Date: Sun, 30 Oct 94 12:18:00 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V5#055

Computer Privacy Digest Sun, 30 Oct 94              Volume 5 : Issue: 055

Today's Topics:                         Moderator: Leonard P. Levine

    Digitized Signatures
    Re: Planting "Mistakes" to Guard Copyright
    Re: Electronic Eavesdropping
    Again, Securest Cordless Phones?
    Driver's License in Minnesota
    Need Help on a Topic
    FTC Orders Trans Union to Stop
    Censorship in Cyberspace
    South African Constitution and Computer Privacy
    OTA Report on Information Security and Privacy Released
    Info on CPD, Contributions, Subscriptions, FTP, etc.

----------------------------------------------------------------------

From: Maryjo Bruce
Date: 28 Oct 1994 07:07:54 -0700 (PDT)
Subject: Digitized Signatures

I don't get out much, and I may be the last person on earth to know this, but yesterday I went to Sears and bought a shovel and charged it on my Visa card. The clerk inspected my card, found it wanting because of a lack of signature on back, and told me to sign my slip with a wand on an electronic panel. He told me that as of the 15th of next month, all customers would be signing electronically. My signature appeared on the screen of the cash register, and he said it was being "sent in" to be verified. Where? He did not know. He said after the 15th the credit card companies were going to a paperless system, and only the electronic info was being kept.

Each time I buy something, the system will verify my signature and immediately notify the store whether it is I or not. I said I knew it was I already. He said it was for my protection.

------------------------------

From: PHILS@RELAY.RELAY.COM (Philip H.
Smith III, (703) 506-0500)
Date: 28 Oct 94 10:05:59 EDT
Subject: Re: Planting "Mistakes" to Guard Copyright

dpaulson@cpdsc.com wrote, regarding maps with fictitious cities:

    Assuming the point of this is to have the fictitious city appear on the illegal copy... How does one tell an illegal copy from a legitimate one, when the legitimate copy contains the fictitious city?

Well, since it's supposed to be the same technique as seeding a mailing list and watching for false hits, I assume they have people parked out in the desert, waiting for the lost tourists...

------------------------------

From: "Houston, James A."
Date: 28 Oct 94 13:22:46
Subject: Re: Electronic Eavesdropping

david.m.kennedy@CEORD-PM.mail.usace.army.mil writes:

    TEMPEST.TXT states, I believe correctly, that it is illegal to possess some types of specialized electronic eavesdropping equipment necessary to intercept tempest-type, e.g. Van Echt, emanations. *If* Winn

-snip-

this may sound a bit hard to believe, but the u.s. government doesn't really care who sniffs out our signals. you can go to radio shack and buy enough equipment to receive what superficially may seem to be "top secret" RF or LOS (AM/FM) signals (eavesdropping on the u.s. government in effect). in fact, it is *assumed* that the enemy is doing that on a continuous basis. the use of classified red/black encryption devices scramble the transmission such that it is totally unintelligible without the *same* encryption/decryption devices on the receiving end.

we assume that the enemy is sitting within a mile of most military installations in a van with the equipment described by david kennedy. the general feeling is sniff all you want, you can't use the data anyway. you must have the correct match of encryption/decryption devices *and* the current crypto key to be able to use what you hear (are able to receive). it is illegal to possess the "encryption equipment", and especially the "key".
both of which are accountable military items; theoretically impossible to buy, impossible to own. in theory that is...the john walker/pueblo incident comes to mind to throw a spin on "theory".

as far as "TEMPEST" goes, if a piece of equipment has been tempest tested/verified, it does NOT emit anything, period. that's the whole idea of tempest. some things must not emit. devices that can emit are video displays, printers, etc. sensitive areas, e.g. video displays capable of displaying top secret data are shrouded with "tempest" shields such that nothing is emitted.

hope that helps some.

--
jim houston
jh2@scires.com

------------------------------

From: CHRISDENNIS@delphi.com
Date: 28 Oct 1994 23:08:26 -0400 (EDT)
Subject: Again, Securest Cordless Phones?

A few weeks ago, there was a small discussion of the most secure cordless phones available to consumers. However, I don't believe much else was said other than the new Motorola "secure" phones can be easily scanned.

I, and other readers I'm sure, would like to know what is the securest on the market in the 900MHz range. And preferably under $300 street! ;-)

Or at least please point me in the right direction on where to look for this info.

--
chrisdennis@delphi.com
Innkeeper/ CyberBizman!

------------------------------

From: "Prof. L. P. Levine"
Date: 29 Oct 1994 06:16:52 -0500 (CDT)
Subject: Driver's License in Minnesota
Organization: University of Wisconsin-Milwaukee

Taken from RISKS-LIST: RISKS-FORUM Digest Friday 28 October 1994 Volume 16 : Issue 51

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Date: 27 Oct 1994 15:05:53 -0500
From: sullivan@geom.umn.edu
Subject: Drivers license as universal ID?

