Date: Mon, 15 Jul 96 14:13:43 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V9#004

Computer Privacy Digest Mon, 15 Jul 96              Volume 9 : Issue: 004

Today's Topics:                         Moderator: Leonard P. Levine

    Re: Privacy of eMail Address
    Re: Privacy of eMail Address
    Re: Privacy of eMail Address
    Re: Privacy of eMail Address
    Re: Privacy of eMail Address
    Re: Privacy of eMail Address
    Computerworld
    From EDUPAGE: Privacy Logo
    Re: California Caller ID News
    Re: How an Innocent Download Can Lead to Prosecution
    Re: Privacy of eMail Address
    Unsolicited email
    REQUEST: Alternative password schemes
    Moderator on Break, Indeces Ready
    Where to Get PGP FAQ
    Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: gabriel@uci.edu (Gabriel B. Gonzalez)
Date: 12 Jul 1996 02:56:49 GMT
Subject: Re: Privacy of eMail Address
Organization: University of California, Irvine
References:

seidel@zenith.berkeley.edu (Chris Seidel) wrote:

    They claimed that their e-mail address was not public information
    and that I was in trouble for posting it.

Hogwash... just prove that anyone could have gotten it by looking it up in an e-mail address directory; or make a comparison between an e-mail address and a street address, anyone can get either one freely. Don't sweat it. It's probably one of those nuts who claims the US gov't has put code into C compilers that puts a back door in the executable anytime one compiles PGP...

------------------------------------------------------------------------
Gabriel B.
Gonzalez                  Information and Computer Science & Biology
gabriel@uci.edu           University of California, Irvine
103117.447@CompuServe.COM
------------------------------------------------------------------------

------------------------------

From: michael@tis.com (Michael Elkins)
Date: 12 Jul 1996 15:24:54 GMT
Subject: Re: Privacy of eMail Address
Organization: Trusted Information Systems, Inc., Los Angeles, CA
References:

Chris Seidel wrote:

    I have been unable to find anything legally definitive on the issue
    of publicly posting a letter that someone sends to me. Most people
    seem to think it is legal to post a letter that one receives.

You might try reading the Copyright FAQ (misc.legal.computing is a good place to look). There is some discussion about this.

In a nutshell, it is some people's interpretation of the law that any piece of e-mail or news posting that you send is copyrighted by you. So legally, you would have to have their consent to "rebroadcast" their message. There doesn't even need to be a copyright notice, because this is the default for anything that you generate.

Being that I don't know the nature of what you posted, it's hard to tell whether or not any compensatory damages could be awarded. I think the fee for copyright violation is something like $250, but the big $$ comes from the compensatory part (where you show that the violation caused you to lose big money).

Again, I encourage you to read the Copyright FAQ for more info. I'm not a lawyer, so don't take my word for it. :-)

--
Michael Elkins
Trusted Information Systems, Inc.
Los Angeles, CA
310-477-5828 x123

------------------------------

From: chazl
Date: 12 Jul 96 10:56:19 -0500
Subject: Re: Privacy of eMail Address

    They claimed that their e-mail address was not public information
    and that I was in trouble for posting it.
So this party sent you an unsolicited piece of mail, which contained no advance restrictions as to use; you posted it publicly and upon request immediately removed it from public view. It seems to me that you've behaved in a perfectly reasonable manner. I think that their email address became public information the moment they sent the mail. That's why anonymous remailers exist. Has this person given you any documentation to back up this contention?

    I have been unable to find anything legally definitive on the issue
    of publicly posting a letter that someone sends to me. Most people
    seem to think it is legal to post a letter that one receives.

I'd agree.

--
chazl 07.12.96

------------------------------

From: Ben Hammersley
Date: 12 Jul 1996 18:54:16 +0100
Subject: Re: Privacy of eMail Address
Organization: Just Messing Around
References:

Chris Seidel writes

    I'm writing to inquire as to the privacy of e-mail addresses.
    Recently someone sent me an e-mail which I temporarily posted on my
    website, virtually without comment. Within an hour the person who
    sent me the e-mail, wrote to tell me to remove it (which I did).
    They then went on to file a police report against me, even though I
    had not commented on their letter, but had simply posted it.

It really depends on what the letter said, I suppose. Still, even if the letter was harmless, the fact it was sent as an email, not as a posting to a public newsgroup _may_ signify that it was meant for your eyes only. It probably isn't illegal, but it doesn't seem very polite. What did it say?

