Date: Wed, 23 Aug 95 09:20:55 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@uwm.edu Subject: Computer Privacy Digest V7#015 Computer Privacy Digest Wed, 23 Aug 95 Volume 7 : Issue: 015 Today's Topics: Moderator: Leonard P. Levine Re: Netscape Security Re: Netscape Security Re: A Netscape Story Re: A Netscape Story Re: A Netscape Story Re: An Abuse of Individual Right to Privacy? Re: An Abuse of Individual Right to Privacy? A New Newsletter Recommendation Time to Tree the Tiger in the U.S.A. Re: Information Collection at Sears Medicare leak through FOIA analysis and 9 digit ZIP Duration of Customer Relation & Customers Privacy EPIC Alert 2.09 Info on CPD [unchanged since 08/01/95] ---------------------------------------------------------------------- From: nevin@cs.arizona.edu (Nevin ":-]" Liber) Date: 19 Aug 1995 17:31:42 -0700 Subject: Re: Netscape Security Organization: University of Arizona CS Department, Tucson "It's too dang hot!" Arizona shank@netscape.com (Peter Shank) wrote: The standard way to determine the level of security of any encryption scheme is to compare the cost of breaking it versus the value of the information that can be gained. In this case he had to use roughly $10,000 worth of computing power (ballpark figure for having access to 120 workstations and a few parallel supercomputers for 8 days) to break a single message. Assuming the message is protecting something of less value than $10,000, then this information can be protected with only RC4-40 security. For information of greater value, currently available RC4-128 security should be used. This type of cost analysis is only valid *if* the user of the computing power has to make a tradeoff between using it for this purpose and other useful work. If these machines would otherwise be idle, this computing power is virtually free (imagine if everyone ran RC4-40 cracking software instead of screen savers...). Also, how much cheaper does the computing power get if you allow, say 30 days to crack a message? How much cheaper is the computing power going to be next year or the year after that (assuming the data still retains its value; more on this below)? How valuable are credit card numbers? A reasonable assumption could be the credit limit on the card. My credit limit per card is certainly well within the ballpark of the $10K cost you associate with cracking a message, and I would guess that most non-students who have the equipment to surf the Internet have a similar amount of credit available. The other aspect to determining the level of security needed is the duration that the information retains its value. My primary credit card has had the same number for the last five years, and I don't see it changing in the foreseeable future, barring someone else "stealing" it. This, combined with credit limits usually going up over time, makes this data valuable *indefinitely*. Inside the US, software can support a range of stronger encryption options, including RC4-128, which is 2^88 times harder to break. Irrelevant. How many sites on the Internet are going to want to deal with US-only transactions? The other question to ask is who exactly is assuming the risk: Netscape, Visa, or consumers directly? -- Nevin ":-)" Liber nevin@CS.Arizona.EDU (520) 293-2799 ------------------------------ From: bo774@freenet.carleton.ca (Kelly Bert Manning) Date: 21 Aug 1995 07:11:58 GMT Subject: Re: Netscape Security Organization: The National Capital FreeNet, Ottawa, Ontario, Canada "Prof. L. P. Levine" (levine@blatz.cs.uwm.edu) writes: The standard way to determine the level of security of any encryption scheme is to compare the cost of breaking it versus the value of the information that can be gained. In this case he had to use roughly $10,000 worth of computing power (ballpark figure for having access to 120 workstations and a few parallel supercomputers for 8 days) to break a single message. Assuming the message is protecting something of less value than $10,000, then this information can be protected with only RC4-40 security. For information of greater value, currently available RC4-128 security should be used. It might be prudent to take a long term perspective of the value of the asset. If it is your charge card account number and data that helps to convince someone of your identity $10,000 is about the same order of magnitude as most card credit limits. The cardholder may not be on the hook individually for bogus charges, but the credit granting institution may have something to say about using netscape with weak encryption. If the message contains information that allows an impersonator to highjack your identity and open up a number of charge accounts the total could easily run up to over $10,000. Again, you may not be on the hook for bogus charges, but if you get arrested, perhaps repeatedly and have to devote time and effort to clearing yourself the cost may be more than $10,000. I'm not being alarmist when I mention people being arrested because of actions of impersonators. It happens, sometimes repeatedly. The cost of computing goes down continuously, while inflation, if nothing else, makes the cost of everything rise. Will you still be using the same account number when the cost of decrypting individual messages drops to $1,000. How about when it drops to $100? It is becoming quite cheap to record huge amounts of data on archival quality media. A $10,000 price tag for decryption today is no guarantee that it would be archived and decrypted later when costs are much lower, or when something develops that makes it worth while for someone to expend the resources to put your data trail under the microscope.