The following document is from the PRIVACY Forum Archive at Vortex Technology, Woodland Hills, California, U.S.A. For direct web access to the PRIVACY Forum and PRIVACY Forum Radio, including detailed information, archives, keyword searching, and related facilities, please visit the PRIVACY Forum via the web URL: http://www.vortex.com ----------------------------------------------------------------------- PRIVACY Forum Digest Friday 12 June 1992 Volume 01 : Issue 04 Moderated by Lauren Weinstein (lauren@cv.vortex.com) Vortex Technology, Topanga, CA, U.S.A. ===== PRIVACY FORUM ===== CONTENTS PRIVACY Briefs (Moderator--Lauren Weinstein) Re: Encryption to make government monitoring more expensive (Jerry Leichter) Re: FBI Wiretap Proposal (Mark D. Rasch) Privacy Act Information (Mark D. Rasch) Random Encryption (John R. Levine) Bank Account Security (John R. Levine) *** Please include a MEANINGFUL "Subject:" line on all submissions! *** ----------------------------------------------------------------------------- The PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged. ALL submissions should be addressed to "privacy@cv.vortex.com" and must have MEANINGFUL "Subject:" lines. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@cv.vortex.com". Mailing list problems should be reported to "list-maint@cv.vortex.com". Mechanisms for obtaining back issues will be announced when available. All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations. For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX to (310) 455-2364. ----------------------------------------------------------------------------- VOLUME 01, ISSUE 04 Quote for the day: "Pay no attention to that man behind the curtain!" -- The Wizard "The Wizard of Oz" (1939) ---------------------------------------------------------------------- PRIVACY Briefs (from the Moderator) --- At the recent Cryptography and Privacy Conference sponsored by CPSR (Computer Professionals for Social Responsibility), the possibility was raised by the NYNEX Legislative Counsel that the proposed FBI "wiretapping" legislation might force telephone companies to withdraw such services as "call forwarding", which can be viewed as impeding authorized wiretaps. The FBI feels that such service withdrawals should be unnecessary. --- Privacy advocates in Vermont are concerned that their new, tough law controlling abuses of credit records may be rendered ineffective by weaker, pending federal legislation that could preempt state laws. --- In South Africa, protests are beginning over a new draft law for internal security that would permit security forces to tap telephones or open mail whenever they suspect a "serious crime" has been committed. This would be a change from current law which allows such activities only when "state security" is threatened. --- A variety of sources now indicate that the California PUC is about to hand down its decision (perhaps in the next week or two) regarding Calling Number ID services within the state. Bets are that the services will be approved, but that some form of optional per-line ID blocking may well be required to be available (but whether or not such blocking will have a "premium" price is another matter). Free per-call ID blocking has already been mandated by the state legislature. Telephone companies in the state have previously been quoted as saying that it might not even be worthwhile to offer Calling Number ID if per-line blocking were allowed. This has generally been considered to be a bluff by most observers. --- The 6-month old "Computer Ethics Institute" has drawn up what it calls the "Ten Commandments of Computer Ethics." It says it is circulating these for comment within the computer industry. These include: I. Thou shalt not use a computer to harm other people. II. Thou shalt not interfere with other people's computer work. III. Thou shalt not snoop around in other people's computer files. IV. Thou shalt not use a computer to steal. V. Thou shalt not use a computer to bear false witness. ... and so on. Charlton Heston has been unavailable for comment. ------------------------------ Date: Sun, 07 Jun 92 22:23:07 PDT From: JERRY LEICHTER Subject: re: Encryption to make government monitoring more expensive In a recent Privacy Digest, Bob Leone suggests that "there's a lot to be said in favor of widespread use of even easily-broken encryption schemes". Specifically, "if the majority of e-mail traffic is routinely encrypted ... then it becomes much more expensive for the govt to engage in random snooping." This is a new version of the stupid "NSA cookies" that people used to use: Signature lines with what they thought were key words the NSA computers would look for. I guess people got bored with those; I haven't seen any in a while. Mr. Leone seems to believe that the world consists of "us" and "them". "They" are out to get "us". OK, great conspiracy theory. However, he seems to forget that WE are the ones who pay THEIR bills. If government sees the monitoring of Internet communications as important enough, it will happen - and taxes will rise to pay for it. We've got to get beyond the idea that privacy can be gained only by locking the government out. The fact of the matter is that most people have nothing to fear from the government when it comes to invasion of privacy - but they have a great deal to fear from various private agencies, like mass marketers to their neighbors. It's only an accountable, responsible government that can protect them (us) from such abuses. -- Jerry ------------------------------ Date: Tue, 09 Jun 92 11:50:00 PDT From: Rasch@DOCKMASTER.NCSC.MIL Subject: FBI Wiretap Proposal Once it becomes technologically feasible for the FBI to engage in the wiretaps, it doesn't matter whether it is "difficult" or "trivial" to perform