PRIVACY Forum Digest Friday, 16 April 1993 Volume 02 :

PRIVACY Forum Digest Friday, 16 April 1993 Volume 02 :
Issue 12

Moderated by Lauren Weinstein ([email protected])
Vortex Technology, Topanga, CA, U.S.A.

===== PRIVACY FORUM =====

The PRIVACY Forum digest is supported in part by the
ACM Committee on Computers and Public Policy.

CONTENTS
Text of White House announcement and Q&As on clipper chip
encryption
(Clipper Chip Announcement)
Re: Personal letters (Paul Robinson)
Personal Letters (Jerry Leichter)
More on Chicago DEA Surveillance (Sarah M. Elkins)

*** Please include a RELEVANT "Subject:" line on all submissions!
***
*** Submissions without them may be ignored! ***

-----------------------------------------------------------------
------------
The PRIVACY Forum is a moderated digest for the discussion and
analysis of
issues relating to the general topic of privacy (both personal and
collective) in the "information age" of the 1990's and beyond. The
moderator will choose submissions for inclusion based on their
relevance and
content. Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "[email protected]" and
must have
RELEVANT "Subject:" lines. Submissions without appropriate and
relevant
"Subject:" lines may be ignored. Subscriptions are by an automatic
"listserv" system; for subscription information, please send a
message
consisting of the word "help" (quotes not included) in the BODY of
a message
to: "[email protected]". Mailing list problems should
be
reported to "[email protected]". All submissions included
in this
digest represent the views of the individual authors and all
submissions
will be considered to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and
all
related materials, is available via anonymous FTP from site
"cv.vortex.com",
in the "/privacy" directory. Use the FTP login "ftp" or
"anonymous", and
enter your e-mail address as the password. The typical "README"
and "INDEX"
files are available to guide you through the files available for
FTP
access. PRIVACY Forum materials may also be obtained automatically
via
e-mail through the listserv system. Please follow the instructions
above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used
to access
the PRIVACY Forum archive. All PRIVACY Forum materials are also
available through the Internet Gopher system via a gopher server on
site "cv.vortex.com".

For information regarding the availability of this digest via FAX,
please
send an inquiry to [email protected], call (310) 455-9300,
or FAX
to (310) 455-2364.
-----------------------------------------------------------------
------------

VOLUME 02, ISSUE 12

Quote for the day:

"Three may keep a secret, if two of them are dead."

-- Benjamin Franklin, July 1735
(1706-1790)

-----------------------------------------------------------------
-----

Date: Fri, 16 Apr 93 11:07:20 EDT
From: [email protected] (Clipper Chip Announcement)
Subject: text of White House announcement and Q&As on clipper chip
encryption

Note: This file will also be available via anonymous file
transfer from csrc.ncsl.nist.gov in directory /pub/nistnews and
via the NIST Computer Security BBS at 301-948-5717.
---------------------------------------------------

THE WHITE HOUSE

Office of the Press Secretary

_________________________________________________________________

For Immediate Release April 16, 1993

STATEMENT BY THE PRESS SECRETARY

The President today announced a new initiative that will bring
the Federal Government together with industry in a voluntary
program to improve the security and privacy of telephone
communications while meeting the legitimate needs of law
enforcement.

The initiative will involve the creation of new products to
accelerate the development and use of advanced and secure
telecommunications networks and wireless communications links.

For too long there has been little or no dialogue between our
private sector and the law enforcement community to resolve the
tension between economic vitality and the real challenges of
protecting Americans. Rather than use technology to accommodate
the sometimes competing interests of economic growth, privacy and
law enforcement, previous policies have pitted government against
industry and the rights of privacy against law enforcement.

Sophisticated encryption technology has been used for years to
protect electronic funds transfer. It is now being used to
protect electronic mail and computer files. While encryption
technology can help Americans protect business secrets and the
unauthorized release of personal information, it also can be used
by terrorists, drug dealers, and other criminals.

A state-of-the-art microcircuit called the "Clipper Chip" has
been developed by government engineers. The chip represents a
new approach to encryption technology. It can be used in new,
relatively inexpensive encryption devices that can be attached to
an ordinary telephone. It scrambles telephone communications
using an encryption algorithm that is more powerful than many in
commercial use today.

