Date: Wed, 19 Jun 96 18:37:41 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V8#049

Computer Privacy Digest      Wed, 19 Jun 96      Volume 8 : Issue: 049

Today's Topics:                          Moderator: Leonard P. Levine

                 Your Views Sought on Workplace Privacy
                           Keystroke Recorders
                   Re: New Chip Renews Privacy Debate
                   Re: New Chip Renews Privacy Debate
                   Re: New Chip Renews Privacy Debate
                             Re: Net Finders
              Re: Air Force Sergeant Jailed in e-Mail Case
                            eMail and Privacy
                 Privacy while Downloading from Newsgroup
                              US Export Law
                  Marketing on the Information Highway
                 Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: "John H. Cushman Jr."
Date: 17 Jun 1996 13:21:55 -0400
Subject: Your Views Sought on Workplace Privacy
Organization: The New York Times

For an article in the New York Times, I am interested in hearing from
people about their experiences with computer privacy issues in the
workplace.

I am *not* interested in e-mail privacy (we handled that in a separate
article).  I *am* interested in whether your employer has a policy about
appropriate use of the computer, whether your use is monitored, whether
there is informed consent, whether you are wasting your time at work,
whether this is stealing from the employer... that kind of stuff.  What
are the software considerations?

Pointers to other resources gratefully accepted.

Thanks for the help... I only have a few days.

Please reply to me, not to the list.  Reply to

Thanks,
Jack Cushman

------------------------------

From: Devin
Date: 17 Jun 1996 16:55:45 -0400 (EDT)
Subject: Keystroke Recorders

In a recent issue a poster spoke of getting a junk e-mail selling a disk
of key recorders.  The question of whether this is legal for employers to
use remains to be answered.
I would assume these for the most part would be legal in a company
environment to ensure employees didn't play games on company time, but
where do we draw the line?  The same employer could also snoop into your
e-mail.

The original poster said he would send the info and address to any
interested parties; however, when I contacted him he knew nothing of his
post.  If anyone else received this information, would you please e-mail
the company's address so that I may investigate this further.

Thanking you in advance.

--
Devin Knight
Nystar Corp.
$ @%%%%%$=Devin $

------------------------------

From: eichin@kitten.gen.ma.us (Mark W. Eichin)
Date: 17 Jun 1996 23:04:43 -0400
Subject: Re: New Chip Renews Privacy Debate
References:

As for Japan's constitution, I wonder what it really says.  It is
certainly possible that it forbids wiretapping, but I'd bet that it only
means "domestically"...  I don't know how they interpret "any means of
communication" in this context, but you can look up the full text at

    http://www.ntt.jp/japan/constitution/english-Constitution.html

(there are Japanese versions near there as well...)

    ARTICLE 21: Freedom of assembly and association as well as speech,
    press and all other forms of expression are guaranteed.

    2) No censorship shall be maintained, nor shall the secrecy of any
    means of communication be violated.

------------------------------

From: Jay@krusty.gtri.gatech.edu (Jay Harrell)
Date: 18 Jun 1996 13:10:23 -0500
Subject: Re: New Chip Renews Privacy Debate
Organization: Georgia Tech Research Institute
References:

bernie@fantasyfarm.com (Bernie Cosell) wrote:

    Oh, but were we talking about exports?  Do you really believe that
    crypto-technology is the *ONLY* one which cannot flourish in the US
    unless it has an export market, too?  ...
    In fact, things are more subtle: as far as I know, US telephone
    equipment doesn't work elsewhere in the world; (more examples) None
    of that seems to hurt the market for domestic electronic doodads
    [and indeed, foreign manufacturers make useless-to-their-market
    stuff *just* so they can export stuff to *US*!]

Perhaps things are one step more subtle than Mr. Cosell realizes.  Most
of the products on the domestic electronics market, even the ones built
by US companies, are manufactured overseas.  This arrangement isn't
possible for a US company with products using encryption technology
because of the export restrictions.  In theory the manufacturing jobs
could be moved back to the US, but in practice what happens is that the
US engineering jobs are eliminated in favor of doing the engineering
somewhere without the export restrictions.  It isn't simply that there
is a huge overseas market for encryption, but the prohibition on export
_is_ harmful to the industry within the US.

    Let me speculate on what is really going on here [and has been going
    on *consistently* throughout the massive misinformation and
    propaganda campaign the crypto-export folk have been mounting over
    the last while].  US citizens are free to encrypt anything they wish
    however they wish.

This isn't really true.  US citizens are free to use encryption only as
long as they are on US soil when they encrypt and on US soil when they
decrypt.  A US citizen cannot encrypt the files on their laptop, travel
overseas with that laptop and software and decrypt those same files.
This isn't misinformation, just a fact.

    Where the market is, I suspect, is in multi-national corporations.
    That's where the *big* bucks are.

Exactly, so why should we continue keeping US companies away from that
market?  And if we allow some US companies to get rich in that market,
some of the technology they develop will eventually make its way into
consumer goods as well.  Then we all will be able to afford good
encryption.
    only thing that'll change is that RSA Inc and a few other
    crypto-producers will get very very rich.  A noble cause to be sure,
    so keep thumping that drum!!!

I will always fight for the opportunity for US engineers to get rich,
even if those engineers don't happen to be me.  It's bad enough we
export our low-paying jobs; we don't need to export our high-paying jobs
too.

--
Jay Harrell
Atlanta Georgia

------------------------------

From: bgold@platinum.com (Barry Gold)
Date: 19 Jun 1996 14:53:12 -0700
Subject: Re: New Chip Renews Privacy Debate

I think Bernie Cosell is missing the point.  Yes, US Citizens can get
strong encryption -- triple DES, IDEA, RSA, and PGP.  In many cases they
can get them for free.  (PGP is freeware for non-commercial use.)

But those products aren't very convenient, and they aren't integrated
into other tools.  If I want to send an encrypted message, I must put
the message into a file, encrypt the file, make sure it's in ASCII
format, and include the resulting encrypted file in my mail.  If I
receive an encrypted and/or signed message, I must save it to a file and
decrypt and/or signature-check the file.

This is only moderately inconvenient for me, an experienced Unix user.
At that, it means that I don't _routinely_ encrypt messages to other
people, even if I happen to know their public keys.(1)

But for a relatively naive user of a PC, this will probably mean they
never use encryption products at all.  Having to go into a DOS shell,
then figure out how to include the encrypted result in their message...
Windows sells so well because most people don't want to have to deal
with all that stuff!  And if they _do_ all that stuff, the result likely
will be a mess that can only be handled by MIME-compatible mail agents.
Based on the mail I receive from Eudora users, it looks like the default
is to send any included file in base-64 format (instead of just
including the ASCII in show-ascii format).
The only way that _convenient_ tools for encrypted mail will get
developed is if there's a sufficiently large (or sufficiently rich)
market for them.  So, yes, it's a marketing ploy by RSA.  An important
one for those of us who want to see encryption used routinely.  Public
Key Partners/Viacrypt want to be able to sell to multinational
corporations, who won't buy unless they can use the _same_ product in US
and foreign locations, freely carry it around in their laptops, etc.

So I want to see RSA (and other crypto manufacturers) win this one
because I want to see those products being sold -- cheap -- in every
computer store.  At first there will be expensive ones for use by
multinationals.  Then medium-sized businesses will want it so they can
use the internet to compete with their multinational rivals.  Then
smaller businesses... and eventually(2) it will be convenient enough for
the home user.

This applies even more strongly to voice telephony.  Scrambling voice
(etc.) in real time practically demands a specialized hardware component
in or directly connected with the telephone.  Such units won't become
cheap and easy to use _until_ they can be sold to the people with the
largest economic need for protection against industrial espionage -- the
large multinationals.  Then their customers and suppliers will need
them, and eventually we'll see scramblers for your home phone(3) for
prices competitive with an answering machine.

    And what's best and cutest, is that if this campaign succeeds [as it
    might well], then there will be *nothing* that will have changed for
    US citizens.  We will be no more secure or 'private' than we were...

Except that we'll be able to buy reasonably priced, _convenient_, _fast_
crypto devices instead of command-line based freeware programs.

(1) And it's _important_ that messages be routinely encrypted.  That
way, any eavesdroppers can't just devote their resources to the
encrypted messages on the theory that those are the ones that matter.
If only "significant" messages are encrypted, eavesdroppers can do
traffic analysis on them, if nothing else.  Also, the inevitable march
of increased CPU power means that today's "securely" encrypted messages
will eventually become readable.  If only "significant" messages are
encrypted, eavesdroppers will just brute-force them all as soon as
computing power becomes cheap enough.  If _routine_ messages are
encrypted, it will be expensive to brute-force the messages and we will
gain a few more years before it becomes practical to break _every_
message ever archived.

(2) 2-3 years, based on the recent history of software cycles.

(3) or your cordless or cellular phone, where encryption is even more
important given the problem of routine eavesdropping on the airwaves.

------------------------------

From: glr@ripco.com (Glen L. Roberts)
Date: 18 Jun 1996 13:49:06 GMT
Subject: Re: Net Finders
Organization: Full Disclosure
References:

Hugh Giblin wrote:

    One of the "net finders" IAF picked up my email address from guess
    where?  Ironies of ironies, yep, the Computer Privacy Digest.  Is
    there no place sacred in this world for privacy?

We maintain a database of people who don't want junk email, and offer to
clean others' lists for free.

    http://pages.ripco.com:8080/~glr/nojunk.html

I don't suppose we'll have any luck getting places like IAF to clean
their database...

--
Links to Rogue Web Sites: http://pages.ripco.com:8080/~glr/rogue
The Bastard PR Firm -- Censor the Net Now:
http://pages.ripco.com:8080/~glr/bastard.html

------------------------------

From: jhlawton@cs.unh.edu (James H. Lawton)
Date: 18 Jun 1996 15:29:21 GMT
Subject: Re: Air Force Sergeant Jailed in e-Mail Case
Organization: Computer Science Department, University of New Hampshire
References:

    [Note from Matthew Gaylor: . . .
    As a result, an Air Force master sergeant will spend the next three
    months in jail for using his office computer to exchange sexually
    explicit stories, jokes and comments with other consenting adults.

hermit@cats.UCSC.EDU (William R. Ward) writes:

    Well one peculiarity with the military is that it's a 24-hour-a-day
    job.  You get time off, but you are still using your employer's
    facilities.  I think that what you do in your free time should to a
    certain extent entitle you to some privacy; i.e. the master sergeant
    should be punished badly for doing that stuff on duty, but off duty
    I think the restrictions should be lessened.

The point here is the use of government equipment, not when it was done.
All DoD computers are required to display the following:

                      * * * * W A R N I N G * * * *

    DOD COMPUTER SYSTEMS ARE PROVIDED FOR THE PROCESSING OF OFFICIAL
    U.S. GOVERNMENT INFORMATION ONLY.  USE OF THIS SYSTEM IS RESTRICTED
    TO AUTHORIZED USERS.  SYSTEM WILL BE MONITORED TO ENSURE INFORMATION
    SECURITY, SYSTEM INTEGRITY, AND THE LIMITATION OF USE TO OFFICIAL
    PURPOSES.  THE USE OF DOD COMPUTER SYSTEMS CONSTITUTES CONSENT TO
    MONITORING AS AN INTEGRAL PART OF SYSTEM MANAGEMENT.  INFORMATION
    DERIVED FROM SYSTEM MONITORING MAY BE USED AS A BASIS FOR
    ADMINISTRATIVE, DISCIPLINARY, OR CRIMINAL PROCEEDINGS.  IF YOU DO
    NOT CONSENT TO CONTINUED MONITORING OR ARE NOT AN AUTHORIZED USER OF
    THIS SYSTEM, EXIT THIS SYSTEM NOW.

          * * * * YOUR USE OF THIS SYSTEM IS BEING MONITORED * * * *

The basic rule is: if it's not government business, you can't do it on a
government computer.  There is very little grey area.

--
=====================================================================
James H. Lawton                                  jhlawton@cs.unh.edu
  "When the first link of the chain is forged, the first speech
   censured, the first thought forbidden, the first freedom denied,
   it chains us all irrevocably"
=====================================================================

------------------------------

From: "Prof. L. P. Levine"
Date: 18 Jun 1996 14:07:20 -0500 (CDT)
Subject: eMail and Privacy
Organization: University of Wisconsin-Milwaukee

Recently the Media has discovered that e-Mail is less private than a
postcard.  They have been shocked to note that not only is the
transmission of electronic messages all done in the clear and
searchable by anyone on the appropriate backbone, but even worse, the
system generally used by most people is owned by their employer.  The
business ethics at most establishments are such that managers have no
qualms about reading employee e-Mail, even as they have no problems
listening in on the business phone.

Regular readers here are not shocked or surprised and have examined
various legislative approaches to the problem.  These are all good ideas
and efforts should continue.  However, I want to talk here about a
technical solution that is well within reach of any well connected
network citizen.

I will address two products that are now both free and freely
available, although other solutions with modest cost may well be a
better approach for others.  I am not endorsing the products but use
them only as examples.

One is called PGPn123 and is available by contacting alpha1@znet.com .
That product is used in conjunction with PGP (Pretty Good Privacy) and
easily allows any window product on a PC to decrypt, encrypt and sign
documents as well as to maintain the public and private keysets.  It
offers nothing for the PGP user except for ease of use and makes
encryption a snap (well actually a click :-)).

The other product is a free e-Mail service offered by a company who can
be contacted via their URL at http://www.juno.com or via e-Mail at
president@juno.com .  The cost of the e-Mail service, they claim, is
borne by advertisers who present a small 1x3 advertising graphic while
the program is running.  They require that you fill out a questionnaire
when you subscribe allowing you to present yourself as whatever sort of
consumer you feel is appropriate.
They do not offer any other internet access except this e-Mail
capability but what they do offer works.  Once per day I make a local
call which picks up whatever is in my out-box and delivers whatever they
have waiting.  It is not interactive and ties up my phone for a minute
or two.

Neither of these products is needed.  PGP works just fine but many folks
find it hard to use; its command line approach differs strongly from
the point and click nature of the systems many use.  E-Mail is available
from other sources.  Here in Milwaukee a service called Omnifest
(omnifest.uwm.edu) costs $25.00/year and I am sure other places have
inexpensive service available too.

My point is this: With services like the two described above I now
regularly get and send public passkeys, put them on my PGP keyring, use
the editor supplied by Juno to write e-Mail, click to the PGPn123
encrypter, encrypt the e-Mail for the reader I am corresponding with and
e-Mail off the encrypted message.  The folks at Juno know who I am
writing to but not what I say.  All clear material is contained in my
home computer; no one sees the passwords or keyrings.

Similarly, people who wish to correspond in private with me send me
their public keys, get mine, and my boss and my government know nothing
about my illicit affairs or what I think of my Governor, President or
present employer.  There is no reason to assume that all of my e-Mail
comes from where I work any more than that all of my regular e-Mail
comes from that place or that my only phone is in the office.

I am the Moderator of CPD but I sign myself len_levine@juno.com here.

------------------------------

From: beardawg@usa.pipeline.com ()
Date: 18 Jun 1996 22:36:56 GMT
Subject: Privacy while Downloading from Newsgroup
Organization: PSINet/Pipeline USA

Let me admit right upfront - I'm a newbie.  That said - Who, other than
my ISP, has access to what I may be downloading from the newsgroups?
I know about "cookies" on the web, but I haven't read anything about
downloading privacy.  If indeed it is not private, then is there
anonymous download software available?

Any info is appreciated.

--
beardawg
"be true to yourself, no one else will be"

------------------------------

From: "Glenn Benson"
Date: 19 Jun 1996 15:40:05 +0200
Subject: US Export Law
Organization: Siemens AG, Neu_Perlach-Munich-Germany-Europe.

I am trying to understand US export law and its motivations.  It is
fairly easy to locate the wording of US law but I am having some trouble
identifying its intention.

Is the law really intended to prevent non-US residents from obtaining
access to high-grade cryptography?  Is the law's intention to control
domestic use of cryptography?  Does the government have an official
position defining intent?

What is the current status of US-implemented applications that invoke a
cryptography API, e.g., Microsoft's CryptoAPI?  Can these applications
be exported?

--
Glenn.Benson@zfe.siemens.de
+49 89 636 50 583

------------------------------

From: Rose M Daitsman
Date: 19 Jun 1996 11:48:37 -0500 (CDT)
Subject: Marketing on the Information Highway

New tools for marketing products are ready for sale.  However, the price
of the convenience of renting videos by computer and making purchases of
clothing, appliances, etc. via TV is a serious loss of privacy.

The insidious aspect of this is that people will voluntarily accept
opening their lives, habits, idiosyncrasies, tastes, needs to the
marketers who will no doubt take advantage and manipulate on a
one-to-one basis so that people will not know their own mind.  It will
be difficult to distinguish between one's own reason and will and that
of someone who wants your dollars.

The "information highway" is about to become the parking lot for a
"global mall".  How do we change it?

------------------------------

From: "Prof. L. P. Levine"
Date: 14 Jun 1996 13:19:56 -0500 (CDT)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail.
Those who understand the technology also understand the ease of forgery
in this very free medium.  Statements, therefore, should be taken with a
grain of salt and it should be clear that the actual contributor might
not be the person whose email address is posted at the top.  Any user
who openly wishes to post anonymously should inform the moderator at the
beginning of the posting.  He will comply.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution.  As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.  On the other hand, if you
read the digest eMailed to you, you generally need only use the Reply
feature of your mailer to contribute.  If you do so, it is best to
modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored.  They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious.  Diversity is welcome, but not personal attacks.  Do not
include entire previous messages in responses to them.  Include your
name & legitimate Internet FROM: address, especially from .UUCP and
.BITNET folks.  Anonymized mail is not accepted.  All contributions
considered as personal comments; usual disclaimers apply.
All reuses of CPD material should respect stated copyright notices, and
should cite the sources explicitly; as a courtesy, publications using
CPD material should obtain permission from the contributors.

Contributions generally are acknowledged within 24 hours of submission.
If selected, they are printed within two or three days.  The moderator
reserves the right to delete extraneous quoted material.  He may change
the Subject: line of an article in order to make it easier for the
reader to follow a discussion.  He will not, however, alter or edit the
text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite.  The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.  Web browsers will find it at
gopher://gopher.cs.uwm.edu.

---------------------------------+-----------------------------------------
Leonard P. Levine                | Moderator of:     Computer Privacy Digest
Professor of Computer Science    |                  and comp.society.privacy
University of Wisconsin-Milwaukee| Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201      | Information: comp-privacy-request@uwm.edu
                                 | Gopher:                gopher.cs.uwm.edu
levine@cs.uwm.edu                | Web:            gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V8 #049
******************************
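Editor's added example (not part of the digest, and not code from any of its
contributors or from PGP, PGPn123 or Juno): a stdlib-only Python model of the
mail flow that Barry Gold's and Leonard Levine's messages above describe.
The text is written on the sender's own machine, a fresh session key is
wrapped with the recipient's public key, the body is encrypted under that
key and base64-armored so that any mail agent can carry it (Gold's "make
sure it's in ASCII format" step, and the same reason Eudora falls back to
base-64 for binary attachments), and the result goes to a relay that, like
Juno in Levine's account, can read From, To and Subject but not the text.
The public-key part is textbook RSA over freshly generated 512-bit primes
with no padding, and the symmetric part is a SHA-256 counter-mode keystream
with an HMAC tag; both are stand-ins chosen so the data flow is visible
without third-party libraries, and neither is secure for real use (PGP of
the period used IDEA and padded RSA).  Every function name here
(generate_keypair, build_mail, carrier_view, read_mail and the helpers),
the "DEMO" armor header and the example.invalid addresses are my own
inventions, and the message text is constructed.

```python
"""Added example, not from the digest: encrypted mail where the carrier sees
the envelope but not the text.  Stdlib only; textbook RSA (demo-size keys,
no padding) and a SHA-256/HMAC stream cipher stand in for PGP's primitives.
A model of the data flow, NOT secure for real use.  All data is constructed."""
import base64, hashlib, hmac, secrets
from email import message_from_string, policy
from email.message import EmailMessage

ARMOR_BEGIN = "-----BEGIN DEMO ENCRYPTED MESSAGE-----"
ARMOR_END = "-----END DEMO ENCRYPTED MESSAGE-----"
SESSION_KEY_BYTES = 32


def _is_probable_prime(n, rounds=32):  # Miller-Rabin, enough for demo keys
    if n < 4:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(n):
            return n


def generate_keypair(bits=512):
    """Return ((n, e), (n, d)); the private half never leaves the owner's PC."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _keystream(key, length):
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
    return bytes(out[:length])


def _sym_encrypt(session_key, plaintext):
    # Encrypt-then-MAC under keys derived from a per-message session key,
    # so the counter-mode keystream is never reused across messages.
    enc_key, mac_key = (hashlib.sha256(t + session_key).digest() for t in (b"enc", b"mac"))
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, len(plaintext))))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def _sym_decrypt(session_key, blob):
    enc_key, mac_key = (hashlib.sha256(t + session_key).digest() for t in (b"enc", b"mac"))
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
        raise ValueError("body altered in transit or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct))))


def encrypt_body_for(pubkey, text):
    """Hybrid encrypt: wrap a fresh session key with the recipient's public key,
    encrypt the text under it, base64-armor so any mail agent can carry it."""
    n, e = pubkey
    session_key = secrets.token_bytes(SESSION_KEY_BYTES)
    wrapped = pow(int.from_bytes(session_key, "big"), e, n).to_bytes((n.bit_length() + 7) // 8, "big")
    b64 = base64.b64encode(wrapped + _sym_encrypt(session_key, text.encode())).decode()
    return "\n".join([ARMOR_BEGIN, *(b64[i:i + 64] for i in range(0, len(b64), 64)), ARMOR_END]) + "\n"


def decrypt_body(privkey, armored_text):
    n, d = privkey
    raw = base64.b64decode("".join(ln for ln in armored_text.splitlines() if ln and not ln.startswith("-----")))
    key_len = (n.bit_length() + 7) // 8
    m = pow(int.from_bytes(raw[:key_len], "big"), d, n)
    if m >= 1 << (8 * SESSION_KEY_BYTES):  # wrong private key or damaged wrap
        raise ValueError("wrapped session key corrupted")
    return _sym_decrypt(m.to_bytes(SESSION_KEY_BYTES, "big"), raw[key_len:]).decode()


def build_mail(sender, recipient, subject, recipient_pubkey, text):
    """What leaves the home PC: clear headers, opaque body."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(encrypt_body_for(recipient_pubkey, text))
    return msg.as_string()


def carrier_view(wire):
    """Everything the relay (Juno, in Levine's account) can read."""
    msg = message_from_string(wire, policy=policy.default)
    return {"from": msg["From"], "to": msg["To"], "subject": msg["Subject"],
            "body_is_armored": msg.get_content().startswith(ARMOR_BEGIN)}


def read_mail(privkey, wire):
    """Recipient side, run on the recipient's own machine with the private key."""
    return decrypt_body(privkey, message_from_string(wire, policy=policy.default).get_content())
```

Generate a key pair with generate_keypair(), hand the public half to a
correspondent, and have them call build_mail() with it; carrier_view() on the
resulting string is exactly the traffic-analysis residue Gold's footnote
warns about (who writes to whom, and when), which is why he wants routine
rather than selective encryption.  read_mail() raises ValueError for a wrong
private key and for any altered armor character, because the unwrap range
check or the HMAC fails; that gives integrity against tampering but not
sender authentication, which is what the separate signing step in Gold's
workflow supplies and this example leaves out.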