them. Ultimately, once the technological barriers are removed, the only effective limitations illegal wiretaps are the threat of effective sanctions. This points out the distinction between the POWER to do wiretaps (which the legislation addresses) and the AUTHORITY to do them (which is addressed in other legislation). Of course, a further issue is the COST of the technology employed. Before the advent of digital telephone communications, and after the passage of Title III (the federal wiretap law), I'm not sure that there was a *significant* problem with the FBI engaging in illegal electronic surveillance. There hasn't been a lot of litigation about this. However, once you are willing to recognize that, in appropriate (read court authorized) circumstances law enforcement are permitted to engage in electronic surveillance, you ultimately put your trust in the government that they won't abuse this power. This trust may prove to be misguided at some point, and the issue may need to be redressed at that juncture. A more vexing problem is that of other unauthorized wiretaps. Once you make it technologically possible to engage in electronic surveillance by software, you practically invite phrackers to abuse the system. Already we have seen instances of individuals breaking into telephone systems to reroute or retrieve telephone calls. (e.g. Poulsen, Mitnick, Doucette). Meanwhile, market forces are encouraging companies to place a greater premium on computer and telecommunications security. By imposing liability on companies for inadequate security, the law forces companies to seek out new encryption technologies, which ultimately will frustrate some of the purposes of the proposed FBI legislation. While the more advanced criminals will use this encryption technology (it is already available in the STU -III encrypted telephones) the vast majority will simply use the telephones as they are. All in all, the FBI proposal simply attempts to preserve the technological status quo. If you are concerned about illegal activity by the government, the redress is not in technology, but in other restraints against government. (Would you deny all police officers guns or nightsticks because they may abuse them?) Mark D. Rasch Arent Fox Kintner Plotkin & Kahn 1050 Connecticut Avenue, N.W. Washington, D.C. 20530 (202) 857-6154 Rasch@dockmaster.ncsc.mil [ Moderator's Note: I see no reason why *both* technological constraints *and* "other restraints" should not be applied in such delicate situations. Even though there are laws against theft we still put locks on our doors. Most people do this not because they assume that everyone is dishonest, nor on the (false) assumption that locks represent 100% security. Rather, locks present an additional layer of protection that can have positive effects in many routine situations. The same rationale would seem to apply to the issue under discussion. --Lauren-- ] ------------------------------ Date: Tue, 09 Jun 92 22:02:00 PDT From: Rasch@DOCKMASTER.NCSC.MIL Subject: Privacy Act Information I just got this interesting tidbit of information. A friend of mine is a physician who ordered medication from Eli Lilly corporation for a patient of hers. This was done under a special program whereby indigent patients can receive free medication. The doctor filled out all the forms properly, but refused to put her own (not the patient's) social security information on the form. When the patient failed to get the prescription for over a month, the doctor called to inquire why. She was told that the patient would not receive the medication unless and until the DOCTOR provided the DOCTOR's SSN. This was for internal recordkeeping (e.g. marketing) purposes. I believe that this is illegal, but am not sure. Any thoughts? Mark D. Rasch ------------------------------ Date: Wed, 10 Jun 92 12:52:03 PDT From: johnl@iecc.cambridge.ma.us (John R. Levine) Subject: random encryption >Of course the entire question is academic since generating masses of random >digits is one thing that computers are *really*good*at* ... Actually, computers are really lousy at generating random digits unless they're malfunctioning. The pseudo-random numbers with which we are all familiar are in fact 100% deterministic. A credible urban legend reports that one time some benighted PDP-11 Unix system administrator wrote a program to generate "random" passwords and assigned them to all of his users. Unfortunately, the PDP-11's random number generator only had a 16 bit seed meaning that there were only 64K possible passwords, so it was easy to break them all by exhaustive search. Secure encrypted communication is expensive, and we need to figure out how much we're willing to spend on it. There are also social issues to consider, e.g. messages sent through MCI Mail are considerably more secure than those sent through the Internet because they use a small homogeneous set of machines none of which are administered by college undergraduates. ------------------------------ Date: Wed, 10 Jun 92 12:52:03 PDT From: johnl@iecc.cambridge.ma.us (John R. Levine) Subject: bank account security On the topic of bank account security, some banks are more with it than others. My bank has a nice touch-tone account information system. The user ID is your ATM card number, which is unrelated to any account number. After you enter the card number (actually, just the last 8 digits since the leading digits are the same for all of its cards) the computer voice randomly asks you to enter one of the digits of your PIN, e.g. "now, enter the, third, digit of your PIN." This scheme seems to me fairly secure without being overbearing. I seem to be the only customer who ever uses it because they've never advertised it. ------------------------------ End of PRIVACY Forum Digest 01.04 ************************