Date: Tue, 26 Sep 95 09:59:13 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@uwm.edu Subject: Computer Privacy Digest V7#026 Computer Privacy Digest Tue, 26 Sep 95 Volume 7 : Issue: 026 Today's Topics: Moderator: Leonard P. Levine Caller ID Experiences Re: Grocery Purchases and my Privacy Re: Grocery Purchases and my Privacy Re: Grocery Purchases and my Privacy Local Surveillance and Web Servers Re: 20/20 Security Camera Report Re: 20/20 Security Camera Report Junk faxes & e-mail are illegal White House Plans to Consolidate fed Data Centers Re: Knowing Where you Browse? AOL and Expectations of Privacy Re: Knowing Where you Browse? Pharmanet will give your BC Address to Anyone From Crossbows to Cryptography [long] Info on CPD [unchanged since 08/01/95] ---------------------------------------------------------------------- From: Privacy Rights Clearinghouse Date: 21 Sep 1995 11:34:47 -0700 (PDT) Subject: Caller ID Experiences TO: Privacy advocates FROM: Beth Givens Privacy Rights Clearinghouse (prc@acusd.edu) University of San Diego The state of California does not now have Caller ID. But it is likely that the local phone companies will offer it in the coming months. The Privacy Rights Clearinghouse is preparing a fact sheet for consumers which describes Caller ID and discusses the various privacy issues related to the service. The purpose of the fact sheet is to help consumers make informed decisions about whether or not to subscribe to Caller ID. To help us prepare this publication, we would like to hear from people in states *with* caller ID (currently 48, we're told) about their experiences with it. Feel free to respond to any or all of the following questions: - Is Caller ID widely used in your state? Or has it been a marketplace flop? - About what percent of phone customers subscribe to it? Are these primarily businesses -- or residential customers? - Have consumers been adequately notified of their blocking options? - Have the blocking options available in your state been effective in allowing consumers to control the dissemination of their phone numbers? - Has Caller ID been used by marketers and other entities to gather phone numbers? - Has it been effective at thwarting harassing callers, or is that argument over-sold? - Do you have any "horror" stories to relate about Caller ID being used to invade privacy? For example, are there documented cases of it being used by stalkers and other types of harassers to learn the unpublished numbers of their victims? - Have domestic violence shelters and various "help" hotlines (such as AIDS and suicide prevention hotlines) noticed a "chilling effect" on the uses made of their services because of Caller ID? - Have your phone company's efforts at marketing Caller ID been above-board, or have they been misleading and manipulative? - Has the introduction of Caller ID resulted in anything which was unexpected and which surprised you -- either good or bad? Your comments are most welcome. Please email them directly to us -- prc@acusd.edu -- or if the moderator wishes, to this discussion group. FYI, when the fact sheet is completed, it will be added to our gopher and Web sites, along with the other 18 Privacy Rights Clearinghouse fact sheets currently available. Thanks for your help! ------------------------------ From: JEREMY J EPSTEIN Date: 21 Sep 1995 16:22:02 -0500 Subject: Re: Grocery Purchases and my Privacy In at least some communities, there's an easy way you can subvert the supermarket's information gathering while doing a good deed. Some churches, synagogues, schools, and other non-profit organizations sell "scrip." It works at the grocery store like cash, and no ID is required to use it. The charitable organization buys it at a 5% discount, and sells it at face price. So you're giving 5% of your grocery bill to your favorite charity, and the store isn't collecting demographic information since they don't know who you are. We've been doing this for the past few years, and I'm happy that I can do two good deeds at the same time! -- Jeremy Epstein P.S. In the Washington DC area, all of the major stores participate (Giant, Safeway, Magruders, Shoppers, Fresh Fields), mainly so your business doesn't go elsewhere! ------------------------------ From: Maryjo Bruce Date: 21 Sep 1995 13:31:29 -0700 (PDT) Subject: Re: Grocery Purchases and my Privacy If I remember correctly, somebody recently wrote that s/he had no problem with having a SSN printed on checks. I have since been peeking over shoulders and find that people do have checks with their SSN as part of the imprinted data. My bank, a small one, just installed the phone in system, and I used it a few times. Last night I pushed the wrong button, and I was led into a "check verification" area, where anybody can call to see if my check is good. Just for the fun of it, I played with it a bit. You punch in my bank account number, which is of course on my check, and then you can select any amount of money to verify. Thus, you can find my balance. I used the feature several times without hanging up, using higher and higher numbers each time and there seems to be no "three times and your are out and cut off." To use this feature, you need my account number but that is all. To access all my banking data, this system uses only the last 4 digits of my SSN. Thus, if my SSN were on my checks........ What I want to know is this: do all/most phone in systems have this check verification feature? -- Mary Jo Bruce, M.S., M.L.S. Paralegal Sunshine@netcom.com Booklover@delphi.com ------------------------------ From: mholt@freenet.vcu.edu Date: 22 Sep 1995 14:57:13 -0400 Subject: Re: Grocery Purchases and my Privacy Organization: Central Virginia's Free-Net One of the local grocery store chains here in Indianapolis is switching from an old fashioned "check cashing" card to a new "scanned" card. They euphemistically call it their "Fresh Idea" card. Not only will this new card carry my personal information for me to write a check for my purchases, it will also link "what" I buy to "who" I am. This idea has been in place at large retailors for years. Wal-Mart, for example, has a system which combines credit card and check approval into the cash register. The capability to link "who" and "what" would be irresistable to a marketing person. Is it? I don't know. But it can't be far away. (Oddls, the Wal-Mart system is, as far as approvbals go, specific to each store; you can't write checks in Glasgow KY each week and have one accepted while you're on vacation in Oklahoma City.) At first, no one at the store would admit that the main purpose of the new card was to gather market research data. I think that most of them honestly believed that the new card was simply a faster way to authorize a check. They seemed genuinely surprised when they learned that the department that was in charge of the project was NOT the accounting nor billing nor finance department, but was in fact the "Market Research" department. That's normal. Retail employees have no time to learn