PRIVACY Forum Digest Friday, 26 June 1992 Volume 01 : Issue 06 Moderated by Lauren Weinstein (lauren@cv.vortex.com) Vortex Technology, Topanga, CA, U.S.A. ===== PRIVACY FORUM ===== CONTENTS PRIVACY Briefs (Moderator--Lauren Weinstein) PRIVACY Forum back issues now available via listserv system (Moderator--Lauren Weinstein) FBI Digital Telephony Proposal now in PRIVACY Forum archive (Moderator--Lauren Weinstein) Govt & Corp Sysops Monitoring Users & Email (Jim Warren) Rental applications and privacy (Susie Hirsch) Monitoring of public information sources (Moderator--Lauren Weinstein) Chronicle Crypto Article (Joe Abernathy) *** Please include a RELEVANT "Subject:" line on all submissions! *** *** Submissions without them may be ignored! *** ----------------------------------------------------------------------------- The PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged. ALL submissions should be addressed to "privacy@cv.vortex.com" and must have RELEVANT "Subject:" lines. Submissions without appropriate and relevant "Subject:" lines may be ignored. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@cv.vortex.com". Mailing list problems should be reported to "list-maint@cv.vortex.com". Mechanisms for obtaining back issues will be announced when available. All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations. Back issues of PRIVACY Forum digests (and other related material) are now archived and may be obtained automatically through the listserv system. Please follow the instructions above for getting the listserv "help" information, which now includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX to (310) 455-2364. ----------------------------------------------------------------------------- VOLUME 01, ISSUE 06 Quote for the day: "I am not a number! I am a free man!" -- Number 6 "The Prisoner" television series (1968-1969) ---------------------------------------------------------------------- Date: Fri, 26 Jun 92 18:25 PDT From: lauren@cv.vortex.com (Moderator--Lauren Weinstein) Subject: PRIVACY Briefs --- Concerns have been raised in Los Angeles over the recent revelations that the District Attorney's office has been "secretly" videotaping the spectators attending certain ongoing court cases. The cases in question involve the defendants charged in the beating of a truck driver at the start of the recent L.A. area civil unrest. The tapes have apparently been used in an effort to determine if any of the court spectators could be matched up with unidentified persons taped during the actual disturbances. --- An Iowa couple has been awarded $4.3 million (with 25% going to them, and 75% going to a victims' reparations fund) after winning a privacy suit against a motel. While having sex in a motel room, they heard a creaking noise behind a wall, and discovered that what they had thought was a conventional mirror was actually a "two-way" type with an 8 inch peephole behind it, leading to an attic crawlspace. Though the motel operator said he had not known about the mirror, and even though it was never proven that anybody had actually been behind the mirror, the judge told the jury that the mere existence of such an arrangement could be sufficient for conviction. ------------------------------ Date: Fri, 26 Jun 92 18:17 PDT From: lauren@cv.vortex.com (Moderator--Lauren Weinstein) Subject: PRIVACY Forum back issues now available via listserv system Greetings. I'm pleased to announce that all PRIVACY Forum back issues, and related privacy materials, are now available via the cv.vortex.com listserv system. All future issues will be added to the archive as well. This system allows you to request particular items from the archive automatically via mail messages. To get an index of available materials, you should send a message to: privacy-request@cv.vortex.com or listserv@cv.vortex.com with the command: index privacy in the BODY of your message (as the first text in your message body). To retrieve a particular item, follow the same procedure as above, but use the command: get privacy where is replaced by the desired file name. For example, to retrieve PRIVACY Forum digest Volume 01, Issue 04: get privacy priv.01.04 As always with the listserv system, only one request may be included in a message; any subsequent requests in a single message will be ignored. To avoid unnecessary net traffic, please only retrieve materials that you really need. Thanks much. --Lauren-- ------------------------------ Date: Fri, 26 Jun 92 21:45 PDT From: lauren@cv.vortex.com (Moderator--Lauren Weinstein) Subject: FBI Digital Telephony Proposal now in PRIVACY Forum archive A complete copy of the latest revision (May, 1992) of the FBI Digital Telephony Proposal is now in the PRIVACY Forum archive, under the name "fbi-tel.1". This is the legislative proposal to require direct interception capability in virtually all U.S. telecommunications networks and related equipment, the transferring of telecommunications certification control from the FCC to the Attorney General, and the explicit ability to establish a remote government monitoring facility. There have been comments regarding this proposal in previous issues of the PRIVACY Forum digest. --Lauren-- ------------------------------ Date: Sun, 21 Jun 92 17:46:26 PDT From: jwarren@autodesk.com (Jim Warren) Subject: Govt & Corp Sysops Monitoring Users & Email Last month, I gave a morning talk to an all-day meeting of an organization of systems administrators of mini-class, mostly-shared systems -- most of them employed by Fortune 500 companies and government agencies. Initially titled, "Dodging Pitfalls in the Electronic Frontier," by mutual agreement with the organizers, we re-titled it, "Government Impacts on