PRIVACY Forum Digest Sunday, 6 March 1994 Volume 03 : Issue 06 Moderated by Lauren Weinstein (lauren@vortex.com) Vortex Technology, Woodland Hills, CA, U.S.A. ===== PRIVACY FORUM ===== The PRIVACY Forum digest is supported in part by the ACM Committee on Computers and Public Policy. CONTENTS PRIVACY Briefs (Lauren Weinstein; PRIVACY Forum Moderator) TV Network News Seeks Victims of Privacy Problems (Lauren Weinstein; PRIVACY Forum Moderator) Re: PGP (Charlie Stross) DES Recertified for Use (Mike Winkelman) 'We {Will} Find you...' (Paul Robinson) FBI Digital Telephony and PCS mobile phones (M. Hedlund) Re: Newsday article: The Clipper Chip Will Block Crime (Brinton Cooper) Re: Newsday article: The Clipper Chip Will Block Crime (Dorothy Denning) NTIA Releases Notice of Inquiry On Privacy Issues (Beth Givens) *** Please include a RELEVANT "Subject:" line on all submissions! *** *** Submissions without them may be ignored! *** ----------------------------------------------------------------------------- The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged. ALL submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com". All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations. The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are also available through the Internet Gopher system via a gopher server on site "gopher.vortex.com". For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@vortex.com, call (818) 225-2800, or FAX to (818) 225-7203. ----------------------------------------------------------------------------- VOLUME 03, ISSUE 06 Quote for the day: "Don't get on that ship! ... 'To Serve Man', it's -- it's a COOKBOOK!" -- "The Twilight Zone" (original version: 1959-1964) Episode: "To Serve Man" ---------------------------------------------------------------------- PRIVACY Briefs (from the Moderator) --- The National Rifle Association (NRA) recently caused a storm of protest when it announced that while it would continue to keep the names of current members private, they planned to start selling the lists of names of persons who had *left* the organization within the last several years. Protests from former members apparently caused the NRA to reverse this decision, and to announce that they would keep the names of both former and present members private, for the time being in any case. --- An arrangement between National Information Bureau Ltd. (NIB) and CompuServe, Inc. will allow NIB's subscribers to access NIB's databases of DMV, credit history, workers' comp., tax, real-estate, crime and other related databases via CompuServe. The companies claim that "several levels of security" will be in place to prevent unauthorized access to these databases. ------------------------------ Date: Sun, 6 Mar 94 12:51 PST From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: TV Network News Seeks Victims of Privacy Problems Greetings. For quite sometime now, one of the three primary commercial U.S. television network news organizations has been in contact with me regarding the possibility of their devoting an evening hour (of one of their news magazine programs) to the topic of privacy concerns and problems. We've talked at some length about the issues and they're pretty well up to speed on the overall topic (they've been reading this digest for quite sometime). However, in order to produce a program with sufficient "pathos," they feel that they need on-camera interviews with an individual or individuals who have been severely "burned" by privacy problems and are willing to talk about them. Such interviews would tend to serve as "anchors" around which the discussion of issues, interviews with experts, etc. could revolve. Unless the individual privacy problem interviews can occur, the segment probably won't be produced. I've been saying for ages that the only way we can expect progress toward solving many of the problems we discuss in this digest is through raising the level of public consciousness of the issues--to help convince people that privacy affects *them*. In this day and age, television represents perhaps the most potent avenue to accomplish this. I've already pointed out to the network representative that, almost by definition, a person who has had his or her privacy invaded in the past is not terribly likely to want to go on national television and expose themselves even further! However, the hope is that some person or persons will feel strongly enough about the problems that they'd be willing to do so anyway, in the interests of helping to advance privacy issues. Are there "risks" to doing media interviews? Of course. As anyone who deals with the media frequently can tell you (myself included), once the interview is over and the tape is back in the box, you do not have any control over how the material will be used. How much of the interview will appear (if any), how it will be edited, what material will be juxtaposed with yours--all of these will be beyond your control. That's just the way it is. However, I feel that this television network is interested in providing a sympathetic platform for their