From privacy@cv.vortex.com Fri Aug 21 02:55:09 1992 Return-Path: Received: from cv.vortex.com by csrc.ncsl.nist.gov (4.1/NIST) id AA17842; Fri, 21 Aug 92 02:54:15 EDT Posted-Date: Thu, 20 Aug 92 23:54 PDT Received-Date: Fri, 21 Aug 92 02:54:15 EDT Received: by cv.vortex.com (/\==/\ Smail3.1.25.1 #25.21) id ; Thu, 20 Aug 92 21:49 PDT Message-Id: Date: Thu, 20 Aug 92 23:54 PDT From: privacy@cv.vortex.com (PRIVACY Forum) To: privacy-forum@csrc.ncsl.nist.gov Subject: PRIVACY Forum Digest V01 #13 Status: R PRIVACY Forum Digest Thursday, 20 August 1992 Volume 01 : Issue 13 Moderated by Lauren Weinstein (lauren@cv.vortex.com) Vortex Technology, Topanga, CA, U.S.A. ===== PRIVACY FORUM ===== The PRIVACY Forum digest is supported in part by the ACM Committee on Computers and Public Policy. CONTENTS DAK Catalog and PhoneDisc (Stan Quayle) DNA fingerprinting data (Jerry Leichter) Motorola 'Secure Clear' Cordless Phones (Tim Tyler) CPSR Letter on Crypto Policy (David Sobel) Undergraduate course on computers, freedom, and privacy (Lance J. Hoffman) CPSR 1992 Annual Meeting (Nikki Draper) *** Please include a RELEVANT "Subject:" line on all submissions! *** *** Submissions without them may be ignored! *** ----------------------------------------------------------------------------- The PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged. ALL submissions should be addressed to "privacy@cv.vortex.com" and must have RELEVANT "Subject:" lines. Submissions without appropriate and relevant "Subject:" lines may be ignored. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@cv.vortex.com". Mailing list problems should be reported to "list-maint@cv.vortex.com". All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations. The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "cv.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX to (310) 455-2364. ----------------------------------------------------------------------------- VOLUME 01, ISSUE 13 Quote for the day: "My first public appearance in years, and it's all straight lines." -- Closing comment by Woody Allen at a press conference the week of August 16, 1992, discussing allegations made against him by former companion Mia Farrow. ---------------------------------------------------------------------- Date: Wed, 12 Aug 1992 09:04:28 EDT From: Stan Quayle Subject: DAK Catalog and PhoneDisc > [ DAK has their warehouse, offices, and walk-in store about 20 > minutes from my area. I've been down there a number of times to > *very carefully* buy various items. The important thing to keep > in mind about DAK is that much of their merchandise consists of > closeouts or "old versions" of items that have already been > supersceded by later versions. One would have to wonder about the > degree of data "staleness" in a DAK CD-ROM nationwide white pages > (which is what I believe this item to be). -- MODERATOR ] I called the PhoneDisc company, which makes DAK's disk. The DAK version is the "retail" version of PhoneDisc, which has last year's data, and leaves out 10,000,000 households. The "commercial" PhoneDisc is available with quarterly updates. Of course, it's $1850 per year. DAK's disk would be sufficient for my purposes, but I don't want to buy an old, slow, CD-ROM drive first. Drop by the walk-in store and see if you can buy me one without the drive, would you? ----------------- Stan Quayle N8SQ +1 614 764-4212 Internet: quayle@engclu.doh.square-d.com UUCP: osu-cis!squared!quayle Square-D Company, 5160 Blazer Parkway, Dublin, OH 43017 ------------------------------ Date: Thu, 20 Aug 92 15:45:56 EDT From: Jerry Leichter Subject: DNA fingerprinting data In a recent PRIVACY, I noted that the data used for identification by "DNA fingerprints" was different from that used to identify diseases. I've since had the chance to talk to someone who does molecular biology, and he confirmed this. In fact, he pointed out that genes useful for identification are almost certain to be useless for purposes like denying insurance. The reasoning is simple. Suppose you want to identify people with a 1 in 10^6 chance of error. If you choose a gene that only occurs in 1 in 10^6 people, for that one person, you are done - but for everyone else, you have no information. You'd need almost 10^6 genes to stand a good chance of identifying a random member of the population. On the other hand, if you can find 20 genes each of which occurs in the population independently with about 50% probability, any given combination will only occur once in 2^20 times, or about 1 in 10^6. A MUCH better approach. In general, to be useful for identification, genes have to be quite common, hence unlikely to be of significant use in predicting disease. My contact points out a related issue: As we learn more about the genetics of various diseases, we also learn more about their inheritance charateristics. (In fact, often we learn about the latter first.) Given enough information of this sort, which should be available in perhaps 10 to 20 years, you won't really need to analyze someone's DNA to make all sorts of medically signifi- cant predictions: All