Minnesota is just introducing a new drivers license, with new security features, as well as a bar code and a magnetic strip (with full name, date of birth, and license number).
The photo and signature are digitized, and presumably stored by the state as well as being printed on the card.

I learned about the new licenses from an article in City Pages, a free weekly here in the Twin Cities. The new licenses are produced (for $1.29 apiece) by Deluxe (the check printers). About 4000 drivers had to go back to have their pictures retaken because they were transmitted at night from one computer to another over "incompatible phone lines" [whatever that means] and billions of bits went "screaming into the ether". Deluxe blames a subcontractor.

Since the magstripe can hold about 256 bytes, there have been discussions about what else might be stored there. Things like a list of cars and guns registered in your name, perhaps. Or, people receiving food stamps or welfare might use their license to obtain their benefits, either at a food-store cashier or from an ATM.

Don Gemberling, director of MN's Public Information Policy Analysis Division, evidently did raise the privacy issues during the planning process, noting that a "universal personal identifier ... has been consistently resisted in this country".

Alice Gonzalo (assistant director of DVS, the state Driver and Vehicle Services Division) notes that DVS already sells driver's license information, sorted by different fields. (One could buy a list of Minnesotans over 6'3", for instance.)

There is already a national database of drivers with commercial licenses, called AAMVANET, and there are plans to expand this to all drivers. In Wisconsin, a driver's license can be suspended for failure to pay fines unrelated to driving (like library fines).

MN dept of Administration's Bob Schroeder says

In my opinion, the driver's license has nothing to do with driving. How many times have you pulled it out because an officer asked you for it? You pull it out much more because someone at a store or a check-cashing place wants to know who you are.
It has less to do with driving and more to do with being a universal identifier, a way for you to be identified over the long term. Business really relies on the state to establish this sort of identifier for them.

--
John Sullivan
sullivan@geom.umn.edu

------------------------------

From: rravi@tam2000.tamu.edu (ravi)
Date: 29 Oct 1994 17:35:44 GMT
Subject: Need Help on a Topic
Organization: Texas A&M University, College Station, Tx

I am doing a graduate paper on the "Ethical and moral issues on the proposed Information Superhighway". I am planning to include privacy issues and intellectual property rights issues relating to the info. superhighway.

If anybody could help me with some materials regarding this subject, I would be very grateful. Also, any leads to any ftp sites or any other sources of information are also welcome.

If you have some information regarding this..please email to "rravi@tamaix.tamu.edu" or "rravi@tam2000.tamu.edu".

--
(rravi@tamaix.tamu.edu)
(rravi@tam2000.tamu.edu)
Faith,faith,faith in ourselves
Faith in God
This is the secret of greatness.

------------------------------

From: "Prof. L. P. Levine"
Date: 30 Oct 1994 06:06:26 -0600 (CST)
Subject: FTC Orders Trans Union to Stop
Organization: University of Wisconsin-Milwaukee

Taken from EPIC Alert Volume 1.06 October 28, 1994
Published by the Electronic Privacy Information Center (EPIC) Washington, DC (Alert@epic.org)

FTC Orders Trans Union to Stop Selling Credit Reports to Marketers

The Federal Trade Commission on October 18 ordered Trans Union, one of the nation's largest credit bureaus, to stop selling consumer credit information in its files to direct marketers in violation of the Fair Credit Reporting Act (FCRA). This decision follows a year after TRW, another large credit bureau, signed a consent decree with the FTC to limit selling credit information. Equifax, the other large credit bureau, also stopped voluntarily selling credit info for marketing last year.
Trans Union, through its Transmark target marketing division, created lists of individuals based on credit-related criteria and then sold the information to companies to use for target marketing.

The Commission ruled that target marketing was illegal under the FCRA because the law requires that the consumer initiate the transaction before the information can be released. It also found that the companies had full access to consumers' names and were aware of the criteria under which the names had been chosen from the Trans Union database, which is also an illegal disclosure of credit information.

Trans Union has said they will appeal and plan to continue selling the information in the meanwhile. Under a newly passed law, Trans Union must ask for a stay of the order after 60 days before they can continue selling the information.

Ed. Mierwizinski, Consumer Program Director of US Public Interest Research Group's Washington Office hailed the FTC's actions "it's a good decision. I predict if they try and appeal, they will lose."

------------------------------

From: "Prof. L. P. Levine"
Date: 28 Oct 1994 07:31:05 -0500 (CDT)
Subject: Censorship in Cyberspace
Organization: University of Wisconsin-Milwaukee

Taken from CPSR-GLOBAL

Transcribed and relayed to me by a Netter:

CENSORSHIP IN CYBERSPACE
by Mitt Jones

Freedom of expression for one person is a violation of the First Amendment for another. The age-old censorship debate - what material should be banned and what will be the cost of liberty - has now spread to the information superhighway, the once freewheeling, no-holds-barred place also known as cyberspace.

