PRIVACY Forum Digest      Friday, 8 January 1993      Volume 02 : Issue 02

Moderated by Lauren Weinstein (lauren@cv.vortex.com)
Vortex Technology, Topanga, CA, U.S.A.

===== PRIVACY FORUM =====

The PRIVACY Forum digest is supported in part by the ACM Committee on Computers and Public Policy.

CONTENTS
    OECD Security Guidelines (Marc Rotenberg)
    On expectations of privacy (Jerry Leichter)
    Utility bills going to law enforcement (KitchenRN@ssd0.laafb.af.mil)
    Car Searches Require Probable Cause - Well Maybe Not in Florida (A. Padgett Peterson)
    Perot campaign raiding credit data? (KitchenRN@ssd0.laafb.af.mil)
    Car searches (Lynn R. Grant)
    Caller ID Integrity (Lynn R. Grant)
    CFP'93 Electronic Brochure (Bruce R. Koball)

*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------

The PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@cv.vortex.com" and must have RELEVANT "Subject:" lines. Submissions without appropriate and relevant "Subject:" lines may be ignored. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@cv.vortex.com". Mailing list problems should be reported to "list-maint@cv.vortex.com". All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "cv.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive.

For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX to (310) 455-2364.

-----------------------------------------------------------------------------

VOLUME 02, ISSUE 02

    Quote for the day:

        "Seven and a half cents,
         Doesn't buy a heck of a lot.
         Seven and a half cents,
         Doesn't mean a thing.
         But give it to me every hour,
         Forty hours every week,
         That's enough for me to be,
         Living like a king!"

            -- Chorus from "The Pajama Game" (1957)

----------------------------------------------------------------------

Date: Tue, 22 Dec 1992 14:19:51 EDT
From: Marc Rotenberg
Subject: OECD Security Guidelines

OECD SECURITY GUIDELINES

The Organization for Economic Cooperation and Development (OECD) has adopted international Guidelines for the Security of Information Systems. The Guidelines are intended to raise awareness of the risks in the use of information systems and to establish a policy framework to address public concerns.

A copy of the press release and an excerpt from the Guidelines follows. For additional information or for a copy of the guidelines, contact Ms. Deborah Hurley, OECD, 2, rue Andre-Pascal, 75775 Paris Cedex 16, 33-1-45-24-93-71 (fax) 33-1-45-24-93-32 (fax).

Marc Rotenberg, Director
CPSR Washington office and
Member, OECD Expert Group on Information System Security
rotenberg@washoc.cpsr.org

=============================================================

"OECD ADOPTS GUIDELINES FOR THE SECURITY OF INFORMATION SYSTEMS

"The 24 OECD Member countries on 26th November 1992 adopted Guidelines for the Security of Information Systems, culminating almost two years' work by an OECD expert group composed of governmental delegates, scholars in the fields of law, mathematics and computer science, and representatives of the private sector, including computer and communication goods and services providers and users.

"The term information systems includes computers, communication facilities, computer and communication networks and the information that they process. These systems play an increasingly significant and pervasive role in a multitude of activities, including national economies, international trade, government and business operation, health care, energy, transport, communications and education.

"Security of information systems means the protection of the availability, integrity, and confidentiality of information systems. It is an international issue because information systems frequently cross national boundaries.

"While growing use of information systems has generated many benefits, it has also shown up a widening gap between the need to protect systems and the degree of protection currently in place. Society has become very dependent on technologies that are not yet sufficiently dependable. All individuals and organizations have a need for proper information system operations (e.g. in hospitals, air traffic control and nuclear power plants).

"Users must have confidence that information systems will be available and operate as expected without unanticipated failures or problems. Otherwise, the systems and their underlying technologies may not be used to their full potential and further growth and innovation may be prohibited.

"The Guidelines for the Security of Information Systems will provide the required foundation on which to construct a framework for security of information systems. They are addressed to the public and private sectors and apply to all information systems. The framework will include policies, laws, codes of conduct, technical measures, management and user practices, and public education and awareness activities at both national and international levels.

"Several OECD Member countries have been forerunners in the field of security of information systems. Certain laws and organizational and technical rules are already in place. Most other countries are much farther behind in their efforts. The Guidelines will play a normative role and assist governments and the private sector in meeting the challenges of these worldwide systems. The Guidelines bring guidance and a real value-added to work in this area, from a national and international perspective."