you'll need is data about the medical status of their parents and relatives. And, of course, the insurance companies already HAVE extremely complete data of exactly this sort about just about everyone who's lived in the past 30 years, if not longer. It will be much more difficult to control their use of such data. -- Jerry ------------------------------ Date: Thu, 20 Aug 92 19:42:40 EDT From: tim@ais.org (Tim Tyler) Subject: Motorola 'Secure Clear' Cordless Phones "Why A Motorola Cordless Phone?" "Cordless phone eavesdroppers are everywhere" says pro golfer Lee Turino, spokesman for Motorola. "But with my Motorola Secure Clear~ Cordless Phone, my private conversations stay private." So says a glossy brochure (# BA-81) that Motorola's Consumer Products Division (telephone # 800/331-6456) distributes to promote their new 'secure' cordless phone product line. When I first read the cover of the brochure, I said to myself, "Wow, I wonder what sophisticated technology it must use?" Motorola has been developing and selling secure voice & data systems, from DVP & DES up to the current 'FASCINATOR' algorithm for classified military & federal government secure voice for many years. Page Two of the slick brochure provides some rhetorical questions and answers: ***************************************************************** Why Motorola Cordless Phones? Q. What is meant by Secure Clear? Secure Clear is an exclusive technology that assures you no eavesdroppers will be able to use another cordless phone, scanner or baby monitor to listen in to your cordless conversations. Q. How difficult is it to eavesdrop on someone's cordless conversation? It's not difficult at all. Simply by operating a cordless phone, scanner or baby monitor on the same channel as you're on, an eavesdropper can listen in. Security codes alone DO NOT prevent eavesdropping. Q. What are security codes and what do they do? Security codes allow the handset and base to communicate with each other. With the Secure Clear cordless phone, one of 65,000 possible codes are randomly assigned every time you set the handset in the base. This means that a neighbor cannot use his handset to link with your base and have phone calls charged to your phone number. Q. Describe the basic difference between Secure Clear and security codes. Secure Clear protects against eavesdropping. Security codes prevent the unauthorized use of your phone line. Usually all cordless phones have security codes, but not both. Q. What is the purpose of the Secure Clear demo? The Secure Clear demo is a unique feature of Motorola phones that allows you to actually experience what an eavesdropper would hear when trying to listen to your conversation. By pressing the SECURE DEMO button on the Motorola phone, you and the person on the other end will hear the same scrambled noise an eavesdropper would hear. ***************************************************************** Hmmm... I went to the Motorola Secure Clear cordless phone display at a Sears store, took a deep breath, & hit the demo button in order to hear what the "scrambled noise" which would protect a conversation from eavesdropping sounded like. White-noise like that of a digital data stream? Rapid analog time-domain scrambling? No, the scrambled "noise" sounded like inverted analog voice. That's right, they're using the 40 or 50 year old (3kHz baseband) speech inversion system --the same one which they stopped marketing for their commercial two-way radio gear about a decade ago-- to make Lee Turino & other ignorant people's "private conversations stay private." For those of you not familiar with speech inversion, it simply flip-flops the voice spectrum so that high pitched sounds are low, & vice versa. It sounds a lot like Single Side Band (SSB) transmissions, although an SSB receiver will not decode speech- inversion scrambling. Prior to 1986, several companies -- Don Nobles, Capri Electronics, etc. sold inexpensive kits or scanner add-ons which could be used to decode speech inversion. Several electronics magazines also published schematics for making your own from scratch, at a cost of about $5. After the Electronic Communications Privacy Act of 1986, it became illegal to decode or decipher encrypted communications which you weren't a legitimate party to, so the standard practice of selling these quasi-legal products as 'experimental kits' or 'for educational purposes only' became common. Today, some companies will not specifically sell a 'speech-inversion descrambler,' but instead market a 'speech inversion scrambling system' which means the kit will encode as well as decode speech inversion, although most people buy them simply to hook up to their scanners & monitor the few public safety agencies and business that (still) use speech-inversion scrambling. Yes, technically, it is a felony for you to use a speech- inversion descrambler to monitor these Motorola 'Secure Clear' cordless. Or for that matter, the new Radio Shack DUoPHONE ET-499, cordless phone which also depends on speech-inversion for privacy protection. The public utility of the ECPA has been