PRIVACY Forum Digest Friday, 20 November 1992 Volume 01 : Issue 26

PRIVACY Forum Digest Friday, 20 November 1992 Volume 01 : Issue 26

Moderated by Lauren Weinstein ([email protected])
Vortex Technology, Topanga, CA, U.S.A.

===== PRIVACY FORUM =====

The PRIVACY Forum digest is supported in part by the
ACM Committee on Computers and Public Policy.

CONTENTS
Re: Wire Taps, Key Management, and Privacy (Dorothy Denning)
SURVEY RESULTS: Is Big Brother Watching You? (Lorrayne Schaefer)

*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The PRIVACY Forum is a moderated digest for the discussion and analysis of
issues relating to the general topic of privacy (both personal and
collective) in the "information age" of the 1990's and beyond. The
moderator will choose submissions for inclusion based on their relevance and
content. Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "[email protected]" and must have
RELEVANT "Subject:" lines. Submissions without appropriate and relevant
"Subject:" lines may be ignored. Subscriptions are by an automatic
"listserv" system; for subscription information, please send a message
consisting of the word "help" (quotes not included) in the BODY of a message
to: "[email protected]". Mailing list problems should be
reported to "[email protected]". All submissions included in this
digest represent the views of the individual authors and all submissions
will be considered to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "cv.vortex.com",
in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password. The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access. PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system. Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.

For information regarding the availability of this digest via FAX, please
send an inquiry to [email protected], call (310) 455-9300, or FAX
to (310) 455-2364.
-----------------------------------------------------------------------------

VOLUME 01, ISSUE 26

Quote for the day:

Psychiatrist: "Tell me Harold, what do you do for fun?
What activity gives you a different sense of
enjoyment from the others?
What do you find fulfilling?
What gives you that special satisfaction?"

Harold: "I go to funerals."

-- G. Wood and Bud Cort
"Harold and Maude" (1972)

----------------------------------------------------------------------

Date: Thu, 19 Nov 92 17:57:01 EST
From: [email protected] (Dorothy Denning )
Subject: Re: Wire Taps, Key Management, and Privacy

In PRIVACY Forum Digest V01 #25, Brinton Cooper writes:

In RISKS DIGEST 13.87, Dorothy Denning .. spoke of the high costs of lawful
surveillance and asserted, "Much of this is related to organized crime,"
perhaps a scare tactic?

Actually the majority of taps goes to narcotics investigations. After
that comes racketeering and gambling. According to the FBI, the
hierarchy of Organized Crime has been neutralized or destabilized
through the use of electronic surveillance, and thirty odd years of
successes would be reversed if the ability to conduct court-authorized
electronic surveillance was lost. I believe this represents an honest
assessment of what they see would happen.

Her solution involves nongovernmental "key centers" which,
presumably, would not give out keys to anyone without a properly
executed court order.

By way of context, I'm looking for a way to balance our national
interests for privacy and security with those for effective law
enforcement. This is one idea I proposed. I am not pushing it as "the
solution". In any case, the idea was for users to register their keys
with a trustee (key center). Or, using a technique invented by Silvio
Micali, you could split your key into parts and register each part with
a different trustee. Law enforcement would have to take a court order
to each trustee in order to get the pieces and reconstruct the key.

She cites that the "...phone companies are so fussy about court
orders that they send them back if the semicolons aren't right...,"
apparently believing that the rights of the citizens are thereby
protected. For the following reasons, this is a politically naive
position.

1. It provides that our right to protection from illegal governmental
search and seizure and/or illegal eavesdropping rests on the good will
and integrity of a phone company!

Your statement does not follow from what I said. I said the phone
companies are fussy. I know of no cases where the phone companies
assisted with unauthorized taps. If you do, please cite. They could
go out of business if they didn't respect the rights of their
customers. Even so, your right to protection does not rest entirely on
the phone company. Title 18 makes tapping without a court order
illegal.

Crypto will make it much more difficult for anyone to tap illegally. If
the keys are registered with a trustee other than the phone company, someone
would have to subvert both the trustee and the phone company (to get the
bits).

3. Court orders, search warrants, and the like protect citizens only
when the information or evidence gathered is to be used in court against
a suspect. If information is being gathered for political purposes,
blackmail, or other subversion of law (Watergate, Iran-Contra, the
Italian bank scandal, etc), the purloined information will never see a
public forum but can still do great harm to innocent persons. Thus, the
constraints of court orders are obviated.