--
Ben Hammersley.
The Truth is Merchandising.
ben@bhammer.demon.co.uk

------------------------------

From: Mich Kabay <75300.3232@CompuServe.COM>
Date: 14 Jul 96 15:32:55 EDT
Subject: Re: Privacy of eMail Address

Chris Seidel wrote:

    Most people seem to think it is legal to post a letter that one
    receives.

[I am not a lawyer and the following is not legal advice. For legal advice consult an attorney.]
FWIW, most people seem to think it is polite to request permission of the author before posting their work--including in particular materials intended for private communications.

Here are some comments from a textbook on legal issues in cyberspace:

    For online systems, the following exclusive rights are particularly
    important:

    o The right to copy the work.
    o The right to make modified versions of the work (sometimes called
      "derivative works").
    o The right to distribute the work.
    o The right to transmit the work.
    o The right to perform the work publicly.
    o The right to run computer programs on a computer.

    All of these activities [referring to a set of examples of
    infringement] can be fully legal, as long as all the owners of the
    copyrights involved give their permission. However, getting those
    permissions requires doing some work, and some owners may not want
    to permit the intended use. So we expect to continue to see such
    infringing uses by the lazy or dishonest, replete with ringing
    defenses of information freedom whenever it is suggested that they
    get permission when they use others' property.

Taken from Rose, L. J. (1994). _NetLaw: Your Rights in the Online World_. Osborne/McGraw-Hill (New York). ISBN 0-07-882077-4. xx + 372. Index.

I am not including the comments as a personal attack on you. You sound neither lazy nor dishonest. It does seem a pity, though, that if someone has studiously avoided posting _anything_ to the USENET or any other public site that you should unilaterally expose their e-mail address and thus make them liable to the floods of junk e-mail that creeps are sending through the Net. And ask yourself how _you_ might feel if your own private letter were exposed to the public without your permission.

In the current on-line course on CyberLaw, the authors specifically address the question of "Fair Use" as defined in law. They state,

    3.
    If you're copying UNPUBLISHED work -- work that the copyright owner
    hasn't displayed to all comers -- then your use is probably NOT
    FAIR. The classic example of unpublished work is a personal e-mail.
    You might get away with quoting several lines in some situations,
    but generally you can't.

from Larry Lessig, David Post & Eugene Volokh, "Cyberspace-Law for Non-Lawyers" presented by the Cyberspace Law Institute and Counsel Connect. For more information about this course use URL http://www.counsel.com/cyberspace

As far as the damage to the author's privacy is concerned, I suggest you do a search using DejaNews (http://www.dejanews.com) to see if the complainant has ever, in fact, posted anything to the USENET using the specific user ID you (wrongly, in my opinion) posted in public. If they have, it seems to me (as a non-lawyer) that they wouldn't have much of a case for damages even though you erred in posting without permission.

Best wishes for an appropriate solution to your legal problems,

--
M. E. Kabay, Ph.D. / Director of Education, National Computer Security Association

------------------------------

From: wrfuse@mab.ecse.rpi.edu (Wm. Randolph U Franklin)
Date: 14 Jul 1996 21:18:58 GMT
Subject: Re: Privacy of eMail Address
Organization: ECSE Dept, Rensselaer Polytechnic Institute, Troy, NY, 12180 USA
References:

seidel@zenith.berkeley.edu (Chris Seidel) writes:

    I'm writing to inquire as to the privacy of e-mail addresses.
    Recently someone sent me an e-mail which I temporarily posted on my
    website, virtually without comment. Within an hour the person who
    sent me the e-mail, wrote to tell me to remove it (which I did).
    They then went on to file a police report against me, even though I
    had not commented on their letter, but had simply posted it.

What does "virtually" mean? What did you say?
    The police found their complaint without merit, but I was told the
    person is pursuing a civil case against me (even though ALL I did
    was post their letter to me, I added no commentary regarding their
    character or any action against them).

You violated his copyright in his letter. However, since you removed the page when asked, that should end the matter. Civil suits take years. How rich is this person?

    I hadn't meant at all to harass them, but had simply seen many
    websites with letters posted, and was simply posting it for
    information.

I also post answers to queries that I post, but I mention in the query that I'll be doing that.

    They claimed that their e-mail address was not public information
    and that I was in trouble for posting it.

I wish that were true, but don't think so.

    I have been unable to find anything legally definitive on the issue
    of publicly posting a letter that someone sends to me. Most people
    seem to think it is legal to post a letter that one receives.

No. That's been definitely established wrt paper letters for a long time. Nevertheless, you may post a summary of the letter's information.

---- wrfuse@mab.ecse.rpi.edu (Wm. Randolph U Franklin)
---- Do not send commercial solicitations to this address.
---- PGP key available.