(future USA Supreme Court nominees please take note) So in conclusion, we think RC4-40 is strong enough to protect consumer-level credit-card transactions -- since the cost of breaking the message is sufficiently high to make it not worth the computer time required to do so - -- and that our customers should use higher levels of I've never had a credit card account and don't plan to, however I would never use this for banking transactions. It will be interesting to see what financial institutions think of it. security, particularly RC4-128, whenever possible. This sounds like good advice in any circumstance. ------------------------------ From: Barry Margolin Date: 20 Aug 1995 18:28:46 -0400 Subject: Re: A Netscape Story Organization: BBN Planet Corp., Cambridge, MA "Prof. L. P. Levine" writes: The geniuses at Netscape have put into their excellent software this undocumented (or poorly documented) feature to amuse me. I must ask why else they would have done it. This a an extremely common practice in the software business. Programmers like to put in little surprises like these. There's even a name for them: Easter Eggs. Just about every release of the Macintosh OS has had a few (e.g. press the appropriate, obscure combination of keystrokes or click the mouse in just the right place and the list of programmers might pop up). Why do they do it? Because programmers are creative people and they like to have fun. And users like the challenge of finding these goodies (hence the origin of the term "Easter Egg"). Have they not learned from the experience of Prodigy or Microsoft that communications software that runs in ways that the user is not warned about can easily lead the user to wonder what else is automatically installed? That undocumented stuff might well be very intrusive. Sure, it could be. But they generally aren't. They're harmless little displays that basically congratulate the user for finding a hidden treasure. Most of us recall the near disaster that faced Prodigy some years ago when a swap file they installed on the user's PC seemed to have material to be uploaded from the user's work space. The facts were finally shown to be much more benign, but the damage still echos around the net. This wasn't an "undocumented feature", it was just an accident due to the way the Prodigy software interacts with the OS. In fact, it was more the OS's fault than Prodigy's -- the Prodigy software asked the OS to create a big file for it, and the OS returned a file whose contents happened to include the data that used to be in those disk blocks. Most operating systems will clear disk blocks before allocating them to a new file, but MS-DOS doesn't. Currrently we are watching the introduction of Windows 95. Windows 95 might or might not have software that automatically reports to Microsoft just what software you are running. I suspect it does not, but we shall see. Microsoft has been extremely upfront about the Registration Wizard, which I believe is what you're talking about. Of course, if you're a conspiracy theorist (which it appears you may be) you might think they're lying through their teeth. The existence of Easter Eggs doesn't make other covert actions by communications software any more or less likely. In fact, it might even make it less likely -- vendors that are trying to steal your data are not likely to make you suspicious of them by putting other covert actions in their software. They'd want it to look as safe as possible so that you'll trust it. On the other hand, they may be putting the Easter Eggs in because they think you'll use the above logic in order to trust them. But you had them pegged right away. -- Barry Margolin BBN PlaNET Corporation, Cambridge, MA barmar@bbnplanet.com Phone (617) 873-3126 - Fax (617) 873-5124 ------------------------------ From: olcay@libtech.com (olcay cirit) Date: 21 Aug 95 09:16:49 PDT Subject: Re: A Netscape Story If you are running Netscape on your IBM type PC and you type CTRL-ALT-F you suddenly find yourself looking at "The Amazing Fish Cam" which connects to a netscape server and does something cool, I suppose. If you are running Netscape on a Sun station, and you click on a link using the middle (adjust) button on your mouse, the status bar will change to 'Mozilla' temporarily while another Netscape Window is loading. Also, if you click on the netscape logo in the about screen, you are launched into a screen with all the authors and such. I don't know the documentation status of the above two, though. I truly wonder just what else Netscape does that they have not told me/us about. I hope that there are those privacy nuts out there who are watching