why anything happens. They seldom have any interest. And, as yoyu learned, they have no capability to change a system in place from the Home Office. What to do? I spend only cash, saving checks for rent and utility bills. Odds are that there is no economic incentive to have privacy in place. Until there is, we will continue to have this sort of thing arising. There's more money in invasion of privacy. -- ---------------------------|------------------------------------------------ Michael B. Holt | As experience teaches, the subconscious almost Richmond, Virginia | automatically weighs the odds. U.S.A. | -- Adm E. B. Fluckey ---------------------------|------------------------------------------------- ------------------------------ From: jesse@oes.amdahl.com (Jesse Mundis) Date: 21 Sep 1995 19:00:51 -0700 (PDT) Subject: Local Surveillance and Web Servers WELKER@a1.vsdec.nl.nuwc.navy.mil wrote: I contend that it is better for communities to police themselves than have an outside agency come in and do it for them. This, I agree with. However, I'm going to steer the next bit into a different subject. You have the right live in a house in the country, just like I have the right to video tape the street outside my house and show those tapes to anybody I want. I think my ego can withstand having a neighbor send a tape of me scratching my butt to "America's Funniest Home Videos". N.B.- I don't advocate "eavesdropping, snooping, searching" by anybody else; that's in a different league than the subject being discussed. This brings up an interesting question. If we grant that one has the right to video tape passer-bys on the street, how far does that right extend? If someone scratches their butt (to use your example) on the street, in front of your house, but not on your property, and that you have the right to tape it happening, that seems to imply that you have the right to view/record/whatever any "signal" (the image of the B.S. (butt-scratcher)) that enters your space. Likewise, if your neighbors are shouting so loud that you can hear them through the walls, I'd say you could equally well record or listen to that. Now, what if our B.S. is in his own house, across the street from you, with his window open. Do you have the right to tape then? If not, why not? If that is the case, it is tantamount to saying that you are responsible for ignoring some signals that reach you, to insure someone else's privacy, when they didn't care enough about it to keep the signal from you. The B.S. could have closed his blinds, and the noisy neighbors could have kept it down to the point that no sound reached you. Now then, if you do have the right to perceive a signal that reaches you (putting the onus of keeping the signal from you upon the person who wants privacy) then what do you have the right to do with a signal you receive? Experiencing it and recording it are the obvious actions, but what about enhancing or modifying it? That would lead to looking through your neighbor's window with binoculars as an acceptable behavior. All you are doing is captureing and enhancing the quality of a signal which came to you. Note that none of this would fall under the catagory of "snooping" in this set of definitions, as that implies some action on your part to aquire a signal by circumventing whatever means were employed to keep the signal from you. (i.e. the neighbor has closed the blinds. Going over there and pushing them aside would be an act of snooping.) What is all this leading to? Following the above reasoning, what about encryption on email? Obviously the person doing the encryption wants privacy, but is encrypting like pulling the blinds, or like having your window face in a direction such that only people who climb a mountain and use a telescope can see you scratching your butt? If your encrypted message (signal) passes through my machine (my space) en route to somewhere else, and I am nosey and have some large computing resources to break your encryption, am I snooping (pushing aside the blind) or just looking through an awkwardly positioned (encrypted) yet still open, window with my telescope? If this topic is a bit too philosphical for the list, just let the moderator say so, and I'll be happy to discuss this with folks in private email. [moderator: on another issue:] Anybody out there know if a browser can be remotely ordered to report its history? Not quite, but there is some cause for concern. Not all browsers do this, but I know for a fact that the Netscape client does provide to any server a "referer" field which the server logs. The referer field is the URL of the previous document you browesed. I know of no way to make any client divulge its entire history, but you could certainly build that feature into any client. Netscape's referer field is useful to track the path of people through your own pages, but it also results in server admins (or anyone with access to the log files) to find out what URL the browser just came from. So, if you were looking at http://www.naughty.com/secret.html then followed a link, OR just typed in the URL for my server, I would see a line in my logfile like: [21/Sep/1995:19:00:00 +0800] [OK-GATEWAY] [host: your.clients.machine.here referer: http://www.naughty.com/secret.html] ... where ... is what you requested from my server. Actually, looking through the log files, it seems to only log the referer field on errors, but regardless, the client provides the information to the server. -- Jesse Mundis jesse@amdahl.com Webmaster for Amdahl Any opinions expressed above are mine and do not necessarily represent the opinions policies of Amdahl Corporation. Jesse Mundis | Amdahl Corporation | Remember: jesse@oes.amdahl.com | 1250 East Arques Ave M/S 338 | Quality is job 1.1 (408) 746-4796 | Sunnyvale, CA 94088-3470 | -Heard from Maintenance ------------------------------ From: "Charlton, Alan" Date: 22 Sep 95 13:27:00 PDT Subject: Re: 20/20 Security Camera Report On September 8th ABC Television on its weekly 20/20 show produced a piece describing closed circuit TV cameras that are now being installed in England for public security purposes. The piece was introduced by Hugh Downs with the question "What is more important to you, your safety or your privacy?" Their reporter Lynn Sherr describes the system as "sweeping England" and "pervasive". She indicates that more than one hundred communities have introduced cameras in their city centers, along streets and even in private gardens. [We see views through these cameras.] Sorry if this is a bit late following your post - my newsfeed isn't too good. You might be interested to know that one of the independent TV companies in the UK recently ran a series (which might still be running - I found it patronising and thoroughly offensive and haven't watched it since) which used clips from various public area surveillance cameras. There was absolutely no jouranlistic merit to it, and no real message came through - it was simply egregious voyeurism. Personally, although I possibly have some qualms