------------------------------

From: Steve Ulfelder
Date: 12 Jul 1996 08:14:32 -0400
Subject: Computerworld
Organization: Computerworld

I'm editor of the In Depth section of Computerworld, a weekly publication for information systems pros. I'm putting together a story on just how much publicly available information there is on the Internet about private citizens.

I'd like to speak to people who have been surprised or angered by some of the data gathered about them -- especially through the passive data gathering that occurs when you surf the Web. For instance, I know of one person who casually (honest!) visited a white-supremacist site, only to receive an email shortly thereafter asking if he wanted more info.
Do you have any similar stories, or know someone who does? Please email me or call at the number below. All help is appreciated, and anonymity is respected.

--
Steve Ulfelder
Editor/In Depth
Computerworld
steve_ulfelder@cw.com
508-620-7745

------------------------------

From: "Prof. L. P. Levine"
Date: 12 Jul 1996 12:44:19 -0500 (CDT)
Subject: From EDUPAGE: Privacy Logo
Organization: University of Wisconsin-Milwaukee

This has been taken from Edupage, 11 July 1996. Edupage, a summary of news items on information technology, is provided three times each week as a service by Educom, a Washington, D.C.-based consortium of leading colleges and universities seeking to transform education through the use of information technology.

PRIVACY LOGOS

The Electronic Frontier Foundation and some companies doing business over the Internet have developed a privacy rating system to be offered by a nonprofit group called eTrust, which will license logos to Web sites indicating how much privacy a person surrenders by visiting the site. (USA Today 11 Jul 96 1B)

------------------------------

From: wombat@zelazny.aquilagroup.com (Christopher M. Conway)
Date: 12 Jul 1996 20:13:47 GMT
Subject: Re: California Caller ID News
Organization: Prickly Wombat Enterprises
References:

mwilson@cts.com (Marc Wilson) writes:

    Why? Because, to me, it's an invasion of MY privacy if YOU can call
    me without my knowing who you are. You're coming into MY home. If I
    had my way, there would be no blocking. At all. Ever.

The problem is it's an invasion of privacy both ways. You have a right to refuse to accept calls with callerid blocked. Or even have them ring your phone. I have a right to refuse to give out private information. I do not have the right to *require* that your phone ring if I call with caller id blocked. You do not have the right to *require* my phone number if I attempt to call.

Blocking is a sensible compromise.

--
Christopher M.
Conway                    Systems and Network Administrator
wombat@aquilagroup.com    Don't Tread on Me
We must all hang together, or, most assuredly, we will all hang separately.
I'll be post-feminist in the post-patriarchy.

------------------------------

From: dwwrmk@teleport.com (Warning!)
Date: 12 Jul 1996 21:01:11 -0700
Subject: Re: How an Innocent Download Can Lead to Prosecution
Organization: Teleport - Portland's Public Access (503) 220-1016
References:

Articles from the website:

Article one: What Happened.
Copyright 1996 by DWWatson

This is what happened to Dennis Watson, a mathematics instructor at Clark College in Vancouver WA. Based on a bogus 'whistle blow', two State Auditors entered Dennis' office, served a subpoena, and confiscated his state owned computer, his state owned disks, and his personally purchased disks, even though he told them he had been asked to access the kind of material in question in order to help establish the local computing policies! They turned the computer and data over to the Washington State Patrol.

An article ran in the Columbian newspaper that contained allegations of illegal images. As Dave Barry says, "Every accused person, unless he has a name like Nicholas 'Nicky the Squid' Calamari, is considered innocent until such time as his name appears in the newspaper."

The State Police investigated and then the Clark County Prosecutors reviewed the case and charged Dennis with seven Class C Felonies, a situation, no doubt, propelled by the Columbian article. They assumed he had looked at everything he downloaded and they charged him with 7 counts (7 pictures out of thousands of downloads) of possessing pictures of minors (under 18) in sexually explicit acts. It took two pediatricians to determine that the individuals in the pictures were under 18. And, under the statute, the prosecutors can call a family eating ice cream cones a 'sexually explicit act' if they are nude!
He was offered a plea bargain, but declined, since he could not, in good conscience, plead guilty to a crime he didn't commit!

--

Article two: How you can help!
Copyright 1996 by DWWatson

In order to have 'equal justice under law', he needs to raise at least $60,000 and may need as much as $100,000 or more!! As you may know, money doesn't guarantee justice, but without money there is no justice.

