PRIVACY Forum Digest      Sunday, 22 August 1993      Volume 02 : Issue 29

Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Topanga, CA, U.S.A.

===== PRIVACY FORUM =====

The PRIVACY Forum digest is supported in part by the ACM Committee on Computers and Public Policy.

CONTENTS

Info from "Privacy Rights Clearinghouse" in PRIVACY Forum Archive (Lauren Weinstein; PRIVACY Forum Moderator)
DMV vs. Fainting (Brett Glass)
Call for Clipper Comments (David Sobel)

*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------

The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com". All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password.
The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are also available through the Internet Gopher system via a gopher server on site "gopher.vortex.com".

For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@vortex.com, call (310) 455-9300, or FAX to (310) 455-2364.

-----------------------------------------------------------------------------

VOLUME 02, ISSUE 29

Quote for the day:

"This tape will self-destruct in five seconds."

-- IMF [Impossible Mission Force] Control (Bob Johnson)
   "Mission Impossible" (1966-1973)

----------------------------------------------------------------------

Date: Sun, 22 Aug 93 19:42 PDT
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Info from "Privacy Rights Clearinghouse" in PRIVACY Forum Archive

Greetings. The "Privacy Rights Clearinghouse" (PRC) is an organization in which many readers of the PRIVACY Forum may be interested. While their emphasis is on California, most of their materials are relevant anywhere in the U.S., at least. To quote from their introductory text:

"The Clearinghouse is a nonprofit consumer education service funded by the California Public Utilities Commission through its Telecommunications Education Trust. It is administered by the University of San Diego School of Law's Center for Public Interest Law."

The PRC publishes a number of "fact sheets" which cover individual topics relating to privacy, and also operates an online bulletin board service.
I'm pleased to announce that the PRIVACY Forum has made arrangements for all of the PRC fact sheets and some of their other related information to be available to the Internet and connected networks via our archive services. Information on accessing this material is below.

The PRIVACY Forum is not affiliated with the PRC, so any questions regarding information contained in the PRC-related files should be directed to the PRC itself. I believe you'll find the material to be quite interesting!

====

Accessing "Privacy Rights Clearinghouse" materials from the PRIVACY Forum Archive:

Via Anon FTP: From site "ftp.vortex.com": Use the appropriate filename listed below. If you include the ".Z" be sure to do a binary (image) mode transfer so that you can uncompress the file locally. If you leave off the ".Z", the file will be uncompressed for you automatically during transfer.

Via e-mail: Send mail to "listserv@vortex.com" with the line: get privacy at the start of the BODY of the message, where is replaced with one of the items listed below. DO *NOT* INCLUDE THE ".Z" ON YOUR REQUEST! You may request one item per message. Example:

   get privacy prc.summ-1

Via gopher: From the gopher server on site "gopher.vortex.com" in the "*** PRIVACY Forum ***" area.
Available PRC items in the PRIVACY Forum archive:

prc.intro.Z       Short Intro to the Privacy Rights Clearinghouse (PRC), 8/93
prc.summ-1.Z      PRC Fact Sheet (FS) #1 -- Detailed info about PRC, 7/93
prc.cord-2.Z      PRC FS #2 -- Cordless and Cellular Phone Issues, 10/92
prc.harr-3.Z      PRC FS #3 -- Ending Unwanted or Harassing Calls, 6/93
prc.junk-4.Z      PRC FS #4 -- Junk Mail Issues, 2/93
prc.tmkt-5.Z      PRC FS #5 -- Telemarketing Issues, 3/93
prc.crdt-6.Z      PRC FS #6 -- Privacy of Credit Reports, 6/93
prc.work-7.Z      PRC FS #7 -- Employee Monitoring and Workplace Privacy, 3/93
prc.med-8.Z       PRC FS #8 -- Privacy of Medical Information, 3/93
prc.wire-9.Z      PRC FS #9 -- Wiretapping and Eavesdropping, 3/93
prc.ssn-10.Z      PRC FS #10 -- Social Security Number Security, 6/93
prc.bbs-info.Z    Info about the PRC Computer Bulletin Board Service, 8/93

--Lauren--

------------------------------

Date: Mon, 16 Aug 93 10:09:51 PST
From: "Brett Glass"
Subject: DMV vs. Fainting

[Subject field chosen by MODERATOR]

In a message dated 2 August, 1993, Mel Beckman claims that only "unexplained" or "pathology-related" loss of consciousness must be reported to California's DMV. He goes on to say that loss of consciousness as a result of a trauma, heat prostration, drug overdose, or any other identifiable agent is not reportable.