about the use to which such recordings might be put, I'd rather they were there, if only to observe and act on some of the hideous things which go on in the UK every day. -- Regards, Alan Charlton European Approvals Consultant ------------------------------ From: malamb@ix.netcom.com (Michael Lamb ) Date: 23 Sep 1995 04:23:51 GMT Subject: Re: 20/20 Security Camera Report Organization: Netcom the system with that in the US where most cameras are installed by private parties for business reasons but points out that one such camera provided a picture of what might well have been the truck from my understanding, the camera that may have provided evidence in the OKC bombing was a camera integral to an automatic teller machine. This is very routine in the US as a business security measure and a personal security measure for their customers. However, I have just seen a documentary on a town in the UK where the police are installing cameras on strategic points throughout their town. Personally, as an ex police officer, I have no objection to this. I could see where others might though. ------------------------------ From: prvtctzn@aol.com (Prvt Ctzn) Date: 25 Sep 1995 00:30:08 -0400 Subject: Junk faxes & e-mail are illegal Organization: America Online, Inc. (1-800-827-6364) Unsolicited advertisements that are sent to you by e-mail, or to your fax machine are illegal, ... and you can sue the sender for $500 in your states small claims court pursuant to 47 USC 227 (b)(1)(C). [aka the TCPA] The only restriction is that the ad must be sent to someone who did not give the sender permission to send it, or that does not have an existing business relationship with the sender (such relationships may be terminated, for the purposes of this law, by telling a firm not to solicit you). The law defines a fax machine as equipment that can receive signals over regular telephone lines, convert it to text, and transcibe it to paper. So a computer-modem-printer system is a fax machine, by law. I am about to sue AOL for just such a violation, in that I had told them I did not want such ads, and they subsequently sent one to me by e-mail. Stay tuned for my next report. Or you can find out more by calling 1-800-CUT-JUNK and joining Private Citizen, Inc. ------------------------------ From: "Jim Tyson" Date: 22 Sep 1995 9:13:18 Subject: White House Plans to Consolidate fed Data Centers The Executive Office of the President of the United States, Office of Management and Budget is issuing a bulletin to the heads of federal agencies that requires them to " consolidate" Federal Data Centers as a cost cutting measure. (This has been reported on the front page of Government Computer News for September 18, 1995). I have a copy of a 9/6/95 draft for the OMB bulletin. The OMB plan involves a very aggressive timetable ("[r]educe the total number of Federal data centers during the next 24 months ..."), and appears to be based in part on a fairly wild (to someone in the information technology business) and hardly supportable assertion that "Industry experience suggests operational savings of between 30 percent and 50 percent from consolidation .." . It strikes me that a large-scale consolidation of Federal data centers greatly increases the likelihood and risks of "big brother" style electronic monitoring and control of information about individuals. OMB's bulletin is based on a National Performance Review committee's report on "Consolidation of Federal Data Centers", which suggests that a first effort should concentrate on consolidating data centers within departments, to be followed up by a consolidation of data centers across all departments. Imagine the Federal government operating consolidated computer systems that span the various electronic databases for Social Security, IRS, Medicare, Justice Department, etc., etc. The potential for abuse is staggering. It strikes me that the public just might prefer to keep Federal data centers "Balkanized" as a privacy protection, even if it comes at some cost of "efficiency". It further concerns me that the original NPR report on consolidation was labelled "Official Government Use - Not for Public Release" on every page when it was issued in February 1995. (This document is currently accessible from a government Internet server). Why should such planning be kept secret from the public? ------------------------------ From: hedlund@best.com (M. Hedlund) Date: 22 Sep 1995 12:16:20 -0700 Subject: Re: Knowing Where you Browse? Organization: Precipice "Prof. L. P. Levine" wrote Your note is the first I have heard about this. I am aware that my browser does keep a history list, but know only that the remote site gets a report from the system about my site, not my personal account. In all likelihood, the author is referring to Netscape's session-state proposal, which can be found on the web at . The proposal provides a set of headers for web clients (browsers) and servers to exchange for the purpose of maintaining information about a particular client over the course of a browsing session. Please note that these headers can be used by any server (through a CGI script -- a custom server process), but to my knowledge have only been implemented in Netscape itself (version 1.1 and higher) -- that is, no other browser uses them (yet). The cookie mechanism is best explained at the URL given above, but I'll try to summarize it. HTTP/1.0 clients (most browsers in use today) send request headers (similar to the 'To:' and 'Subject:' headers of mail and news messages) with each request they make to a web server. These headers describe the nature of the request and also provide some information about the client. (See the _draft_ HTTP/1.0 specification, at , for more information. See also on what information is given to CGI scripts.) Similarly, a web server uses response headers to describe the nature of its response and to describe the object or document it is returning. Under the cookie proposal, any server (or CGI script) may issue a "Set-Cookie" header with its response to a client. The set-cookie response header asks that the client return some _cookie_, or piece of information the next time it visits a specified _realm_. Netscape 1.1 and higher will then return that cookie for any future request matching the parameters of _realm_. If you are concerned about this issue, take a look at the definition of realm -- basically, they try to prevent you from making the realm anything other than the whole or a part of your own domain. For example, I would be able to issue cookies for any request to *.best.com, but not for any request to *.com. Your list of active cookies is kept in the "magic cookie" file -- in your home directory on a unix system, or in your System Folder:Preferences:Netscape f:MagicCookie on a Mac. It's a text file -- you can read it using BBEdit or simpletext. In short, the answer to the question is no, your history list is not public*, but Netscape 1.1 and higher allow a provider to build a server-maintained history list of your travels