Date: Fri, 08 Mar 96 09:50:35 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@uwm.edu Subject: Computer Privacy Digest V8#022 Computer Privacy Digest Fri, 08 Mar 96 Volume 8 : Issue: 022 Today's Topics: Moderator: Leonard P. Levine Police (ab?)use of SSN's CIA & NSA Run Anonymous Remailers Re: US Right to Anonymous Publication Re: A Far-Reaching Privacy Bill Re: A Far-Reaching Privacy Bill Re: A Far-Reaching Privacy Bill Re: 800 ANI Cordless Phone Security Re: BC NDP Membership Leaked Via Internet Re: Powerful Engines that Search Usenet EFF Statement on Leahy/Burns/Murray Crypto Bill Info on CPD [unchanged since 11/22/95] ---------------------------------------------------------------------- From: Aaron Zaugg Date: 05 Mar 1996 13:55:42 -0700 (MST) Subject: Police (ab?)use of SSN's I recently bought myself a scanner to eavesdrop on just what sort of tasks the police in my area keep themselves busy with. I've become quite alarmed however at the amount of personal information that is broadcasted over their frequencies. Most alarming is the constant barrage of social security numbers that I pick up. In most cases, officers at a traffic stop or investigation will use driver's license number to do their NCIC and PACE searches. In some cases that number is identical to their SSN (DL numbers that are not SSN's begin with a letter). However anyone here in Phoenix who does not have a driver's license or some other State ID card is in for a little treat. The SSN number they give the police will be sent over the airwaves. Usually the dispatcher will respond back in a few seconds with that person's address, want's and warrants, DMV restrictions/suspensions as well as a physical description on some occasions. In our world where its common knowledge that people can use a SSN, name, and address to take over another person's identity, I find it hard to believe the police would be so careless. Some might say that no one would want to use a criminal's identity as their own, but the fact is that many of these people who have their information broadcast have done nothing wrong now or in the past. They merely forgot to bring their papers. Another worrying factor regarding the police's use of SSN's is the possibility of mistakes in reports. For example, just today I heard an officer give a name and date of birth for someone he was investigating. The dispatcher matched the date of birth with a driver's license (I can't remember if it was local or not) and warrant. She read the physical description to the officer. The officer proceeded to say he wasn't sure that was the right information. All the dispatcher did in response to this was to tell the officer that the record she was looking at had several other aliases and "did he want the soc. for him". The officer took the SSN (as well as myself) and proceeded with his investigation. For a number that is not to be used to identify a person it certainly seems that the Phoenix Police Department (and I assume all others) have a different opinion of what that means. Does anyone know if this kind of usage is legal, and does the fact that it is being broadcasted (instead of sent directly to the officer's data terminal in the car) make the situation any different? Sheeple Sheeple everywhere. ------------------------------ From: David M Kennedy Date: 05 Mar 1996 17:05:51 -0500 Subject: CIA & NSA Run Anonymous Remailers [DMK: I don't know what an spj-l is; I'm crossposting from a military list. I'm a fed of sorts and don't have a problem with the contents below, but neither do I believe them. It should stir the pot up in CPD though.] From: owner-spj-l To: Multiple recipients of list SPJ-L Subject: CIA & NSA run remailers (fwd) Date: Monday, March 04, 1996 3:32PM I attended last weeks "Information, National Policies, and International Infrastructure" Symposium at Harvard Law School, organized by the Global Information Infrastructure Commission, the Kennedy School and the Institute for Information Technology Law & Policy of Harvard Law School. During the presentation by Paul Strassmann, National Defense University and William Marlow, Science Applications International Corporation, entitled "Anonymous Remailers as Risk-Free International Infoterrorists" the questions was raised from audience (Professor Chaarles Nesson, Harvard LAw School) - in a rather extended debate - whether the CIA and similar government agencies are involved in running anonymous remailers as this would be a perfect target to scan possibly illegal messages. Both presenters explicitly acknowledged that a number of anonymous remnailers in the US are run by government agencies scanning traffic. Marlow said that the government runs at least a dozen remailers and that the most popular remailers in France and Germany are run by the