Privacy and Security." However, it was the same talk. :-) It was based on information and perspectives aired during recent California Senate Judiciary privacy hearings, and those presented at the 1991 and 1992 conferences on Computers, Freedom & Privacy. (I organized and chaired the first CFP and co-authored its transcripts, available from the IEEE Computer Society Press, 714-821-8380, Order #2565.) The talk was long; the audience attentive; the questions and discussion extensive. The attendees were clearly and actively interested in the issues. At one point, I asked "How many have *NOT* been asked by their management or superiors to monitor their users and/or examine or monitor users' email." Only about 20% held up their hands -- even though I emphasized that I was phrasing the question in a way that those who would be proud to hold up their hands, could to do so. --jim Jim Warren, jwarren@well.sf.ca.us -or- jwarren@autodesk.com MicroTimes "futures" columnist; Autodesk, Inc., Board of Directors' member InfoWorld founder; PBS' "Computer Chronicles" founding host, blah blah blah ------------------------------ Date: Fri, 26 Jun 92 13:46 PDT From: susie@cv.vortex.com (Susie Hirsch) Subject: Rental applications and privacy I recently have been looking for a house to rent, and have completed rental applications that contain a variety of personal information (social security number, address, phone number, credit information). The market is very competitive for rental houses in the area, so I am required to provide a completed rental application to even be considered as the potential renter. Submitting incomplete applications on privacy grounds will most certainly result in the landlord simply renting the property to another applicant who provides all the requested personal information. Given the nature of this personal information, I wonder about the security issues concerning rental applications. What if an application is turned down by the property owner, and then carelessly tossed away where anyone could find it? What recourse does an applicant have if personal information has been misused as a result of completing a rental application? Or is this another situation where you simply hope you won't be victimized? How can a balance be struck between the privacy rights of the applicant, and the owner's need to check the background and credit history of a potential renter? ::: Susie ::: ------------------------------ Date: Fri, 26 Jun 92 19:49 PDT From: lauren@cv.vortex.com (Moderator--Lauren Weinstein) Subject: Monitoring of public information sources Greetings. Every so often on the networks, we hear of a case where a person sent a message (to public distribution lists or public newsgroups) which might be interpreted as threatening to particular groups or individuals, or discussing information that might potentially have been of a classified nature. Sometimes the result of such a message is a visit to that author by law enforcement officials, with a copy of the message in hand. Usually it has turned out that the perceived threats weren't serious, or that the information in question wasn't classified, but there was no reasonable way to make such determinations until after some investigation. When such events occur, there is sometimes incredulity expressed by some segments of the network community that law enforcement officials even knew that such public messages had been posted, and the argument is raised that it is wrong for such "monitoring" of public information sources to be taking place by such agencies. Some argue that law enforcement should be restrained from making use of those kinds of information channels, even though others can use that information freely. I personally disagree. While obviously it is very important that such agencies react responsibly, I believe that information openly posted to public lists and other public forums should be available to law enforcement officials and agencies, just as it's available to everyone else. In fact, I'd be concerned if law enforcement didn't pay attention to such widely available public information and public discussions. Note that I'm talking here about *public* postings and *public* information. The issues surrounding *private* communications (e.g. *private* e-mail) are completely different, of course. Some discussion of the "monitoring of public information" issues here in the PRIVACY Forum might prove interesting. --Lauren-- ------------------------------ Date: Wed, 24 Jun 92 18:14:42 CDT From: Joe.Abernathy@houston.chron.com (Joe Abernathy) Subject: Chronicle Crypto Article This cryptography article appeared Sunday, June 21. It is being forwarded to Risks as a way of giving back something to the many thoughtful participants here who helped give shape to the questions and the article. In a companion submission, I include the scanned text of the NSA's 13-page response to my interview request, which appears to be the most substantial response they've provided to date. I would like to invite feedback and discussion on the article and the NSA document. [ Moderator's Note: The entire NSA response document referred to above has been placed in the PRIVACY Forum archive under the name "nsa-chron.1". --Lauren-- ] Please send comments to edtjda@chron.com Promising technology alarms government / Use of super-secret codes would block legal phone taps in FBI's crime work By JOE ABERNATHY Copyright 1992, Houston Chronicle Government police and spy agencies are trying to thwart new technology that allows conversations the feds can't tap. A form of cryptography _ the science of writing and deciphering codes _ this technology holds the promise of guaranteeing true privacy for transactions and communications. But