Judiciary Committee, the ACLU stated that the bill "... creates a dangerous and unprecedented presumption that government not only has the power, subject to warrant to intercept private communications, but that it can require private parties to create special access. It is as if the government had required all builders to construct new housing with an internal surveillance camera for government use."

"Moreover, the FBI has not borne the burden of proving why such an extraordinary requirement is necessary..." the letter said.

A copy of the full letter with the ACLU's detailed objections follows.
___________________________________________________________________________

September 22, 1994

Honorable Jack Brooks
Congressman, State of Texas
2449 Rayburn House Office Building
Washington, D.C. 20515-4309

Dear Congressman Brooks:

We are writing to you to express the ACLU's opposition to the FBI-Wiretap Access Bill, H.R. 4922. While we were not actively involved in Subcommittee deliberations, we have reviewed the legislation and we have several major concerns.

The principal problem remains that any digital telephone bill which mandates that communications providers make technological changes for the sole purpose of making their systems wiretap-ready creates a dangerous and unprecedented presumption that government not only has the power, subject to warrant, to intercept private communications, but that it can require private parties to create special access. It is as if the government had required all builders to construct new housing with an internal surveillance camera for government use. Even if such use were triggered only by a judicial warrant, such a requirement would be strongly resisted by the American people. H.R. 4922 establishes a similar requirement, and is without precedent.

Moreover, the FBI has not borne the burden of proving why such an extraordinary requirement is necessary. In 1993, there were fewer than 1,000 wiretaps authorized and many of them failed to yield any substantive evidence while intercepting many innocent conversations. It is far from clear that digital telephones will substantially obstruct legitimate law enforcement efforts. Without further public discussion and debate, the public will not have a sufficient opportunity to weigh the loss of privacy against the FBI's claims. There has been no opportunity to learn the full extent of the types of investigations that the FBI claims were precluded because of a restriction on their public dissemination. Yet, based on these secret assertions, 91 such incidents were cited by the FBI.
On those slim assertions, the public's loss of privacy in digital communications is all but assured and taxpayers will be asked to pay an extraordinary price. H.R. 4922 authorizes $500 million over the next four years to reimburse telecommunications carriers for the costs that would be imposed by the bill. Even if you accept these cost estimates -- the industry puts the real cost in the billions -- we will be spending $125 million or $125,000 per wiretap, for the fewer than 1,000 taps that will be conducted each year.

As you know, the ACLU has the greatest respect for Congressman Edwards and Senator Leahy. Both have been tireless champions for civil liberties. The Edwards/Leahy proposal is an improvement over earlier versions offered by the FBI and we applaud their efforts to add new privacy protections.

The proposed expansion of the Electronic Communications Privacy Act to cordless phones and the requirement that a court order be obtained for transactional data from electronic communication providers both are steps forward and merit separate consideration by the Congress.

But they cannot and should not be traded for the unprecedented intrusion represented by H.R. 4922. In several respects, H.R. 4922 is still too broad in its application.

For example, earlier versions of the bill would have applied directly to on-line communication and information services such as internet providers, America On Line, Compuserve, Prodigy etc. H.R. 4922 would apply directly only to "telecommunications carriers" such as the Regional Bell Operating Companies. But this provision does not narrow the scope of the bill as much as it might seem. First, with the new presumption that the government is entitled to require private manufacturers to insure its ability to wiretap, law enforcement will undoubtedly be back in future years insisting that this limitation thwarts its efforts and will seek to broaden the coverage to other information providers. Once the basic principle of H.R.
4922 is accepted, what arguments remain to resist its expansion? The limited application of H.R. 4922 is surely temporary; what matters is the basic requirement, not its immediate application.

More importantly, law enforcement will still have the opportunity to intercept on-line communications over the internet or commercial on-line networks, by tapping into the facilities of the telecommunications companies. As critics of the earlier versions had noted the coverage of the on-line providers was largely redundant. All these communications still pass over telephone lines. Law enforcement does not need access at every point in a telecommunication in order to intercept it. Access at any one point is sufficient and that would be readily available since ultimately on-line communications must travel over the public switched telephone network which the bill requires be wiretap ready.

Moreover, given the commingled nature of digital communication lines, it is inevitable that more private information from third parties will be intercepted than would be the case with analog phones, and the minimization requirements in the bill will not prevent this.

In the end, this proposal will make our telecommunications structure more, not less vulnerable. In its original form the FBI Digital Telephony proposal would have given the power to the Attorney General to impose standards on communication providers which would guarantee that their systems were wiretap-ready. Essentially, this would have created a centralized wiretapping system that threatened the privacy of the entire nation and was dependent for its security on a few select people.

This raised the real concern that if electronic communications service providers must design their systems to allow and ensure FBI access, then the resulting mandatory "back doors" may become known to and be exploited by "criminals."

The new proposal contains the same risks.
It would have the technical standards developed by the industry, through trade associations or standard-setting bodies, in consultation with the Attorney General. But it contains a "safe harbor" provision, which protects a carrier from sanction if it is in compliance with standards created by this approach. The safe harbor provision virtually guarantees that the standards developed through the industry-based process will be adopted by all. Whether the standards are directly imposed by government or created by concerted industry action, in consultation with the government, makes little difference. The result is the same. A centralized wiretapping capacity with all of its vulnerabilities will still be created.

Finally, we have grave concerns about the encryption provisions. The Edwards/Leahy version has been described as "neutral" on encryption. The bill provides that telecommunications providers do not need to decrypt data, unless they hold the key. In the short term, this is an improvement over the earlier versions of the bill which would have created obligations to decrypt, but there are at least two longer term problems.

First, is the new presumption that industry has the affirmative responsibility to create special technical capacity for the government to snoop. Can there be any real doubt that the FBI will be back in the years to come asserting that its ability to intercept communications has been thwarted by easily available encryption and that an industry obligation, analogous to the new obligation to provide wiretap capacity, must be created?

Secondly, in some cases the telecommunications providers may well hold the key -- particularly as they expand the services they provide to their customers.

H.R. 4922 proposes a radical and expensive change in our telecommunications structure. The threats it poses, now and prospectively, are real, but the need for it far less than evident or proven.
We urge that your Committee not rush into consideration of this far reaching measure with so little time left in the session.

We thank you for your consideration of our views and we would be happy to sit down with you to discuss these issues.

Sincerely,

Ira Glasser
Laura Murphy Lee

--endit--

The ACLU urges interested persons to contact the following members of Congress immediately:

Rep. Jack Brooks           Sen. Howard Metzenbaum
(202) 225-6565 (voice)     (202) 224-7494 (voice)
(202) 225-1584 (fax)       (202) 224-5474 (fax)

=============================================================
ACLU Free Reading Room   | A publications and information resource of the
gopher://aclu.org:6601   | American Civil Liberties Union National Office
mailto:infoaclu@aclu.org | "Eternal vigilance is the price of liberty"

------------------------------

From: "Prof. L. P. Levine"
Date: 26 Sep 1994 12:45:51 -0500 (CDT)
Subject: CPD Information
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing.

Contributions generally are acknowledged within 24 hours of submission. An article is printed if it is relevant to the charter of the digest. If selected, it is printed within two or three days.
The moderator reserves the right to delete extraneous quoted material. He may change the subject line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit or append to the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at gopher.cs.uwm.edu.

Mosaic users will find it at gopher://gopher.cs.uwm.edu.

Older archives are also held at ftp.pica.army.mil [129.139.160.133].

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     | and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Mosaic: gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V5 #039
******************************