as packets are thrown around the net. I hope that they are looking for stuff that the user did not intend to send to the author of the package. I hope that the CTRL-ALT-F is the only unadvertized special feature. This is just speculation, but I get suspicious when I connect to the Netscape Site. Could it be that Netscape hands over your email, name, system software information, traceroute info, and other things for their own personal use? Lot's of sites do this, but they are usually for testing or demonstrating these features. Or for a prank. Virtually, Olcay ------------------------------ From: Evan Rosser Date: 20 Aug 1995 19:36:28 -0400 Subject: Re: A Netscape Story Have they not learned from the experience of Prodigy or Microsoft that communications software that runs in ways that the user is not warned about can easily lead the user to wonder what else is automatically installed? That undocumented stuff might well be very intrusive. Hmm. Personally, I don't think it was any wondering about what *else* was installed in Prodigy that caused people to worry -- it was the very real presence of user data in a Prodigy file. It was documented. Certainly there was musing about what that data was being used for, but it was a specific, not vague, concern (i.e. being transmitted to Prodigy.) In this case there's nothing to lead me to believe that simply because Netscape put in a hot key for a popular page, they might be uploading my data. I am not too concerned about undocumented playful hacks. It has a long history -- i.e. "MAKE LOVE"/Not war? on DEC-20's, developers' pictures in the Mac SE ROM's, etc. As a matter of fact, there are more such things in Netscape -- try typing "about:mozilla" as a URL to load. But on a more serious note, I agree that a company that distributes communications programs in binary-only form cannot allow anything to undermine the public's trust. I guess they didn't think that tricks such as the above do. -- Evan Rosser ejr@cs.umd.edu ------------------------------ From: bo774@freenet.carleton.ca (Kelly Bert Manning) Date: 21 Aug 1995 07:20:33 GMT Subject: Re: An Abuse of Individual Right to Privacy? Organization: The National Capital FreeNet, Ottawa, Ontario, Canada Robert Shorten (shorten@nic.wat.hookup.net) writes: Well, wouldn't such a thing be like the phone book? The phone company lists names and addresses of people and doesn't ask them first whether they want to be listed (such people have to contact the phone company.) As long as they (the directory people) give clear information in their directory as to how one can be unlisted, I don't think it's an invasion of privacy. There are already paper directories that list names, addresses, phone numbers, and even places of work. But what is the coverage rate? Where I live publishing personal information about someone is prohibited by provincial Credit Reporting law unless they consent or one of a short list of conditions are met. Anyone who published my name and address would be paying me $100, perhaps for each copy of the directory. I noted in a post several months ago that the local Polk directory had a coverage rate of around 60% in a group of about 400 consecutive phone numbers in a high income residential area. It is worth keeping in mind when you look at one of these directories, or even at the phone book, that there is nothing to indicate how many are missing. All you see is the listed numbers. Do non-published phone number/address rates in the USA range from 30% in places such as Seattle to over 60% in Los Angeles? What you don't see may be quite large. ------------------------------ From: travis.winfrey@gs.com (Travis Winfrey - NY) Date: 22 Aug 95 14:14:05 EDT Subject: Re: An Abuse of Individual Right to Privacy? shorten@nic.wat.hookup.net (Robert Shorten) writes: Well, wouldn't such a thing be like the phone book? The phone company lists names and addresses of people and doesn't ask them first whether they want to be listed (such people have to contact the phone company.) As long as they (the directory people) give clear information in their directory as to how one can be unlisted, I don't think it's an invasion of privacy. There are already paper directories that list names, addresses, phone numbers, and even places of work. Your reply assumes that `brett@aa.net' will do what they said they will do when there is no special reason to assume that. In particular, privacy issues frequently are decided by what is the more profitable action, and I suspect this one would be similar. I know that if I were a high-end stereo/speaker manufacturer, I would be thrilled to correlate posts in the appropriate music group to the real, live people who can buy my expensive widgets. In many cases, people may not suspect anything because of their own purchases and subscriptions that lead to their being present on similar mailing lists. You can create your own examples using the many computer and consumer groups on the net. One can also create more sinister examples using stalkers or wife-beaters, but that's nowhere near as likely. However, a friend who was sexually abused by her father had her diary and many personal