respective government agencies in these countries. In addition they mentioned that the NSA has successfully developed systems to break encrypted messages below 1000 bit of key length and strongly suggested to use at least 1024 bit keys. They said that they semselves use 1024 bit keys. I ask Marlos afterwards if these comments were off or on record, he paused then said that he can be quoted. So I thought I pass that on. It seems interesting enough, don't you think? -- Viktor Mayer-Schoenberger Information Law Project Austrian Institute for Legal Policy ------------------------------ From: glr@ripco.com (Glen L. Roberts) Date: 06 Mar 1996 21:24:50 GMT Subject: Re: US Right to Anonymous Publication Organization: Full Disclosure References: bo774@freenet.carleton.ca (Kelly Bert Manning) wrote: While anonymous remailers, usenet and e-mail provide a computer context to this particular discussion the root issues go back centuries, if not millenia, and a wide body of literature exists about them. Discussion of Privacy issues might be improved by building on the work of the many people who have spent a lot of time and energy considering them already. The dabate rages on about anonymousness on the net... But, no one questions the (in many cases forced) anonymousness of talk radio. Call Rush Limbaugh and you can reach a tremendous audience compared to posting on the net... and it is esentially anonymous! Nobody questions that! Why do people argue against anonymous postings/email/.... ------ Links, Downloadable Programs, Catalog, Real Audio & More on Web Full Disclosure [Live] -- Privacy, Surveillance, Technology! (Over 150 weeks on the Air!) The Net Connection -- Listen in Real Audio on the Web! http://pages.ripco.com:8080/~glr/glr.html ------ ------------------------------ From: glr@ripco.com (Glen L. Roberts) Date: 06 Mar 1996 21:25:16 GMT Subject: Re: A Far-Reaching Privacy Bill Organization: Full Disclosure References: Beth Givens wrote: California state senator Steve Peace has introduced a bill, which if it passes, will give consumers a great deal of control over their personal information. The bill reads in part: "No person or corporation may use or distribute for profit any personal information concerning a person without that person's written consent. Such information includes, but is not limited to, an individual's credit history, finances, medical history, purchases, and travel patterns." Is a newspaper that writes an article about someone distributing information about that person for a profit? ------ Links, Downloadable Programs, Catalog, Real Audio & More on Web Full Disclosure [Live] -- Privacy, Surveillance, Technology! (Over 150 weeks on the Air!) The Net Connection -- Listen in Real Audio on the Web! http://pages.ripco.com:8080/~glr/glr.html ------ ------------------------------ From: Chris Kocur Date: 06 Mar 1996 00:47:22 GMT Subject: Re: A Far-Reaching Privacy Bill Organization: JCPenney References: Beth Givens Writes, "No person or corporation may use or distribute for profit any personal information concerning a person without that person's written consent. Such information includes, but is not limited to, an individual's credit history, finances, medical history, purchases, and travel patterns." Glenn Foote wrote: With all due respect, I fail to see how this bill will do very much to protect privacy. In fact, it may do the opposite. Consider; any business has only to place a few sentences in _every_ contract, charge card slip, bank notice, loan or insurance application, etal ... which might read something like: (you) agrees that all information contained herein and/or resulting from any process and procedure hereto, shall become the exclusive property of the provider(me) and hereby provides consent for the use of that information by the provider(me) as they see fit. (you) further hereby provide consent for (me) to access all available commercial information and investigate as may deemed necessary." With that one small change to any document (and you _MUST_ sign, or go elsewhere, and there is _unlikely_ to be an "elsewhere"), they would now have full authority to gather, compile, use, share, AND sell every piece of data about you they could get their hands on. I really hope that someone can tell me that I am wrong. I'm NOT a lawyer, and it only took 60 seconds to come up with the above. I suspect someone who was really devious could much more damage to privacy rights. I wish I could tell you you were wrong, but you nailed it. Actually you came pretty close in the verbage, but some I've had to sign seemed worse. I pretty much gave away the farm when I signed up for health care insurance. As you indicated, not signing wasn't a good option as there weren't any other choices that didn't require a similar release