PRINCIPLES

"1. Accountability Principle

The responsibilities and accountability of owners, providers and users of information systems and other parties concerned with the security of information systems should be explicit.

"2. Awareness Principle

"In order to foster confidence in information systems, owners, providers and users of information systems and other parties should readily be able, consistent with maintaining security, to gain appropriate knowledge of and be informed about the existence and general extent of measures, practices and procedures for the security of information systems.

"3. Ethics Principle

"Information systems and the security of information systems should be provided and used in such a manner that the rights and legitimate interests of others are respected.

"4.
Multidisciplinary Principle

"Measures, practices and procedures for the security of information systems should take account of and address all relevant considerations and viewpoints, including technical, administrative, organizational, operational, commercial, educational and legal.

"5. Proportionality Principle

"Security levels, costs, measures, practices and procedures should be appropriate and proportionate to the value of and degree of reliance on the information systems and to the severity, probability and extent of potential harm, as the requirements for security vary depending upon the particular information systems.

"6. Integration Principle

"Measures, practices and procedures for the security of information systems should be co-ordinated and integrated with each other and with other measures, practices and procedures of the organization so as to create a coherent system of security.

"7. Timeliness Principle

"Public and private parties, at both national and international levels, should act in a timely co-ordinated manner to prevent and to respond to breaches of information systems."

"8. Reassessment Principle

"The security of information systems should be reassessed periodically, as information systems and the requirements for their security vary over time.

"9. Democracy Principle

"The security of information systems should be compatible with the legitimate use and flow of data and information in a democratic society."

[Source: OECD Guidelines for the Security of Information Systems (1992)]

------------------------------

Date: Tue, 29 Dec 92 08:53:44 EDT
From: Jerry Leichter
Subject: On expectations of privacy

Banks today are required to report large cash transactions. One hears talk of using either specific computer-readable markers on new currency, or just OCR to read the serial numbers on old currency, as a near-future mechanism that will make it possible to track what happens to money.
This is viewed with universal shock and horror as a new intrusion on our obvious traditional right to complete anonymity in cash transactions.

But is there really any such traditional right? Anyone who studies a bit of history quickly discovers that for something to be widely believed to be inevitable, it really need only have been widespread for a relatively short period.

I recently read "Natural Death", a Dorothy Sayers "Lord Peter Wimsey" mystery written, and set, in mid-1920's England. A woman is found murdered; on her person is a (new?) five-pound note. The police are able to use the serial number of the note to locate the bank that issued it, the bank finds the appropriate teller, and the teller recalls the person to whom she issued that note (along with two other fivers). A bit of a stretch of memory perhaps, but Sayers's writing was intended to be realistic and essentially believable. Clearly, neither Sayers nor her readers found this particular bit of police work unreasonable - or disturbing.

It's easy to forget how much of what we think of as "privacy" is simply the anonymity of large-scale civilization. Sayers's bank teller could remember her customer because she didn't deal with hundreds of people she didn't know every day; in the 1920's, banks were used by the wealthy.

BTW, my guess is that in modern terms that five-pound note would be worth somewhere around $100 or so. I doubt Sayers would have expected a one-pound note to be so easily traceable.

-- Jerry

------------------------------

Date: Tue, 29 Dec 92 11:28:00
From:
Subject: Utility bills going to law enforcement

>Reports out of the San Jose, California area are expressing concern over the
>apparent practice of some utility companies of routinely turning over
>"unusual" utility bills to law enforcement agencies. It seems that above
>average (that is, above the norm for the customer class) use of water and/or
>power may be considered to be a possible indication of illegal drug
>activities.
>At least some utility companies apparently consider consumer
>utility bills to be public information and not subject to privacy
>considerations.
>

There was an AP article in yesterday's newspaper (the Torrance, CA "Daily Breeze") which addressed this subject, quoting the "San Jose Mercury News". The article mentioned that the utilities were not only giving out usage information about water and electricity, but were also including Social Security number, place of employment, and driver's license number. In addition, the utilities were also giving out information about *the neighbors* of the people under surveillance, "for comparative purposes."

A spokesdrone for Pacific Gas & Electric (PG&E), the Northern California utility, said that the practice was just their way of being "a good corporate citizen and caring about the community. Nobody regarded it as a particular problem." The article also quoted a PG&E memo which stated corporate policy of honoring all requests from law enforcement personnel, whether they have a search warrant or not.