Dennis' friends have started a defense fund at a local bank in Vancouver, WA. If we netizens could each donate a small sum, even $10.00 each, he could reach this goal. Also, any amount not used would be set up as a defense fund to help with other netizens charged with crimes, as needed. Of course, larger donations would also help. Any contributions should be made out to the D.W.Watson Fund and sent to:

--
John Caton, CPA
1104 Main St., Suite 200
Vancouver, WA 98660

For more information send email to dwwrmk@teleport.com

------------------------------

From: dan@dvl.co.nz (Dan Langille)
Date: 13 Jul 1996 20:54:31 GMT
Subject: Re: Privacy of eMail Address
Organization: DVL Software Limited
References:

seidel@zenith.berkeley.edu (Chris Seidel) wrote:

    I have been unable to find anything legally definitive on the issue
    of publicly posting a letter that someone sends to me. Most people
    seem to think it is legal to post a letter that one receives.

Regardless of the legality, it is commonly understood that private email is just that: private. Unless you have the consent of the author, one must not pass on an email.

The easiest way to deal with it is copyright. The sender is considered the author of the email. Thus, they hold the copyright. If you forward (or indeed post that email at a website), you infringe upon their copyright.

Netiquette also holds that even revealing what someone has said in an email is a no-no.

All of this is quite different from the email address privacy issue. Has the person in question ever posted their address publicly?
--
Dan Langille
DVL Software Limited - Wellington, New Zealand

------------------------------

From: mhorne@ucla.edu (Mark Horne)
Date: 15 Jul 1996 10:29:02 -0700
Subject: Unsolicited email

With increasing frequency I have been receiving unsolicited email from persons attempting to sell some product or service. I suspect that my address is being culled from Usenet posts.

I recall the success of a California man that sued for being added to a computer store's mailing list (based upon the handwritten contract on the back of a check).

From that idea, I was thinking of adding the following line to my signature line:

"Unsolicited email of a commercial nature will be read, responded to, and/or disposed of for a fee of $1,000 (USD). The transmission of an unsolicited commercial message to the above electronic mail address constitutes agreement to these terms."

The difficulty I see is proving someone collected my address after this "contract" is added to my signature line. On the other hand, it may also scare off many of these junk email operators.

Comments?

--
mhorne@ucla.edu

------------------------------

From: Matt Perez - Journalist <8patches@cftnet.com>
Date: 13 Jul 1996 12:34:08 -0400
Subject: REQUEST: Alternative password schemes
Organization: Independent journalism for professional publishers
References: <199607120132.UAA06458@blatz.cs.uwm.edu>

Florida's Department of Labor in Tallahassee has a Web server to allow job hunters access to state positions. Application forms are filled out on a Web page, but they require entering your social security number and a password.

The webmasters are open to suggestions for identifying job seekers without requiring transfers of SSNs over an unsecured server.

If anyone has a suggestion, please send them via e-mail when you post them to the list. I'll create a digest to send to the webmasters in Tallahassee, and if the moderator suggests it, I'll post it back to the digest.
Potential solutions could involve:

-- cost-efficient encryption/scrambling
-- securing the server
-- using non-SSN passwords (how does that work?)
-- using automated telephone confirmations

Key point: DOL needs the SSNs to track progress of individual job seekers.

--
=^==========^==========^============|>
^^Matt Perez^^^8patches@cftnet.com^^|>>
^"Cruisin' at the speed of life"^^^^|>>>
^^Saint Petersburg, Florida^^^^^^^^^|>>
=^==========^==========^============|>

------------------------------

From: "Prof. L. P. Levine"
Date: 15 Jul 1996 13:42:50 -0500 (CDT)
Subject: Moderator on Break, Indeces Ready
Organization: University of Wisconsin-Milwaukee

Your esteemed moderator will be out of touch with reality (having no access to a terminal) until July 22nd. There will be a one week hiatus in any work in the Computer Privacy Digest.

Indices to volume 8 (Jan 1 - Jun 30 1996) by author and by subject are available via gopher, ftp or http as 00namelist and 00subjectlist in volume8. Access is through:

    http://www.uwm.edu:80/org/comp-privacy/

for net browsers, and through:

    ftp.cs.uwm.edu at /pub/comp-privacy

for ftp and gopher users.

---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     | and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Mosaic: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

From: mpj@csn.net (Michael Johnson)
Date: 13 Jul 1996 01:27:07 -0600
Subject: Where to Get PGP FAQ
Organization: The Web of Trust

WHERE TO GET THE PRETTY GOOD PRIVACY PROGRAM (PGP) FAQ

Revised 28 June 1996

Disclaimer -- I haven't recently verified all of the information in this file, and much of it is probably out of date.
For questions not covered here, please read the documentation that comes with PGP, get one of the books mentioned below, or search for other relevant FAQ documents at rtfm.mit.edu and on the alt.security.pgp comp.security.pgp comp.security.pgp.ressources news group.