and going without isn't a good option either. What they need to add to the bill is that no entity may require consent in order to transact business with them (with possibly some _well defined_ exceptions). IMO the bill should also require that the consent form be a seperate document and cannot be included as part of any other agreement the person may sign. -- Regards, Chris #include I can do it quick; I can do it well; I can do it cheap -- pick any two. -- Red Adair ckocur@jcpenney.com (work), ckocur@plano.net (home) ------------------------------ From: bo774@freenet.carleton.ca Date: 06 Mar 1996 09:13:15 -0600 (CST) Subject: Re: A Far-Reaching Privacy Bill Organization: University of Wisconsin-Milwaukee John R Levine (johnl@iecc.com) writes: It seems to me that a somewhat more effective approach would be to require that requests for data be accompanied by the specific purpose for which it is to be used, and that other uses require prior written permission. The trick is to make "specific" work, so they can't just use value blanket descriptions again. Quebec deals with this by making personal data non-mandatory. That, in combination with the Canada Currency Act(cash is all you ever have to provide when purchasing something, in the absence of any statutory obligation to register the sale) deals with this. Aren't there laws that override "shrink wrap" clauses? -- notice: by sending advertising/solicitations to this account you will be indicating your consent to paying me $70/hour for a minimum of 2 hours for my time spent dealing with it ------------------------------ From: johnl@iecc.com (John R Levine) Date: 05 Mar 96 21:08 EST Subject: Re: 800 ANI Organization: I.E.C.C., Trumansburg, N.Y. References: I had a debate about all this with someone on comp.dcom.telecom a couple years ago, and the debate ended with him saying that he knows more about telecom than I do, and it's just not technically feasible to implement these features in the telephone network (i.e., ANI blocking option for the caller, and call rejection option for the 800 number owner). All I can say is that, if that's the case, then the telecom industry ought to hire better design engineers. Well, if we were designing the world's telephone system de novo, there's a lot we might do differently. That's why CLID, which is new, has blocking options while ANI, which is much older, doesn't. The problem with suppressing ANI is that the ANI collected on 800 calls is the same ANI collected on normal toll calls that lets telcos compute the phone bills. The same applies for 800 calls -- on my 800 lines, calls from the U.S. are billed at one rate, while calls from Canada are billed at a different rate. Without ANI, the telco can't generate the bill. Do keep in mind that ANI data, unlike CLID, has specific restrictions put on its use, so that the only legal things to do with it are to check the phone bill and look up callers' accounts. You can't do with ANI what CLID is designed for, collecting prospect lists for junk phone calls. I suppose that there might be a billing option that blocks out the last four digits of the phone number or something like that, but with the existing legal rules in place, abuse of ANI data is already considerably less of a problem than abuse of CLID. -- John R. Levine, IECC, POB 640 Trumansburg NY 14886 +1 607 387 6869 johnl@iecc.com "Space aliens are stealing American jobs." - Stanford econ prof ------------------------------ From: cburriss@aol.com (CBurriss) Date: 07 Mar 1996 02:30:26 -0500 Subject: Cordless Phone Security Organization: America Online, Inc. (1-800-827-6364) I realize that cordless phones are not secure in general, but have a question about two different technologies. Panasonic advertises a 'scramble' feature on some of their cordless phones. Does this acutally defeat anyone but the most casual eavesdropper? More importantly, is 900 Mhz acually secure, as some advertisements claim? Just trying to keep my conversations private... ------------------------------ From: bo774@freenet.carleton.ca Date: 06 Mar 1996 09:14:18 -0600 (CST) Subject: Re: BC NDP Membership Leaked Via Internet Organization: University of Wisconsin-Milwaukee The purported membership list of the BC NDP party, currently the governing party in BC, has been released by a disgruntled wannabe leadership candidate. He recieved the document, with names, addresses, and phone numbers, via the internet. The opposition Liberal party, which is expected to win an election later this year, plans to compare the list of members with the names of civil servants hired under the NDP, in addition to reviewing appointments to government bodies. One of the news stories raised the issue of whether something purportedly recieved over the internet from an unnamed source, should