at _their_ site. (In fact, it appears Netscape does so on their home site -- see your MagicCookie file.) If you later provide personal information (for instance, buy a book or fill out a survey) at a site employing cookies, this "clicktrail" can be associated with you personally. [*Note: your history list may be semi-public on a multi-use system if file permissions are not set correctly.] M. Hedlund [n.b.: I tend to post and mail my responses to news articles.] ------------------------------ From: rseoeg@site33.ping.at (Chris Mathews) Date: 23 Sep 1995 11:09:00 +0100 Subject: AOL and Expectations of Privacy Organization: RSE Moss-Jusefowytsch OEG To: /comp/dcom/telecom From: news@news.fmso.navy.mil Subject: Re: AOL and Expectations of Privacy Date: Fr 22.09.95, 13:29 (received: 23.09.95) Last week I attended a Network Security Workshop sponsored by a Navy activity. Most of the presentations concerned hardware and software means of keeping systems secure from hackers and other evildoers. One presentation germaine to this thread was presented by a Navy lawyer. The 4th Amendment to the Constitution and the Electronic Communications Privacy Act provide protections against monitoring of private communications but they are not absolute. The 4th Amendment says "The right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause ..." This sounds good, but the JAG lawyer went on to point out the following exceptions to the amendment: * Consent. If the AOL TOS that you agreed to says that they may monitor your communications and that by signing the TOS you agree to such monitoring, then you are out of luck. * Reasonable Expectation of Privacy. If you don't have a reasonable expection of privacy, then you can't object to being monitored. DOD and many BBS sysops use this exception by displaying a warning banner everytime you logon to the system. * Judicial Warrant The ECPA, the law that allows the cellular phone industry to claim that cell phone calls are private, also has exceptions built into it. * Judicial warrant * 18 usc SECTION 2511(2)(A)(I). SYSOP may monitor "in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or the protection of the rights or property of the provider". The interpretation given to the above extract from 18USC2511 is that SYSOPs have a wide latitude in administratively monitoring the activity on their systems. It could extend as far as running a keystroke monitor on one of my users to determine what he/she was doing that was causing unusually high consumption of system resources or repeatedly trying to access areas that they weren't supposed to. However, the lawyer emphasized that everything the sysop did should be in a defensive mode. Once a sysop determines that illegal activity may be taking place, he or she should immediately cease any monitoring and notify law enforcement personnel. SYSOPs duties do not include gathering evidence. David B. Hultberg, Director david_b_hultberg@nslc.fmso.navy.mil Information Resources Management dave.hultberg@paonline.com Naval Sea Logistics Center http://www.nslc.fmso.navy.mil P.O. Box 2060 (717) 790-4507 or DSN 430-4507 Mechanicsburg, PA 17055-0795 (717) 790-2915 or DSN 430-2915(FAX) --- Press any key to continue ## CrossPoint v3.02 ## ------------------------------ From: shields@tembel.org (Michael Shields) Date: 24 Sep 1995 20:57:37 -0000 Subject: Re: Knowing Where you Browse? Organization: Tembel's Hedonic Commune Prof. L. P. Levine wrote: If it becomes clear that my browser can be ordered to report history to the remote site by some command at that end then I (and many others) will want to know it. No, but you can get close. It's a standard part of HTTP to report a Referer: header when a link is followed, which gives the URL of the page which contained the link; in this way the server logs often show how a page was found. Netscape has also invented a nonstandard called `cookies', which can be used to generate detailed per-user trails. Netscape cookies, while sold as making CGI programming easier (for Netscape client users only), could easily be used to track a user's movements between and within cooperating sites; Apache already has code to do this within one server. -- Shields. ------------------------------ From: bo774@freenet.carleton.ca (Kelly Bert Manning) Date: 23 Sep 1995 19:34:24 GMT Subject: Pharmanet will give your BC Address to Anyone Organization: The National Capital FreeNet My first experience of Pharmanet gave me a minor sense of relief, since the "is your address ..." question was an old PO box I haven't used for 5 years. With a couple of days reflection I've become quite alarmed about the apparent absence of any protection for home addresses in Pharmanet. It appears that anyone who presents themselves at a pharmacy, and recites the magic recipie of name and birthdate, will be given your address. Passing a phoney prescription(or one obtained under subtrefuge) is a relatively minor additional offence to add one if a stalker or abusive former partner is planning to attack a woman. The "audit trail" facility also seems to pose as many risks as it may solve. How is Pharmanet going to know that someone who shows up and demands to see who has been looking at their familiy's profile isn't an abusive former husband/boyfriend/etc. The list of who had been filling their prescriptions is a good starting point to start checking unavoidable public records to track them down. How much more ifnormation is going to have to be added to this little system to try and cobble on after the fact privacy protection? Why the hell does a pharmacist need to know where people live anyway? There is no medical reason for him to have your address. If you don't choose to give it to him he had no damn business pulling it out of government records. If he can ever come up with a medical reason for needing to know(he screwed up and used methadone solution instead of distilled water to mix up an antibotic suspension) then that would be the time to start looking up your address. ------------------------------ From: turf@netcom.com (Brian McInturff) Date: 23 Sep 1995 17:54:57 GMT Subject: From Crossbows to Cryptography [long] Organization: NETCOM On-line Communication Services (408 261-4700 guest) This is an old speech I liked. Skip over the technical parts on PGP if you are not interested in them. They go on for a few paragraphs. Keep in mind, when the guy is talking about the Berlin Wall and those archvillian Soviets, that the speech was given in 1987. >>>>> From liber_pgp >From Crossbows to Cryptography: Thwarting the State Via Technology, a transcript of a speech given by Chuck Hammill in 1987, which details many of the technical aspects of PGP. Please note that the following speech was made by Chuck Hammill in 1987. Address all letters to his address, given at the end of this document. -- Russell FROM CROSSBOWS TO CRYPTOGRAPHY: THWARTING THE STATE VIA TECHNOLOGY Given at the Future of Freedom Conference, November 1987 You know, technology--and particularly computer technology--has often gotten a bad