A NOTE FROM THE FAQ MAINTAINERS

Peter Herngaard is taking over the maintenance of this FAQ until further notice. Some of you sent me (Mike Johnson) corrections and suggestions for this FAQ, and I stored them away on my hard disk to edit from. Then, Windows 95 got indigestion (induced by a sound card) and destroyed all of the data in that partition. If you suggested changes and they aren't in this FAQ, please send them to Peter Herngaard.

WHAT IS THE LATEST VERSION OF PGP?

Viacrypt PGP (commercial version): 2.7.1 (4.0 is due out Real Soon Now)
MIT & Philip Zimmermann (freeware, USA-legal): 2.6.2
Staale Schumacher's International variant: 2.6.3i for non-USA (2.6.3ai source code only); 2.6.3 for USA

WHERE CAN I GET VIACRYPT PGP?

Just call 800-536-2664 and have your credit card handy.

WHERE IS PGP ON THE WORLD WIDE WEB?

U.S. only availability:
    PGP: http://web.mit.edu/network/pgp-form.html
    PGPfone: http://web.mit.edu/network/pgpfone

International availability:
    PGP and PGPfone: http://www.ifi.uio.no/pgp/

WHERE CAN I FTP PGP IN NORTH AMERICA?

If you are in the USA or Canada, you can get PGP by following the instructions in any of:

    ftp://net-dist.mit.edu/pub/PGP/README
    ftp://ftp.csn.net/mpj/README.MPJ
    ftp://miyako.dorm.duke.edu/pub/GETTING_ACCESS
    ftp://ftp.csua.berkeley.edu/pub/cypherpunks/pgp/
    ftp://ftp.gibbon.com/pub/pgp/README.PGP
    ftp://ftp.wimsey.bc.ca/pub/crypto/software/README

WHERE IS PGP ON COMPUSERVE?

GO NCSAFORUM. Follow the instructions there to gain access to Library 12: Export Controlled.

AOL

Go to the AOL software library and search "PGP" or ftp from ftp://ftp.csua.berkeley.edu/pub/cypherpunks/pgp or another site listed above.
It is possible to get PGP from ftp sites with hidden directories with the following trick: (1) View the README file with the hidden directory name in it, then quickly (2) Start a new ftp connection, specifying the hidden directory name with the ftp site's address, like ftp.csn.net/mpj/I_will_not_export/crypto_xxxxxxx (where the xxxxxxx is replaced with the current character string).

WHAT BULLETIN BOARD SYSTEMS CARRY PGP?

MANY BBS carry PGP. The following carry recent versions of PGP and allow free downloads of PGP.

US

303-343-4053 Hacker's Haven, Denver, CO
303-772-1062 Colorado Catacombs BBS, Longmont CO
    8 data bits, 1 stop, no parity, up to 28,800 bps.
    Use ANSI terminal emulation.
    For free access: log in with your own name, answer the questions.
314-896-9309 The KATN BBS
317-887-9568 Computer Virus Research Center (CVRC) BBS, Indianapolis, IN
    Login First Name: PGP Last Name: USER Password: PGP
501-791-0124, 501-791-0125 The Ferret BBS, North Little Rock, AR
    Login name: PGP USER Password: PGP
506-457=0483 Data Intelligence Group Corporation BBS
508-668-4441 Emerald City, Walpole, MA
601-582-5748 CyberGold BBS
612-690-5556, !CyBERteCH SeCURitY BBS! Minneapolis MN
914-667-4567 Exec-Net, New York, NY
915-587-7888, Self-Governor Information Resource, El Paso, Texas
909-681-6221 ATTENTION to Details (ATD BBS)
    All lines v.32bis/14.4KBPS minimum

DE

+49-781-38807 MAUS BBS, Offenburg - connected to MausNet
+49-521-68000 BIONIC-BBS
    Login: PGP

NL

+31-26-3890037 Viber BBS, NOTB HOST Gelderland
    8 data bits, 1 stop, no parity, up to 28,800 bps. (ISDN soon)
    Use ANSI terminal emulation.
    For free access: log in with your own name, answer the questions.
    Latest version and other tools: FILE AREA: [NOTB] - PGP

WHERE CAN I FTP PGP CLOSE TO ME?
DE ftp://ftp.cert.dfn.de/pub/pgp/
IT ftp://idea.sec.dsi.unimi.it/pub/security/crypt/PGP
FI ftp://ftp.funet.fi/pub/crypt/pgp/
NL ftp://ftp.nl.net/pub/crypto/pgp
   ftp.nic.surfnet.nl/surfnet/net-security/encryption/pgp
NO ftp://menja.ifi.uio.no/pub/pgp/
NZ ftp://ftphost.vuw.ac.nz
SE ftp://leif.thep.lu.se
TW ftp://nctuccca.edu.tw/PC/wuarchive/pgp/
UK ftp://ftp.ox.ac.uk/pub/crypto/pgp

HOW CAN I GET PGP BY EMAIL?