Online services such as Prodigy, which have long enforced its own standards, are now tightening the censorship reins even more. For example, supervisors recently expanded the use of its "George Carlin" software, which weeds out dozens of objectionable words.

Things are heating up even more on the Internet.
Recently, the Simon Wiesenthal Center, a Los Angeles institute devoted to exposing anti-Semitism, submitted a summary of a massive dossier of cyberspace hatemongering to the FCC. The three-year investigation, sparked by tips from users, portrays the Internet as an unchecked haven for bigots. One file, called Homobash, describes shooting a gay person in the face with a gun; a graphic titled Monkey pictures African-Americans copulating with animals and suggests that such acts account for the rise of AIDS.

Says Rabbi Abraham Cooper, associate dean of the Wiesenthal Center: "It may be time for the FCC to place a cop on the information superhighway."

But because networks are so new, no one knows who's to play Big Brother. The FCC, which regulates radio and TV, has no jurisdiction over computers. So the dossier summary has been turned over to the Justice Department, which seemingly doesn't know exactly what to do about online hatemongering either.

The problem is twofold: There's no mechanism to regulate online services and no legal precedent has yet been set for cyberspace, the way it has for publishing, broadcasting, and speech. The issue with the Internet is whether it should be treated as a broadcast system (subject to government regulation) or as a phone or mail system that simply passes along information. "It's complicated even more because Internet comprises private e-mail and public databases and bulletin boards," adds Internet founder Vinton G. Cerf.

Then there's the issue of whether online providers and the thousands of entities connected to the Internet are defined as commercial or private. If they are seen as private carriers, many will have a hard time defending the enforcement of their standards and will be held legally responsible for the content of discussion groups and forums. The issue is muddled further by the numerous types of services available, including e-mail.
Cerf, also the president of the Internet Society, says that his organization has drafted guidelines of suggested behavior for its users and providers, but critics argue that this will do little to curb hatemongering and sexually explicit materials.

For the time being, however, no mechanism exists to restrict the free flow of information on the Internet, and at press time, the Justice Department has yet to announce any other form of regulation.

-- HOME-OFFICE COMPUTING, November 1994, p.18.

forward by Ken Wang ken or ken@iba.co.ZA

------------------------------

From: "Prof. L. P. Levine"
Date: 29 Oct 1994 06:33:33 -0500 (CDT)
Subject: South African Constitution and Computer Privacy
Organization: University of Wisconsin-Milwaukee

Taken from Computer underground Digest Wed Oct 26, 1994 Volume 6 : Issue 93 ISSN 1004-042X TK0JUT2@MVS.CSO.NIU.EDU

Date: 24 Oct 1994 22:58:17 -0500 (CDT)
From: David Smith
Subject: South African Constitution and computer privacy

Saw this posted elsewhere, just passing along this lawyer's request for information.

---------- Forwarded message ----------
Date--Mon, 24 Oct 1994 17:18:52 GMT

South Africa has a new Bill of Rights which guarantees the right to privacy and protects all persons against unreasonable and unjustified search and seizure of their personal property or the violation of private communications.

I am currently involved in research into the impact of this constitutional right on computer law. In particular, I am looking at whether a state agency can obtain a list of files from a person's account which they suspect contains illegal material such as pirated software or pornography (illegal in South Africa). Does the state agency need to obtain a search warrant or the user's permission before searching his/her account even if their suspicion is a reasonable one?
The crisp legal issue is this: Does the seizure of computer files or a list of those files out of an individual's account, without a warrant or without the user's permission, violate the constitutional right to procedural due process and the right to privacy?

I would like references to reported judgements on this issue, especially cases that have dealt with this on a constitutional law basis. If possible, it would be most useful if I could be e-mailed actual copies of the judgements. Reported decisions from any jurisdiction would be useful.

Thank you in advance.

--
Mr Ron Paschke
Department of Procedural and Clinical Law
University of Natal
Durban
South Africa
email: paschke@law.und.ac.za

------------------------------

From: "Prof. L. P. Levine"
Date: 29 Oct 1994 06:33:33 -0500 (CDT)
Subject: OTA Report on Information Security and Privacy Released
Organization: University of Wisconsin-Milwaukee

Taken from Computer underground Digest Wed Oct 26, 1994 Volume 6 : Issue 93 ISSN 1004-042X TK0JUT2@MVS.CSO.NIU.EDU

Date: 27 Sep 1994 13:54:43 CDT
From: mdexter@ops.ota.gov (Dexter, Martha Dir.,Info/Pub)

September 23, 1994

[The Office of Technology Assessment report "Information Security and Privacy in Network Environments" is now available. The report was released on September 23, 1994. Ordering information and details about electronic access are at the end of this message.]

