PRIVACY Forum Digest Friday, 26 June 1992 Volume 01 : Issue 06
Moderated by Lauren Weinstein (
[email protected])
Vortex Technology, Topanga, CA, U.S.A.
===== PRIVACY FORUM =====
CONTENTS
PRIVACY Briefs (Moderator--Lauren Weinstein)
PRIVACY Forum back issues now available via listserv system
(Moderator--Lauren Weinstein)
FBI Digital Telephony Proposal now in PRIVACY Forum archive
(Moderator--Lauren Weinstein)
Govt & Corp Sysops Monitoring Users & Email (Jim Warren)
Rental applications and privacy (Susie Hirsch)
Monitoring of public information sources
(Moderator--Lauren Weinstein)
Chronicle Crypto Article (Joe Abernathy)
*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***
-----------------------------------------------------------------------------
The PRIVACY Forum is a moderated digest for the discussion and analysis of
issues relating to the general topic of privacy (both personal and
collective) in the "information age" of the 1990's and beyond. The
moderator will choose submissions for inclusion based on their relevance and
content. Submissions will not be routinely acknowledged.
ALL submissions should be addressed to "
[email protected]" and must have
RELEVANT "Subject:" lines. Submissions without appropriate and relevant
"Subject:" lines may be ignored. Subscriptions are by an automatic
"listserv" system; for subscription information, please send a message
consisting of the word "help" (quotes not included) in the BODY of a message
to: "
[email protected]". Mailing list problems should be
reported to "
[email protected]". Mechanisms for obtaining back
issues will be announced when available. All submissions included in this
digest represent the views of the individual authors and all submissions
will be considered to be distributable without limitations.
Back issues of PRIVACY Forum digests (and other related material) are now
archived and may be obtained automatically through the listserv system.
Please follow the instructions above for getting the listserv "help"
information, which now includes details regarding the "index" and "get"
listserv commands, which are used to access the PRIVACY Forum archive.
For information regarding the availability of this digest via FAX, please
send an inquiry to
[email protected], call (310) 455-9300, or FAX
to (310) 455-2364.
-----------------------------------------------------------------------------
VOLUME 01, ISSUE 06
Quote for the day:
"I am not a number! I am a free man!"
-- Number 6
"The Prisoner" television series (1968-1969)
----------------------------------------------------------------------
Date: Fri, 26 Jun 92 18:25 PDT
From:
[email protected] (Moderator--Lauren Weinstein)
Subject: PRIVACY Briefs
---
Concerns have been raised in Los Angeles over the recent revelations that
the District Attorney's office has been "secretly" videotaping the
spectators attending certain ongoing court cases. The cases in question
involve the defendants charged in the beating of a truck driver at the start
of the recent L.A. area civil unrest. The tapes have apparently been used
in an effort to determine if any of the court spectators could be matched up
with unidentified persons taped during the actual disturbances.
---
An Iowa couple has been awarded $4.3 million (with 25% going to them, and
75% going to a victims' reparations fund) after winning a privacy suit
against a motel. While having sex in a motel room, they heard a creaking
noise behind a wall, and discovered that what they had thought was a
conventional mirror was actually a "two-way" type with an 8 inch peephole
behind it, leading to an attic crawlspace. Though the motel operator said he
had not known about the mirror, and even though it was never proven that
anybody had actually been behind the mirror, the judge told the jury that
the mere existence of such an arrangement could be sufficient for conviction.
------------------------------
Date: Fri, 26 Jun 92 18:17 PDT
From:
[email protected] (Moderator--Lauren Weinstein)
Subject: PRIVACY Forum back issues now available via listserv system
Greetings. I'm pleased to announce that all PRIVACY Forum back issues, and
related privacy materials, are now available via the cv.vortex.com listserv
system. All future issues will be added to the archive as well. This
system allows you to request particular items from the archive automatically
via mail messages.