an array of federal agencies is seeking to either outlaw or severely restrict its use, pointing out the potency of truly secret communications as a criminal tool. "Cryptography offers or appears to offer something that is unprecedented,'' said Whitfield Diffie, who with a Stanford University colleague devised public key cryptography,'' an easily used cryptography that is at the center of the fight. "It looks as though an individual might be able to protect information in such a way that the concerted efforts of society are not going to be able to get at it. "No safe you can procure has that property; the strongest safes won't stand an hour against oxygen lances. But cryptography may be different. I kind of understand why the police don't like it.'' The National Security Agency, whose mission is to conduct espionage against foreign governments and diplomats, sets policy for the government on matters regarding cryptography. But the FBI is taking the most visible role. It is backing legislation that would address police fears by simply outlawing any use of secure cryptography in electronic communications. The ban would apply to cellular phones, computer networks, and the newer standard telephone equipment _ already in place in parts of Houston's phone system and expected to gain wider use nationwide. "Law enforcement needs to keep up with technology,'' said Steve Markardt, a spokesman for the FBI in Washington. "Basically what we're trying to do is just keep the status quo. We're not asking for anything more intrusive than we already have.'' He said the FBI uses electronic eavesdropping only on complex investigations involving counterterrorism, foreign intelligence, organized crime, and drugs. "In many of those,'' he said, we would not be able to succeed without the ability to lawfully intercept.'' The State and Commerce departments are limiting cryptography's spread through the use of export reviews, although many of these reviews actually are conducted by the NSA. The National Institute of Standards and Technology, meanwhile, is attempting to impose a government cryptographic standard that critics charge is flawed, although the NSA defends the standard as adequate for its intended, limited use. "It's clear that the government is unilaterally trying to implement a policy that it's developed,'' said Jim Bidzos, president of RSA Data Security, which holds a key cryptography patent. "Whose policy is it, and whose interest does it serve? Don't we have a right to know what policy they're pursuing?'' Bidzos and a growing industry action group charge that the policy is crippling American business at a critical moment. The White House, Commerce Department, and NIST refused to comment. The NSA, however, agreed to answer questions posed in writing by the Houston Chronicle. Its purpose in granting the rare, if limited, access, a spokesman said, was "to give a true reflection'' of the policy being implemented by the agency. "Our feeling is that cryptography is like nitroglycerin: Use it sparingly then put it back under trusted care,'' the spokesman said. Companies ranging from telephone service providers to computer manufacturers and bankers are poised to introduce new services and products including cryptography. Users of electronic mail and computer networks can expect to see cryptography-based privacy enhancements later this year. The technology could allow electronic voting, electronic cash transactions, and a range of geographically separated _ but secure _ business and social interactions. Not since the days before the telephone could the individual claim such a level of privacy. But law enforcement and intelligence interests fear a world in which it would be impossible to execute a wiretap or conduct espionage. "Secure cryptography widely available outside the United States clearly has an impact on national security,'' said the NSA in its 13-page response to the Chronicle. "Secure cryptography within the United States may impact law enforcement interests.'' Although Congress is now evaluating the dispute, a call by a congressional advisory panel for an open public policy debate has not yet been heeded, or even acknowledged, by the administration. The FBI nearly won the fight before anyone knew that war had been declared. Its proposal to outlaw electronic cryptography was slipped into another bill as an amendment and nearly became law by default last year before civil liberties watchdogs exposed the move. "It's kind of scary really, the FBI proposal being considered as an amendment by just a few people in the Commerce Committee without really understanding the basis for it,'' said a congressional source, who requested anonymity. "For them, I'm sure it seemed innocuous, but what it represented was a fairly profound public policy position giving the government rights to basically spy on anybody and prevent people from stopping privacy infringements.'' This year, the FBI proposal is back in bolder, stand-alone legislation that has created a battle line with law enforce ment on one side and the technology industry and privacy advocates on the other. "It says right on its face that they want a remote government monitoring facility'' through which agents in Virginia, for instance, could just flip a switch to tap a conversation in Houston, said Dave Banisar of the Washington office of Computer Professionals for Social Responsibility. Though the bill would not change existing legal restraints on phone-tapping, it would significantly decrease the practical difficulty of tapping phones _ an ominous development to those who fear official assaults on personal and corporate privacy. And the proposed ban would defuse emerging technical protection against those