rap in Libertarian cir- cles. We tend to think of Orwell's 1984, or Terry Gilliam's Brazil, or the proximity detectors keeping East Berlin's slave/citizens on their own side of the border, or the so- phisticated bugging devices Nixon used to harass those on his "enemies list." Or, we recognize that for the price of a ticket on the Concorde we can fly at twice the speed of sound, but only if we first walk thru a magnetometer run by a government policeman, and permit him to paw thru our be- longings if it beeps. But I think that mind-set is a mistake. Before there were cattle prods, governments tortured their prisoners with clubs and rubber hoses. Before there were lasers for eavesdropping, governments used binoculars and lip-readers. Though government certainly uses technology to oppress, the evil lies not in the tools but in the wielder of the tools. In fact, technology represents one of the most promis- ing avenues available for re-capturing our freedoms from those who have stolen them. By its very nature, it favors the bright (who can put it to use) over the dull (who can- not). It favors the adaptable, who are quick to see the merit of the new, over the sluggish (who cling to time- tested ways). And what two better words are there to de- scribe government bureaucracy than "dull" and "sluggish"? One of the clearest, classic triumphs of technology over tyranny I see is the invention of the man-portable crossbow. With it, an untrained peasant could now reliably and lethally engage a target out to fifty meters--even if that target were a mounted, chain-mailed knight. (Unlike the longbow, which, admittedly was more powerful, and could get off more shots per unit time, the crossbow required no formal training to utilize. Whereas the longbow required elaborate visual, tactile and kinesthetic coordination to achieve any degree of accuracy, the wielder of a crossbow could simply put the weapon to his shoulder, sight along the arrow itself, and be reasonably assured of hitting his tar- get.) Moreover, since just about the only mounted knights likely to visit your average peasant would be government soldiers and tax collectors, the utility of the device was plain: With it, the common rabble could defend themselves not only against one another, but against their governmental masters. It was the medieval equivalent of the armor- piercing bullet, and, consequently, kings and priests (the medieval equivalent of a Bureau of Alcohol, Tobacco and Crossbows) threatened death and excommunication, respec- tively, for its unlawful possession. Looking at later developments, we see how technology like the firearm--particularly the repeating rifle and the handgun, later followed by the Gatling gun and more advanced machine guns--radically altered the balance of interpersonal and inter-group power. Not without reason was the Colt .45 called "the equalizer." A frail dance-hall hostess with one in her possession was now fully able to protect herself against the brawniest roughneck in any saloon. Advertise- ments for the period also reflect the merchandising of the repeating cartridge rifle by declaring that "a man on horseback, armed with one of these rifles, simply cannot be captured." And, as long as his captors were relying upon flintlocks or single-shot rifles, the quote is doubtless a true one. Updating now to the present, the public-key cipher (with a personal computer to run it) represents an equiv- alent quantum leap--in a defensive weapon. Not only can such a technique be used to protect sensitive data in one's own possession, but it can also permit two strangers to ex- change information over an insecure communications channel--a wiretapped phone line, for example, or skywriting, for that matter)--without ever having previously met to exchange cipher keys. With a thousand-dollar com- puter, you can create a cipher that a multi-megabuck CRAY X-MP can't crack in a year. Within a few years, it should be economically feasible to similarly encrypt voice communi- cations; soon after that, full-color digitized video images. Technology will not only have made wiretapping obsolete, it will have totally demolished government's control over in- formation transfer. I'd like to take just a moment to sketch the mathemat- ics which makes this principle possible. This algorithm is called the RSA algorithm, after Rivest, Shamir, and Adleman who jointly created it. Its security derives from the fact that, if a very large number is the product of two very large primes, then it is extremely difficult to obtain the two prime factors from analysis of their product. "Ex- tremely" in the sense that if primes p and q have 100 digits apiece, then their 200-digit product cannot in gen- eral be factored in less than 100 years by the most powerful computer now in existence. The "public" part of the key consists of (1) the prod- uct pq of the two large primes p and q, and (2) one fac- tor, call it x , of the product xy where xy = {(p-1) * (q-1) + 1}. The "private" part of the key consists of the other factor y. Each block of the text to be encrypted is first turned into an integer--either by using ASCII, or even a simple A=01, B=02, C=03, ... , Z=26 representation. This integer is then raised to the power x (modulo pq) and the resulting integer is then sent as the encrypted message. The receiver decrypts by taking this integer to the (secret) power y (modulo pq). It can be shown that this process will always yield the original number started with. What makes this a groundbreaking development, and why it is called "public-key" cryptography," is that I can openly publish the product pq and the number x , while keeping secret the number y --so that anyone can send me an encrypted message, namely x a (mod pq) , but only I can recover the original message a , by taking what they send, raising it to the power y and taking the result (mod pq). The risky step (meeting to exchange cipher keys) has been eliminated. So people who may not even trust each other enough to want to meet, may still reliably ex- change encrypted messages--each party having selected and disseminated his own pq and his x , while maintaining the secrecy of his own y. Another benefit of this scheme is the notion of a "dig- ital signature," to enable one to authenticate the source of a given message. Normally, if I want to send you a message, I raise my plaintext a to your x and take the result (mod your pq) and send that. However, if in my message, I take the plaintext a and raise it to my (secret) power y , take the result (mod my pq), then raise that result to your x (mod your pq) and send this, then even after you have normally "decrypted" the message, it will still look like garbage. However, if you then raise it to my public power x , and take the result (mod my public pq ), so you will not only recover the ori- ginal plaintext message, but you will know that no one but I could have sent it to you (since no one else knows my secret y). And these are the very concerns by the way that are to- day tormenting the Soviet