PRIVACY Forum Digest -- Saturday, 30 May 1992 -- Volume 1, Number 2

Moderated by Lauren Weinstein (lauren@cv.vortex.com)
Vortex Technology, Topanga, CA, U.S.A.

===== PRIVACY FORUM =====

CONTENTS

    Privacy BRIEFS (Moderator)
    E-mail privacy; a cheap solution? (Charlie Stross)
    Personal Data (Willie Smith)
    The Concept of Privacy (A. Padgett Peterson)
    Privacy Rights (Mark Rasch)
    Query: Search and Seizure (Mark Rasch)

*** Please include a MEANINGFUL "Subject:" line on all submissions! ***

---------------------------------------------------------------------------

The PRIVACY Forum is a moderated digest for the discussion and analysis of
issues relating to the general topic of privacy (both personal and
collective) in the "information age" of the 1990's and beyond. The
moderator will choose submissions for inclusion based on their relevance
and content. Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@cv.vortex.com" and must
have MEANINGFUL "Subject:" lines. Subscriptions are by an automatic
"listserv" system; for subscription information, please send a message
consisting of the word "help" (quotes not included) in the BODY of a
message to: "privacy-request@cv.vortex.com". Mailing list problems should
be reported to "list-maint@cv.vortex.com". Mechanisms for obtaining back
issues will be announced when available.

All submissions included in this digest represent the views of the
individual authors and all submissions will be considered to be
distributable without limitations.

For information regarding the availability of this digest via FAX, please
send an inquiry to digest-fax@cv.vortex.com.

---------------------------------------------------------------------------

VOLUME 1, NUMBER 2

-------------------------------------------------------------

Quote for the day:

    "We are all interested in the future, because that is where
     you and I will be spending the rest of our lives."
                -- Criswell, "Plan 9 From Outer Space" (1959)

-------------------------------------------------------------

Privacy BRIEFS (from the Moderator)

--- A plan is under consideration by the Justice Ministry in the
Netherlands to track all vehicles via computer technology. This would
include both vehicular and road sensors and would be mandatory. The plan
would be to automatically detect and report offenses ranging from speeding
to parking violations. Some privacy concerns, particularly regarding the
ability of such a system to track the exact location of all vehicles at
all times, have been raised. "People may view it as an invasion of
privacy, like Big Brother," said ministry researcher Gerard de Raaf.
However, he also claimed that such fears could be eased through
"restrictions" on access to the collected data.

--- A bill is working its way through the California legislature which
would make illegal the use of "automated" speeding ticket machines. These
units, which automatically detect speeders, take photos of the vehicular
license plate (and in some cases the driver), then automatically issue
tickets, have been undergoing considerable criticism. Concerns about the
fairness of the system are numerous, including problems with driver
identification, delay in tickets being issued, and the lack of
consideration of extenuating circumstances. At least one police
organization plans to lobby the Governor to veto the bill if it passes
both houses.

--- A court battle is currently raging over whether or not the White House
has the right to delete backup tapes of e-mail communications that they do
not consider to be covered by the federal Records Act. Similar messages,
which originally had been thought to be completely deleted, played a key
role in the recent Iran-Contra investigations.
The White House believes that it should be able to decide on its own which
items do or do not fall under the Records Act (which provides for the
turning over of such materials to the National Archives).

-----------------------------------

Date: Thu, 28 May 92 11:53:12 PDT
From: Charlie Stross
Subject: e-mail privacy; a cheap solution?

I'm puzzled by the common conception on the net that e-mail is innately
insecure because organization XYZ can crack any message encrypted using
method ABC, and that it's not possible to use a secure encryption method
because such a technique is innately expensive (both in cost and computer
time) and illegal.

I feel that until we -- the public -- have cheap, easy and unbreakable
encryption facilities at our disposal, we will remain vulnerable to both
the psychological pressure of knowing that our correspondence might be
monitored and the potential danger that this is actually the case.

I am particularly interested in the fact that no cheap and computationally
intractable public encryption methods are in common use. Inventing a
secure, computationally inexpensive, and cheap encryption device for
point-to-point communications doesn't look like an obstacle. In fact, even
a home-brew system should be quite effective. I know relatively little
about cryptography but here's my attempt at a privacy gadget costing less
than #300 that's capable of defying the governmental security agency of
your choice:

Take a CD-ROM drive with a device driver for playing audio CD's and
randomly accessing audio tracks. Most multi-media kit should already be
capable of doing this. Take a random music CD off your shelf and start
playing it at a random offset; redirect the bit stream to a file. (You
need to make a note of the initial file offset of the data you're
recording.)

Now take the file you wish to encrypt. Run-length encode it to eliminate
recurring byte sequences. Split it into chunks -- say 64 bytes -- and
split the audio file into similar-sized chunks.
The audio file is used as a one-time pad for a simple cypher algorithm
which is applied to the target file. At the start of the file, record the
offset into the CD at which the key sequence begins; for each 64-byte
chunk of the key, compute a CRC and append it to the corresponding chunk
of the encrypted file.

To decode such an encrypted file takes just one thing: a copy of the CD
which was used as the key. The offset into the key disk is obtained from
the header of the encrypted file, and 64-byte chunks are read and used to
decrypt the file. If the 64-byte key sequences do not match the CRC of the
original key (interleaved in the encrypted file) you know you've got a
badly-formed key disk. It is not possible to recover a 64-byte key from a
32-bit CRC. Run-length encoding is desirable in order to stop the
bit-pattern of the key from being exposed in any sparse sections of the
encrypted document.

The point is, the widespread availability of music CD's gives us an
incredibly cheap supply of one-time pads suitable for e-mail encryption
with a high degree of integrity. The only requirement is that the
recipient and the sender agree beforehand on the recording to use as a
pad; this shouldn't be an obstacle to point-to-point messaging.

With suitable checks, such a system should be virtually impossible to
crack -- and given the ability to take a bit-stream from a CD-ROM drive
and put it in a file, an encyphering/decyphering package should be so easy
to write that it would be virtually impossible for any government to
suppress it (short of banning CD players and computers). Even if this
technique is susceptible to attack using massively parallel systems with
arrays of CD-ROM drives (which I doubt), CD recorders are rumored to be
due on the market within the near future, and DAT drives already are;
recorded atmospheric noise would make a suitably random key.

The only proviso I should add is -- don't pay for your music CD's by
traceable means!
(Given a listing of your music collection and your recipient's collection,
it would then be a trivial task to crack a message encoded using one of
the few disks you both own a copy of.)

Am I missing something? Is there some reason why all the heat and noise
about encryption seems to be concentrated on encryption algorithms which
are subject to export restrictions and may be breakable via
chosen-plaintext attack, rather than on simple one-time pad systems? I
think we should be told.

[ While one-time systems are theoretically secure, this is only the case
  when the pad source is sufficiently random and *only* used once, and
  when an absolutely secure technique for pad distribution exists. Music
  CDs or CD-ROMs would be a poor choice, since they are widely available
  and are far from random data--they are in fact highly structured (both
  in their data formats and in terms of the encoded audio itself). Getting
  sufficiently random numbers is not trivial--radioactive decay rates are
  frequently mentioned as a possibility. And you never, ever want to use
  the same pad source more than once or you've essentially thrown any
  security completely out the window. Given the logistical issues
  involved, use of one-time pad systems is quite reasonably normally
  restricted to the most critical of applications. It is doubtful that
  most Internet communications fall into this category! Bottom line: Use
  of your "Sgt. Pepper's" CD as a one-time pad source is definitely not a
  great idea! -- MODERATOR ]

-----------------------------------

Date: Thu, 28 May 92 08:35:49 PDT
From: wpns@roadrunner.pictel.com (Willie Smith)
Subject: Personal Data

[Subject field provided by Moderator]

I was struck by a thought while reading the introductory Privacy Digest:
should there be some way for each individual to keep, maintain, and allow
access to information about them?
There would need to be some kind of authentication mechanism so people to
whom I give my data (for credit card applications for instance) would know
I hadn't fudged the data, and there would have to be appropriate rules
about the use of such data (once I've been approved or not for the credit
card they have to dump the personal data into the bitbucket), but it seems
to me that some combination of smart-card technology with cryptographic
checksums and various levels of access might work.

Here's a question: what kinds of data about yourself do you consider
appropriate for dissemination, to whom would you release them, and under
what circumstances? F'rinstance:

Public data - anyone can access at any time
    Name
    Logical address (PO Box)
    Internet address
    Phone number (answering machine only?)

'Friends&Family' data - anyone I want to tell
    Physical address (street address)
    Phone number (the one I answer)
    License plate number

Tax data - IRS, state tax folks only
    Income from all sources
    SSN (ha!)

To some extent, this is pretty much the way it works now, except every
company I've ever done financial business with has my SSN, and someone
with the right resources can map Internet Address --> Physical Address -->
What I paid for my house.

On the other hand, maybe this is a technological solution to a non-tech
problem, and we all know those don't work. Besides, what would TRW et al
do with themselves?

Hey, can I get a list of the subscribers to the Privacy Digest? :+)

Willie Smith
wpns@pictel.com

[ While I know you meant it as a joke, it's worth pointing out at this
  juncture that the Privacy Digest subscriber list is considered
  confidential and is not available. Natch. -- MODERATOR ]

-----------------------------------

Date: Thu, 28 May 92 08:36:41 PDT
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: The Concept of Privacy

[Subject field provided by Moderator]

The concept of privacy is a transitory one and has never truly existed
outside of our thoughts (else we would not need a judicial system). For
all of recorded history there have existed cyphers and secret writings
(though not always intentional, EBCDIC is not encryption) to maintain the
privacy of those thoughts. Never has privacy been considered a "right"
available without effort; just until recent times, the collection of
extensive data about individuals had been a localized phenomenon
restricted to narrow regimes (and even there required the cooperation of
the individuals or at least a lack of any wholesale organized resistance).

Today, the distributed nature of information gathering, coupled with a
vested interest by governments (for taxation) and institutions (for credit
purposes), makes it nearly impossible to avoid any records. However, this
is not to say that a measure of privacy is impossible, since the current
records keeping is demonstrably fallible, and while it is impossible to
avoid records being made at all, it is possible to generate conflicting
ones such that determination of the true record becomes impossible.

For example, my true E-Mail address begins @tccslr... this is an alias
address that will always reach me; however, the mail server does not use
this when generating the return address for my mail, instead it picks up
the system name that the mail came from, in this case @hobbes... There are
several other non-generic names that could have been used since I could
have sent the mail from any of a number of different systems.

I realize that this sounds more like a RISK, so I will not go into the
difficulty of making an automated system use a generic name that is not
transmitted; rather it is the multiple identities that become the privacy
issue: for my E-Mail, padgett@tccslr... is the same as padgett@hobbes...
is the same as ... yet to a computer each is a different individual. For
some time I received multiple copies of a newsletter simply because at
some point it had picked up more than one of my addresses. In this case it
took manual intervention to remove all but one.

In the same way, today so much information is collected for each
individual that it is impossible to sort automatically when conflicts
occur or the same individual is recorded more than once. This becomes
particularly bothersome when two companies consolidate and the same
individual is recorded in each slightly differently.

This can be used by the individual to perform his/her own classification
much like a "canary trap". If mail comes for "Padsett" I know that the
source is one airline's data base. Another database thinks I am "Ashley
P." Yet another thinks of me as "Patrick". GIGO. Rather than being
annoyed, for some years I have been amused by it and over the years (this
is not a short term occupation) have been interested in the propagation of
such multiple identities.

Warmly,
Padgett

-----------------------------------

Date: Wed, 20 May 92 13:52:00 PDT
From: Rasch@DOCKMASTER.NCSC.MIL
Subject: Privacy Rights

[Subject field provided by Moderator]

There has been a lot of talk on the net (and off the net) about whether or
not it is legal or proper for a system administrator to capture keystrokes
of intruders/trespassers who are using their system to break into the
systems of others. We all remember Cliff Stoll's exploits in "The Cuckoo's
Egg" where he traced the German Hackers through LBL by keystroke capture,
and then notified downstream users that they were being attacked. Several
people (and organizations) have taken the position that keystroke capture
both violates privacy rights and constitutes illegal electronic
surveillance. I believe that, with respect to *intruders*, both these
arguments are specious.
Fourth Amendment

The principal protection against *governmental* intrusions into privacy
rights is the Fourth Amendment to the constitution which provides that:

    The right of the people to be secure in their persons, houses,
    papers, and effects, against unreasonable searches and seizures,
    shall not be violated, and no Warrants shall issue, but upon probable
    cause, supported by Oath or affirmation, and particularly describing
    the place to be searched, and the persons or things to be seized.

It is important to note that this only applies to searches performed by
the government, Burdeau v. McDowell, 256 U.S. 465, 475 (1921), even if the
government is not acting in a law enforcement capacity, New Jersey v.
T.L.O., 469 U.S. 325, 336 (1985). Thus, to the extent a sysop is not a
"government agent" the Fourth Amendment is not implicated.

Also, in order for there to be a Fourth Amendment violation, the
individual must have exhibited an actual subjective expectation of privacy
(Katz v. U.S., 389 U.S. 347, 361 (1967) (Harlan, J., concurring)) and
society must be prepared to recognize that expectation as objectively
reasonable. An intruder should have neither a subjective expectation of
privacy, nor should society recognize any expectation of privacy as
"reasonable." Thus, if you break into my system, I should be able not only
to kick you off, but also to monitor what you do on my system.

Finally, the general sanction for violation of the Fourth Amendment is
suppression of the illegally seized evidence and its fruits. Weeks v.
U.S., 232 U.S. 383, 398 (1914) (federal search); Mapp v. Ohio, 367 U.S.
643, 655 (1961) (state search). Thus, a private keystroke capture of an
intruder would not violate the Fourth Amendment.

Electronic Surveillance

In 1986 Congress amended the Electronic Communications Privacy Act to
prohibit the unlawful interception of electronic communications, including
e-mail and the like.
In general, the law, contained in Title 18 of the United States Code,
Section 2511, prohibits the interception of wire, oral or electronic
communications. HOWEVER, there are several provisions which would permit
keystroke monitoring in certain circumstances.

First, 18 U.S.C. 2511(2)(a)(i) notes that:

    It shall not be unlawful under this chapter for an operator of a
    switchboard, or an officer, employee, or agent of a provider of wire
    or electronic communication service [bbs operator] . . . to
    intercept, disclose or use that communication in the normal course of
    his employment while engaged in any activity which is necessarily
    incident to the rendition of his service or to the protection of the
    rights or property of the provider of that service, except that a
    provider of wire communication service to the public shall not
    utilize service observing or random monitoring except for mechanical
    or service quality control checks.

While this statute is not a model of clarity, and fails to define key
terms like what is a *provider* of electronic communication service (the
network administrator? the sysop?), it appears to permit electronic
interception and keystroke capture if this is necessary to protect the
rights and property of the provider of the service. If the intruder is
breaking into the computer of *another* (not the provider) and the
provider can easily terminate this unauthorized use, then it could be
argued that the keystroke capture is not necessary to protect *his*
property. However, the statute uses the term "necessarily incident to
. ." not "necessary to" and, in light of the strong possibility of
downstream liability to the provider for somehow permitting the intruder
to use his system to break into another's, a strong argument can be made
that keystroke monitoring of intruders is reasonable, prudent, and
necessarily incident to the protection of rights and property.

In addition, 18 U.S.C. 2510(13) defines a "user" of electronic
communications as:

    any person or entity who -
    (A) uses an electronic communication service; and
    (B) is duly authorized by the provider of such service to engage in
        such use.

Since an intruder is not authorized to use the service, he is not a "user"
entitled to protection under the statute.

Finally, while warning banners are helpful to demonstrate a lack of
authorization to use a particular system, they are not required to
demonstrate a lack of authorization any more than "No trespassing" signs
are necessary to demonstrate a lack of authorization for an individual to,
for example, break into your house. (A simplistic analogy, admittedly.)

This is, of course, only part of the story. Many states have privacy
statutes, and their own definitions of illegal electronic interception,
and this does not address potential civil liability to users for excessive
keystroke capture. However, I believe that if keystroke monitoring is
accomplished in a reasonable and prudent fashion, it would not run afoul
of either the constitutional or statutory provisions.

Let the trespasser beware!!!

Mark Rasch, Esq.
Arent Fox Kintner Plotkin & Kahn
Internet: Rasch @ catwalk.dockmaster.mil

The views expressed herein are mine, and mine alone.

-----------------------------------

Date: Tue, 19 May 92 15:40:00 PDT
From: Rasch@DOCKMASTER.NCSC.MIL
Subject: Search and Seizure

[Subject field provided by Moderator]

My name is Mark Rasch, and I am a lawyer at the firm of Arent Fox in
Washington, D.C. (formerly with the Department of Justice). I am
interested in participating in the privacy forum, and am especially
interested in issues pertaining to search and seizure laws as they relate
to computerized information or electronic communications. Does anybody
have any useful information on the subject?

-----------------------------------

End of PRIVACY Forum Digest Volume 1, Number 2
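Editor's addition, appended after the digest and not part of it: a worked example for the "e-mail privacy; a cheap solution?" thread above. It implements the music-CD one-time-pad scheme as Charlie Stross describes it (64-byte key chunks XORed into the message, the CRC-32 of each key chunk interleaved into the ciphertext, the disc offset in a header; the run-length-encoding step is left out) and then demonstrates the two failure modes the moderator's reply points at. First, the interleaved CRCs are a free confirmation oracle: anyone holding candidate discs can identify which disc and which offset were used without touching the plaintext, which is exactly the "listing of your music collection" attack Stross himself worries about, and once the disc is known the whole pad is known. Second, using the same disc at the same offset for two messages cancels the pad, and one known plaintext yields the other. The disc library, the messages and the offset are constructed stand-ins; nothing here reads a real CD.

```python
import random
import zlib

CHUNK = 64  # key/message chunk size from the proposal


def encrypt(plaintext: bytes, pad: bytes, offset: int) -> bytes:
    """Proposal as described: 4-byte header holding the offset into the 'disc',
    then, per 64-byte chunk, the CRC-32 of the key chunk followed by the XOR of
    message chunk and key chunk."""
    nchunks = -(-len(plaintext) // CHUNK)  # ceiling division
    if offset + nchunks * CHUNK > len(pad):
        raise ValueError("pad too short for this message at this offset")
    out = bytearray(offset.to_bytes(4, "big"))
    for i in range(0, len(plaintext), CHUNK):
        key = pad[offset + i:offset + i + CHUNK]
        out += zlib.crc32(key).to_bytes(4, "big")
        out += bytes(p ^ k for p, k in zip(plaintext[i:i + CHUNK], key))
    return bytes(out)


def decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    """Recipient side: read the offset, check every key chunk against its CRC
    (the 'badly-formed key disk' test), then XOR the key back out."""
    offset = int.from_bytes(ciphertext[:4], "big")
    body, out, i = ciphertext[4:], bytearray(), 0
    for p in range(0, len(body), 4 + CHUNK):
        crc = int.from_bytes(body[p:p + 4], "big")
        key = pad[offset + i:offset + i + CHUNK]
        if zlib.crc32(key) != crc:
            raise ValueError(f"key chunk {i // CHUNK}: CRC mismatch (wrong disc or offset)")
        out += bytes(c ^ k for c, k in zip(body[p + 4:p + 4 + CHUNK], key))
        i += CHUNK
    return bytes(out)


def rejects_wrong_disc(ciphertext: bytes, pad: bytes) -> bool:
    """True if decryption with this pad fails the CRC check."""
    try:
        decrypt(ciphertext, pad)
    except ValueError:
        return True
    return False


def locate_pad(ciphertext: bytes, library: dict):
    """Attacker's oracle: using only the interleaved CRC-32 values, scan a
    library of candidate discs for a key stream that matches. The header
    offset is deliberately ignored to show it is not even needed; the CRCs
    alone pin down disc and offset. Returns (disc name, offset) or None."""
    body = ciphertext[4:]
    crcs = [int.from_bytes(body[p:p + 4], "big") for p in range(0, len(body), 4 + CHUNK)]
    for name, pad in library.items():
        for off in range(0, len(pad) - CHUNK * len(crcs) + 1):
            if all(zlib.crc32(pad[off + k * CHUNK:off + (k + 1) * CHUNK]) == c
                   for k, c in enumerate(crcs)):
                return name, off
    return None


def strip_crcs(ciphertext: bytes) -> bytes:
    """Drop header and interleaved CRCs, leaving only the XORed message bytes."""
    body = ciphertext[4:]
    return b"".join(body[p + 4:p + 4 + CHUNK] for p in range(0, len(body), 4 + CHUNK))


def recover_from_reuse(ct_known: bytes, ct_target: bytes, known_plaintext: bytes) -> bytes:
    """Two messages enciphered with the same disc at the same offset: XORing
    the ciphertexts cancels the pad, and XORing in the known plaintext leaves
    the other message (truncated to the shorter length)."""
    if ct_known[:4] != ct_target[:4]:
        raise ValueError("different offsets: pad was not reused")
    c1, c2 = strip_crcs(ct_known), strip_crcs(ct_target)
    n = min(len(c1), len(c2), len(known_plaintext))
    return bytes(c1[i] ^ c2[i] ^ known_plaintext[i] for i in range(n))


# Constructed stand-ins for ripped audio (assumption: three 4 KB 'discs').
# Uniform pseudo-random bytes are far kinder to the scheme than real CD audio,
# which is highly structured; the attacks below work anyway.
def _fake_disc(seed: int, size: int = 4096) -> bytes:
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


LIBRARY = {name: _fake_disc(seed) for seed, name in enumerate(["disc_a", "disc_b", "disc_c"])}
MSG1 = b"Meet at the usual place on Tuesday at nine; bring the documents and the second key."
MSG2 = b"Change of plan: Thursday instead, same place, and come alone."
OFFSET = 1000  # constructed: the sender's 'random' start position on disc_b


def demo() -> dict:
    pad = LIBRARY["disc_b"]
    ct1 = encrypt(MSG1, pad, OFFSET)
    ct2 = encrypt(MSG2, pad, OFFSET)  # the sender reuses disc and offset
    return {
        "roundtrip": decrypt(ct1, pad) == MSG1,
        "wrong_disc_rejected": rejects_wrong_disc(ct1, LIBRARY["disc_a"]),
        "located": locate_pad(ct1, LIBRARY),              # no plaintext needed
        "recovered": recover_from_reuse(ct1, ct2, MSG1),  # == MSG2
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The CRC check that Stross includes for the recipient's benefit is the same check the adversary runs, only across every disc and offset they can lay hands on; a 32-bit CRC cannot be inverted to a 64-byte key, but it confirms a guessed key with near certainty, and the guess space here is "a shelf of CDs", not 2^512. The reuse attack needs no library at all: identical disc and offset means identical key stream, and the XOR of two ciphertexts is the XOR of two plaintexts, which is the failure the moderator calls throwing security out the window.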