If you have access to email, but not to ftp, send a message saying "help" to ftpmail@decwrl.dec.com or mailserv@nic.funet.fi

WHERE CAN I GET MORE PGP INFORMATION?

http://www.csn.net/~mpj
http://www.mit.edu:8001/people/warlord/pgp-faq.html
http://www.eff.org/pub/EFF/Issues/Crypto/ITAR_export/cryptusa_paper.ps.gz
ftp://ds.internic.net/internet-drafts/draft-pgp-pgpformat-00.txt
ftp://ds.internic.net/internet-drafts/draft-ietf-pem-mime-08.txt
http://www-mitpress.mit.edu/mitp/recent-books/comp/pgp-source.html
http://web.cnam.fr/Network/Crypto/ (in French)
http://web.cnam.fr/Network/Crypto/survey.html (in English)
http://www2.hawaii.edu/~phinely/MacPGP-and-AppleScript-FAQ.html
http://www.pgp.net/pgp
http://www.sydney.sterling.com:8080/~ggr/pgpmoose.html
http://www.ifi.uio.no/pgp/
http://inet.uni-c.dk/~pethern/privacy.html

WHAT ARE SOME GOOD PGP BOOKS?

Protect Your Privacy: A Guide for PGP Users
by William Stallings
Prentice Hall PTR
ISBN 0-13-185596-4
US $19.95

PGP: Pretty Good Privacy
by Simson Garfinkel
O'Reilly & Associates, Inc.
ISBN 1-56592-098-8
US $24.95

E-Mail Security: How to Keep Your Electronic Mail Private
"Covers PGP/PEM"
by Bruce Schneier
Wiley Publishing

The Computer Privacy Handbook: A Practical Guide to E-Mail Encryption, Data Protection, and PGP Privacy Software
by André Bacard
Peachpit Press
ISBN 1-56609-171-3
US $24.95
800-283-9444 or 510-548-4393

THE OFFICIAL PGP USER'S GUIDE
by Philip R. Zimmermann
MIT Press
April 1995 - 216 pp. - paper - US $14.95 - ISBN 0-262-74017-6 ZIMPP
Standard PGP documentation neatly typeset and bound.
PGP SOURCE CODE AND INTERNALS
by Philip R. Zimmermann
April 1995 - 804 pp. - US $55.00 - 0-262-24039-4 ZIMPH

How to Use PGP, 61 pages, (Pub #121) from the Superior Broadcasting Company, Box 1533-N, Oil City, PA 16301, phone: (814) 678-8801 (about US $10-$13).

IS PGP LEGAL?

Pretty Good Privacy is legal if you follow these rules:

Don't export PGP from the USA except to Canada, or from Canada except to the USA, without a license.

If you are in the USA, use either Viacrypt PGP (licensed for commercial use) or MIT PGP using RSAREF (limited to personal, noncommercial use). Outside of the USA, where RSA is not patented, you may prefer to use a version of PGP (2.6.3i) that doesn't use RSAREF to avoid the restrictions of that license.

If you are in a country where the IDEA cipher patent holds in software (including the USA and some countries in Europe), make sure you are licensed to use the IDEA cipher commercially before using PGP commercially. (No separate license is required to use the freeware PGP for personal, noncommercial use). For direct IDEA licensing, contact Ascom Systec:

Erhard Widmer, Ascom Systec AG, Dep't. CMVV    Phone +41 64 56 59 83
Peter Hartmann, Ascom Systec AG, Dep't. CMN    Phone +41 64 56 59 45
Fax: +41 64 56 59 90
e-mail: IDEA@ascom.ch
Mail address: Gewerbepark, CH-5506 Maegenwil (Switzerland)

Viacrypt has an exclusive marketing agreement for commercial distribution of Philip Zimmermann's copyrighted code. (Selling shareware/freeware disks or connect time is OK). This restriction does not apply to PGP 3.0, since it is a complete rewrite by Colin Plumb.