This new technology will help companies protect proprietary
information, protect the privacy of personal phone conversations
and prevent unauthorized release of data transmitted
electronically. At the same time this technology preserves the
ability of federal, state and local law enforcement agencies to
intercept lawfully the phone conversations of criminals.

A "key-escrow" system will be established to ensure that the
"Clipper Chip" is used to protect the privacy of law-abiding
Americans. Each device containing the chip will have two unique

2

"keys," numbers that will be needed by authorized government
agencies to decode messages encoded by the device. When the
device is manufactured, the two keys will be deposited separately
in two "key-escrow" data bases that will be established by the
Attorney General. Access to these keys will be limited to
government officials with legal authorization to conduct a
wiretap.

The "Clipper Chip" technology provides law enforcement with no
new authorities to access the content of the private
conversations of Americans.

To demonstrate the effectiveness of this new technology, the
Attorney General will soon purchase several thousand of the new
devices. In addition, respected experts from outside the
government will be offered access to the confidential details of
the algorithm to assess its capabilities and publicly report
their findings.

The chip is an important step in addressing the problem of
encryption's dual-edge sword: encryption helps to protect the
privacy of individuals and industry, but it also can shield
criminals and terrorists. We need the "Clipper Chip" and other
approaches that can both provide law-abiding citizens with access
to the encryption they need and prevent criminals from using it
to hide their illegal activities. In order to assess technology
trends and explore new approaches (like the key-escrow system),
the President has directed government agencies to develop a
comprehensive policy on encryption that accommodates:

-- the privacy of our citizens, including the need to
employ voice or data encryption for business purposes;

-- the ability of authorized officials to access telephone
calls and data, under proper court or other legal
order, when necessary to protect our citizens;

-- the effective and timely use of the most modern
technology to build the National Information
Infrastructure needed to promote economic growth and
the competitiveness of American industry in the global
marketplace; and

-- the need of U.S. companies to manufacture and export
high technology products.

The President has directed early and frequent consultations with
affected industries, the Congress and groups that advocate the
privacy rights of individuals as policy options are developed.

3

The Administration is committed to working with the private
sector to spur the development of a National Information
Infrastructure which will use new telecommunications and computer
technologies to give Americans unprecedented access to
information. This infrastructure of high-speed networks
("information superhighways") will transmit video, images, HDTV
programming, and huge data files as easily as today's telephone
system transmits voice.

Since encryption technology will play an increasingly important
role in that infrastructure, the Federal Government must act
quickly to develop consistent, comprehensive policies regarding
its use. The Administration is committed to policies that
protect all Americans' right to privacy while also protecting
them from those who break the law.

Further information is provided in an accompanying fact sheet.
The provisions of the President's directive to acquire the new
encryption technology are also available.

For additional details, call Mat Heyman, National Institute of
Standards and Technology, (301) 975-2758.

---------------------------------

QUESTIONS AND ANSWERS ABOUT THE CLINTON ADMINISTRATION'S
TELECOMMUNICATIONS INITIATIVE

Q: Does this approach expand the authority of government
agencies to listen in on phone conversations?

A: No. "Clipper Chip" technology provides law enforcement with
no new authorities to access the content of the private
conversations of Americans.

Q: Suppose a law enforcement agency is conducting a wiretap on
a drug smuggling ring and intercepts a conversation
encrypted using the device. What would they have to do to
decipher the message?

A: They would have to obtain legal authorization, normally a
court order, to do the wiretap in the first place. They
would then present documentation of this authorization to
the two entities responsible for safeguarding the keys and
obtain the keys for the device being used by the drug
smugglers. The key is split into two parts, which are
stored separately in order to ensure the security of the key
escrow system.

Q: Who will run the key-escrow data banks?

A: The two key-escrow data banks will be run by two independent
entities. At this point, the Department of Justice and the
Administration have yet to determine which agencies will
oversee the key-escrow data banks.

Q: How strong is the security in the device? How can I be sure
how strong the security is?

A: This system is more secure than many other voice encryption
systems readily available today. While the algorithm will
remain classified to protect the security of the key escrow
system, we are willing to invite an independent panel of
cryptography experts to evaluate the algorithm to assure all
potential users that there are no unrecognized
vulnerabilities.

Q: Whose decision was it to propose this product?