To determine whether this was true or not, I interviewed Celeste, a physician's nurse at Kaiser Permanente's Redwood City health clinic. (Because she fills out the forms, she needs to understand exactly what the law requires.) She says that a report must be filed with the DMV "ANYTIME a patient has a lapse of consciousness, or even a change in mental status (such as disorientation)." According to Celeste, the law makes no exceptions for lapses of consciousness whose cause is known. (Anaesthesia, incidentally, is not considered to be a "lapse" of consciousness.) She further stated that once the report is filed, the DMV immediately suspends the patient's license pending investigation.
Since even a few days' loss of driving privileges may jeopardize the patient's job, and because the suspension appears on the patient's driving record where it can be seen by insurance companies, the report (which many doctors feel violates the confidentiality of the doctor-patient relationship) may have a devastating effect on the patient's life.

I am in the process of securing permission to post the Merc's original article on the subject. I have not been able to locate the person mentioned in that article (who lost consciousness after drinking alcohol while taking a heart drug); her phone number does not appear to be listed. But the nurse's account appears to confirm what the Mercury News (and Dr. Dean Edell) have already reported: Californians can truly lose their licenses and insurance after a single fainting spell.

[ Brett did ultimately receive permission from the San Jose Mercury News for inclusion of their April, 1991 article on this topic (thanks Brett!). However, due to its length and its being almost two and a half years old, I've chosen not to do so at this time. The bottom line from the article appeared to be that:

1) Recent sensationalized cases had made doctors likely to report virtually any fainting, for fear of being blamed later if they didn't file such reports.

2) A recent change in the law apparently protected doctors from any actions on the part of people who lost their licenses as a result of such reports.

3) There was a severe lack of guidelines for how such cases should be handled by DMV, or how people could prove that they were not a risk. This resulted in people who were unable to get their licenses back even when doctors later said that their one-time fainting was due to a prescription drug dosage error or other non-systemic problem.

The article also implied that efforts were being made to create standards to "solve" these problems. I'm sure we'd all like to know what has happened (if anything) in the ensuing years on this topic...
-- MODERATOR ]

------------------------------

Date: Tue, 17 Aug 1993 14:06:35 EST
From: David Sobel
Subject: Call for Clipper Comments

The National Institute of Standards and Technology (NIST) has issued a request for public comments on its proposal to establish the "Skipjack" key-escrow system as a Federal Information Processing Standard (FIPS). The deadline for the submission of comments is September 28, 1993. The full text of the NIST notice follows.

CPSR is urging all interested individuals and organizations to express their views on the proposal and to submit comments directly to NIST. Comments need not be lengthy or very detailed; all thoughtful statements addressing a particular concern will likely contribute to NIST's evaluation of the key-escrow proposal.

The following points could be raised about the NIST proposal (additional materials on Clipper and the key escrow proposal may be found at the CPSR ftp site, cpsr.org):

* The potential risks of the proposal have not been assessed and many questions about the implementation remain unanswered. The NIST notice states that the current proposal "does not include identification of key escrow agents who will hold the keys for the key escrow microcircuits or the procedures for access to the keys." The key escrow configuration may also create a dangerous vulnerability in a communications network. The risks of misuse of this feature should be weighed against any perceived benefit.

* The classification of the Skipjack algorithm as a "national security" matter is inappropriate for technology that will be used primarily in civilian and commercial applications. Classification of technical information also limits the computing community's ability to evaluate fully the proposal and the general public's right to know about the activities of government.