Union about the whole question of personal computers. On the one hand, they recognize that American schoolchildren are right now growing up with com- puters as commonplace as sliderules used to be--more so, in fact, because there are things computers can do which will interest (and instruct) 3- and 4-year-olds. And it is pre- cisely these students who one generation hence will be going head-to-head against their Soviet counterparts. For the Soviets to hold back might be a suicidal as continuing to teach swordsmanship while your adversaries are learning ballistics. On the other hand, whatever else a personal computer may be, it is also an exquisitely efficient copying machine--a floppy disk will hold upwards of 50,000 words of text, and can be copied in a couple of minutes. If this weren't threatening enough, the computer that performs the copy can also encrypt the data in a fashion that is all but unbreakable. Remember that in Soviet society publicly ac- cessible Xerox machines are unknown. (The relatively few copying machines in existence are controlled more inten- sively than machine guns are in the United States.) Now the "conservative" position is that we should not sell these computers to the Soviets, because they could use them in weapons systems. The "liberal" position is that we should sell them, in the interests of mutual trade and cooperation--and anyway, if we don't make the sale, there will certainly be some other nation willing to. For my part, I'm ready to suggest that the Libertarian position should be to give them to the Soviets for free, and if necessary, make them take them . . . and if that doesn't work load up an SR-71 Blackbird and air drop them over Moscow in the middle of the night. Paid for by private sub- scription, of course, not taxation . . . I confess that this is not a position that has gained much support among members of the conventional left-right political spectrum, but, af- ter all, in the words of one of Illuminatus's characters, we are political non-Euclideans: The shortest distance to a particular goal may not look anything like what most people would consider a "straight line." Taking a long enough world-view, it is arguable that breaking the Soviet govern- ment monopoly on information transfer could better lead to the enfeeblement and, indeed, to the ultimate dissolution of the Soviet empire than would the production of another dozen missiles aimed at Moscow. But there's the rub: A "long enough" world view does suggest that the evil, the oppressive, the coercive and the simply stupid will "get what they deserve," but what's not immediately clear is how the rest of us can escape being killed, enslaved, or pauperized in the process. When the liberals and other collectivists began to at- tack freedom, they possessed a reasonably stable, healthy, functioning economy, and almost unlimited time to proceed to hamstring and dismantle it. A policy of political gradualism was at least conceivable. But now, we have patchwork crazy-quilt economy held together by baling wire and spit. The state not only taxes us to "feed the poor" while also inducing farmers to slaughter milk cows and drive up food prices--it then simultaneously turns around and sub- sidizes research into agricultural chemicals designed to in- crease yields of milk from the cows left alive. Or witness the fact that a decline in the price of oil is considered as potentially frightening as a comparable increase a few years ago. When the price went up, we were told, the economy risked collapse for want of energy. The price increase was called the "moral equivalent of war" and the Feds swung into action. For the first time in American history, the speed at which you drive your car to work in the morning be- came an issue of Federal concern. Now, when the price of oil drops, again we risk problems, this time because Ameri- can oil companies and Third World basket-case nations who sell oil may not be able to ever pay their debts to our grossly over-extended banks. The suggested panacea is that government should now re-raise the oil prices that OPEC has lowered, via a new oil tax. Since the government is seeking to raise oil prices to about the same extent as OPEC did, what can we call this except the "moral equivalent of civil war--the government against its own people?" And, classically, in international trade, can you imag- ine any entity in the world except a government going to court claiming that a vendor was selling it goods too cheaply and demanding not only that that naughty vendor be compelled by the court to raise its prices, but also that it be punished for the act of lowering them in the first place? So while the statists could afford to take a couple of hundred years to trash our economy and our liberties--we certainly cannot count on having an equivalent period of stability in which to reclaim them. I contend that there exists almost a "black hole" effect in the evolution of nation-states just as in the evolution of stars. Once free- dom contracts beyond a certain minimum extent, the state warps the fabric of the political continuum about itself to the degree that subsequent re-emergence of freedom becomes all but impossible. A good illustration of this can be seen in the area of so-called "welfare" payments. When those who sup at the public trough outnumber (and thus outvote) those whose taxes must replenish the trough, then what possible choice has a democracy but to perpetuate and expand the tak- ing from the few for the unearned benefit of the many? Go down to the nearest "welfare" office, find just two people on the dole . . . and recognize that between them they form a voting bloc that can forever outvote you on the question of who owns your life - and the fruits of your life's labor. So essentially those who love liberty need an "edge" of some sort if we're ultimately going to prevail. We obvi- ously can't use the altruists' "other-directedness" of "work, slave, suffer, sacrifice, so that next generation of a billion random strangers can live in a better world." Recognize that, however immoral such an appeal might be, it is nonetheless an extremely powerful one in today's culture. If you can convince people to work energetically for a "cause," caring only enough for their personal welfare so as to remain alive enough and healthy enough to continue working--then you have a truly massive reservoir of energy to draw from. Equally clearly, this is just the sort of ap- peal which tautologically cannot be utilized for egoistic or libertarian goals. If I were to stand up before you tonight and say something like, "Listen, follow me as I enunciate my noble "cause," contribute your money to support the "cause," give up your free time to work for the "cause," strive selflessly to bring it about, and then (after you and your children are dead) maybe your children's children will actu- ally live under egoism" - you'd all think I'd gone mad. And of course you'd be right. Because the point I'm trying to make is that libertarianism and/or