argued about ever since before it was enacted. It is rather obvious that the ECPA was pushed upon the ignorant, money-hungry Congress by the powerful (& wealthy) Cellular Telephone Industry Association (so the CTIA could propagate misinformation to the public, but that's another story...). I also realize that the 46/49MHz cordless phone channels are apparently allocated for analog-voice only. Despite the ECPA, it is unconscionable to me that Motorola -- who surely knows better-- would produce the slick brochure & specifically market the 'Secure Clear' line as being invulnerable to eavesdropping. Their wording unequivocally gives the impression that the 'Secure Clear' conversations are secure, not only from other cordless phone & baby monitors, which have several common frequencies, but also against communications hobbyists with scanner radios. It is bad enough that many public safety officers still think that by using the 'PL' ('Private Line~,' also known as CTCSS) setting on their Motorola two-way radios, no one else can listen in. While the 'Private Line' fiasco might be attributable to misconception on the part of the radio users, in my opinion, Motorola's Consumer Products Division has to know that there are thousands of scanner monitors who have the technical ability to defeat the speech-inversion 'Secure Clear' system. A Motorola representative at the 1992 Summer Consumer Electronics Show in Chicago confirmed this to me, with a smirk on his face. There's a big difference between Motorola's aforementioned wording & that of Radio Shack's on page 3 of their 1993 catalog: New! Voice-Scrambling Cordless Telephone DUoFONE ET-499. Cordless phones are great. But since they transmit over the airwaves, your private conversations could be monitored. Now you can enjoy cordless convenience with voice scrambling for added [emphasis theirs] privacy protection -- frequency inversion makes transmissions between the handset and base unintelligible... It's not "Motorola should know better." Motorola DOES know better. Otherwise, they wouldn't be spending time or money on true 'secure' (based on current technology, of course) communications and transmission security systems. I sure am thankful that our federal government & military users of secure-mode communications systems don't rely on Motorola's marketing department to provide factual information as to the level of security provided by Motorola equipment. Too bad that for the most part, the public does. For anyone looking for a cordless telephone that offers a decent level of privacy, take a look at some of the new cordless phones which use 900MHz. Most of the new ones not only use CVSD digital voice for the RF link, but also direct-sequence spread spectrum. By no means are these phones secure ('encoded,' yes, but 'encrypted,' no), & the Tropez 900 actually seems to generate a very weak analog harmonic in the 440MHz spectrum, but you'll be a lot better off than poor old Lee Turino. -- Tim Tyler Internet: tim@ais.org MCI Mail: 442-5735 P.O. Box 443 C$erve: 72571,1005 DDN: Tyler@Dockmaster.ncsc.mil Ypsilanti MI Packet: KA8VIR @KA8UNZ.#SEMI.MI.USA.NA 48197 ------------------------------ Date: Mon, 17 Aug 1992 14:48:18 EDT From: David Sobel Subject: CPSR Letter on Crypto Policy CPSR Letter on Crypto Policy The following is the text of a letter Computer Professionals for Social Responsibility (CPSR) recently sent to Rep. Jack Brooks, chairman of the House Judiciary Committee. The letter raises several issues concerning computer security and cryptography policy. For additional information on CPSR's activities in this area, contact banisar@washofc.cpsr.org. For information concerning CPSR generally (including membership information), contact cpsr@csli.stanford.edu. ==================================================== August 11, 1992 Representative Jack Brooks Chairman House Judiciary Committee 2138 Rayburn House Office Bldg. Washington, DC 20515-6216 Dear Mr. Chairman: Earlier this year, you held hearings before the Subcommittee on Economic and Commercial Law on the threat of foreign economic espionage to U.S. corporations. Among the issues raised during the hearings were the future of computer security authority and the efforts of government agencies to restrict the use of new technologies, such as cryptography. As a national organization of computer professionals interested in the policies surrounding civil liberties and privacy, including computer security and cryptography, CPSR supports your efforts to encourage public dialogue of these matters. Particularly as the United States becomes more dependent on advanced network technologies, such as cellular communications, the long-term impact of proposed restrictions on privacy-enhancing techniques should be carefully explored in a public forum. When we had the opportunity to testify before the Subcommittee on Legislation and National Security in May 1989 on the enforcement of the Computer Security Act of 1987, we raised a number of these issues. We write to you now to provide new information about the role of the National Security Agency in the development