If you modify PGP (other than porting it to another platform, fixing a bug, or adapting it to another compiler), don't call it PGP (TM) or Pretty Good Privacy (TM) without Philip Zimmermann's permission.
IMPORTANT: Please note that there is an official distribution site for MIT PGP and another for the International version:

WorldWideWeb references:

U.S/Canada non-commercial use: http://web.mit.edu/network/pgp-form.html
Norway/International non-commercial use: http://www.ifi.uio.no/pgp/
U.S. commercial use: http://www.viacrypt.com

WHAT IS PHILIP ZIMMERMANN'S LEGAL STATUS?

Philip Zimmermann was under investigation for alleged violation of export regulations, with a grand jury hearing evidence for about 28 months, ending 11 January 1996. The Federal Government chose not to comment on why it decided to not prosecute, nor is it likely to. The Commerce Secretary stated that he would seek relaxed export controls for cryptographic products, since studies show that U. S. industry is being harmed by current regulations. Philip endured some serious threats to his livelihood and freedom, as well as some very real legal expenses, for the sake of your right to electronic privacy. The battle is won, but the war is not over. The regulations that caused him so much grief and which continue to dampen cryptographic development, harm U. S. industry, and do violence to the U. S. National Security by eroding the First Amendment of the U. S. Constitution and encouraging migration of cryptographic industry outside of the U. S. A. are still on the books.

If you are a U. S. Citizen, please write to your U. S. Senators, Congressional Representative, President, and Vice President pleading for a more sane and fair cryptographic policy.

WHERE CAN I GET WINDOWS & DOS SHELLS FOR PGP?
http://www.dayton.net/~cwgeib
ftp://menja.ifi.uio.no/pub/pgp/pc/msdos//apgp22b3.zip
http://alpha.netaccess.on.ca/~spowell/crypto/pwf31.zip
ftp://ftp.netcom.com/pub/dc/dcosenza/pgpw40.zip
ftp://ftp.firstnet.net/pub/windows/winpgp/pgpw40.zip
http://www.eskimo.com/~joelm (Private Idaho)
ftp://ftp.eskimo.com/~joelm
http://www.xs4all.nl/~paulwag/security.htm
http://www.LCS.com/winpgp.html
http://netaccess.on.ca/~rbarclay/index.html
http://netaccess.on.ca/~rbarclay/pgp.html
ftp://ftp.leo.org/pub/comp/os/os2/crypt/gcppgp10.zip
ftp://ftp.leo.org/pub/comp/os/os2/crypt/pmpgp.zip
http://iquest.com/~aegisrc

WHAT OTHER FILE ENCRYPTION (DOS, MAC) TOOLS ARE THERE?

PGP can do conventional encryption only of a file (-c) option, but you might want to investigate some of the other alternatives if you do this a lot. Alternatives include Quicrypt and Atbash2 for DOS, DLOCK for DOS & UNIX, Curve Encrypt (for the Mac), HPACK (many platforms), and a few others.

Quicrypt is interesting in that it comes in two flavors: shareware exportable and registered secure. Atbash2 is interesting in that it generates ciphertext that can be read over the telephone or sent by Morse code. DLOCK is a no-frills strong encryption program with complete source code. Curve Encrypt has certain user-friendliness advantages. HPACK is an archiver (like ZIP or ARC), but with strong encryption. A couple of starting points for your search are:

U.S. only availability:
    ftp://ftp.csn.net/mpj/qcrypt11.zip
    ftp://ftp.csn.net/mpj/README
    ftp://ftp.miyako.dorm.duke.edu/pub/GETTING_ACCESS

International availability:
    ftp://ftp.informatik.uni-hamburg.de/pub/virus/crypt/file/
    ftp://idea.sec.dsi.unimi.it/pub/crypt/code/

HOW DO I SECURELY DELETE FILES (DOS)?

If you have the Norton Utilities, Norton WipeInfo is pretty good. I use DELETE.EXE in del110.zip, which is really good at deleting existing files, but doesn't wipe "unused" space.
US ftp://ftp.csn.net/mpj/public/del120.zip
NL ftp://basement.replay.com/pub/replay/pub/security/del120.zip
UK ftp://ftp.demon.co.uk/pub/ibmpc/security/realdeal.zip

WHAT DO I DO ABOUT THE PASS PHRASE IN MY WINDOWS SWAP FILE?

The nature of Windows is that it can swap any memory to disk at any time, meaning that all kinds of interesting things could end up in your swap file.

ftp://ftp.firstnet.net/pub/windows/winpgp/wswipe.zip

WHERE DO I GET PGPfone(tm)?