------------------------------

Date: Tue, 29 Dec 92 22:13:34 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: "Car Searches Require Probable Cause" - Well Maybe Not in Florida

>From: mbeckman@mbeckman.mbeckman.com (Mel Beckman)
>I'm certain many will respond to this. The answer is that no, the officer
>may not search your car without a warrant, and he can't get a warrant
>unless he has probable cause. Probable cause has been specifically determined
>to exclude such logic as "anyone who won't consent is hiding something"
>or "he looks guilty". It requires specific evidence that a crime may have
>been committed (e.g. bullet holes in the trunk).

Well I live less than 50 miles from Volusia County (Daytona) where this seems to have had some interesting interpretations. According to the Orlando Sentinel (newspaper), on stops of "suspected couriers" a request was made to search the vehicle.
If refused, a "drug sniffing" dog was summoned who often seems to bark or wag his tail or whatever. Apparently this constitutes "probable cause" and a search was then performed.

Interestingly, one of the courier "profiles" mentioned as suspect was driving *under* the speed limit (65 mph on I-95 in most places).

Warmly,
Padgett

------------------------------

Date: Mon, 04 Jan 93 10:11:00
From:
Subject: Perot campaign raiding credit data?

Over the weekend, several news reports announced that the FBI is investigating the Ross Perot campaign for illegally using stolen computer codes to obtain credit reports on campaign workers.

Former Perot workers, Equifax (the credit reporting company), and Orix Consumer Leasing in Secaucus, NJ have admitted to reporters' questions that they have spoken to the FBI, but the FBI refuses to discuss the matter. There are also reports that the Secret Service and the Federal Trade Commission are also involved in the investigation.

Equifax said that at least seventeen credit files of former Perot campaign workers may have been accessed, using the security code of Orix Consumer Leasing. Orix says that they never requested the reports, and they believe that their security codes had been stolen.

------------------------------

Date: Mon, 4 Jan 93 12:41 EST
From: Lynn R Grant
Subject: Car searches

The other day I got stopped by a State Trooper (for very mildly speeding), and he asked me if I would open my briefcase, which was lying on the seat next to me. I asked him what he was looking for. He said, "I just want to make sure you don't have a gun in there, so you don't shoot me while I'm walking back to my car."

Although he may not have been able to force me to open it without a warrant, I did not feel too bad about opening it for him, especially considering the number of cops that have been getting shot on routine stops lately. And anyway, a cop who isn't nervous about you shooting him is less likely to accidentally shoot you.
I don't know what I would have done if I had been carrying something illegal in my bag.

Lynn Grant

------------------------------

Date: Mon, 4 Jan 93 13:22 EST
From: Lynn R Grant
Subject: Caller ID Integrity

Much has been written about the pros and cons of the loss of privacy caused by caller ID, but I haven't seen anything about how much you can trust the information provided by caller ID. This could be important when billing systems are connected with caller ID.

For example, my local cable TV system connects the two for requesting pay-per-view movies. If you want to see the movie that is showing on channel 51, you dial a special 800 number that ends in -5151. The system gets your phone number from caller ID and uses it to look up your account. It then sends something over the TV cable to unlock your descrambler for that channel, and adds $4.95 to your cable TV bill (not your phone bill).

If it were possible to send out a fake phone number, it would be possible to harass someone by charging a bunch of movies to his bill. If this scheme was used for billings for larger-ticket items, the consequences could be much greater.

My understanding is that caller ID sends the number information as a burst of 1200 baud information between the first and second rings. I also understand that caller and callee are connected between rings, though I don't know if they are connected during the data burst. (I base this second assumption on an article I saw in a 1983 phone phreak newsletter about avoiding toll charges by not answering the phone and talking between the rings.)

Would it be possible for a caller to send his own 1200 baud data burst, which would garble the phone company's data so that no number was recognized? Or could he send a burst right after the phone company's, so that the number changed before it was read by the callee?

Lynn Grant
Grant @ dockmaster.ncsc.mil

[ Since technical followups to the above message would tend to move outside the charter of this digest, your moderator will insert himself into the flow at this point with some brief answers to the questions posed above, in hopes of making such followups unnecessary!