A: The National Security Council, the Justice Department, the
Commerce Department, and other key agencies were involved in
this decision. This approach has been endorsed by the
President, the Vice President, and appropriate Cabinet
officials.

Q: Who was consulted? The Congress? Industry?

A: We have on-going discussions with Congress and industry on
encryption issues, and expect those discussions to intensify
as we carry out our review of encryption policy. We have
briefed members of Congress and industry leaders on the
decisions related to this initiative.

Q: Will the government provide the hardware to manufacturers?

A: The government designed and developed the key access
encryption microcircuits, but it is not providing the
microcircuits to product manufacturers. Product
manufacturers can acquire the microcircuits from the chip
manufacturer that produces them.

Q: Who provides the "Clipper Chip"?

A: Mykotronx programs it at their facility in Torrance,
California, and will sell the chip to encryption device
manufacturers. The programming function could be licensed
to other vendors in the future.

Q: How do I buy one of these encryption devices?

A: We expect several manufacturers to consider incorporating
the "Clipper Chip" into their devices.

Q: If the Administration were unable to find a technological
solution like the one proposed, would the Administration be
willing to use legal remedies to restrict access to more
powerful encryption devices?

A: This is a fundamental policy question which will be
considered during the broad policy review. The key escrow
mechanism will provide Americans with an encryption product
that is more secure, more convenient, and less expensive
than others readily available today, but it is just one
piece of what must be the comprehensive approach to
encryption technology, which the Administration is
developing.

The Administration is not saying, "since encryption
threatens the public safety and effective law enforcement,
we will prohibit it outright" (as some countries have
effectively done); nor is the U.S. saying that "every
American, as a matter of right, is entitled to an
unbreakable commercial encryption product." There is a
false "tension" created in the assessment that this issue is
an "either-or" proposition. Rather, both concerns can be,
and in fact are, harmoniously balanced through a reasoned,
balanced approach such as is proposed with the "Clipper
Chip" and similar encryption techniques.

Q: What does this decision indicate about how the Clinton
Administration's policy toward encryption will differ from
that of the Bush Administration?

A: It indicates that we understand the importance of encryption
technology in telecommunications and computing and are
committed to working with industry and public-interest
groups to find innovative ways to protect Americans'
privacy, help businesses to compete, and ensure that law
enforcement agencies have the tools they need to fight crime
and terrorism.

Q: Will the devices be exportable? Will other devices that use
the government hardware?

A: Voice encryption devices are subject to export control
requirements. Case-by-case review for each export is
required to ensure appropriate use of these devices. The
same is true for other encryption devices. One of the
attractions of this technology is the protection it can give
to U.S. companies operating at home and abroad. With this
in mind, we expect export licenses will be granted on a
case-by-case basis for U.S. companies seeking to use these
devices to secure their own communications abroad. We plan
to review the possibility of permitting wider exportability
of these products.

[ I will, with considerable restraint, refrain from
detailed
editorializing regarding this material in this issue of
the
digest. I expect to see some spirited discussion of this
topic
in future issues, however!

A few general thoughts do seem appropriate, though.
There are
clearly several different aspects of this announcement
that
need to be carefuly considered. The first is the
technology
itself, including algorithmic security and robustness,
unit
registration issues, key distribution and management, and
so on.

Another aspect revolves around how this technology and
its use
would relate to current and future wiretap law and the
actual
interception of communications, regardless of whether or
not
intercepted data were immediately decoded.

Finally, there's the whole issue of "public trust" as it
relates to the concept of the proposed "key escrow"
system and
the conditions under which those split keys would be
assembled
and utilized.

Comments, anyone? -- MODERATOR ]

------------------------------

Date: Wed, 7 Apr 1993 03:03:09 -0400 (EDT)
From: Paul Robinson <[email protected]>
Subject: Re: Personal letters

On < Mon, 29 Mar 1993 13:24:37 (PST) > In Comp Privacy 2-11,
Steven Hodas <[email protected]>
>
> If I send a personal letter to someone do they have the right to
> disclose it to others without my consent?

No. The Copyright act of 1978 and later amendments gave statutory
protection at the federal level for the first time to unpublished
works.

> Does this vary state by state?