letters she had written subpoened for the trial. Given that type of explosive situation, it wouldn't be far-fetched for someone to try to connect xyz's posts in alt.recover.sexual-abuse to the real person, or similar confessional/support groups. This didn't happen in the trial in question, I'm simply outlining possibilities. ------------------------------ From: cpreston@alaska.net (Charles M. Preston) Date: 20 Aug 1995 11:47:33 -0800 Subject: A New Newsletter Recommendation I would like to recommend a new publication called The Jarvis Report. It is a quarterly newsletter about industrial espionage, and some technical tricks of the trade. Ray Jarvis, who puts out the newsletter, has an extensive government background in technical surveillance and he provides classes for government and private security in countermeasures and associated subjects. His stated aim is to collect and analyze verifiable instances of the theft of proprietary information, and to provide an overall look at trends and problems. All 6 sections of the July issue were either useful or entertaining. This edition includes an account of widespread electronic eavesdropping in Israel, and suggestions on balanced line detection of series telephone line transmitters. A newsletter sample (article on Israel) can be found in the Info-Sec Super Journal area at http://all.net The Jarvis Report is published by Jarvis International Intelligence, Inc., 11720 E. 21st Street, Tulsa, OK, 74129 Tel 918-437-1100 Fax 918-437-1191 Charles Preston Information Integrity cpreston@alaska.net ------------------------------ From: Bryan Nelson Date: 21 Aug 1995 21:40:41 GMT Subject: Time to Tree the Tiger in the U.S.A. Organization: Pacific Rim Network, Inc. William A. LaFreniere W.A.L. REHAB (360) 676-4766 Time to tree the tiger in the U.S.A. As most of you are probably aware, the assault of government on the rights of the individual, the taxpayer and small business has reached the crisis level. Many of us are adversely affected by intrusive government employees and regulations on a daily basis. We find ourselves unable to do anything about it because we are working people, and haven't the time to devote to the cause. The people who are waging war against us are using work-time, along with computer and telephone networks to keep ahead of our efforts to keep them at bay. We can't control their numbers, we cant fire them. We can't cut their purse strings,they hold the purse, and can weave more strings faster than we can cut them. It probably will do no good to complain about them, even to your State representatives,you will be talking to one of them over the phone. They are unionized governmentemployees. You may have thought that government employees were not allowed to unionize...think again. It's one of government's most closely guarded secrets. If thereever was a motive for the Oklahoma bombing, this was likely the reason. You may have heard rumblings about a New World Order, probably came from some union motivational speech, but don't worry, other Countrys would never let it happen. What we need to concern ourselves with, is how to extract them. It will be no easy task, as unions have had many years to write protections into the law. But extract we must, as many of you are aware, union are self-serving and self-preserving.Such influence on commerce, regulations, and the carrying out of Justice. Bill is the owner of a small business. He is one of the people who has to deal with an intrusive government on a daily basis. Regulations keep him in poverty and prevent him from being able to compete with more politically advantaged businesses. Government employees blinded by legality of their regulations,threaten to take everything he owned, and leave him on the streets of Bellingham Washington U.S.A.. You may not be as adversely affected as he is, but if you have a story to tell, or would like to form an organization to compile a list of government wrongdoings,and provide organized opposition and to Rehab the LAW, give him a call. He will call you to set up meeting times and to keep you informed on progress. Please leave your name and phone number. Here again is his business message number. (360) 676-4766 Thanks for your help and understanding -- Bill LaFreniere W.A.L. REHAB 0266 Bellingham, Washington, USA
------------------------------ From: NRA@MAXWEL.PH.KCL.AC.UK (Nigel Arnot) Date: 22 Aug 1995 09:35:16 GMT Subject: Re: Information Collection at Sears Organization: Dept Physics, Kings College London rathinam@worf.netins.net (Sethu R Rathinam) says: will have enough data to make a perfect duplicate of your signature. Question is, when such capability is achieved, will the companies tell you about the capability maturity - especially if you and I never asked questions when signing the "dumb" signature pads? Possible countermeasure. I have just produced a few perfectly recognisable copies of my own signature which would have *extremely* different pressure/velocity profiles, by the simple expedient of concentrating and deliberately writing slow/fast/extra heavy/light at various moments during the manufacture of the signature. If the result was