of the Digital Signature Standard and the recent National Security Directive on computer security authority. The information that we have gathered suggests that further hearings are necessary to assess the activities of the National Security Agency since passage of the Computer Security Act of 1987. The National Security Agency and the Digital Signature Standard Through the Freedom of Information Act, CPSR has recently learned that the NSA was the driving force behind the selection and development of the Digital Signature Standard (DSS). We believe that the NSA's actions contravene the Computer Security Act of 1987. We have also determined that the National Institute of Standards and Technology (NIST) attempted to shield the NSA's role in the development of the DSS from public scrutiny. The Digital Signature Standard will be used for the authentication of computer messages that travel across the public computer network. Its development was closely watched in the computer science community. Questions about the factors leading to the selection of the standard were raised by a Federal Register notice, 56 Fed. Reg. 42, (Aug 30, 1991), in which NIST indicated that it had considered the impact of the proposed standard on "national security and law enforcement," though there was no apparent reason why these factors might be considered in the development of a technical standard for communications security. In August 1991, CPSR filed a FOIA request with the National Institute of Standards and Technology seeking all documentation relating to the development of the DSS. NIST denied our request in its entirety. The agency did not indicate that they had responsive documents from the National Security Agency in their files, as they were required to do under their own regulations. 15 C.F.R. Sec. 4.6(a)(4) (1992). In October 1991, we filed a similar request for documents concerning the development of the DSS with the Department of Defense. The Department replied that they were forwarding the request to the NSA, from whom we never received even an acknowledgement of our request. In April 1992, CPSR filed suit against NIST to force disclosure of the documents. CPSR v. NIST, et al., Civil Action No. 92-0972-RCL (D.D.C.). As a result of that lawsuit, NIST released 140 out of a total of 142 pages. Among those documents is a memo from Roy Saltman to Lynn McNulty which suggests that there were better algorithms available than the one NIST eventually recommended for adoption. If that is so, why did NIST recommend a standard that its own expert believed was inferior? Further, NIST was required under Section 2 of the Computer Security Act to develop standards and guidelines to "assure the cost-effective security and privacy of sensitive information in federal systems." However, the algorithm selected by NIST as the DSS was purposely designed to minimize privacy protection: its use is limited to message authentication. Other algorithms that were considered by NIST included both the ability to authenticate messages and the capability to incorporate privacy-enhancing features. Was NSA's interest in communication surveillance one of the factors that lead to the NIST decision to select an algorithm that was useful for authentication, but not for communications privacy? Most significantly, NIST also disclosed that 1,138 pages on the DSS that were created by the NSA were in their files and were being sent back to the NSA for processing. Note that only 142 pages of material were identified as originating with NIST. In addition, it appears that the patent for the DSS is filed in the name of an NSA contractor. The events surrounding the development of the Digital Signature Standard warrant further Congressional investigation. When Congress passed the Computer Security Act, it sought to return authority for technical standard-setting to the civilian sector. It explicitly rejected the proposition that NSA should have authority for developing technical guidelines: Since work on technical standards represents virtually all of the research effort being done today, NSA would take over virtually the entire computer standards job from the [National Institute of Standards and Technology]. By putting the NSA in charge of developing technical security guidelines (software, hardware, communications), [NIST] would be left with the responsibility for only administrative and physical security measures -- which have generally been done years ago. [NIST], in effect, would on the surface be given the responsibility for the computer standards program with little to say about the most important part of the program -- the technical guidelines developed by NSA. Government Operation Committee Report at 25-26, reprinted in 1988 U.S. Code Cong. and Admin. News at 3177-78. See also Science Committee Report at 27, reprinted in 1988 U.S.C.A.N. 3142. Despite the clear mandate of the Computer Security Act, NSA does, indeed, appear to have assumed the lead role in the development of the DSS. In a letter to MacWeek magazine last fall, NSA's Chief of Information Policy acknowledged that the Agency "evaluated and provided candidate algorithms including the one ultimately selected by NIST." Letter from Michael S. Conn to Mitch Ratcliffe, Oct. 31, 1991. By its own admission, NSA not only urged the adoption of the DSS -- it actually "provided" the standard to NIST. The development of the DSS is the first real test of the effectiveness of the Computer Security Act. If, as appears to be the case, NSA was able to develop the standard without regard to recommendations of NIST, then the intent of the Act has clearly been undermined. Congress' intent that the standard-setting process be open to public scrutiny has also been frustrated. Given the role of NSA in developing the DSS, and NIST's refusal to open the process to meaningful public scrutiny, the public's ability to monitor the effectiveness of the Computer Security Act has been called into question. On a related point, we should note that the National Security Agency also exercised its influence in the development of an important standard for the digital cellular standards committee. NSA's influence was clear in two areas. First, the NSA ensured that the privacy features of the proposed standard would be kept secret. This effectively prevents public review of the standard and is contrary to principles of scientific research. The NSA was also responsible for promoting the development of a standard that is less robust than other standards that might have been selected. This is particularly problematic as our country becomes increasingly dependent on cellular telephone services for routine business and personal communication. Considering the recent experience with the DSS and the digital cellular standard, we can anticipate that future NSA involvement in the technical standards field will produce two results: (1) diminished privacy protection for users of new communications technologies, and (2) restrictions on public access to information about the selection of technical standards. The first result will have severe consequences for the security of our advanced communications infrastructure. The second result will restrict our ability to recognize this problem. However, these problems were anticipated when Congress first considered the possible impact of President Reagan's National Security Decision Directive on computer security authority, and chose to develop legislation to promote privacy and security and to reverse efforts to limit public accountability. National Security Directive 42 Congressional enactment of the Computer Security Act was a response to President Reagan's issuance of National Security Decision Directive ("NSDD") 145 in September 1984. It was intended to reverse an executive policy that enlarged classification authority and permitted the intelligence community broad say over the development of technical security standards for unclassified government and non-government computer systems and networks. As noted in the committee report, the original NSDD 145 gave the intelligence community new authority to set technical standards in the private sector: [u]nder this directive, the Department of Defense (DOD) was given broad new powers to issue policies and standards for the safeguarding of not only classified information, but also other information in the civilian agencies and private sector which DOD believed should be protected. The National Security Agency (NSA), whose primary mission is one of monitoring foreign communications, was given the responsibility of managing this program on a day-to-day basis. H. Rep. No. 153 (Part 2), 100th Cong., 1st Sess. 6 (1987). The legislation was specifically intended to override the Presidential directive and to "greatly restrict these types of activities by the military intelligence agencies ... while at the same time providing a statutory mandate for a strong security program headed up by [NIST], a civilian agency." Id. at 7. President Bush issued National Security Directive ("NSD") 42 on July 5, 1990. On July 10, 1990, Assistant Secretary of Defense Duane P. Andrews testified before the House Subcommittee on Transportation, Aviation, and Materials on the contents of the revised NSD. The Assistant Secretary stated that the "the new policy is fully compliant with the Computer Security Act of 1987 (and the Warner Amendment) and clearly delineates the responsibilities within the Federal Government for national security systems." On August 27, 1990, CPSR wrote to the Directorate for Freedom of Information of the Department of Defense and requested a copy of the revised NSD, which had been described by an administration official at the July hearing but had not actually been disclosed to the public. CPSR subsequently sent a request to the National Security Council seeking the same document. When both agencies failed to reply in a timely fashion, CPSR filed suit seeking disclosure of the Directive. CPSR v. NSC, et al., Civil Action No. 91-0013-TPJ (D.D.C.). The Directive, which purports to rescind NSDD 145, was recently disclosed as a result of this litigation CPSR initiated against the National Security Council. The text of the Directive