As electronic transactions and records become central to everything from commerce and tax records to health care, new concerns arise for the security and privacy of networked information. These concerns, if not properly resolved, threaten to limit networking's full potential in terms of participation and usefulness, says the congressional Office of Technology Assessment (OTA) in a report released today.

Some 20 to 30 million people worldwide can exchange messages over the Internet. Every day U.S.
banks transfer about $1 trillion among themselves, and New York markets trade an average of $2 trillion in securities. Nearly all of these transactions pass over information networks.

The report "Information Security and Privacy in Network Environments" focuses on safeguarding unclassified information in networks, not on the security or survivability of networks themselves, or on the reliability of network services to ensure information access.

Appropriate safeguards must account for--and anticipate--technical, institutional, and social changes that increasingly shift responsibility for safeguarding information to the end users, says OTA. The laws currently governing commercial transactions, data privacy, and intellectual property were largely developed for a time when telegraphs, typewriters, and mimeographs were the commonly used office technologies and business was conducted with paper documents sent by mail. Technologies and business practices have dramatically changed, but the law has been slower to adapt, says OTA.

Information safeguards, especially those based on cryptography, are achieving new prominence. OTA emphasizes that decisions about cryptography policy will affect the everyday lives of most Americans because cryptography will help ensure the confidentiality and integrity of health records and tax returns, speed the way to electronic commerce, and manage copyrighted material in electronic form. Congress has a vital role in formulating national cryptography policy, says OTA, and more generally in safeguarding electronic information and commercial transactions and protecting personal privacy in a networked society.

A field of applied mathematics/computer science, cryptography is the technique of concealing the contents of a message by a code or a cipher. The message is unintelligible without special knowledge of some secret (closely held) information, the key that "unlocks" the encrypted text and reveals the original text.
Key management is fundamental to security. It includes generation of the encryption key or keys, as well as their storage, distribution, cataloging, and eventual destruction.

The federal government still has the most expertise in cryptography, says OTA. As a developer, user, and regulator of safeguard technologies, the federal government faces a fundamental tension between two important policy objectives: fostering the development and widespread use of cost-effective safeguards; and--through use of federal standards and export controls--controlling the proliferation of commercial safeguard technologies that can impair U.S. signals-intelligence and law-enforcement capabilities.

The concern is reflected in the ongoing debates over key-escrow encryption and the government's Escrowed Encryption Standard (EES). The Clinton Administration announced the "escrowed-encryption" initiative, often called the "Clipper chip," in 1993. This type of encryption is intended to allow easy decryption by law enforcement when the equivalent of a wiretap has been authorized. The Department of Commerce issued the EES, developed by the National Security Agency (NSA), as a federal information processing standard for encrypting unclassified information in February 1994.

The initiative in general and the EES in particular have seen intense public criticism and concern, OTA reports. The controversy and unpopularity stem in large part from privacy concerns and the fact that government-designated "escrow agents" will hold the users' cryptographic keys.

Congress has asked the National Research Council (NRC) to conduct a major study, expected to be available in 1996, which would support a broad review of cryptography. OTA presents several options for congressional consideration in the course of such a review.
Because the timing of the NRC review is out of phase with the government's implementation of key-escrow encryption, one option would be to place a hold on further deployment of key-escrow encryption, pending a congressional policy review.

An important outcome of a broad review of national cryptography policy, says OTA, would be the development of more open processes to determine how cryptography will be deployed throughout society, including the development of infrastructures to support electronic commerce and network use of copyrighted materials. More openness would build trust and confidence in government operations and leadership and allow for public consensus-building.

OTA examines and offers policy options for congressional consideration in three areas: 1) cryptography policy, including federal information processing standards and export controls; 2) guidance on safeguarding unclassified information in federal agencies; and 3) legal issues and information security, including electronic commerce, privacy, and intellectual property.

Requesters for the report are the Senate Committee on Governmental Affairs and the House Subcommittee on Telecommunications and Finance.

OTA is a nonpartisan analytical agency that serves the U.S. Congress. Its purpose is to aid Congress with the complex and often highly technical issues that increasingly affect our society.

------------------------------

From: "Prof. L. P. Levine"
Date: 26 Sep 1994 12:45:51 -0500 (CDT)
Subject: Info on CPD, Contributions, Subscriptions, FTP, etc.
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.
If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing.

Contributions generally are acknowledged within 24 hours of submission. An article is printed if it is relevant to the charter of the digest. If selected, it is printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the subject line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit or append to the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at gopher.cs.uwm.edu.

Mosaic users will find it at gopher://gopher.cs.uwm.edu.

Older archives are also held at ftp.pica.army.mil [129.139.160.133].

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     |    and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Mosaic: gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V5 #055
******************************