As a practical matter, "spoofing" of caller ID (CNID) systems should not be a significant problem in modern, properly implemented systems. The ID information is indeed transmitted between the first and second rings (using standard Bell 202 modem tones at 1200 bps). However, modern switching systems (e.g. ESS/digital) do not normally establish a voice path from the caller to the callee until the callee has gone "off-hook"--that is, answered the phone. Prior to such systems, (e.g. "step-by-step" and "crossbar" switching) there were indeed situations where 2-way voice paths were in place before the call was answered. It was such situations that made the infamous "black box" toll fraud device possible when used in conjunction with those pre-ESS/digital switches--but normally not usable with modern switching systems.

Most CNID decoders are based on ICs which are implemented with circuits that specifically look for data between the appropriate rings. The ring signal is a particular voltage reference, not just an audio tone that could be easily spoofed, even if a voice path *did* exist prior to call answer, so a properly designed CNID box will not pay any attention to audio on the line after the call has been answered.

The bottom line is that CNID boxes should be safe from remote spoofing of the sort you discuss when connected to modern, properly designed switching equipment--assuming that a spoofer didn't have direct *physical* access to the actual wire pairs leading to the customer (if they did have such access, they could not only wreak havoc with CNID but also monitor and intercept communications, of course).

Finally, it's worth noting that most billing systems based on caller number (e.g. cable company ordering, pizza delivery, etc.) do *not* use the CNID system at all, but rather rely on a different system called ANI (Automatic Number Identification) which almost always involves passing the caller number over a special dedicated circuit--not "in-band" with the voice call setup in the manner of CNID.

-- MODERATOR ]

------------------------------

Date: Thu, 7 Jan 1993 17:05:04 -0800
From: Bruce R Koball
Subject: CFP'93 Electronic Brochure

CFP'93
The Third Conference on Computers, Freedom and Privacy
9-12 March 1993
San Francisco Airport Marriott Hotel, Burlingame, CA

The CFP'93 will assemble experts, advocates and interested people from a broad spectrum of disciplines and backgrounds in a balanced public forum to address the impact of computer and telecommunications technologies on freedom and privacy in society. Participants will include people from the fields of computer science, law, business, research, information, library science, health, public policy, government, law enforcement, public advocacy and many others.

Some of the topics in the wide-ranging CFP'93 program will include:

ELECTRONIC DEMOCRACY - looking at how computers and networks are changing democratic institutions and processes.

ELECTRONIC VOTING - addressing the security, reliability, practicality and legality of automated vote tallying systems and their increasing use.

CENSORSHIP AND FREE SPEECH ON THE NET - discussing the problems of maintaining freedom of electronic speech across communities and cultures.

PORTRAIT OF THE ARTIST ON THE NET - probing the problems and potential of new forms of artistic expression enabled by computers and networks.

DIGITAL TELEPHONY AND CRYPTOGRAPHY - debating the ability of technology to protect the privacy of personal communications versus the needs of law enforcement and government agencies to tap in.

HEALTH RECORDS AND CONFIDENTIALITY - examining the threats to the privacy of medical records as health care reform moves towards increasing automation.

THE MANY FACES OF PRIVACY - evaluating the benefits and costs of the use of personal information by business and government.

THE DIGITAL INDIVIDUAL - exploring the increasing capabilities of technology to track and profile us.

GENDER ISSUES IN COMPUTING AND TELECOMMUNICATIONS - reviewing the issues surrounding gender and online interaction.

THE HAND THAT WIELDS THE GAVEL - a moot court dealing with legal liability, responsibility, security and ethics of computer and network use.

THE POWER, POLITICS AND PROMISE OF INTERNETWORKING - covering the development of networking infrastructures, domestically and worldwide.

INTERNATIONAL DATA FLOW - analyzing the issues in the flow of information over the global matrix of computer networks and attempts to regulate it.

The conference will also offer a number of in-depth tutorials on subjects including:

* Information use in the private sector
* Constitutional law and civil liberties
* Investigating telecom fraud
* Practical data inferencing
* Privacy in the public and private workplace
* Legal issues for sysops
* Access to government information
* Navigating the Internet

INFORMATION

For more information on the CFP'93 program and advance registration call, write or email to:

    CFP'93 INFORMATION
    2210 SIXTH STREET
    BERKELEY, CA 94710
    (510) 845-1350
    cfp93@well.sf.ca.us

A complete electronic version of the conference brochure with more detailed descriptions of the sessions, tutorials, and registration information is also available via anonymous ftp from sail.stanford.edu in the file: pub/les/cfp-93

------------------------------

End of PRIVACY Forum Digest 02.02
************************