No. Prior to the 1978 law, an unpublished work was subject to the
protection of the common law of the state in question. The new law
expressly excludes states from having any jurisdiction over
unpublished
works and voids any "common law copyright" which might have
existed.
All works are automatically protected under federal law.

> If it's prohibited, is it a civil or a criminal issue?

Civil.

> If it is permitted doesn't that suggest that we have greater
privacy
> protection for electronic communciation because the ECPA would
prohibit
> that kind of disclosure?

I think you are confusing things. The ECPA gives to Electronic
mail the
same protections which are available for telephone conversations -
the
protection against interception by third parties or the use of
intercepted
E-Mail by law enforcement personnel without a warrant, i.e. what
the laws
against wiretapping and recording of telephone calls, the ECPA
provides to
the same extent to E-Mail.

The ECPA does not apply to the sender or recipient of the message.
It only
applies to anyone who may see a message prior to its delivery to
the
designated mailbox or delivery point. It applies to the E-Mail
providers
who carry the message and to anyone who delivers it.

I am also posting this to the Risks Digest for a reason which has
to do
with another issue which almost no one has noticed. As of April 1,
1988,
the United States became a member of the Berne Union for the
Protection of
Literary Works. This treaty is most famous as the reason companies
would
simultaneously publish a book in Canada in order to obtain
protection
under the Berne Convention.

As of four years ago, that process was no longer necessary because
the
U.S. is now a member of the Berne Union. The most significant
issue under
Berne (I refer to this as "It Berne's me up") is that there are no
formalities or requirements of notification in order for a work to
obtain copyright protection.

What this means is that copyright notices became totally optional
after
April 1, 1988 for all works first published on or after that date.
In
theory, if you obtained a computer program from someone which
simply had
his name and address on it, and wanted to use it, you would have to
find
out if the person who wrote it wanted anything to license it. You
can be
sued, and lose, and the other party can collect damages, even
though the
work has no indication of copyright notice.

I live just outside of Washington, DC and the Copyright office is
just a
20 minute train ride away. A frightening fact is that despite the
treaty
having been around for more than four years, the Copyright office
still
does not have copies of the text of the treaty. They have copies
of the
Phonolog Convention (for protection of sound recordings) and they
have
copies of the Universal Copyright Convention (which instituted the
C in
a circle copyright notice.) But Berne is conspicuously absent. It
makes
me wonder what things are stated in this treaty that are so bad
that
nobody wants people to know what it says. (The last time I tried
to get
a copy was about a year ago, but that still was 3 years after
implementation and the Copyright Office STILL did not have copies
of the
text of the treaty. It makes me wonder why.

Just remember this little piece of information. A treaty, once
ratified
by the Senate, has the force and effect of an amendment to the
Constitution of the United States and can override its provisions.
Think
about that some time.
-----
Paul Robinson -- [email protected]

------------------------------

Date: Sat, 10 Apr 93 08:18:52 EDT
From: Jerry Leichter <[email protected]>
Subject: Personal Letters

In a recent issue of the Privacy Digest, Steven Hodas asks:

If I send a personal letter to someone do they have the right
to
disclose it to others without my consent?

There is no one answer to this question.

The COPYRIGHT on a personal letter certainly remains with you, the
author.
This means that the recipient may not make additional copies of the
letter.

The status of the physical letter itself is more complicated. The
question,
when it comes up at all, arises when someone famous dies and his
heirs try
to collect up his old letters. I believe they have the right to do
so.
However, before you start worrying that you have to save every
letter you've
ever received, you certainly have no positive duty to preserve
property that
belongs to someone else and that he has handed to you with no
pre-conditions.
The only issue is: If you HAVE saved it, can the author insist
that you
return it? The answer may be yes in some circumstances.

Finally, as to the status of the IDEAS in the letter, as opposed to
the
particular WORDS chosen: With a few exceptions (such as classified
material,
or information overheard on a non-broadcast radio frequency), there
are no
restrictions on the use of ideas or knowledge. Neither copyright
protection,
nor questions of the ownership of the physical letter, have any
bearing on the
protection of the ideas described.

I should note, however, that ethics, courtesy, and common practice
among
ethical, curteous people is to treat the contents of a private
letter as just
that, a private communication of words and ideas that belong to
their author,
not to be used except in ways that the author clearly intended. It
may be
EASIER to ask forgiveness than permission, but it's certainly NICER
to ask
permission!