I expect that most of this information is not being obtained by wiretapping.
It is popular to suggest it is and difficult to refute. If someone
in law enforcement is found to be tapping without a court order, they
could be convicted of violating Title 18.

But in any case, it will be very difficult for LE to intercept without a
court order with the new digital technologies and crypto.

The FBI needs to fund its own R&D from its own budget, just as the
rest of the government at all levels must do. There is talent that can
"red team" modern telecommunications and find trapdoors when necessary.

Are you suggesting that it would be better for the FBI to break the
cryptosystems than go through a trustee with a court order?

Dorothy Denning

------------------------------

Date: Fri, 13 Nov 92 09:16:56 EST
From: [email protected]
Subject: SURVEY RESULTS: Is Big Brother Watching You?

[ These results refer to a survey originally seen here in the
PRIVACY Forum on Monday, 6 July 1992 (Volume 01 : Issue 07).
The survey size was reported as 100 people. The original
survey introduction is included below. -- MODERATOR ]

---

The purpose of this survey is to collect data for a presentation that I
will give at this year's National Computer Security Conference in October.
I would like to thank you for taking the time to fill out this survey. If
you have any questions, you can call me at 703-883-5301 or send me email at
[email protected]. Please send your completed survey to:

Lorrayne Schaefer
The MITRE Corporation
M/S Z213
7525 Colshire Drive
McLean, VA 22102

1. What is your title?

Engineer 31% Manager 14%
Computer Scientist 25% Systems Administrator 10%
Administrator 4% Student 10%
Not Provided 2% Professor 3%
Author 1%

2. What type of work does your organization do?

Education 24% Software Development 19%
Hardware Development 15% Research 11%
Not Provided 6% Other 8%
Government 6% System Administration 2%
Telephone 5% System Development 2%
Network Development 2%

3. Does your organization currently monitor computer activity? (Yes/No)

Yes 67%
No 32%
Unknown 1%

If yes, what type of monitoring does your company do (e.g., electronic
mail, bulletin boards, telephone, system activity, network activity)?

All 16% System Activity 17%
Bulletin Boards 4% Network Activity & Other 12%
Other 3% Telephone Usage 7%
E-mail 2% System & Network Activity 5%
Unknown 1% N/A 1%

4. If you are considering (or are currently) using a monitoring tool,
what exactly would you monitor? How would you protect this
information?

System Usage 17% N/A 43%
Accounting 5% Nothing 11%
Everything 4% Network Traffic 10%
Don't Know 3% Other 2%
Bulletin Board 1% Security 3%
E-mail 1%

5. Are you for or against monitoring? Why/why not? Think in terms of
whether it is ethical or unethical ("ethical" meaning that it is
right and "unethical" meaning it is wrong) for an employer to
monitor an employee's computer usage. In your response, consider
that the employee is allowed by the company to use the computer and
the company currently monitors computer activity.

Against 52%
For 47%
N/A 1%

6. If your company monitors employees, is it clearly defined in your
company policy?

N/A 35%
No 34%
Yes 31%

7. In your opinion, does the employee have rights in terms of being
monitored?

Yes 90%
No 8%
Don't Know 2%

8. In your opinion, does the company have rights to protect its as
sets by using a form of monitoring tool?

Yes 91%
No 6%
Don't Know 3%

9. If you are being monitored, do you take offense? Managers: How do
you handle situations in which the employee takes offense at being
monitored?

No 42%
Yes 36%
N/A 22%

10. What measures does your company use to prevent misuse of monitoring in
the workplace?

None 36% Don't Know 17%
N/A 22% Policy 6%
Control of Information 4% Security 6%
Honor System 4% Warnings 3%
Other 2%

11. If an employee is caught abusing the monitoring tool, what would
happen to that individual? If your company is not using any form of
monitoring, what do you think should happen to an individual who
abused the tool?

Reprimand 64% Don't Know 17%
N/A 10% Termination 5%
Nothing 4%

12. Is it unethical to monitor electronic mail to determine if the
employee is not abusing this company resource (e.g., suppose the
employee sends personal notes via a network to others that are not
work related)? Why or why not?

No 49%
Yes 49%
N/A 2%

------------------------------

End of PRIVACY Forum Digest 01.26
************************