just scanned in as a bitmap it would match my normal signature well enough, but the profile would be quite worthless. If I'm ever invited to sign on a pad, this is probably what I'll do. And if next time the computer can't recognise my signature, I'll let the world know what's doing on! -- Nigel. ------------------------------ From: "Prof. L. P. Levine" Date: 22 Aug 1995 10:52:23 -0500 (CDT) Subject: Medicare leak through FOIA analysis and 9 digit ZIP Organization: University of Wisconsin-Milwaukee Taken from RISKS-LIST: Risks-Forum Digest Monday 21 August 1995 Volume 17 : Issue 28 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Date: 20 Aug 1995 09:35:01 -0500 From: Quentin Fennessy Subject: Medicare leak through FOIA analysis and 9-digit ZIP I read an article on Medicare in the 20 Aug 1995 _Austin American-Statesman_. The article was evidently done for the Cox Newspaper chain. The article talks of the deterioration of the service, and also touches on that fact that a handful of doctors earn a disproportionate share of Medicare funds paid out. The article has a sidebar, which says, in short: Cox analyzed 100 million computerized Medicare payment records for the report. The information was obtained via FOIA. The doctors names were not released. Evidently there is an ongoing court case to release the doctors' names. Cox was able to identify some of the doctors. The doctor's id codes were obscured by Medicare, but the 9 digit zip codes of the doctor's offices were not. Cox was able to pinpoint individual doctors given this level of detail. Risks: If information needs to be split into private and public components then care needs to be taken for the job to be done correctly. 9-digit zip codes divide the US into fairly small areas and so can (and have) given away the store. This is not to say that I think this Medicare information should be kept secret. However, 9 digit zip codes in databases can be used to pinpoint all sorts of details about folks. Quentin Fennessy quentin.fennessy@sematech.org ------------------------------ From: larpes@katk.helsinki.fi (Gard Larpes) Date: 22 Aug 1995 06:58:50 GMT Subject: Duration of Customer Relation & Customers Privacy Organization: Helsinki University Hello does any one have some ideas concerning "Cutomers relation". I am searching ideas conserning customer relation, and its basic elements looked at it from the view of an agreement. Basic idea: A registration of an customer relation, requires an customer relation agreement between the registrator and the registrated. Questions: What are the basic elements in the customer relation? That is what sort of changes would mean, an change in the customer relation? What sort of changes would mean, that the agreement is not valid? What sort of changes could be valid, with only passiv acceptance from the registered. In finland the privacy legislation, allows registration of individuals only if there is an natural bondage between the registered and the registrator. Such an natural bondage is an customer relation. But when does an customer relation exist judicially? If registration of an customer is based on allowens from the customer, in that case there should be an sign of allowance as passiv/active agreement. An customer pre-agreement would mean an bondage, and judicially clear case. But what sort of changes in the customer relation would mean that the earlier agreement is no longer valid as base for registration? What sort of changes in the registrator company (identity, ownership) would mean an change inflikting the customer relation & it's base for registration of the customers? Interesting views & oppinions are WANTED !!! ------------------------------ From: "Dave Banisar" Date: 21 Aug 1995 16:47:56 U Subject: EPIC Alert 2.09 ============================================================= @@@@ @@@@ @@@ @@@@ @ @ @@@@ @@@@ @@@@@ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @@@ @ @ @@@@@ @ @@@ @@@ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @ @@@ @@@@ @ @ @@@@ @@@@ @ @ @ ============================================================= Volume 2.09 August 21, 1995 ------------------------------------------------------------- Published by the Electronic Privacy Information Center (EPIC) Washington, DC info@epic.org http://www.epic.org *Special Edition: Crypto* ======================================================================= Table of Contents ======================================================================= [1] "New" Crypto Policy Announced: Clipper II? [2] NIST Announcement on Key-Escrow Workshops [3] Documents: FBI & NSA Want to Ban Non-Escrowed Encryption [4] EPIC Crypto Web Pages Online [5] Upcoming Conferences and Events ======================================================================= [1] "New" Crypto Policy Announced: Clipper II? ======================================================================= The Clinton Administration ended a year of silence on August 17 when it issued a long-awaited statement on the Clipper Chip and key-escrow encryption. Unfortunately, the "new" policy is merely a re-working of the old one -- the Administration remains committed to key-escrow