raises several questions concerning the Administration's compliance with the Computer Security Act: 1. The new NSD 42 grants NSA broad authority over "national security systems." This phrase is not defined in the Computer Security Act and raises questions given the expansive interpretation of "national security" historically employed by the military and intelligence agencies and the broad scope that such a term might have when applied to computer systems within the federal government. If national security now includes international economic activity, as several witnesses at your hearings suggested, does NSD 42 now grant NSA computer security authority in the economic realm? Such a result would clearly contravene congressional intent and eviscerate the distinction between civilian and "national security" computer systems. More critically, the term "national security systems" is used throughout the document to provide the Director of the National Security Agency with broad new authority to set technical standards. Section 7 of NSD 42 states that the Director of the NSA, as "National Manager for National Security Telecommunications and Information Systems Security," shall * * * c. Conduct, *approve*, or endorse research and development of techniques and equipment to secure national security systems. d. Review and *approve* all standards, techniques, systems, and equipment, related to the security of national security systems. * * * h. Operate a central technical center to evaluate and *certify* the security of national security telecommunications and information systems. (Emphasis added) Given the recent concern about the role of the National Security Agency in the development of the Digital Signature Standard, it is our belief that any standard-setting authority created by NSD 42 should require the most careful public review. 2. NSD 42 appears to grant the NSA new authority for information security. This is a new area for the agency; NSA's role has historically been limited to communications security. Section 4 of the directive provides as follows: The National Security Council/Policy Coordinating Committee (PCC) for National Security Telecommuni- cations, chaired by the Department of Defense, under the authority of National Security Directives 1 and 10, assumed the responsibility for the National Security Telecommunications NSDD 97 Steering Group. By authority of this directive, the PCC for National Security Telecommunications is renamed the PCC for National Security Telecommunications and Information Systems, and shall expand its authority to include the responsibilities to protect the government's national security telecommunications and information systems. (Emphasis added). Thus, by its own terms, NSD 42 "expands" DOD's authority to include "information systems." What is the significance of this new authority? Will it result in military control of systems previously deemed to be civilian? 3. NSD 42 appears to consolidate NSTISSC (The National Security Telecommunications and Information Systems Security Committee) authority for both computer security policy and computer security budget determinations. According to section 7 of the revised directive, the National Manager for NSTISSC shall: j. Review and assess annually the national security telecommunications systems security programs and budgets of Executive department and agencies of the U.S. Government, and recommend alternatives, where appropriate, for the Executive Agent. NTISSC has never been given budget review authority for federal agencies. This is a power, in the executive branch, that properly resides in the Office of Management and Budget. There is an additional concern that Congress's ability to monitor the activities of federal agencies may be significantly curtailed if this NTISSC, an entity created by presidential directive, is permitted to review agency budgets in the name of national security. 4. NSD 42 appears to weaken the oversight mechanism established by the Computer Security Act. Under the Act, a Computer Systems Security and Privacy Advisory Board was established to identify emerging issues, to inform the Secretary of Commerce, and to report findings to the Congressional Oversight Committees. Sec. 3, 15 U.S.C. Sec. 278g-4(b). However, according to NSD 42, NSTISSC is established "to consider technical matters and develop operating policies, procedures, guidelines, instructions, and standards as necessary to implement provisions of this Directive." What is the impact of NSTISSC authority under NSD 42 on the review authority of the Computer Systems Security and Privacy Advisory Board created by the Computer Security Act? Conclusion Five years after passage of the Computer Security Act, questions remain about the extent of military involvement in civilian and private sector computer security. The acknowledged role of the National Security Agency in the development of the proposed Digital Signature Standard appears to violate the congressional intent that NIST, and not NSA, be responsible for developing security standards for civilian agencies. The DSS experience