PRIVACY Forum Digest     Monday, 6 July 1992     Volume 01 : Issue 07

Moderated by Lauren Weinstein (lauren@cv.vortex.com)
Vortex Technology, Topanga, CA, U.S.A.

===== PRIVACY FORUM =====

The PRIVACY Forum digest is supported in part by the ACM Committee on Computers and Public Policy.

CONTENTS
    PRIVACY Forum digest now affiliated with ACM (Moderator--Lauren Weinstein)
    PRIVACY Forum materials are available via anonymous FTP (Moderator--Lauren Weinstein)
    Re: Chronicle Crypto Article [PRIVACY 01.06] (Thomas Zmudzinski)
    Monitoring In The Workplace (Bonnie J. Johnson)
    CPSR Challenges Virginia SS (Dave Banisar)

*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------

The PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@cv.vortex.com" and must have RELEVANT "Subject:" lines. Submissions without appropriate and relevant "Subject:" lines may be ignored. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@cv.vortex.com". Mailing list problems should be reported to "list-maint@cv.vortex.com". All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "cv.vortex.com", in the "/privacy" directory.
Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which now includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive.

For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX to (310) 455-2364.

-----------------------------------------------------------------------------

VOLUME 01, ISSUE 07

Quote for the day:

    Dr. McCoy: "Why is it called the M5? Why not the M1?"
    Dr. Daystrom: "Multitronic units number one through four were not entirely successful. This one is."

    "Star Trek" (1966-1969)
    Episode: "The Ultimate Computer"

----------------------------------------------------------------------

Date: Mon, 6 Jul 92 18:45 PDT
From: lauren@cv.vortex.com (Moderator--Lauren Weinstein)
Subject: PRIVACY Forum digest now affiliated with ACM

Greetings. I'm pleased to announce that the PRIVACY Forum digest is now supported in part by the ACM (Association for Computing Machinery) Committee on Computers and Public Policy. This is the same committee under whose auspices the renowned Risks Digest appears.

As its name suggests, the ACM Committee on Computers and Public Policy is concerned with a variety of computer-related policy issues, such as risks involving security, privacy, reliability, human safety, and financial stability.
--Lauren--

------------------------------

Date: Mon, 6 Jul 92 19:00 PDT
From: lauren@cv.vortex.com (Moderator--Lauren Weinstein)
Subject: PRIVACY Forum materials are available via anonymous FTP

The PRIVACY Forum archive, including all issues of the digest and all related materials, is now available via anonymous FTP from site "cv.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access.

--Lauren--

------------------------------

Date: 30 Jun 92 10:16:00 EST
From: "zmudzinski, thomas"
Subject: Re: Chronicle Crypto Article [PRIVACY 01.06]

D E F E N S E   I N F O R M A T I O N   S Y S T E M S   A G E N C Y

Date: 30-Jun-1992 10:02 EDT
From: Thomas Zmudzinski ZMUDZINSKIT
Dept: DNSO/DISM
Tel No: 703 285 5459 (DSN) 356

TO: JOE.ABERNATHY@HOUSTON.CHRON.COM ( REMOTE )
CC: PRIVACY@CV.VORTEX.COM ( REMOTE )
CC: EDTJDA@CHRON.COM ( REMOTE )

Subject: Re: Chronicle Crypto Article [PRIVACY 01.06]

The 21 June 1992 Houston Chronicle article stated:

> The matter is being considered by the House Judiciary
> Committee, chaired by Rep. Jack Brooks, D-Texas, who is
> writing a revision to the Computer Security Act of 1987,
> the government's first pass at secure computing.
                   ^^^^^ ^^^^ ^^ ^^^^^^ ^^^^^^^^^

Oh, come on! The 1987 Act isn't even the Government's "first pass" at
_UNCLASSIFIED_ secure computing. Go check out the Computer Security Acts
of 1984 and earlier! BTW, if one reads PL 100-235, one finds that it is
basically an amendment to the Federal Property and Administrative
Services Act of 1949(!) with some necessary updates to the NBS (NIST)
charter of 1901. If you have to go beyond the proper titles, why not
say that it's the U.S. Government's most well known secure computing effort?
                                    ^^^^ ^^^^ ^^^^^

Tom Zmudzinski
ZmudzinskiT @ UVAX.DISA.MIL
Defense Information Systems Agency
(703) 285-5459

------------------------------

Date: Tue, 30 Jun 92 11:01:19 EDT
From: "Bonnie J. Johnson"
Subject: Monitoring In The Workplace

As I was reading the Telecom Digest this am I came across the following Survey being conducted by Lorrayne Schaefer (lorrayne@smiley.mitre.org.) (703-883-5301) which I think might be interesting to us all, particularly the results! To recite the e-mail verbatim, states Lorrayne Schaefer:

"For your information, this has been posted on some newsgroups a few months ago. This survey has also been distributed to various conferences over the past few months. All results will be in the form of statistical information and keywords. All participants will remain anonymous.

SURVEY; MONITORING IN THE WORKPLACE

The purpose of this survey is to collect data for a presentation that I will give at this year's National Computer Security Conference in October. I would like to thank you for taking the time to fill out this survey. If you have any questions, you can call me at 703-883-5301 or send me e-mail at lorrayne@smiley.mitre.org. Please send your completed survey to:

    Lorrayne Schaefer
    The MITRE Corporation
    M/S Z213
    7525 Colshire Drive
    McLean VA 22102

1. What is your title?

2. What type of work does your organization do?

3. Does your organization currently monitor computer activity? (Y/N)

   a. If Yes, what type of monitoring does your company do (e.g., electronic mail, bulletin boards, telephone, system activity, network activity)?

   b. Why does your company choose to monitor these things and how is it done?