To get an index of available materials, you should send a message to:
[email protected]
or
[email protected]
with the command:
index privacy
in the BODY of your message (as the first text in your message body).
To retrieve a particular item, follow the same procedure as above,
but use the command:
get privacy <file>
where <file> is replaced by the desired file name.
For example, to retrieve PRIVACY Forum digest Volume 01, Issue 04:
get privacy priv.01.04
As always with the listserv system, only one request may be included in a
message; any subsequent requests in a single message will be ignored.
To avoid unnecessary net traffic, please only retrieve materials that you
really need.
Thanks much.
--Lauren--
------------------------------
Date: Fri, 26 Jun 92 21:45 PDT
From:
[email protected] (Moderator--Lauren Weinstein)
Subject: FBI Digital Telephony Proposal now in PRIVACY Forum archive
A complete copy of the latest revision (May, 1992) of the FBI
Digital Telephony Proposal is now in the PRIVACY Forum archive,
under the name "fbi-tel.1".
This is the legislative proposal to require direct interception capability
in virtually all U.S. telecommunications networks and related equipment, the
transferring of telecommunications certification control from the FCC to the
Attorney General, and the explicit ability to establish a remote government
monitoring facility.
There have been comments regarding this proposal in previous issues
of the PRIVACY Forum digest.
--Lauren--
------------------------------
Date: Sun, 21 Jun 92 17:46:26 PDT
From:
[email protected] (Jim Warren)
Subject: Govt & Corp Sysops Monitoring Users & Email
Last month, I gave a morning talk to an all-day meeting of an organization
of systems administrators of mini-class, mostly-shared systems -- most of
them employed by Fortune 500 companies and government agencies.
Initially titled, "Dodging Pitfalls in the Electronic Frontier," by mutual
agreement with the organizers, we re-titled it, "Government Impacts on
Privacy and Security." However, it was the same talk. :-) It was based on
information and perspectives aired during recent California Senate Judiciary
privacy hearings, and those presented at the 1991 and 1992 conferences on
Computers, Freedom & Privacy. (I organized and chaired the first CFP and
co-authored its transcripts, available from the IEEE Computer Society Press,
714-821-8380, Order #2565.)
The talk was long; the audience attentive; the questions and discussion
extensive. The attendees were clearly and actively interested in the issues.
At one point, I asked "How many have *NOT* been asked by their management or
superiors to monitor their users and/or examine or monitor users' email."
Only about 20% held up their hands -- even though I emphasized that I was
phrasing the question in a way that those who would be proud to hold up
their hands, could to do so.
--jim
Jim Warren,
[email protected] -or-
[email protected]
MicroTimes "futures" columnist; Autodesk, Inc., Board of Directors' member
InfoWorld founder; PBS' "Computer Chronicles" founding host, blah blah blah
------------------------------
Date: Fri, 26 Jun 92 13:46 PDT
From:
[email protected] (Susie Hirsch)
Subject: Rental applications and privacy
I recently have been looking for a house to rent, and have completed rental
applications that contain a variety of personal information (social
security number, address, phone number, credit information). The market is
very competitive for rental houses in the area, so I am required to provide
a completed rental application to even be considered as the potential renter.
Submitting incomplete applications on privacy grounds will most certainly
result in the landlord simply renting the property to another applicant
who provides all the requested personal information.
Given the nature of this personal information, I wonder about the security
issues concerning rental applications. What if an application is turned
down by the property owner, and then carelessly tossed away where anyone
could find it? What recourse does an applicant have if personal information
has been misused as a result of completing a rental application? Or is this
another situation where you simply hope you won't be victimized?
How can a balance be struck between the privacy rights of the applicant,
and the owner's need to check the background and credit history of a
potential renter?