be regarded as accurate. There has also been a few news stories lately about parties padding their member lists with names and phone numbers of people who have only spoken to a junk phone caller briefly and who haven't paid a membership fee, signed a membership application, or ever had the intent to become a party member. Brian Gardiner, NDP Provincial Secretary, said that he has "full confidence that our E-mail system hasn't been breached". Well then, why wouldn't access to such a sensitive party asset be audited. Why don't they have a traffic log of this chunk of data being mailed? -- notice: by sending advertising/solicitations to this account you will be indicating your consent to paying me $70/hour for a minimum of 2 hours for my time spent dealing with it ------------------------------ From: Richard Thieme Date: 07 Mar 1996 18:57:53 -0800 Subject: Re: Powerful Engines that Search Usenet Organization: Richard Thieme LifeWorks References: Al Magary wrote: The Wall St. Journal today (3/4/96, p.B1) has an article, "World-Wide Fame Is at Your Fingertips," about the adventure of powerful search engines that search both the Web and Usenet, principally Alta Vista and Open Text: It may be quite a party stunt in Silicon Valley to rate people's social status by how many hits they get in an Alta Vista search (Bill Gates, 60,000; you, zero?), but for those, like myself, who conduct all Internet business under their own name, Alta Vista's archiving of old correspondence is chilling. Al, I did the search and was also taken aback, even though it was a small thing. Things I've written (as in Wired) showed up and that's fine. But I had communicated what I thought was semi-privately within a moderated group and found every post to that group archived and available. I was introducing myself as a speaker and consultant to someone looking for one and spoke highly of my reputation. I was selling, after all. But it took me aback to see what I thought was a communication, say, in a single room to twenty people recorded on a hidden cassette recorder (as it were) and broadcast over world wide radio. Different kinds of speech carry with them implicit assumptions about speaker and listener, norms that felt violated in this case. I queried the group leader to ask why I had not been asked for permission and it had never occurred to him. Live and learn. ------------------------------ From: Stanton McCandlish Date: 05 Mar 1996 13:00:49 -0800 (PST) Subject: EFF Statement on Leahy/Burns/Murray Crypto Bill New "Encrypted Communications Privacy Act" - Enabling Electronic Envelopes ========================================================================== FOR IMMEDIATE RELEASE ELECTRONIC FRONTIER FOUNDATION +1 415 436 9333 ask@eff.org March 5, 1996 http://www.eff.org The Electronic Frontier Foundation (EFF) is encouraged to see Congressional support for lifting restrictions on encryption and affirming privacy rights for U.S. citizens. The bill introduced today by Senators Pat Leahy (D-VT), Patricia Murray (D-WA) and Conrad Burns (R-MT) is an important step in reclaiming privacy and encryption rights for society and business. The bill would legalize wide use of "electronic envelopes" to protect private information. Today this information travels on "electronic postcards" which can easily be altered or intercepted. However, the bill also includes key escrow and obstruction of justice provisions which would cause problems if enacted. "The bill provides a new opportunity to bring reason into the crypto policy debate," said EFF co-founder John Gilmore. "We support the Senators for bringing their energy into the process. The bill is a good start, and with healthy debate and modification, it could become acceptable legislation." Electronic privacy and encryption policy is extremely complex because it intertwines our constitutional rights of free speech, publication, association, and protection from self-incrimination and unreasonable search, with issues of wiretapping, spying, military security, personal privacy, and computer security. This bill would pick a new balance among these competing interests, with long-term impacts on our society and economy. EFF is committed to working with government, industry and public interest organizations to raise the level of understanding and debate in resolving these complex issues. Export Control Liberalization ----------------------------- The Encrypted Communications Privacy bill would make long-overdue changes to the export restrictions currently hampering the deployment of privacy and security "envelopes" for Windows, Unix, the Mac, and the Internet. The bill: * Moves export control of all non-military information security products, incuding encryption, to the Commerce Dept., whose rules protect constitutional