Date: Tue, 12 Mar 96 10:19:53 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V8#023

Computer Privacy Digest     Tue, 12 Mar 96          Volume 8 : Issue: 023

Today's Topics:                          Moderator: Leonard P. Levine

                      Re: A Far-Reaching Privacy Bill
                      CIA & NSA Run Remailers
                      Re: Police (ab?)use of SSN's
                      Re: Powerful Engines that Search Usenet
                      Re: Powerful Engines that Search Usenet
                      Social Security Number Misuse
                      Social Security Number Misuse
                      Congressional Privacy Bill
                      Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: Daniel Veditz
Date: 08 Mar 1996 11:37:23 -0800
Subject: Re: A Far-Reaching Privacy Bill
Organization: Borland International
References:

Beth Givens wrote:

> California state senator Steve Peace has introduced a bill, which if
> it passes, will give consumers a great deal of control over their
> personal information. The bill reads in part:
>
> "No person or corporation may use or distribute for profit any
> personal information concerning a person without that person's
> written consent. Such information includes, but is not limited to, an
> individual's credit history, finances, medical history, purchases, and
> travel patterns."

This will no doubt lead to the additional disclaimer on nearly all
applications and forms: "By signing this form you give us permission to
use your personal data in any way we see fit."

You already usually sign something very similar in doctor's offices if
you are paying with insurance.

-- Dan Veditz

------------------------------

From: "Prof. L. P. Levine"
Date: 09 Mar 1996 07:42:36 -0600 (CST)
Subject: CIA & NSA Run Remailers
Organization: University of Wisconsin-Milwaukee

Taken from RISKS-LIST: Risks-Forum Digest, Friday 8 March 1996,
Volume 17 : Issue 87
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

CIA & NSA Run Remailers

Date: 08 Mar 1996 14:37:14 -0500 (EST)
From: Frank Sudia
Subject: CIA & NSA Run Remailers

I attended last week's ``Information, National Policies, and
International Infrastructure'' Symposium at Harvard Law School, organized
by the Global Information Infrastructure Commission, the Kennedy School,
and the Institute for Information Technology Law & Policy of Harvard Law
School.

During the presentation by Paul Strassmann, National Defense University,
and William Marlow, Science Applications International Corporation,
entitled ``Anonymous Remailers as Risk-Free International
Infoterrorists'', the question was raised from the audience (Professor
Charles Nesson, Harvard Law School) -- in a rather extended debate --
whether the CIA and similar government agencies are involved in running
anonymous remailers, as this would be a perfect target to scan possibly
illegal messages.

Both presenters explicitly acknowledged that a number of anonymous
remailers in the US are run by government agencies scanning traffic.
Marlow said that the government runs at least a dozen remailers and that
the most popular remailers in France and Germany are run by the
respective government agencies in these countries.

In addition, they mentioned that the NSA has successfully developed
systems to break encrypted messages with less than 1000-bit [public]
keys and strongly suggested using at least 1024-bit keys. They said that
they themselves use 1024-bit keys.

I asked Marlow afterwards whether these comments were off or on the
record; he paused, then said that he can be quoted. So I thought I'd pass
that on. It seems interesting enough, don't you think?

Viktor Mayer-Schoenberger, Information Law Project, Austrian Institute
for Legal Policy

[Lightly edited for RISKS. By the way, don't forget that if you can
monitor and compare the incoming and outgoing mail from an anonymous
remailer, ``anonymous'' identities can be compromised. Beware of
anonymity-bearing gifts. Also, see Matt Blaze's contribution on key
lengths for symmetric crypto in RISKS-17.69. PGN]

------------------------------

From: softwa19@us.net (Charles R. Smith)
Date: 10 Mar 1996 17:46:20 GMT
Subject: Re: Police (ab?)use of SSN's
Organization: US Net, Incorporated
References:

Aaron Zaugg wrote:

> I recently bought myself a scanner to eavesdrop on just what sort of
> tasks the police in my area keep themselves busy with. I've become
> quite alarmed however at the amount of personal information that is
> broadcast over their frequencies. Most alarming is the constant
> barrage of social security numbers that I pick up. In most cases,
> officers at a traffic stop or investigation will use driver's license
> number to do their NCIC and PACE searches. In some cases that number
> is identical to their SSN (DL numbers that are not SSN's begin with a
> [...]

National Crime Information Center - (Much like the Internet but for law
enforcement only)

NCIC is a nationwide network of computers made up of local, state and
federal systems. This system is tied to DMV information in all 50
states, holding plate, driver, Vehicle ID number and other auto related
data. It is also tied to the FBI crime information center which contains
wanted information and all criminal histories. It has access to all boat
registration, plane registration and firearms registrations. Other users
of NCIC information are the IRS, CIA, NSA, BATF, and most state welfare
and taxation agencies.

NCIC has been used by an Arizona law enforcement official to find his
ex-girlfriend and kill her. NCIC assisted a drug gang in Pennsylvania in
identifying narcotics agents. NCIC has been used by Private Detectives
to obtain information for political purposes.

Most NCIC data is available only through special terminals and passwords
hooked up to this private network. However, even after data is
transmitted over a secure network, local dispatchers pass this data to
front line officers over open radio systems. This fault has been used
here in Virginia to obtain clean names and SSNs for criminals to buy
guns.

Some agencies with NCIC computers also have connections to the Internet,
leaving them open for possible hacker attack. I fought what seemed like
an endless battle with state officials here in Virginia in 1994 to NOT
hook any NCIC systems or data to the Net. Although the natural
inclination was to join the crowd, I was finally able to convince them
that doing so was a risk not worth taking. This was done during the
State mandated Internet study when I questioned Maryland Officials about
security. They admitted that their SAILOR (a public Internet connection)
system had been used to penetrate the computers of a U.S. nuclear power
plant.

In November, 1993, a local couple was murdered in their home in what was
discovered later to be a drug related crime. The police were able to
catch the killers because they found the couple's stolen car outside an
apartment complex. However, during the stake-out, the police used their
radio for a NCIC inquiry. A local TV station overheard the call and put
their live TV broadcast van on the spot in minutes. The police were able
to catch the two killers while dodging the TV reporters. Fortunately, no
one was killed.

Ten days later I demonstrated to Commander Lew Moore, head of
Communications for Chesterfield County Police, my on-line ciphering
software. I demonstrated secure data, graphics and VOC (voice) file
transfer, and playback, noting the fact that he had 100 cellular phones
and 30 laptops already available. I even pointed out proudly that it
could be used with packet radio modems easily adapted to his radios. I
even offered to let them have the software for free. His response...
"Well, that's nice but I really don't know what we would use it for."

SOURCES:

NCIC details of operation, disclaimer, size and on-line agencies:
  NCIC Users Manual - FBI, J. Edgar Hoover Bld., Washington, D.C.

NCIC abuses:
  John P. McPartlin, "GAO: FBI BREACH IS AN INSIDE JOB", Information
  Week, Sept. 9th, 1993
  Winn Schwartau, "INFORMATION WARFARE", Thunder's Mouth Press, 1994,
  ISBN 1-56025-080-1

Use of SAILOR to penetrate US nuclear reactor computer:
  Barbara G. Smith, Manager, Maryland State Library SAILOR Internet
  Project. VA INTERNET STUDY COMMITTEE MEETING, August 25, 1994, Summary
  of Minutes (Call Va. Dept of Information Technology for complete
  minutes at 804-344-5550)

--
1 if by land, 2 if by sea. Paul Revere - encryption 1775.
Charles R. Smith
SOFTWAR - Richmond, VA
http://www.ultimate.org/2292/

------------------------------

From: wb8foz@netcom.com (David Lesher)
Date: 10 Mar 1996 15:27:45 GMT
Subject: Re: Powerful Engines that Search Usenet
Organization: NRK Clinic for habitual NetNews Abusers - Beltway Annex
References:

Richard Thieme writes:

> But I had communicated what I thought was semi-privately within a
> moderated group and found every post to that group archived and
> available.
> [...]
> But it took me aback to see what I thought was a communication, say,
> in a single room to twenty people recorded on a hidden cassette
> recorder (as it were) and broadcast over world wide radio.

You POSTED something, & expected it to be private? Methinks you need to
relearn some basic lessons re: Usenet. Its total purpose is to make
public your statements. If you wanted to say something privately ---
why did you not email the desired recipient?

--
A host is a host from coast to coast.................wb8foz@nrk.com
& no one will talk to a host that's close...........(v)301 56 LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead........vr vr vr vr.................20915-1433

------------------------------

From: bodafu@CAM.ORG (David L. Bergart)
Date: 11 Mar 1996 19:41:10 GMT
Subject: Re: Powerful Engines that Search Usenet
Organization: Communications Accessibles Montreal, Quebec, Canada
References:

magary@news-e2c.gnn.com (Al Magary) wrote:

> but for those, like myself, who conduct all Internet business under
> their own name, Alta Vista's archiving of old correspondence is
> chilling.

Were you not aware that Usenet is a public forum? What's the difference
between *anyone* being able to see your posting today, and anyone being
able to see it in a few months? How is this chilling? If you want
privacy, there are established methods.

The chilling part for me is that I can post "I agree, let's do it" in
response to the question "Does anyone here in comp.lang.c want to
develop a new C compiler?", and then someone else can cross post a reply
to alt.pedophilia.drool and make it look like I'm agreeing to something
completely different in a newsgroup I've never read or posted to. A
sophisticated user would catch the misrepresentation, but the naive guy
who's thinking of hiring me, and who does a search for my name on
DejaNews, won't understand.

--
____D__a__v__i__d_____B__e__r__g__a__r__t___________________________________
bodafu@cam.org

------------------------------

From: crissiet@ix.netcom.com (SETH SKLAREY)
Date: 12 Mar 1996 03:24:38 -0800
Subject: Social Security Number Misuse
To: Chris Hibbert

I was very impressed with your overview of the mis-use of social
security number requests.

Here in Florida they put it into the driver license records (which are
public records & open to everyone), and it was used as a mortgage
broker's license number (since changed; the man I spoke to at the State
Comptroller's office who issues mortgage broker's licenses was very
aware of the topic, and they have since changed their policy).

However, contractors who go to pull permits in the Miami, Florida area
are required to provide it, and it is required by state law (which I
think is unconstitutional and conflicts with federal law and which I
want to challenge) when renewing occupational licenses. They also
require FEIN's for occupational licenses if the business is a
corporation, but I don't know of any prohibition against this although
there should be for the same obvious reasons.

When I approached the ACLU about filing a suit 2 years ago they said I
would not prevail. However, lately they seem more receptive.

The question is WHAT IS THE FEDERAL PENALTY if a GOVERNMENTAL agency
refuses to issue a license or permit if you refuse to give your number?

Also, if you open a bank account, like a checking account that does not
pay interest, do you still have to give the number?

The last time I requested new phone service the local phone co.
(BellSouth) asked for the number, but backed down when I refused, but
they said their policy is to require a possibly higher deposit from
those individuals.

Any further information you run across on this subject will be
appreciated and I will likewise forward any to you.

I am also considering filing suit against credit reporting agencies and
check verification companies to force them to remove my social security
number from their records under the Florida Right to Privacy Amendment
in the Fla Constitution.

--
SETH SKLAREY
crissiet@ix.netcom.com

------------------------------

From: anonymous
Date: 10 Mar 1996 21:03:25 -0600
Subject: Social Security Number Misuse

[moderator: this user requested anonymity, I am posting this under my
own userid.]

I remember a discussion back when I was sitting in Administrative Law
class some years ago to the effect that, technically, the SSN
authorizing legislation prohibits the use of SSNs for ANY purpose,
including driver's licenses. If I remember correctly, that's still on
the books, though widely disregarded.

I got onto this issue a few years back when UNIPAC started allowing
"dial-up student loan account access". They allow you to call in and get
your current balance and payment record via a phone system, using your
SSN as your account number. I went a few dozen rounds with UNIPAC over
this--I found it disturbing that anyone who had my SSN could essentially
do an unauthorized credit check on me--and eventually forced them to
change my account number after threatening to sue. The policy as a
whole, I believe, is still in place.

I encourage you to stick with this, though. MY SSN, for example, is also
my driver's license number, my university employee number, student loan
account number, and, as of recently, my local "business registration"
number. The potential for abuse is outrageous . . . and maybe the CPD is
a way to bring this issue to light.

I assume the student loan information is what you are most interested
in. After the normal routine of going through numerous representatives
and supervisors several times to finally get a pledge of action, my
student loans were sold about two weeks ago to Sallie Mae. As of the
time of sale, they hadn't actually done anything about the account
password, so I'm a little curious as to whether there was any
connection. (This is, by the way, the fourth time this has happened in
four years, every time resulting in new structuring, new payment books
and the inevitable several months of correcting mailing addresses. Their
administrative nightmares are stories for another list though . . .). I
have already contacted Sallie Mae and asked for the brochures on their
version of the dial-in account maintenance program, but have yet to
receive them. Fortunately, I kept copies of all the letters written to
UNIPAC . . . Sallie Mae could also, I notice from the fine print, turn
around and grant maintenance of the account back to UNIPAC . . . This
adventure is far from over.

Also, I will be opening a domain of my own in the next month, and
hosting a variety of Web sites. One of the sites I'm putting together is
an activist-oriented site: concise summaries of selected issues of
public concern, links to the five to ten top sites on that subject
(enough to provide a full, but not overly biased, overview) and finally
links at the end of each page for emailing or otherwise contacting
appropriate governmental officials to request action. I'd love to
dedicate a page to the issue of the legality of the use of SSNs as
identification #s. If you come across material addressing this issue, or
generate any that is available or could be made available via the Web,
please don't hesitate to forward it.

I've also forwarded the copy of the RRE mailing with your recent message
to a number of net lawyers, and should I get anything useful from them
in re the original authorizing legislation, I'll pass it along (I am,
BTW, a lawyer by training but Webmaster by profession--hence the
interest in putting together such a site in the first place).

And finally, I follow your newsgroup on a sporadic basis (as much as I
can follow any of them anymore) and appreciate your work.

------------------------------

From: softwa19@us.net (Charles R. Smith)
Date: 08 Mar 1996 02:13:13 GMT
Subject: Congressional Privacy Bill
Organization: US Net, Incorporated

The following commentary was written by the editor of the Richmond
Times-Dispatch. It was published on page A16 in today's (March 7, 1996)
edition of the Richmond Times-Dispatch. It is used with permission.

****************************************************************

Good For Goodlatte

Privacy, as Americans once knew it, probably is forever gone. Now that
most records are kept in computers instead of written files, there
simply is no way to protect them from prying eyes. Want to lie awake
nights? Consider how many clerks (how many of them minimum-wagers?) can
peruse your bank account, your health insurance claims, your driving
record, your tax returns, even your personnel file.

Yet, instead of trying to protect citizens from such intrusion, federal
law enforcement agencies want to gain greater - indeed ensured - access
to all electronic communications. How? By preventing the sale of any
encryption software (which allows computer users to encode data so
others can't decipher it) unless the government is provided the key to
unscramble it.

The FBI argues that it will be handicapped in fighting crime without the
capacity to so monitor all computer exchanges - and perhaps it will be.
But law enforcement also is hampered because police officers aren't
given keys to every home and the freedom to enter at will. Would the FBI
suggest changing that?

Thank goodness for Bob Goodlatte. This week Virginia's 6th District
Congressman introduced his Security and Freedom through Encryption
(SAFE) Act, which would give Americans the freedom to use any encryption
device they choose - not merely those accessible at will by government
snoops. It is good, thoughtful legislation that his colleagues should
support.

Goodlatte's bill ought to be unnecessary. In better days, such
government surveillance would have been unthinkable. Far from being
pressured to forfeit their rights for the pie-crust promise of reducing
crime, early Americans were warned against doing so. "They that give up
essential liberty to obtain a little temporary safety deserve neither
liberty nor safety." Modern Americans would do well to remember those
words by Ben Franklin. Happily, Bob Goodlatte has.

****************************************************************

--
"1 if by land, 2 if by sea." Paul Revere - encryption 1775
Charlie Smith
SOFTWAR
Richmond, VA
http://www.ultimate.org/2292/

------------------------------

From: "Prof. L. P. Levine"
Date: 02 Mar 1996 10:34:30 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail.
Those who understand the technology also understand the ease of forgery
in this very free medium. Statements, therefore, should be taken with a
grain of salt and it should be clear that the actual contributor might
not be the person whose email address is posted at the top. Any user who
openly wishes to post anonymously should inform the moderator at the
beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution. As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute. If you do
so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with an appropriate,
substantive SUBJECT: line, otherwise they may be ignored. They must be
relevant, sound, in good taste, objective, cogent, coherent, concise,
and nonrepetitious. Diversity is welcome, but not personal attacks. Do
not include entire previous messages in responses to them. Include your
name & legitimate Internet FROM: address, especially from .UUCP and
.BITNET folks. Anonymized mail is not accepted.

All contributions are considered personal comments; usual disclaimers
apply. All reuses of CPD material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy,
publications using CPD material should obtain permission from the
contributors.

Contributions generally are acknowledged within 24 hours of submission.
If selected, they are printed within two or three days. The moderator
reserves the right to delete extraneous quoted material. He may change
the Subject: line of an article in order to make it easier for the
reader to follow a discussion. He will not, however, alter or edit the
text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite. The archives
are in the directory "pub/comp-privacy". People with gopher capability
can most easily access the library at gopher.cs.uwm.edu. Web browsers
will find it at gopher://gopher.cs.uwm.edu.

---------------------------------+-----------------------------------------
Leonard P. Levine                | Moderator of:    Computer Privacy Digest
Professor of Computer Science    |              and comp.society.privacy
University of Wisconsin-Milwaukee| Post:            comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201      | Information:     comp-privacy-request@uwm.edu
                                 | Gopher:          gopher.cs.uwm.edu
levine@cs.uwm.edu                | Web:             gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V8 #023
******************************
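Added editor's example, not part of the digest or of RISKS: a toy model of the moderator's caveat in the "CIA & NSA Run Remailers" item above, that an observer who can compare a remailer's incoming and outgoing mail can re-link "anonymous" messages to their senders. The code contrasts a remailer that only strips the From: header and forwards at once with a threshold mix that holds messages and releases them in a permuted batch (the Chaum-style mitigation). Every name, address and message below is constructed for the demonstration; the `order_correlation` observer, the `threshold_mix` policy and the sample traffic are this example's own assumptions, not anything the symposium speakers or any real remailer described.

```python
"""Toy demonstration of remailer linkability and threshold mixing.

Added example; all traffic and names are constructed. The observer
modelled here is purely passive: it sees message order on both sides of
the remailer and nothing else.
"""
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Message:
    sender: str      # From: as visible on the inbound side of the remailer
    recipient: str   # To: as visible on the outbound side
    body: str


def strip_sender(msg: Message) -> Message:
    """What a minimal remailer does: remove the identifying header only."""
    return replace(msg, sender="anonymous")


def immediate_remailer(inbound):
    """Forward each message as soon as it arrives: outbound order equals
    inbound order, so header stripping buys nothing against a watcher."""
    return [strip_sender(m) for m in inbound]


def threshold_mix(inbound, threshold, permute):
    """Hold messages until `threshold` have arrived, then release the whole
    batch in a permuted order. `permute` is any in-place reorder function
    (random.Random(seed).shuffle in practice). Messages in an unfilled
    batch stay pending rather than leaking their position."""
    delivered, batch = [], []
    for m in inbound:
        batch.append(strip_sender(m))
        if len(batch) == threshold:
            permute(batch)
            delivered.extend(batch)
            batch = []
    return delivered, batch


def order_correlation(inbound, outbound):
    """Passive observer's best naive guess: the i-th message in is the
    i-th message out. Returns the fraction of sender->recipient links it
    gets right. Assumes each sender writes to a distinct recipient, so a
    recipient match is the same as a link match."""
    correct = sum(1 for a, b in zip(inbound, outbound)
                  if a.recipient == b.recipient)
    return correct / len(outbound)


def sample_traffic(n=64):
    """Constructed traffic: user00 -> dest00, user01 -> dest01, ..."""
    return [Message(f"user{i:02d}", f"dest{i:02d}", f"constructed body {i}")
            for i in range(n)]


def demo(seed=1, threshold=8):
    """Run both policies on the same traffic and report linkability."""
    traffic = sample_traffic()
    plain = immediate_remailer(traffic)
    mixed, pending = threshold_mix(traffic, threshold,
                                   random.Random(seed).shuffle)
    return {
        "immediate": order_correlation(traffic, plain),  # always 1.0
        "mixed": order_correlation(traffic, mixed),      # about 1/threshold
        "pending": len(pending),
    }


if __name__ == "__main__":
    print(demo())
```

With the immediate policy the observer links every message (1.0); with a threshold of 8 the order guess is right only about one time in eight, and the larger the batch the weaker the guess. Real mixes also pad messages to a uniform size and chain several independently operated hops, because reordering alone leaves size and content as correlators. None of this helps against the case the RISKS item is actually about: the remailer's own operator sees both sides in the clear, which is why the sensible response to an unknown remailer is end-to-end encryption to the final recipient and distrust of any single hop.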