::: Susie :::
------------------------------
Date: Fri, 26 Jun 92 19:49 PDT
From:
[email protected] (Moderator--Lauren Weinstein)
Subject: Monitoring of public information sources
Greetings. Every so often on the networks, we hear of a case where a person
sent a message (to public distribution lists or public newsgroups) which
might be interpreted as threatening to particular groups or individuals, or
discussing information that might potentially have been of a classified
nature. Sometimes the result of such a message is a visit to that author by
law enforcement officials, with a copy of the message in hand.
Usually it has turned out that the perceived threats weren't serious, or that
the information in question wasn't classified, but there was no reasonable
way to make such determinations until after some investigation.
When such events occur, there is sometimes incredulity expressed by some
segments of the network community that law enforcement officials even knew
that such public messages had been posted, and the argument is raised that
it is wrong for such "monitoring" of public information sources to be taking
place by such agencies. Some argue that law enforcement should be
restrained from making use of those kinds of information channels, even
though others can use that information freely.
I personally disagree. While obviously it is very important that such
agencies react responsibly, I believe that information openly posted to
public lists and other public forums should be available to law
enforcement officials and agencies, just as it's available to everyone
else. In fact, I'd be concerned if law enforcement didn't pay attention to
such widely available public information and public discussions.
Note that I'm talking here about *public* postings and *public*
information. The issues surrounding *private* communications
(e.g. *private* e-mail) are completely different, of course.
Some discussion of the "monitoring of public information" issues here
in the PRIVACY Forum might prove interesting.
--Lauren--
------------------------------
Date: Wed, 24 Jun 92 18:14:42 CDT
From:
[email protected] (Joe Abernathy)
Subject: Chronicle Crypto Article
This cryptography article appeared Sunday, June 21. It
is being forwarded to Risks as a way of giving back
something to the many thoughtful participants here who
helped give shape to the questions and the article.
In a companion submission, I include the scanned text of
the NSA's 13-page response to my interview request, which
appears to be the most substantial response they've
provided to date. I would like to invite feedback
and discussion on the article and the NSA document.
[ Moderator's Note: The entire NSA response document referred
to above has been placed in the PRIVACY Forum archive under
the name "nsa-chron.1". --Lauren-- ]
Please send comments to
[email protected]
Promising technology alarms government
/ Use of super-secret codes would block
legal phone taps in FBI's crime work
By JOE ABERNATHY
Copyright 1992, Houston Chronicle
Government police and spy agencies are trying to thwart
new technology that allows conversations the feds can't tap.
A form of cryptography _ the science of writing and
deciphering codes _ this technology holds the promise of
guaranteeing true privacy for transactions and communications.
But an array of federal agencies is seeking to either
outlaw or severely restrict its use, pointing out the potency
of truly secret communications as a criminal tool.
"Cryptography offers or appears to offer something that is
unprecedented,'' said Whitfield Diffie, who with a Stanford
University colleague devised public key cryptography,'' an
easily used cryptography that is at the center of the fight. "It
looks as though an individual might be able to protect
information in such a way that the concerted efforts of
society are not going to be able to get at it.
"No safe you can procure has that property; the strongest
safes won't stand an hour against oxygen lances. But
cryptography may be different. I kind of understand why the
police don't like it.''
The National Security Agency, whose mission is to
conduct espionage against foreign governments and diplomats,
sets policy for the government on matters regarding
cryptography.
But the FBI is taking the most visible role. It is backing
legislation that would address police fears by simply
outlawing any use of secure cryptography in electronic
communications.
The ban would apply to cellular phones, computer
networks, and the newer standard telephone equipment _
already in place in parts of Houston's phone system and
expected to gain wider use nationwide.
"Law enforcement needs to keep up with technology,'' said
Steve Markardt, a spokesman for the FBI in Washington.
"Basically what we're trying to do is just keep the status
quo. We're not asking for anything more intrusive than we
already have.''
He said the FBI uses electronic eavesdropping only on
complex investigations involving counterterrorism, foreign
intelligence, organized crime, and drugs. "In many of those,''
he said, we would not be able to succeed without the ability
to lawfully intercept.''