techniques that ensure government agents access to encrypted communications. The only changes are a willingness to consider the export of 64-bit encryption (if "properly escrowed"), the possibility of private sector escrow agents to serve as key-holders, and consideration of software implementations of key-escrow technologies. As EPIC Advisory Board member Whit Diffie observed in an op-ed piece in the New York Times, the new approach won't work. "While other nations may share our interest in reading encrypted messages for law enforcement purposes, they are unlikely to embrace a system that leaves them vulnerable to U.S. spying. They will reject any system that gives decoding ability to agents in the United States." Diffie further notes that "64-bit keys are not expected to be adequate." In a statement re-printed below, the National Institute of Standards and Technology (NIST) announced two public workshops "to discuss key escrow issues." More information concerning these meetings can be obtained from Arlene Carlton at NIST, (301) 975-3240, fax: (301) 948-1784, e-mail: carlton@micf.nist.gov. ======================================================================= [2] NIST Announcement on Key-Escrow Workshops ======================================================================= EMBARGOED FOR RELEASE: NIST 95-24 3 p.m. EDT, Thursday, Aug. 17, 1995 Contact: Anne Enright Shepherd COMMERCE'S NIST ANNOUNCES (301) 975-4858 PROCESS FOR DIALOGUE ON KEY ESCROW ISSUES Furthering the Administration's commitment to defining a workable key escrow encryption strategy that would satisfy government and be acceptable to business and private users of cryptography, the Commerce Department's National Institute of Standards and Technology announced today renewed dialogue on key escrow issues. A Sept. 6-7 workshop will convene industry and government officials to discuss key escrow issues, including proposed liberalization of export control procedures for key escrow software products with key lengths up to 64 bits, which would benefit software manufacturers interested in building secure encryption products that can be used both domestically and abroad. Key escrow encryption is part of the Administration's initiative to promote the use of strong techniques to protect the privacy of data and voice transmissions by companies, government agencies and others without compromising the government's ability to carry out lawful wiretaps. In a July 1994 letter to former Rep. Maria Cantwell, Vice President Gore said that the government would work on developing exportable key escrow encryption systems that would allow escrow agents outside the government, not rely on classified algorithms, be implementable in hardware or software, and meet the needs of industry as well as law enforcement and national security. Since that time, discussions with industry have provided valuable guidance to the Administration in the development of this policy. For example, many companies are interested in using a corporate key escrow system to ensure reliable back-up access to encrypted information, and the renewed commitment should foster the development of such services. Consideration of additional implementations of key escrow comes in response to concerns expressed by software industry representatives that the Administration's key escrow policies did not provide for a software implementation of key escrow and in light of the needs of federal agencies for commercial encryption products in hardware and software to protect unclassified information on computer and data networks. Officials also announced a second workshop at which industry is invited to help develop additional Federal Information Processing Standards for key escrow encryption, specifically to include software implementations. This standards activity would provide federal government agencies with wider choices among approved key escrow encryption products using either hardware or software. Federal Information Processing Standards provide guidance to agencies of the federal government in their procurement and use of computer systems and equipment. Industry representatives and others interested in joining this standards-development effort are invited to a key escrow standards exploratory workshop on Sept. 15 in Gaithersburg, Md. This workshop is an outgrowth of last year's meetings in which government and industry officials discussed possible technical approaches to software key escrow encryption. The Escrowed Encryption Standard, a Federal Information Processing Standard for use by federal agencies and available for use by others, specifies use of a Key Escrow chip (once referred to as "Clipper chip") to provide strong encryption protection for sensitive but unclassified voice, fax and modem communications over telephone lines. Currently, this hardware-based standard is the only FIPS-approved key escrow technique. NIST officials anticipate proposing a revision to the Escrowed Encryption Standard to allow it to cover electronic data transmitted over computer networks. Under this revised federal standard, the Capstone chip and other hardware-based key escrow techniques