PRIVACY Forum Digest        Monday, 6 July 1992        Volume 01 : Issue 07

        Moderated by Lauren Weinstein ([email protected])
               Vortex Technology, Topanga, CA, U.S.A.

                    ===== PRIVACY FORUM =====

         The PRIVACY Forum digest is supported in part by the
             ACM Committee on Computers and Public Policy.


CONTENTS
       PRIVACY Forum digest now affiliated with ACM
          (Moderator--Lauren Weinstein)
       PRIVACY Forum materials are available via anonymous FTP
          (Moderator--Lauren Weinstein)
       Re: Chronicle Crypto Article [PRIVACY 01.06] (Thomas Zmudzinski)
       Monitoring In The Workplace (Bonnie J. Johnson)
       CPSR Challenges Virginia SS (Dave Banisar)


*** Please include a RELEVANT "Subject:" line on all submissions! ***
           *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The PRIVACY Forum is a moderated digest for the discussion and analysis of
issues relating to the general topic of privacy (both personal and
collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "[email protected]" and must have
RELEVANT "Subject:" lines.  Submissions without appropriate and relevant
"Subject:" lines may be ignored.  Subscriptions are by an automatic
"listserv" system; for subscription information, please send a message
consisting of the word "help" (quotes not included) in the BODY of a message
to: "[email protected]".  Mailing list problems should be
reported to "[email protected]".  All submissions included in this
digest represent the views of the individual authors and all submissions
will be considered to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "cv.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which now includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.

For information regarding the availability of this digest via FAX, please
send an inquiry to [email protected], call (310) 455-9300, or FAX
to (310) 455-2364.
-----------------------------------------------------------------------------

VOLUME 01, ISSUE 07

   Quote for the day:

       Dr. McCoy:     "Why is it called the M5?  Why not the M1?"

       Dr. Daystrom:  "Multitronic units number one through
                       four were not entirely successful.
                       This one is."

             "Star Trek" (1966-1969)
             Episode: "The Ultimate Computer"

----------------------------------------------------------------------

Date:    Mon, 6 Jul 92 18:45 PDT
From:    [email protected] (Moderator--Lauren Weinstein)
Subject: PRIVACY Forum digest now affiliated with ACM

Greetings.  I'm pleased to announce that the PRIVACY Forum digest is
now supported in part by the ACM (Association for Computing Machinery)
Committee on Computers and Public Policy.  This is the same committee
under whose auspices the renowned Risks Digest appears.

As its name suggests, the ACM Committee on Computers and Public Policy is
concerned with a variety of computer-related policy issues, such as risks
involving security, privacy, reliability, human safety, and financial
stability.

--Lauren--

------------------------------

Date:    Mon, 6 Jul 92 19:00 PDT
From:    [email protected] (Moderator--Lauren Weinstein)
Subject: PRIVACY Forum materials are available via anonymous FTP

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is now available via anonymous FTP from site
"cv.vortex.com", in the "/privacy" directory.  Use the FTP login "ftp" or
"anonymous", and enter your e-mail address as the password.  The typical
"README" and "INDEX" files are available to guide you through the files
available for FTP access.

--Lauren--

------------------------------

Date:    30 Jun 92 10:16:00 EST
From:    "zmudzinski, thomas" <[email protected]>
Subject: Re: Chronicle Crypto Article [PRIVACY 01.06]


     D E F E N S E   I N F O R M A T I O N   S Y S T E M S   A G E N C Y

                                       Date:     30-Jun-1992 10:02 EDT
                                       From:     Thomas Zmudzinski
                                                 ZMUDZINSKIT
                                       Dept:     DNSO/DISM
                                       Tel No:   703 285 5459  (DSN) 356

TO:  [email protected]      ( REMOTE )

CC:  [email protected]                ( REMOTE )
CC:  [email protected]                     ( REMOTE )

Subject: Re: Chronicle Crypto Article [PRIVACY 01.06]

The 21 June 1992 Houston Chronicle article stated:

> The matter is being considered by the House Judiciary
> Committee, chaired by Rep. Jack Brooks, D-Texas, who is
> writing a revision to the Computer Security Act of 1987,
> the government's first pass at secure computing.
                  ^^^^^ ^^^^ ^^ ^^^^^^ ^^^^^^^^^
Oh,  come on!  The 1987 Act isn't even the Government's "first
pass" at  _UNCLASSIFIED_  secure computing.   Go check out the
Computer Security Acts of 1984 and earlier!  BTW, if one reads
PL 100-235, one finds that it is basically an amendment to the
Federal  Property and  Administrative  Services Act of 1949(!)
with some necessary updates to the NBS (NIST) charter of 1901.
If you have to go beyond the proper titles, why not say that it's
the U.S. Government's most well known secure computing effort?
                     ^^^^ ^^^^ ^^^^^
Tom Zmudzinski                     ZmudzinskiT @ UVAX.DISA.MIL
Defense Information Systems Agency              (703) 285-5459

------------------------------

Date:    Tue, 30 Jun 92 11:01:19 EDT
From:    "Bonnie J. Johnson" <[email protected]>
Subject: Monitoring In The Workplace

As I was reading the Telecom Digest this am I came across the following
Survey being conducted by Lorrayne Schaefer ([email protected].)
(703-883-5301) which I think might be interesting to us all, particularly
the results!

To recite the e-mail verbatim, states Lorrayne Schaefer:

"For your information, this has been posted on some newsgroups a few
months ago. This survey has also been distributed to various conferences
over the past few months. All results will be in the form of statistical
information and keywords. All participants will remain anonymous.

SURVEY;  MONITORING IN THE WORKPLACE

The purpose of this survey is to collect data for a presentation that
I will give at this year's National Computer Security Conference in
October. I would like to thank you for taking the time to fill out
this survey. If you have any questions, you can call me at
703-883-5301 or send me e-mail at [email protected]. Please
send your completed survey to:

    Lorrayne Schaefer
    The MITRE Corporation
    M/S  Z213
    7525 Colshire Drive
    McLean  VA 22102

1.  What is your title?
2.  What type of work does your organization do?
3.  Does your organization currently monitor computer activity? (Y/N)
   a.  If Yes, what type of monitoring does your company do (e.g.,
       electronic mail, bulletin boards, telephone, system activity,
       network activity)?
   b.  Why does your company choose to monitor these things and how
       is it done?
4.  If you are considering (or are currently) using a monitoring tool,
   what exactly would you monitor?  How would you protect this
   information?
5.  Are you for or against monitoring?  Why/why not?  Think in terms
   of whether it is ethical or unethical ("ethical" meaning that it
   is right and "unethical" meaning it is wrong) for an employer to
   monitor an employee's computer usage.  In your response, consider that
   the employee is allowed by the company to use the computer and the
   company currently monitors computer activity.
6.  If your company monitors employees, is it clearly defined in your
   company policy?
7.  In your opinion, does the employee have rights in terms of being
   monitored?
8.  In your opinion, does the company have rights to protect its assets
   by using a form of monitoring tool?
9.  If you are being monitored, do you take offense?  Managers: How do
   you handle situations in which the employee takes offense at being
   monitored?
10. What measures does your company use to prevent misuse of monitoring
   in the workplace?
11. If an employee is caught abusing the monitoring tool, what would
   happen to that individual?  If your company is not using any form
   of monitoring, what do you think should happen to an individual
   who abused the tool?
12. Is it unethical to monitor electronic mail to determine if the
   employee is not abusing this company resource (e.g. suppose the
   employee sends personal notes via a network to others that are
   not work related)?  Why or why not?"

I find all the issues which Lorrayne brings up are very valid
questions and have quite frankly called the FCC for some answers on
electronic mail myself a couple years back.  Telecom has come up
with guidelines on monitoring (beep tone and at least one other
person knowing they are being monitored).  Any thoughts on how long
it will be for a standard to be set for e-mail?