The State and Commerce departments are limiting
cryptography's spread through the use of export reviews,
although many of these reviews actually are conducted by
the NSA. The National Institute of Standards and Technology,
meanwhile, is attempting to impose a government
cryptographic standard that critics charge is flawed, although
the NSA defends the standard as adequate for its
intended, limited use.
"It's clear that the government is unilaterally trying to
implement a policy that it's developed,'' said Jim Bidzos,
president of RSA Data Security, which holds a key cryptography
patent. "Whose policy is it, and whose interest does it
serve? Don't we have a right to know what policy they're
pursuing?''
Bidzos and a growing industry action group charge that
the policy is crippling American business at a critical
moment.
The White House, Commerce Department, and NIST
refused to comment.
The NSA, however, agreed to answer questions posed in
writing by the Houston Chronicle. Its purpose in granting the
rare, if limited, access, a spokesman said, was "to give a true
reflection'' of the policy being implemented by the agency.
"Our feeling is that cryptography is like nitroglycerin: Use
it sparingly then put it back under trusted care,'' the
spokesman said.
Companies ranging from telephone service providers to
computer manufacturers and bankers are poised to introduce
new services and products including cryptography.
Users of electronic mail and computer networks can expect
to see cryptography-based privacy enhancements later this
year.
The technology could allow electronic voting, electronic
cash transactions, and a range of geographically separated
_ but secure _ business and social interactions. Not since
the days before the telephone could the individual claim
such a level of privacy.
But law enforcement and intelligence interests fear a
world in which it would be impossible to execute a wiretap
or conduct espionage.
"Secure cryptography widely available outside the United
States clearly has an impact on national security,'' said the
NSA in its 13-page response to the Chronicle. "Secure
cryptography within the United States may impact law
enforcement interests.''
Although Congress is now evaluating the dispute, a call by
a congressional advisory panel for an open public policy
debate has not yet been heeded, or even acknowledged, by
the administration.
The FBI nearly won the fight before anyone knew that war
had been declared. Its proposal to outlaw electronic
cryptography was slipped into another bill as an amendment
and nearly became law by default last year before
civil liberties watchdogs exposed the move.
"It's kind of scary really, the FBI proposal being considered
as an amendment by just a few people in the
Commerce Committee without really understanding the
basis for it,'' said a congressional source, who requested
anonymity. "For them, I'm sure it seemed innocuous, but
what it represented was a fairly profound public policy
position giving the government rights to basically spy on
anybody and prevent people from stopping privacy infringements.''
This year, the FBI proposal is back in bolder, stand-alone
legislation that has created a battle line with law enforce
ment on one side and the technology industry and privacy
advocates on the other.
"It says right on its face that they want a remote
government monitoring facility'' through which agents in
Virginia, for instance, could just flip a switch to tap a
conversation in Houston, said Dave Banisar of the Washington
office of Computer Professionals for Social Responsibility.
Though the bill would not change existing legal restraints
on phone-tapping, it would significantly decrease the practical
difficulty of tapping phones _ an ominous development
to those who fear official assaults on personal and corporate
privacy.
And the proposed ban would defuse emerging technical
protection against those assaults.
CPSR, the point group for many issues addressing the way
computers affect peoples' lives, is helping lend focus to a
cryptographic counterinsurgency that has slowly grown in
recent months to include such heavyweights as AT&T, DEC,
GTE, IBM, Lotus, Microsoft, Southwestern Bell, and other
computer and communications companies.
The proposed law would ban the use of secure cryptography
on any message handled by a computerized communications
network. It would further force service providers to
build access points into their equipment through which the
FBI _ and conceivably, any police officer at any level _
could eavesdrop on any conversation without ever leaving
the comfort of headquarters.