suggests that one of the costs of permitting technical standard setting by the Department of Defense is a reduction in communications privacy for the public. The recently released NSD 42 appears to expands DOD's security authority in direct contravention of the intent of the Computer Security Act, again raising questions as to the role of the military in the nation's communications network. There are also questions that should be pursued regarding the National Security Agency's compliance with the Freedom of Information Act. Given the NSA's increasing presence in the civilian computing world, it is simply unacceptable that it should continue to hide its activities behind a veil of secrecy. As an agency of the federal government, the NSA remains accountable to the public for its activities. We commend you for opening a public discussion of these important issues and look forward to additional hearings that might address the questions we have raised. Sincerely, Marc Rotenberg, Director CPSR Washington Office ------------------------------ Date: Thu, 20 Aug 92 18:24:47 EDT From: "Lance J. Hoffman" Subject: Undergraduate course on computers, freedom, and privacy For those in the Washington DC area, I am offering an interdisciplinary undergraduate credit course in the fall on computers, freedom, and privacy. It is described below. If you are a non-degree student (i.e., not currently enrolled at the university) and wish to enrolling, call (202) 994-5000 after August 28 and select the "Quick Admit" option of the voicemail and you will be connected, they tell me, to a human. THE GEORGE WASHINGTON UNIVERSITY School of Engineering and Applied Science Department of Electrical Engineering and Computer Science CS701 - FREEDOM AND PRIVACY IN THE COMPUTER AGE Tuesdays 3:30-6:00 p.m., Phillips Hall T414B Prof. Lance J. Hoffman Fall 1992 This interdisciplinary course is being offered to all university students (and walk-ins). It does not carry graduate credit, and you need not be a matriculated student to take it. No prior computer experience is required and it will not teach anyone much about "how to" use or build computers. It is a social impact course with lots of videotapes, guest lecturers, class discussion, etc. A term project and final exam are both required. COURSE DESCRIPTION: Computers are changing our daily lives and raising new issues of privacy, freedom of speech, search and seizure, access to personal and governmental information, professional responsibilities, ethics, criminality, and law enforcement. This course examines these using written and videotape proceedings of recent major conferences which spanned many disciplines. TEXT: Proceedings of the First Conference on Computers, Freedom, and Privacy, IEEE Press, 1991 Proceedings of the Second Conference on Computers, Freedom, and Privacy, ACM Press, 1992 may or may not be available in time. If the printed book is not available, you will download the file from the network and print it out to read (we will teach you how to do this). "CS 701 Readings", available from the GWU Bookstore Videotapes assigned to view before class are available on reserve in the Gelman Library. *TENTATIVE* LECTURES Meeting Date Number 1 9/1 Overview. Administrative matters. 2 9/8 Getting on the Internet from GWU. Using anonymous FTP. Downloading and uploading. Network services. Using IBM PCs to do the upcoming crypto exercises. A layman's introduction to cryptography 3 9/15 Network promises and behavoir 4 9/22 Free Speech and the Public Phone Net 5 9/29 Digital telephony. Cryptography for Everyone 6 10/6 Who Holds the Keys? 7 10/13 Who's in your genes? 8 10/20 A Data Protection Board?/Third Party Use 9 10/27 Privacy and Intellectual Freedom in the Digital Library 10 11/3 Electronic Voting: The Promises and the Fears 11 11/10 Caller ID and Other Telco Issues 12 11/17 Computers in the Workplace 13 11/24 International Implications 14 12/1 Project Presentations 15 12/8 Project Presentations -- Professor Lance J. Hoffman Department of Electrical Engineering and Computer Science The George Washington University Washington, D. C. 20052 (202) 994-4955 fax: (202) 994-0227 hoffman@seas.gwu.edu ------------------------------ Date: Tue, 18 Aug 1992 15:22:45 PDT From: Nikki Draper Subject: CPSR 1992 Annual Meeting ************************************************************************ COMPUTER PROFESSIONALS FOR SOCIAL RESPONSIBILITY 1992 ANNUAL MEETING OCTOBER 17TH AND 18TH STANFORD UNIVERSITY PALO ALTO, CALIFORNIA ************************************************************************ In the heat of a presidential campaign, CPSR asks computer professionals to take a critical look at how politics affects technology and how technology affects the political process. Computer scientists from across the country will rigorously examine this years techno - speak to find the substance amid the line noise. Our annual meeting is open to everyone who has an interest in computers, communication, and our role as citizens in a high-tech society. Computer Professionals for Social Responsibility is a national alliance of professionals dedicated to promoting the responsible use of computer technology, ensuring that information technology plays a positive role in society. *********************************************************************** SATURDAY, OCTOBER 17TH 8 a.m. - 9 a.m. Registration and Continental Breakfast 9:00 - 9:15 Welcome 9:15 - 10:45 Teledemocracy & Citizen Participation: Beyond the Electronic Town Meeting Electronic media allow politicians and the general public to communicate in new ways. An election year look at the dangers and the opportunities of electronic democracy. 