rights and reflect market realities. * Requires that no license be required to export generally available mass-market software, public domain software, and computers that include such software. * Requires that export be authorized for non-military encryption software to any country where similar software is exportable from the U.S. to foreign financial institutions. * Requires that export be authorized for encryption hardware if a comparable product is available overseas. The above changes would significantly improve the nation's crypto policy. But they make detailed changes in a very complex section of the law and regulations. There is a significant risk that they will be implemented by the Administration in a different fashion than Congress intended. This happened in 1987, for example, when Congress tried to eliminate NSA meddling with civilian computers by passing the Computer Security Act. It was subverted by a series of Presidential directives and agreements among Executive Branch departments. The result today is that NSA is still in control of domestic security and privacy policy. We would encourage futher deregulation as a simpler, more effective, and far more reliable solution. The bill should simply eliminate all export controls on non-military encryption. Criminalization of Encryption and Encouragement of Key Escrow ------------------------------------------------------------- The following provisions raise serious concerns about the imbalance between the rights of the people and the desires of the goverment. EFF feels that the impact of these provisions must be closely considered, and will work to modify or remove them to better serve the public interest. The bill: * Makes it a new crime to "use encryption to obstruct justice", with 5-10 year sentences, plus fines. In plain language, this is a extra criminal charge that can be applied when police are frustrated in an investigation but happen to catch someone breaking the law in some other way. It's like Adding an extra ten-year jail term if you close your curtains while committing a crime. Americans have the right to protect their own privacy by any nonviolent means, and we expect that encryption will soon be built into all computers, phones, and networks. * Provides a legal infrastructure for key escrow, a system in which all users' keys are copied to permit government access. The Clinton Administration has been pushing key escrow to replace its failed "Clipper chip", out of fear that if Americans have real privacy they will abuse it. These provisions in the bill would encourage people to use the flawed key-copying system. Clarification and Refinement ---------------------------- The are a number of areas of the bill that would benefit from additional debate and clarification. Specifically, where the bill: * Explicitly does not mandate key escrow, but fails to prohibit the Administration from attempting to impose it with regulations. * Outlaws disclosure of others' keys except to the government, with 1-2 year sentences, plus fines, but includes a broad "good faith" exemption for when the government does something illegal or unconstitutional. * Requires disclosure of other peoples' keys to the government, under the same procedures currently used for wiretaps, searches of online records and backup tapes, and fishing expeditions in billing records. The provision does not always require adversary legal process, in which citizens can argue for their privacy before a judge, but instead relies solely on the integrity of prosecutors. * Legalizes the use any encryption "except as provided in this Act...or in any other law". EFF's Proposed Crypto-Privacy Principles ---------------------------------------- EFF's Cryptography and Privacy Policy Principles, which were originally written during the Clipper Chip debate, are the touchstone by which we measure privacy legislation and policy issues: * Private-sector access to encryption technology must not be hindered, either by regulation of what crypto may be used domestically, or by restriction on what may be exported. * Government policy on encryption usage and standards must be set in open forums with proper attention paid to public input. Secret hearings and classified algorithms have no part to play in a democratic process. * Encryption must become part of the "information infrastructure" to protect personal, commercial and governmental privacy and security. Cryptographic tools must not be crippled or weakened for the convenience of government agents, and users must be free to choose what encryption they prefer and whether and to whom they will reveal encryption keys. Law enforcement must obtain court orders, not simply administrative subpoenas to seize keys or decrypt and search encrypted information. * Government