"It's an open-ended and very broad set of provisions that
says the FBI can demand that standards be set that industry
has to follow to ensure that (the FBI) gets access,'' said
a congressional source. "Those are all code words for if they
can't break in, they're going to make (cryptography) illegal.
"This is one of the biggest domestic policy issues facing
the country. If you make the wrong decisions, it's going to
have a profound effect on privacy and security.''
The matter is being considered by the House Judiciary
Committee, chaired by Rep. Jack Brooks, D-Texas, who is
writing a revision to the Computer Security Act of 1987, the
government's first pass at secure computing.
The recent hearings on the matter produced a notable
irony, when FBI Director William Sessions was forced to
justify his stance against cryptography after giving opening
remarks in which he called for stepped-up action to combat
a rising tide of industrial espionage. Secure cryptography
was designed to address such concerns.
The emergence of the international marketplace is
shaping much of the debate on cryptography. American
firms say they can't compete under current policy, and that
in fact, overseas firms are allowed to sell technology in
America that American firms cannot export.
"We have decided to do all further cryptographic develop
ment overseas,'' said Fred B. Cohen, a noted computer
scientist. "This is because if we do it here, it's against the law
to export it, but if we do it there, we can still import it and
sell it here. What this seems to say is that they can have it,
but I can't sell it to them _ or in other words _ they get the
money from our research.''
A spokeswoman for the the Software Publishers Association
said that such export controls will cost $3-$5 billion in
direct revenue if left in place over the next five years. She
noted the Commerce Department estimate that each $1
billion in direct revenue supports 20,000 jobs.
The NSA denied any role in limiting the power of
cryptographic schemes used by the domestic public, and
said it approves 90 percent of cryptographic products
referred to NSA by the Department of State for export
licenses. The Commerce Department conducts its own
reviews.
But the agency conceded that its export approval figures
refer only to products that use cryptology to authenticate a
communication _ the electronic form of a signed business
document _ rather than to provide privacy.
The NSA, a Defense Department agency created by order
of President Harry Truman to intercept and decode foreign
communications, employs an army of 40,000 code-breakers.
All of its work is done in secret, and it seldom responds to
questions about its activities, so a large reserve of distrust
exists in the technology community.
NSA funding is drawn from the so-called "black budget,''
which the Defense Budget Project, a watchdog group,
estimates at $16.3 billion for 1993.
While the agency has always focused primarily on foreign
espionage, its massive eavesdropping operation often pulls
in innocent Americans, according to James Bamford, author
of "The Puzzle Palace," a book focusing on the NSA's
activities. Significant invasions of privacy occurred in the
1960s and 1970s, Bamford said.
Much more recently, several computer network managers
have acknowledged privately to the Chronicle that NSA has
been given access to data transmitted on their networks _
without the knowledge of network users who may view the
communications as private electronic mail.
Electronic cryptology could block such interceptions of
material circulating on regional networks or on Internet _
the massive international computer link.
While proponents of the new technology concede the need
for effective law enforcement, some question whether the
espionage needs of the post-Cold War world justify the
government's push to limit these electronic safeguards on
privacy.
"The real challenge is to get the people who can show
harm to our national security by freeing up this technology
to speak up and tell us what this harm is,'' said John
Gillmore, one of the founders of Sun Microsystems.
"When the privacy of millions of people who have cellular
telephones, when the integrity of our computer networks
and our PCs against viruses are up for grabs here, I think the
battleground is going to be counting up the harm and in the
public policy debate trying to strike a balance.''
But Vinton Cerf, one of the leading figures of the Internet
community, urged that those criticizing national policy
maintain perspective.
"I want to ask you all to think a little bit before you totally
damn parts of the United States government,'' he said.
"Before you decide that some of the policies that in fact go
against our grain and our natural desire for openness, before
you decide those are completely wrong and unacceptable, I
hope you'll give a little thought to the people who go out
there and defend us in secret and do so at great risk.''
------------------------------
End of PRIVACY Forum Digest 01.06
************************