What are the group's thoughts on some of the questions?

I will send an e-mail to Lorrayne requesting a copy of the results
in October and pass them along to the group if there
is any interest.

------------------------------

Date:    Sat, 4 Jul 1992 17:16:20 EDT
From:    Dave Banisar <[email protected]>
Subject: CPSR Challenges Virginia SS

 CPSR Challenges Virginia SSN Practice

PRESS RELEASE

June 30, 1992

CPSR Challenges Virginia SSN Practice


       WASHINGTON, DC -- A national public interest organization has
filed a "friend of the court" brief in the federal court of appeals,
calling into question the Commonwealth of Virginia's practice of
requiring citizens to provide their Social Security numbers in order to
vote. Computer Professionals for Social Responsibility (CPSR) alleges
that Virginia is violating constitutional rights and creating an
unnecessary privacy risk.

       The case arose when a Virginia resident refused to provide his
Social Security number (SSN) to a county registrar and was denied the
right to register to vote.  Virginia is one of a handful of states that
require voters to provide an SSN as a condition of registration.  While
most states that require the number impose some restrictions on its
public dissemination, Virginia allows unrestricted public inspection of
voter registration data -- including the SSN.  Marc A. Greidinger, the
plaintiff in the federal lawsuit, believes that the state's registration
requirements violate his privacy and impose an unconstitutional burden
on his exercise of the right to vote.

       The CPSR brief, filed in the Fourth Circuit Court of Appeals in
Richmond, supports the claims made by Mr. Greidinger.  CPSR notes the
long-standing concern of the computing community to design safe
information systems, and the particular effort of Congress to control
the misuse of the SSN.   The organization cites federal statistics
showing that the widespread use of SSNs has led to a proliferation of
fraud by criminals using the numbers to gain driver's licenses, credit
and federal benefits.  The CPSR brief further describes current efforts
in other countries to control the misuse of national identifiers, like
the Social Security number.

       Marc Rotenberg, the Director of the CPSR Washington Office, said
that "This is a privacy issue of constitutional dimension. The SSN
requirement is not unlike the poll taxes that were struck down as
unconstitutional in the 1960s.  Instead of demanding the payment of
money, Virginia is requiring citizens to relinquish their privacy rights
before being allowed in the voting booth."

       CPSR argues in its brief that the privacy risk created by
Virginia's collection and disclosure of Social Security numbers is
unnecessary.  The largest states in the nation, such as California, New
York and Texas, do not require SSNs for voter registration.  CPSR points
out that California, with 14 million registered voters, does not need to
use the SSN to administer its registration system, while Virginia, with
less than 3 million voters, insists on its need to demand the number.

       David Sobel, CPSR Legal Counsel, said "Federal courts have
generally recognized that there is a substantial privacy interest
involved when Social Security numbers are disclosed.  We are optimistic
that the court of appeals will require the state to develop a safer
method of maintaining voting records."

       CPSR has led a national campaign to control the misuse of the
Social Security Number.   Earlier this year the organization testified
at a hearing in Congress on the use of the SSN as a National
Identifier.  CPSR urged lawmakers to respect the restriction on the SSN
and to restrict its use in the private sector.   The group also
participated in a federal court challenge to the Internal Revenue
Service's practice of displaying taxpayers' SSNs on mailing labels. CPSR
is also undertaking a campaign to advise individuals not to disclose
their Social Security numbers unless provided with the legal reason for
the request.

       CPSR is a national membership organization, with 2,500 members,
based in Palo Alto, CA.  For membership information contact CPSR, P.O.
Box 717, Palo Alto, CA 94303, (415) 322-3778, [email protected].


For more information contact:

Marc Rotenberg, Director
David Sobel, Legal Counsel
CPSR Washington Office
(202) 544-9240
[email protected]
[email protected]

Paul Wolfson, attorney for Marc A. Greidinger
Public Citizen Litigation Group
(202) 833-3000

------------------------------

End of PRIVACY Forum Digest 01.07
************************