* The proposal was not developed in response to a public concern or a business request.
It was put forward by the National Security Agency and the Federal Bureau of Investigation so that these two agencies could continue surveillance of electronic communications. It has not been established that is necessary for crime prevention. The number of arrests resulting from wiretaps has remained essentially unchanged since the federal wiretap law was enacted in 1968.

* The NIST proposal states that the escrow agents will provide the key components to a government agency that "properly demonstrates legal authorization to conduct electronic surveillance of communications which are encrypted." The crucial term "legal authorization" has not been defined. The vagueness of the term "legal authorization" leaves open the possibility that court-issued warrants may not be required in some circumstances. This issue must be squarely addressed and clarified.

* Adoption of the proposed key escrow standard may have an adverse impact upon the ability of U.S. manufacturers to market cryptographic products abroad. It is unlikely that non-U.S. users would purchase communication security products to which the U.S. government holds keys.

Comments on the NIST proposal should be sent to:

   Director, Computer Systems Laboratory
   ATTN: Proposed FIPS for Escrowed Encryption Standard
   Technology Building, Room B-154
   National Institute of Standards and Technology
   Gaithersburg, MD 20899

Submissions must be received by September 28, 1993. CPSR has asked NIST that provisions be made to allow for electronic submission of comments.

Please also send copies of your comments on the key escrow proposal to CPSR for inclusion in the CPSR Internet Library, our ftp site. Copies should be sent to .

=================================================================

FEDERAL REGISTER
VOL. 58, No. 145

DEPARTMENT OF COMMERCE (DOC)
National Institute of Standards and Technology (NIST)

Docket No. 930659-3159
RIN 0693-AB19

A Proposed Federal Information Processing Standard for an Escrowed Encryption Standard (EES)

58 FR 40791

Friday, July 30, 1993

Notice; request for comments.

SUMMARY: A Federal Information Processing Standard (FIPS) for an Escrowed Encryption Standard (EES) is being proposed. This proposed standard specifies use of a symmetric-key encryption/decryption algorithm and a key escrowing method which are to be implemented in electronic devices and used for protecting certain unclassified government communications when such protection is required. The algorithm and the key escrowing method are classified and are referenced, but not specified, in the standard.

This proposed standard adopts encryption technology developed by the Federal government to provide strong protection for unclassified information and to enable the keys used in the encryption and decryption processes to be escrowed. This latter feature will assist law enforcement and other government agencies, under the proper legal authority, in the collection and decryption of electronically transmitted information. This proposed standard does not include identification of key escrow agents who will hold the keys for the key escrow microcircuits or the procedures for access to the keys. These issues will be addressed by the Department of Justice.

The purpose of this notice is to solicit views from the public, manufacturers, and Federal, state, and local government users so that their needs can be considered prior to submission of this proposed standard to the Secretary of Commerce for review and approval.

The proposed standard contains two sections: (1) An announcement section, which provides information concerning the applicability, implementation, and maintenance of the standard; and (2) a specifications section which deals with the technical aspects of the standard. Both sections are provided in this notice.
DATES: Comments on this proposed standard must be received on or before September 28, 1993.

ADDRESSES: Written comments concerning the proposed standard should be sent to: Director, Computer Systems Laboratory, ATTN: Proposed FIPS for Escrowed Encryption Standard, Technology Building, room B-154, National Institute of Standards and Technology, Gaithersburg, MD 20899.

Written comments received in response to this notice will be made part of the public record and will be made available for inspection and copying in the Central Reference and Records Inspection Facility, room 6020, Herbert C. Hoover Building, 14th Street between Pennsylvania and Constitution Avenues, NW., Washington, DC 20230.

FOR FURTHER INFORMATION CONTACT: Dr. Dennis Branstad, National Institute of Standards and Technology, Gaithersburg, MD 20899, telephone (301) 975-2913.

[ I have omitted the "Supplementary Information" that followed the Federal Registry text above, which essentially duplicated previously available information regarding Clipper basics and was fairly lengthy. -- MODERATOR ]

------------------------------

End of PRIVACY Forum Digest 02.29
************************