4. If you are considering (or are currently) using a monitoring tool, what exactly would you monitor? How would you protect this information?

5. Are you for or against monitoring? Why/why not?
Think in terms of whether it is ethical or unethical ("ethical" meaning that it is right and "unethical" meaning it is wrong) for an employer to monitor an employee's computer usage. In your response, consider that the employee is allowed by the company to use the computer and the company currently monitors computer activity.

6. If your company monitors employees, is it clearly defined in your company policy?

7. In your opinion, does the employee have rights in terms of being monitored?

8. In your opinion, does the company have rights to protect its assets by using a form of monitoring tool?

9. If you are being monitored, do you take offense? Managers: How do you handle situations in which the employee takes offense at being monitored?

10. What measures does your company use to prevent misuse of monitoring in the workplace?

11. If an employee is caught abusing the monitoring tool, what would happen to that individual? If your company is not using any form of monitoring, what do you think should happen to an individual who abused the tool?

12. Is it unethical to monitor electronic mail to determine if the employee is not abusing this company resource (e.g. suppose the employee sends personal notes via a network to others that are not work related)? Why or why not?"

I find all the issues which Lorrayne brings up are very valid questions and have quite frankly called the FCC for some answers on electronic mail myself a couple years back. Telecom has come up with guidelines on monitoring (beep tone and at least one other person knowing they are being monitored). Any thoughts on how long it will be for a standard to be set for e-mail? What are the group's thoughts on some of the questions? I will send an e-mail to Lorrayne requesting a copy of the results in October and pass them along to the group if there is any interest.

------------------------------

Date: Sat, 4 Jul 1992 17:16:20 EDT
From: Dave Banisar
Subject: CPSR Challenges Virginia SS

CPSR Challenges Virginia SSN Practice

PRESS RELEASE
June 30, 1992

CPSR Challenges Virginia SSN Practice

WASHINGTON, DC -- A national public interest organization has filed a "friend of the court" brief in the federal court of appeals, calling into question the Commonwealth of Virginia's practice of requiring citizens to provide their Social Security numbers in order to vote. Computer Professionals for Social Responsibility (CPSR) alleges that Virginia is violating constitutional rights and creating an unnecessary privacy risk.

The case arose when a Virginia resident refused to provide his Social Security number (SSN) to a county registrar and was denied the right to register to vote. Virginia is one of a handful of states that require voters to provide an SSN as a condition of registration. While most states that require the number impose some restrictions on its public dissemination, Virginia allows unrestricted public inspection of voter registration data -- including the SSN.

Marc A. Greidinger, the plaintiff in the federal lawsuit, believes that the state's registration requirements violate his privacy and impose an unconstitutional burden on his exercise of the right to vote.

The CPSR brief, filed in the Fourth Circuit Court of Appeals in Richmond, supports the claims made by Mr. Greidinger. CPSR notes the long-standing concern of the computing community to design safe information systems, and the particular effort of Congress to control the misuse of the SSN. The organization cites federal statistics showing that the widespread use of SSNs has led to a proliferation of fraud by criminals using the numbers to gain driver's licenses, credit and federal benefits. The CPSR brief further describes current efforts in other countries to control the misuse of national identifiers, like the Social Security number.

Marc Rotenberg, the Director of the CPSR Washington Office said that "This is a privacy issue of constitutional dimension. The SSN requirement is not unlike the poll taxes that were struck down as unconstitutional in the 1960s. Instead of demanding the payment of money, Virginia is requiring citizens to relinquish their privacy rights before being allowed in the voting booth."

CPSR argues in its brief that the privacy risk created by Virginia's collection and disclosure of Social Security numbers is unnecessary. The largest states in the nation, such as California, New York and Texas, do not require SSNs for voter registration. CPSR points out that California, with 14 million registered voters, does not need to use the SSN to administer its registration system, while Virginia, with less than 3 million voters, insists on its need to demand the number.

David Sobel, CPSR Legal Counsel, said "Federal courts have generally recognized that there is a substantial privacy interest involved when Social Security numbers are disclosed. We are optimistic that the court of appeals will require the state to develop a safer method of maintaining voting records."

CPSR has led a national campaign to control the misuse of the Social Security Number. Earlier this year the organization testified at a hearing in Congress on the use of the SSN as a National Identifier. CPSR urged lawmakers to respect the restriction on the SSN and to restrict its use in the private sector. The group also participated in a federal court challenge to the Internal Revenue Service's practice of displaying taxpayers' SSNs on mailing labels. CPSR is also undertaking a campaign to advise individuals not to disclose their Social Security numbers unless provided with the legal reason for the request.

CPSR is a national membership organization, with 2,500 members, based in Palo Alto, CA. For membership information contact CPSR, P.O. Box 717, Palo Alto, CA 94303, (415) 322-3778, cpsr@csli.stanford.edu.

For more information contact:

    Marc Rotenberg, Director
    David Sobel, Legal Counsel
    CPSR Washington Office
    (202) 544-9240
    rotenberg@washofc.cpsr.org
    sobel@washofc.cpsr.org

    Paul Wolfson, attorney for Marc A. Greidinger
    Public Citizen Litigation Group
    (202) 833-3000

------------------------------

End of PRIVACY Forum Digest 01.07
************************