If it is permitted doesn't that suggest that we have greater
privacy
protection for electronic communciation because the ECPA would
prohibit that kind of disclosure?

Not as I understand the ECPA. The ECPA prohibits the provider of
electronic
communications services from reading OTHER PEOPLE'S messages, just
because
they happen to be physically present on a computer system owned by
the
provider. It also limits the government from similarly reading
such messages
except in certain circumstances. The analogy is to restrictions on
what the
post office can do to read your mail.

I don't believe the INTENDED RECIPIENT of an electronic message is
in any way
limited by the ECPA.

To look at one last issue: There is always a slightly fuzzy area
for misde-
livered messages, but that's nothing new - physical mail has been
delivered to
the wrong mailbox since time immemorial. The widespread use of FAX
machines,
which, to use an old computer joke, can make more mistakes in a
second than
the entire population of the US could make using paper and pencil
in a
century, has made this much more common. There have been cases of
law offices
accidentally faxing important documents to "the other side". The
general
result in these cases, as far as I can tell, is that the accidental
recipient
has to "return" the FAX to the sender if the sender somehow finds
out and asks
for it, but there's nothing the sender can do to keep the
accidental receiver
from using any information gleaned from his lucky find. (In the
particular
case of law offices, legal ethics may place additional obligations
on the
accidental recipient; for example, he may be required to tell the
sender, or
perhaps the court. But these are special cases, and the legal
ethics experts
can argue about them for hours.)
-- Jerry

------------------------------

Date: Thu, 8 Apr 1993 11:23:39 PDT
From: [email protected]
Subject: More on Chicago DEA Surveillance

forwarded with permission (from libernet via homebrew). Roger adds
"At a
recent Chicago Beer Society homebrew meeting we heard from two
other
homebrewers who got the same treatment as the two who were
interviewed by
WBBM-TV; their stories were probably not interesting to WBBM
because they
had nothing additional to tell. The point, though, is that they're
doing
this to MANY people. CBS, both at its local outlets like WBBM
Chicago,
and at the network level on 60 minutes, has been doing an admirable
job
of publicizing the abuses inherent in the siezure laws."

Regards,

Sarah Elkins ([email protected])
----------------------------------------------------------------
Date: Mon, 22 Mar 1993 22:46:20 CST
From: "Roger Deschner " <[email protected]>
Subject: HomeBrew Store Staked out by Feds

This story was on WBBM-TV, Channel 2, Chicago's CBS station, on
this
evening's 10 O'Clock News.

Starting a week ago, the Drug Enforcement Administration has been
watching Chicago Indoor Garden Supply of Streamwood, IL, from a
camera
somewhat ineptly camouflaged as an electric transformer on a
utility pole
across the street. This store does 70% of its business in
homebrewing
suppies, and has become one of the favorite suppliers to Chicago
area
homebrewers. Two homebrewers were interviewed by Channel 2 who had
been
followed home from the store by the Federalies, and had their homes
ransacked for drugs. When Ch.2's news truck parked in front of a
nearby
storefront the DEA has been using as a staging location, an
"interesting"
scene unfolded with a Ch.2 reporter not getting very many answers
from
the Feds, who tried in vain to keep their cover. (Note: Ch.2 did
obscure their faces as per standard practice when showing
undercover
agents.) Then a swarm of Streamwood Police Dept. cars came, sirens
and
lights going, to try to chase away the Ch.2 news crew.

The whole slant of the story was that this was a case of the DEA
going
too far in "Operation Green Merchant", where they are going after
stores
in Suburban Chicago which they suspect are supplying marijuana
growers
with lights, fertilizer, etc. The presumption is that if they
follow
enough homebrewers and other purchasers of perfectly legal
merchandize
home from this store, eventually they'll find drugs in somebody's
house,
and then they can sieze and close the store. Since they have an
officer
assigned full-time to follow customers of this store home, they
figure
the odds are in their favor.

Channel 2 Chicago is to be complimented for broadcasting this
story, and
for emphasizing several times during it that homebrewing is legal.
Watch
for further developments - WBBM-TV generally does a good job of
following
up on stories of this sort.

------------------------------

End of PRIVACY Forum Digest 02.12

Downloaded From P-80 International Information Systems 304-744-2253