assaults. CPSR, the point group for many issues addressing the way computers affect peoples' lives, is helping lend focus to a cryptographic counterinsurgency that has slowly grown in recent months to include such heavyweights as AT&T, DEC, GTE, IBM, Lotus, Microsoft, Southwestern Bell, and other computer and communications companies. The proposed law would ban the use of secure cryptography on any message handled by a computerized communications network. It would further force service providers to build access points into their equipment through which the FBI _ and conceivably, any police officer at any level _ could eavesdrop on any conversation without ever leaving the comfort of headquarters. "It's an open-ended and very broad set of provisions that says the FBI can demand that standards be set that industry has to follow to ensure that (the FBI) gets access,'' said a congressional source. "Those are all code words for if they can't break in, they're going to make (cryptography) illegal. "This is one of the biggest domestic policy issues facing the country. If you make the wrong decisions, it's going to have a profound effect on privacy and security.'' The matter is being considered by the House Judiciary Committee, chaired by Rep. Jack Brooks, D-Texas, who is writing a revision to the Computer Security Act of 1987, the government's first pass at secure computing. The recent hearings on the matter produced a notable irony, when FBI Director William Sessions was forced to justify his stance against cryptography after giving opening remarks in which he called for stepped-up action to combat a rising tide of industrial espionage. Secure cryptography was designed to address such concerns. The emergence of the international marketplace is shaping much of the debate on cryptography. American firms say they can't compete under current policy, and that in fact, overseas firms are allowed to sell technology in America that American firms cannot export. "We have decided to do all further cryptographic develop ment overseas,'' said Fred B. Cohen, a noted computer scientist. "This is because if we do it here, it's against the law to export it, but if we do it there, we can still import it and sell it here. What this seems to say is that they can have it, but I can't sell it to them _ or in other words _ they get the money from our research.'' A spokeswoman for the the Software Publishers Association said that such export controls will cost $3-$5 billion in direct revenue if left in place over the next five years. She noted the Commerce Department estimate that each $1 billion in direct revenue supports 20,000 jobs. The NSA denied any role in limiting the power of cryptographic schemes used by the domestic public, and said it approves 90 percent of cryptographic products referred to NSA by the Department of State for export licenses. The Commerce Department conducts its own reviews. But the agency conceded that its export approval figures refer only to products that use cryptology to authenticate a communication _ the electronic form of a signed business document _ rather than to provide privacy. The NSA, a Defense Department agency created by order of President Harry Truman to intercept and decode foreign communications, employs an army of 40,000 code-breakers. All of its work is done in secret, and it seldom responds to questions about its activities, so a large reserve of distrust exists in the technology community. NSA funding is drawn from the so-called "black budget,'' which the Defense Budget Project, a watchdog group, estimates at $16.3 billion for 1993. While the agency has always focused primarily on foreign espionage, its massive eavesdropping operation often pulls in innocent Americans, according to James Bamford, author of "The Puzzle Palace," a book focusing on the NSA's activities. Significant invasions of privacy occurred in the 1960s and 1970s, Bamford said. Much more recently, several computer network managers have acknowledged privately to the Chronicle that NSA has been given access to data transmitted on their networks _ without the knowledge of network users who may view the communications as private electronic mail. Electronic cryptology could block such interceptions of material circulating on regional networks or on Internet _ the massive international computer link. While proponents of the new technology concede the need for effective law enforcement, some question whether the espionage needs of the post-Cold War world justify the government's push to limit these electronic safeguards on privacy. "The real challenge is to get the people who can show harm to our national security by freeing up this technology to speak up and tell us what this harm is,'' said John Gillmore, one of the founders of Sun Microsystems. "When the privacy of millions of people who have cellular telephones, when the integrity of our computer networks and our PCs against viruses are up for grabs here, I think the battleground is going to be counting up the harm and in the public policy debate trying to strike a balance.'' But Vinton Cerf, one of the leading figures of the Internet community, urged that those criticizing national policy maintain perspective. "I want to ask you all to think a little bit before you totally damn parts of the United States government,'' he said. "Before you decide that some of the policies that in fact go against our grain and our natural desire for openness, before you decide those are completely wrong and unacceptable, I hope you'll give a little thought to the people who go out there and defend us in secret and do so at great risk.'' ------------------------------ End of PRIVACY Forum Digest 01.06 ************************