egoism will be spread if, when, and as, individual libertarians and/or egoists find it profitable and/or enjoyable to do so. And probably only then. While I certainly do not disparage the concept of poli- tical action, I don't believe that it is the only, nor even necessarily the most cost-effective path toward increasing freedom in our time. Consider that, for a fraction of the investment in time, money and effort I might expend in try- ing to convince the state to abolish wiretapping and all forms of censorship--I can teach every libertarian who's in- terested how to use cryptography to abolish them unilaterally. There is a maxim, a proverb, generally attributed to the Eskimoes, which very likely most Libertarians have al- ready heard. And while you likely would not quarrel with the saying, you might well feel that you've heard it often enough already, and that it has nothing further to teach us, and moreover, that maybe you're even tired of hearing it. I shall therefore repeat it now: If you give a man a fish, the saying runs, you feed him for a day. But if you teach a man how to fish, you feed him for a lifetime. Your exposure to the quote was probably in some sort of a "workfare" vs. "welfare" context; namely, that if you genuinely wish to help someone in need, you should teach him how to earn his sustenance, not simply how to beg for it. And of course this is true, if only because the next time he is hungry, there might not be anybody around willing or even able to give him a fish, whereas with the information on how to fish, he is completely self sufficient. But I submit that this exhausts only the first order content of the quote, and if there were nothing further to glean from it, I would have wasted your time by citing it again. After all, it seems to have almost a crypto-altruist slant, as though to imply that we should structure our ac- tivities so as to maximize the benefits to such hungry beggars as we may encounter. But consider: Suppose this Eskimo doesn't know how to fish, but he does know how to hunt walruses. You, on the other hand, have often gone hungry while traveling thru walrus country because you had no idea how to catch the damn things, and they ate most of the fish you could catch. And now suppose the two of you decide to exchange information, bartering fishing knowledge for hunting knowledge. Well, the first thing to observe is that a transaction of this type categorically and unambiguously refutes the Marxist premise that every trade must have a "winner" and a "loser;" the idea that if one person gains, it must necessarily be at the "expense" of another person who loses. Clearly, under this scenario, such is not the case. Each party has gained some- thing he did not have before, and neither has been dimin- ished in any way. When it comes to exchange of information (rather than material objects) life is no longer a zero-sum game. This is an extremely powerful notion. The "law of diminishing returns," the "first and second laws of thermodynamics"--all those "laws" which constrain our possi- bilities in other contexts--no longer bind us! Now that's anarchy! Or consider another possibility: Suppose this hungry Eskimo never learned to fish because the ruler of his nation-state had decreed fishing illegal. Because fish contain dangerous tiny bones, and sometimes sharp spines, he tells us, the state has decreed that their consumption--and even their possession--are too hazardous to the people's health to be permitted . . . even by knowledgeable, willing adults. Perhaps it is because citizens' bodies are thought to be government property, and therefore it is the function of the state to punish those who improperly care for govern- ment property. Or perhaps it is because the state gener- ously extends to competent adults the "benefits" it provides to children and to the mentally ill: namely, a full-time, all-pervasive supervisory conservatorship--so that they need not trouble themselves with making choices about behavior thought physically risky or morally "naughty." But, in any case, you stare stupefied, while your Eskimo informant re- lates how this law is taken so seriously that a friend of his was recently imprisoned for years for the crime of "pos- session of nine ounces of trout with intent to distribute." Now you may conclude that a society so grotesquely oppressive as to enforce a law of this type is simply an affront to the dignity of all human beings. You may go far- ther and decide to commit some portion of your discretion- ary, recreational time specifically to the task of thwarting this tyrant's goal. (Your rationale may be "altruistic" in the sense of wanting to liberate the oppressed, or "egoistic" in the sense of proving you can outsmart the oppressor--or very likely some combination of these or per- haps even other motives.) But, since you have zero desire to become a martyr to your "cause," you're not about to mount a military campaign, or even try to run a boatload of fish through the blockade. However, it is here that technology--and in particular in- formation technology--can multiply your efficacy literally a hundredfold. I say "literally," because for a fraction of the effort (and virtually none of the risk) attendant to smuggling in a hundred fish, you can quite readily produce a hundred Xerox copies of fishing instructions. (If the tar- geted government, like present-day America, at least permits open discussion of topics whose implementation is re- stricted, then that should suffice. But, if the government attempts to suppress the flow of information as well, then you will have to take a little more effort and perhaps write your fishing manual on a floppy disk encrypted according to your mythical Eskimo's public-key parameters. But as far as increasing real-world access to fish you have made genuine nonzero headway--which may continue to snowball as others re-disseminate the information you have provided. And you have not had to waste any of your time trying to convert id- eological adversaries, or even trying to win over the unde- cided. Recall Harry Browne's dictum from "Freedom in an Unfree World" that the success of any endeavor is in general inversely proportional to the number of people whose persua- sion is necessary to its fulfilment. If you look at history, you cannot deny that it has been dramatically shaped by men with names like Washington, Lincoln, . . . Nixon . . . Marcos . . . Duvalier . . . Khadaffi . . . and their ilk. But it has also been shaped by people with names like Edison, Curie, Marconi, Tesla and Wozniak. And this latter shaping has been at least as per- vasive, and not nearly so bloody. And that's where I'm trying to take The LiberTech Project. Rather than beseeching the state to please not en- slave, plunder or constrain us, I propose a libertarian net- work spreading the technologies by which we may seize freedom for ourselves. But here we must be a bit careful. While it is not (at present) illegal to encrypt information when government wants to spy on you, there