10:45 - 11:00 Break 11:00-12:30 The Politics of Cryptography Cryptography is a means of ensuring the privacy and integrity of electronically transmitted information. The military/intelligence establishment has traditionally restricted the development and dissemination of this technology. With the end of the Cold War and the rapid expansion of the electronic network, government policy in cryptography has come to the forefront. This panel examines the current issues. Moderated by David Sobel, Legal Counsel for CPSR. 12:30 - 2:00 Lunch break 2:00 - 3:30 Everything's Digital! Media Convergence: Hope, Hell, or Hype? Big industry players are promoting multimedia convergence as the next technological frontier. There's smoke, but is there fire? As all forms of information congeal into a digital soup, convergence raises issues of ownership, authorship, integrity and access. Is convergence television to the 10th power, a consumer nightmare, or a true vision of a new creativity? Moderated by Amy Pearl of Sun Microsystems. 3:30-3:45 Break 3:45-5:00 Envisioning Technology Policy in a Democratic Society How do we translate our vision of technology's promise into democratic reality? A panel of activists looks at the development of American technology policy and asks the crucial question: Is it the vision thing or deep doodoo? CPSR Board member, Jim Davis moderates. 5:00-7:30 Break 7:30-8:30 No Host Bar at Ming's Villa 8:30-10:30 Banquet at Ming's Villa Dave Liddle of Interval Research speaks on Computing in the 21st Century. Announcement and presentation of the Norbert Wiener Award for Social and Professional Responsibility in Computing. SUNDAY, OCTOBER 18TH 8 a.m. - 9 a.m. Continental Breakfast 9:00 - 9:15 Welcome 9:15- 10:30 CPSR: How We Have Impact and Why We Win For over a decade, CPSR has had an important impact on national, international, state and local technology policy. To continue our success, CPSR activists share case studies of our of public policy successes. By understanding why we win, we can maximize our impact in the future. 10:30-10:45 Break 10:45-12:15 Organizing for the Future A plenary discussion of CPSR's program areas - defining the issues, building consensus, and setting the agenda. 12:15-2 p.m. Lunch 2:00-3:00 CPSR Working Groups Break out groups, based on the morning's plenary, allow participants to chart CPSR's plans on key program issues: civil liberties, privacy, 21st Century, reliability and risk, workplace issues, and more. 5 minute break 3:00 - 4:00 Leadership Development Workshops Break out sessions on leadership development, organizing on the net, chapter development, and more. 4:00-4:15 Break 4:15-5:30 Reports, evaluation, and President's message. *********************************************************************** Name _____________________________________________________ Address ___________________________________________________ City__________________________State ________Zip Code_________ Telephone__________________________________________________ Important: Registration is on a first come, first serve basis. We expect these events will sell out, so it is important that you return the registration form as soon as possible to guarantee places at the meeting and banquet. EARLY REGISTRATION (received by 10/9/92) CPSR Member Meeting and banquet $85 Meeting only $45 Banquet only $40 Nonmember Meeting and banquet $95 Meeting only $50 Banquet only $45 By adding $40 for a one-year CPSR membership, you can become eligible for member prices. CPSR also offers a sliding scale fee for registration to the meeting. If you are interested, call the National Office at 415-322-3778, for details or send us email at cpsr@csli.stanford.edu LATE REGISTRATION (received after 10/9/92) CPSR Member Meeting and banquet $95 Meeting only $50 Banquet only $45 Nonmember Meeting and banquet $105 Meeting only $55 Banquet only $50 I want a vegetarian dinner at the Banquet. _____YES ______NO BRING SOMEONE WHO IS NOT A CPSR MEMBER TO THE ANNUAL MEETING, AND GET $5.00 OFF YOUR REGISTRATION FEE!! I can't attend the Annual Meeting, but I want to support the work of CPSR. I've enclosed a tax deductible contribution to help create a successful organization. Total enclosed $___________ Please send me _____ brochures to hand out to my friends and colleagues. Make check payable to CPSR. Mail to: CPSR P.O. Box 717, Palo Alto, CA 94301 For more information on CPSR call 415-322-3778 or send email to cpsr@csli.stanford.edu ------------------------------ End of PRIVACY Forum Digest 01.13 ************************