PGPfone is in beta test for Macintosh and Windows'95 users. The MIT has shut down their ftp distribution of PGPfone for Macintosh and Windows'95, so within the U.S/Canada you must obtain PGPfone using a WorldWideWeb browser.

U.S. only availability:
    http://web.mit.edu/network/pgpfone

International availability:
    DK ftp://ftp.datashopper.dk/pub/users/pethern/pgp/
    NL ftp://basement.replay.com/pub/replay/pub/voice/
    NO ftp://menja.ifi.uio.no/pub/pgp/mac/
       ftp://menja.ifi.uio.no/pub/pgp/windows/

WHERE DO I GET NAUTILUS?

Bill Dorsey, Pat Mullarky, and Paul Rubin have come out with a program called Nautilus that enables you to engage in secure voice conversations between people with multimedia PCs and modems capable of at least 7200 bps (but 14.4 kbps is better). See:

U.S. only availability:
    ftp://ripem.msu.edu/pub/crypt/GETTING_ACCESS
    ftp://ripem.msu.edu/pub/crypt/other/nautilus-phone-0.9.2-source.tar.gz
    ftp://ftp.csn.net/mpj/README
    ftp://miyako.dorm.duke.edu/pub/GETTING_ACCESS

International availability:
    ftp://ftp.ox.ac.uk/pub/crypto/misc
    ftp://basement.replay.com/pub/replay/pub/voice/

The official Nautilus homepage is at: http://www.lila.com/nautilus/

HOW DO I ENCRYPT MY DISK ON-THE-FLY?

Secure File System (SFS) is a DOS device driver that encrypts an entire partition on the fly using SHA in feedback mode. Secure Drive also encrypts an entire DOS partition, using IDEA, which is patented. Secure Device is a DOS device driver that encrypts a virtual, file-hosted volume with IDEA.
Cryptographic File System (CFS) is a Unix device driver that uses DES. CryptDisk is a ShareWare package for Macintosh that uses strong IDEA encryption like PGP.

U.S. only availability:
ftp://ftp.csn.net/mpj/README
ftp://miyako.dorm.duke.edu/mpj/crypto/disk/

International availability:
http://www.cs.auckland.ac.nz/~pgut01/sfs.html
ftp://ftp.informatik.uni-hamburg.de/pub/virus/crypt/disk/
ftp://ftp.nic.surfnet.nl/surfnet/net-security/encryption/disk/
ftp://ftp.ox.ac.uk/pub/crypto/misc/
ftp://menja.ifi.uio.no/pub/pgp/mac/
ftp://basement.replay.com/pub/replay/pub/disk/

WHERE IS PGP'S COMPETITION?

RIPEM is the second most popular freeware email encryption package. I like PGP better for lots of reasons, but if for some reason you want to check or generate a PEM signature, RIPEM is available at ripem.msu.edu. There is also an exportable RIPEM/SIG.

U.S. only availability:
ftp://ripem.msu.edu/pub/GETTING_ACCESS

International availability:
ftp://idea.sec.dsi.unimi.it/pub/crypt/code/

HOW DO I PUBLISH MY PGP PUBLIC KEY?

Send mail to one of these addresses with the single word "help" in the subject line to find out how to use them. These servers synchronize keys with each other. There are other key servers, too.

pgp-public-keys@keys.pgp.net
pgp-public-keys@keys.de.pgp.net
pgp-public-keys@keys.no.pgp.net
pgp-public-keys@keys.uk.pgp.net
pgp-public-keys@keys.us.pgp.net

WWW interface to the key servers:
http://www.pgp.net/pgp/www-key.html
http://www-swiss.ai.mit.edu/~bal/pks-toplev.html

For US $20/year or so, you can have your key officially certified and published in a "clean" key database that is much less susceptible to denial-of-service attacks than the other key servers. Send mail to info-pgp@Four11.com for information, or look at http://www.Four11.com/

Of course, you can always send your key directly to the parties you wish to correspond with by whatever means you wish.

CAN I COPY AND REDISTRIBUTE THIS FAQ?

Yes.
Permission is granted to distribute unmodified copies of this FAQ. Please e-mail comments to Peter Herngaard. Look for the latest html version of this FAQ at http://inet.uni-c.dk/~pethern/getpgp.html

------------------------------

From: "Prof. L. P. Levine"
Date: 15 Jul 1996 13:43:37 -0500 (CDT)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them.
Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using CPD material should obtain permission from the contributors.

Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the Subject: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy". People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Web browsers will find it at gopher://gopher.cs.uwm.edu.

---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     | and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Web: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V9 #004
******************************