policy regarding emerging technologies like encryption must not erode Constitutional protections. In particular, any such policies must be compatible with the rights to freedom of speech, press and association, freedom from coerced self-incrimination, and freedom from unreasonable search and seizure. * Encryption will be built into all next-generation Internet, communications and computer technology. There must be no government policy equating use of encryption with evidence of criminal behavior, nor the creation of any new crime category that holds encryption users liable for making criminal investigation more difficult. * Government at all levels should explore cryptography's potential to replace identity-based or dossier-based systems - such as driver's licenses, credit cards, social security numbers, and passports - with less invasive technology. The Encrypted Communications Privacy bill at this time passes some of these tests, and we are committed to working with industry, government, and public interest organiations to address the remaining issues. Background: EFF and Crypto-Privacy Policy ----------------------------------------- The Electronic Frontier Foundation (EFF) is a nonprofit public interest organization devoted to the protection of online privacy and free expression. EFF was founded in 1990, and is based in San Francisco, California. The International Traffic in Arms Regulations (ITARs), administered by the State Department, and in the background by the National Security Agency, unreasonably treat encryption software and hardware as if they were weapons of war, like rockets and bombs. It has proven very difficult to deploy U.S.-made encryption products in an increasingly important global market due to these regulations, at a time when the need for online security systems for personal and commercial use has never been more keenly felt. EFF has for several years led efforts to fend off governmental attempts to restrict the development and public availability of secure privacy technology. In 1993-4, EFF and other civil liberties organizations successfully opposed implementation of the U.S. Administration's "Clipper" or "Skipjack" system - hardware encryption for voice and data communications in which all encryption keys are held by government for the convenience of law enforcement and intelligence agencies. In 1994, we helped ensure that crypto export became a major legislative topic, laying the groundwork for eventual liberalization of the ITARs. In 1994 and 1995 EFF opposed implementation of and helped defeat funding for the FBI's "Digital Telephony" scheme, in which up to one person on every city block could be simultaneously wiretapped. In 1995, we filed an ongoing federal lawsuit with mathematician Daniel Bernstein, challenging the constitutionality of the export control laws. Online Resources for More Information ------------------------------------- Please see EFF's Internet archives for more details on this and other issues. EFF Privacy & Encryption Archive: http://www.eff.org/pub/Privacy/ EFF Legal Issues & Policy Archive: http://www.eff.org/pub/Legal/ Action Alerts: http://www.eff.org/pub/Alerts/ Topical Index of the EFF Archive: http://www.eff.org/links.html Contact Information ------------------- The Electronic Frontier Foundation 1550 Bryant St., Suite 725 San Francisco CA 94103 USA +1 415 436 9333 (voice) +1 415 436 9993 (fax) Internet: ask@eff.org John Gilmore, Co-founder and Member of the Board gnu@eff.org +1 415 221 6524 ------------------------------ From: "Prof. L. P. Levine" Date: 02 Mar 1996 10:34:30 -0600 (CST) Subject: Info on CPD [unchanged since 11/22/95] Organization: University of Wisconsin-Milwaukee The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply. If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below. On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing. Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors. Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the Subject: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit the text except for purely technical reasons. A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy". People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Web browsers will find it at gopher://gopher.cs.uwm.edu. ---------------------------------+----------------------------------------- Leonard P. Levine | Moderator of: Computer Privacy Digest Professor of Computer Science | and comp.society.privacy University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu | Gopher: gopher.cs.uwm.edu levine@cs.uwm.edu | Web: gopher://gopher.cs.uwm.edu ---------------------------------+----------------------------------------- ------------------------------ End of Computer Privacy Digest V8 #022 ****************************** .