developed for use in protecting such electronic data also will be approved for use by federal agencies. As a non-regulatory agency of the Commerce Department's Technology Administration, NIST promotes U.S. economic growth by working with industry to develop and apply technology, measurements and standards. ======================================================================= [3] Documents: FBI & NSA Want to Ban Non-Escrowed Encryption ======================================================================= On a related note ... Declassified government documents recently obtained by EPIC show that key federal agencies concluded more than two years ago that the "Clipper Chip" key-escrow initiative will only succeed if alternative security techniques are outlawed. The information is contained in several hundred pages of material concerning Clipper and cryptography EPIC obtained from the FBI under the Freedom of Information Act. The conclusions contained in the documents appear to conflict with frequent Administration claims that use of key-escrow technology will remain "voluntary." Critics of the government's initiative, including EPIC, have long maintained that government-sanctioned key- escrow encryption techniques would only serve their stated purpose if made mandatory. According to the FBI documents, that view is shared by the Bureau, the National Security Agency (NSA) and the Department of Justice (DOJ). In a "briefing document" titled "Encryption: The Threat, Applications and Potential Solutions," and sent to the National Security Council in February 1993, the FBI, NSA and DOJ concluded that: Technical solutions, such as they are, will only work if they are incorporated into *all* encryption products. To ensure that this occurs, legislation mandating the use of Government-approved encryption products or adherence to Government encryption criteria is required. Likewise, an undated FBI report titled "Impact of Emerging Telecommunications Technologies on Law Enforcement" observes that "[a]lthough the export of encryption products by the United States is controlled, domestic use is not regulated." The report concludes that "a national policy embodied in legislation is needed." Such a policy, according to the FBI, must ensure "real-time decryption by law enforcement" and "prohibit[] cryptography that cannot meet the Government standard." The FBI conclusions stand in stark contrast to public assurances that the government does not intend to prohibit the use of non- escrowed encryption. Testifying before a Senate Judiciary Subcommittee on May 3, 1994, Assistant Attorney General Jo Ann Harris asserted that: As the Administration has made clear on a number of occasions, the key-escrow encryption initiative is a voluntary one; we have absolutely no intention of mandating private use of a particular kind of cryptography, nor of criminalizing the private use of certain kinds of cryptography. The newly-disclosed information suggests that the architects of the key-escrow program -- NSA and the FBI -- have always recognized that key-escrow must eventually be mandated. Coming to light on the eve of the announcement of a "new" Administration policy, the FBI documents raise significant questions as to the government's long-term strategy on the cryptography issue. Scanned images of several key documents are available via the World Wide Web at http://www.epic.org/crypto/ban/fbi_dox/ ======================================================================= [4] EPIC Crypto Policy Web Pages Online ======================================================================= EPIC is now making available an extensive series of pages on cryptography policy. Each page highlights an area of controversy and provides links to key documents. Materials include formerly secret government documents obtained under FOIA by EPIC and CPSR, reports from the Office of Technology Assessment, the General Accounting Office and others on cryptography. Topics include: o Efforts to ban cryptography o The Clipper Chip o The Digital Signature Standard o The Computer Security Act of 1987 The pages are available at http://www.epic.org/crypto/ More pages will become available soon. ======================================================================= [5] Upcoming Privacy Related Conferences and Events ======================================================================= Advanced Surveillance Technologies. Sept. 4, 1995. Copenhagen, Denmark. Sponsored by Privacy International and EPIC. Contact pi@privacy.org. http://www.privacy.org/pi/conference/ 17th International Conference of Data Protection and Privacy Commissioners. Copenhagen, Denmark. September 6-8, 1995. Sponsored by the Danish Data Protection Agency. Contact Henrik Waaben, +45 33 14 38 44 (tel), +45 33 13 38 43 (fax). InfoWarCon '95. September 7-8, 1995. Arlington, VA. Sponsored by NCSA and OSS. Email: 74777.3033@compuserve.com. Business and Legal Aspects of Internet and Online Services. Sept. 14-15. New York City. Sponsored by National Law Journal and New York Law Journal. Contact: (800)888-8300, ext. 6111, or (212)545-6111. The Good, the Bad, and the Internet: A Conference on Critical Issues in Information Technology. October 7-8. Chicago, Ill. Sponsored by CPSR. Contact cpsr@cpsr.org or http://www.cs.uchicago.edu/discussions/cpsr/annual 18th National Information Systems Security Conference. Oct. 10-13. Baltimore, MD. Sponsored by NSA and NIST. Contact: 301-975-3883. Managing the Privacy Revolution. Oct. 31 - Nov. 1, 1995. Washington, DC. Sponsored by Privacy & American Business. Speakers include Mike Nelson (White House) C.B. Rogers (Equifax) and Marc Rotenberg (EPIC). Contact Alan Westin 201/996-1154. 