is no guarantee of what the fu- ture may hold. There have been bills introduced, for exam- ple, which would have made it a crime to wear body armor when government wants to shoot you. That is, if you were to commit certain crimes while wearing a Kevlar vest, then that fact would constitute a separate federal crime of its own. This law to my knowledge has not passed . . . yet . . . but it does indicate how government thinks. Other technological applications, however, do indeed pose legal risks. We recognize, for example, that anyone who helped a pre-Civil War slave escape on the "underground railroad" was making a clearly illegal use of technology--as the sovereign government of the United States of America at that time found the buying and selling of human beings quite as acceptable as the buying and selling of cattle. Simi- larly, during Prohibition, anyone who used his bathtub to ferment yeast and sugar into the illegal psychoactive drug, alcohol--the controlled substance, wine--was using technol- ogy in a way that could get him shot dead by federal agents for his "crime"--unfortunately not to be restored to life when Congress reversed itself and re-permitted use of this drug. So . . . to quote a former President, un-indicted co- conspirator and pardoned felon . . . "Let me make one thing perfectly clear:" The LiberTech Project does not advocate, participate in, or conspire in the violation of any law--no matter how oppressive, unconstitutional or simply stupid such law may be. It does engage in description (for educa- tional and informational purposes only) of technological processes, and some of these processes (like flying a plane or manufacturing a firearm) may well require appropriate li- censing to perform legally. Fortunately, no license is needed for the distribution or receipt of information it- self. So, the next time you look at the political scene and despair, thinking, "Well, if 51% of the nation and 51% of this State, and 51% of this city have to turn Libertarian before I'll be free, then somebody might as well cut my goddamn throat now, and put me out of my misery"--recognize that such is not the case. There exist ways to make your- self free. If you wish to explore such techniques via the Project, you are welcome to give me your name and address--or a fake name and mail drop, for that matter--and you'll go on the mailing list for my erratically-published newsletter. Any friends or acquaintances whom you think would be interested are welcome as well. I'm not even asking for stamped self- addressed envelopes, since my printer can handle mailing la- bels and actual postage costs are down in the noise compared with the other efforts in getting an issue out. If you should have an idea to share, or even a useful product to plug, I'll be glad to have you write it up for publication. Even if you want to be the proverbial "free rider" and just benefit from what others contribute--you're still welcome: Everything will be public domain; feel free to copy it or give it away (or sell it, for that matter, 'cause if you can get money for it while I'm taking full-page ads trying to give it away, you're certainly entitled to your capitalist profit . . .) Anyway, every application of these principles should make the world just a little freer, and I'm certainly willing to underwrite that, at least for the forseeable fu- ture. I will leave you with one final thought: If you don't learn how to beat your plowshares into swords before they outlaw swords, then you sure as HELL ought to learn before they outlaw plowshares too. --Chuck Hammill THE LIBERTECH PROJECT 3194 Queensbury Drive Los Angeles, California 90064 310-836-4157 hammill@netcom.com [The above LiberTech address was updated December 1992, with the permission of Chuck Hammill, by Russell Whitaker] Those interested in the issues raised in this piece should participate in at least these newsgroups: alt.privacy alt.security.pgp comp.org.eff.talk sci.crypt A copy of the RSA-based public key encryption program, PGP 2.1 (Pretty Good Privacy), can be obtained at various ftp sites around the world. One such site is gate.demon.co.uk, where an MS-DOS version can be had by anonymous ftp as pgp22.zip in /pub/pgp. Versions for other operating systems, including UNIX variants and Macintosh, are also available. Source code is also available. Here's the blurb for PGP, by the way: - ---------------------- Quote ---------------------------------------- PGP (Pretty Good Privacy) ver 2.2 - RSA public-key encryption freeware for MSDOS, protects E-mail. Lets you communicate securely with people you've never met, with no secure channels needed for prior exchange of keys. Well featured and fast! Excellent user documentation. PGP has sophisticated key management, an RSA/conventional hybrid encryption scheme, message digests for digital signatures, data compression before encryption, and good ergonomic design. Source code is free. Filenames: pgp22.zip (executable and manuals), pgp22src.zip (sources) Keywords: PGP, Pretty Good Privacy, RSA, public key, encryption, privacy, authentication, signatures, email - ---------------------- End Quote ------------------------------------- Russell Earl Whitaker whitaker@eternity.demon.co.uk Communications Editor AMiX: RWhitaker EXTROPY: The Journal of Transhumanist Thought Board member, Extropy Institute (ExI) -----BEGIN PGP SIGNATURE----- Version: 2.2 iQCVAgUBK922PYTj7/vxxWtPAQEbkgQAsgOxCtZjdZMZuRfm05nwm2ObsoLH/cFh aHRnb6dmp1o+4+yxaR+BO4fpRAtNMMOhn6WUSOoUJz1qqqkghfolYRu/TeCdr9du irrb7tCwndKsQC+wcTI/Q4+cmq3HrRRTnaIWYjmfaqXPEYRODVFDXc409umVGRJb 5IgXfNgaz78= =T1vu -----END PGP SIGNATURE----- -----END PGP SIGNATURE----- ----------------------------------------------------------------------------- ------------------------------ From: "Prof. L. P. Levine" Date: 11 Aug 1995 09:39:43 -0500 (CDT) Subject: Info on CPD [unchanged since 08/01/95] Organization: University of Wisconsin-Milwaukee The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply. If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below. On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing. Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors. Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the SUBJECT: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit or append to the text except for purely technical reasons. A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy". People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Mosaic users will find it at gopher://gopher.cs.uwm.edu. ---------------------------------+----------------------------------------- Leonard P. Levine | Moderator of: Computer Privacy Digest Professor of Computer Science | and comp.society.privacy University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu | Gopher: gopher.cs.uwm.edu levine@cs.uwm.edu | Mosaic: gopher://gopher.cs.uwm.edu ---------------------------------+----------------------------------------- ------------------------------ End of Computer Privacy Digest V7 #026 ****************************** .