22nd Annual Computer Security Conference and Exhibition. Nov. 6-8, Washington, DC. Sponsored by the Computer Security Institute. Contact: 415-905-2626. Global Security and Global Competitiveness: Open Source Solutions. Nov. 7-9. Washington, D.C. Sponsored by OSS. Contact: Robert Steele oss@oss.net. 11th Annual Computer Security Applications Conference: Technical papers, panels, vendor presentations, and tutorials that address the application of computer security and safety technologies in the civil, defense, and commercial environments. Dec. 11-15, 1995, New Orleans, Louisiana. Contact Vince Reed at (205)890-3323 or vreed@mitre.org. Computers Freedom and Privacy '96. March 27-30. Cambridge, Mass. Sponsored by MIT, ACM and WWW Consortium. Contact cfp96@mit.edu or http://www-swiss.ai.mit.edu/~switz/cfp96 Australasian Conference on Information Security and Privacy June 24-26, 1996. New South Wales, Australia. Sponsored by Australasian Society for Electronic Security and University of Wollongong. Contact: Jennifer Seberry (jennie@cs.uow.edu.au). (Send calendar submissions to Alert@epic.org) ======================================================================= The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe, send the message: SUBSCRIBE CPSR-ANNOUNCE Firstname Lastname to listserv@cpsr.org. You may also receive the Alert by reading the USENET newsgroup comp.org.cpsr.announce. Back issues are available via http://www.epic.org/alert/ or FTP/WAIS/Gopher/HTTP from cpsr.org /cpsr/alert/ and on Compuserve (Go NCSA), Library 2 (EPIC/Ethics). ======================================================================= The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues relating to the National Information Infrastructure, such as the Clipper Chip, the Digital Telephony proposal, medical record privacy, and the sale of consumer data. EPIC is sponsored by the Fund for Constitutional Government and Computer Professionals for Social Responsibility. EPIC publishes the EPIC Alert and EPIC Reports, pursues Freedom of Information Act litigation, and conducts policy research on emerging privacy issues. For more information, email info@epic.org, WWW at HTTP://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. (202) 544-9240 (tel), (202) 547-5482 (fax). The Fund for Constitutional Government is a non-profit organization established in 1974 to protect civil liberties and constitutional rights. Computer Professionals for Social Responsibility is a national membership organization of people concerned about the impact of technology on society. For information contact: cpsr-info@cpsr.org If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003. Your contributions will help support Freedom of Information Act litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and funding of the National Wiretap Plan.. Thank you for your support. ------------------------ END EPIC Alert 2.09 ------------------------ _________________________________________________________________________ Subject: EPIC Alert 2.09 _________________________________________________________________________ David Banisar (Banisar@epic.org) * 202-544-9240 (tel) Electronic Privacy Information Center * 202-547-5482 (fax) 666 Pennsylvania Ave, SE, Suite 301 * HTTP://epic.org Washington, DC 20003 * ftp/gopher/wais cpsr.org ------------------------------ From: "Prof. L. P. Levine" Date: 11 Aug 1995 09:39:43 -0500 (CDT) Subject: Info on CPD [unchanged since 08/01/95] Organization: University of Wisconsin-Milwaukee The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply. If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below. On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing. Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors. Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the SUBJECT: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit or append to the text except for purely technical reasons. A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy". People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Mosaic users will find it at gopher://gopher.cs.uwm.edu. ---------------------------------+----------------------------------------- Leonard P. Levine | Moderator of: Computer Privacy Digest Professor of Computer Science | and comp.society.privacy University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu | Gopher: gopher.cs.uwm.edu levine@cs.uwm.edu | Mosaic: gopher://gopher.cs.uwm.edu ---------------------------------+----------------------------------------- ------------------------------ End of Computer Privacy Digest V7 #015 ****************************** .