interviewees on this topic, and frankly, if you feel strongly enough that you want to try be of assistance, my own feeling is that you need to be willing to sit down, do the interviews, and hope for the best. And, for what it's worth, my own experiences with television interviews have been quite good to date. So, if you've had significant privacy problems (any of the broad range of topics we discuss in this digest would seem appropriate) and you're willing to go on-camera with them, send me a note (either to lauren@vortex.com or privacy@vortex.com) and I'll put you in touch with the appropriate parties. --Lauren-- ------------------------------ Date: Mon, 21 Feb 1994 12:11:16 +0000 (GMT) From: Charlie Stross Subject: re: PGP close@lunch.asd.sgi.com (Diane Barlow Close) writes: >Does PGP infringe or >doesn't it? Are there exceptions or aren't there? I wrote to Jim Bidzos >asking for clarification and he basically said that the stuff about PGP >being free and legal was pure fiction. Jim said that PGP is definitely >unlicensed and is considered infringing by the patent holders. He >responded directly to "Tansin A. Darcos & Company" and cc'd me on the >response, asking me to forward this to any newsgroup or mailing list that >might be discussing this issue: This assertion that PGP is in violation of a patent is interesting. Firstly, to the best of my knowledge the patent is only valid in the United States. Other countries have differing patent laws, and PGP is not (to the best of my knowledge) in violation of any patents filed outside the USA. Furthermore, since release 1, PGP has been developed outside the USA, where it continues to be used legally. Secondly, as far as I know the alleged patent violation is currently the subject of legal action. PKP are asserting patent violation in court; however I have not heard of any judgement in their favour, and their claim is (or was) being contested. There is allegedly some question over the validity of the patent and its applicability to PGP, and it would be prudent to let the court decide -- rather than taking the word of one of the plaintiffs as truth. Fools rush in where lawyers fear to tread ... -- Charlie SCO Technical Publications: tel. +44-(0)923-816344 x579 ------------------------------ Date: 28 Feb 94 14:41:37 EST From: Mike Winkelman <71042.3621@CompuServe.COM> Subject: DES Recertified for Use I guess in all the noise about Clipper most folks have not noticed that DES has been recertified as a standard for another 5 years. A lot can happen in five years. ------------------------------ Date: Wed, 2 Mar 1994 23:17:29 -0500 (EST) From: Paul Robinson Subject: 'We {Will} Find you...' In an article on the cover of the February 10, 1994 {Washington Technology} magazine of the same name, talks about a specialized use of biometrical information (specific details unique to a person like size, etc.) to identify them. The idea behind this is that in an airport, an infrared camera is mounted near the arriving passengers section, taking pictures of every person who is passing through the facility. This captures the 'aura' or underlying facial vascular system (pattern of blood vessels and such). In 1/30 of one second, it captures the data and forwards it via high-speed data lines to an FBI database that has stored auras of the worlds most-wanted criminals and terrorists, then matches generate an order to nab a suspect, supposedly producing "a piece of evidence that is as rock-solid as any presented to a court." Currently, infrared cameras are being attached to desktop computers to create digitized thermograms of people's faces in 1/30 of a second. The company that is working on this technology, Betae Corp, an Alexandria, VA government contractor, claims that the aura is unique for every single person. The photos in the front of the article show two clearly different thermographic images that are claimed to be from identical twins. The facial print does not change over time (and would allegedly require very deep plastic surgery to change it), retains the same basic patterns regardless of the person's health, and can be captured without the person's participation. The technology will have to show it is a better choice than current biometric techniques such as retinagrams (eye photographs, voice prints and the digital fingerprint. A Publicity-Shy Reston, VA company called Mikos holds the patent for certain technology uses of this concept. Dave Evans of Betac who has obtained certain "non exclusive" rights in the technology claims that "thermograms are the only technology he has seen in his more than two decades of security work that meet the five major criteria of an ideal identification system: They are unique for every individual, including identical twins; they identify individuals without their knowing participation; they perform IDs on the fly; they are invulnerable to counterfeiting or disguises; they remain reliable no matter the subject's health or age," the article said. Only retinal photos are equivalent, but potential assasins aren't likely to cooperate in using them. Right now it takes about 2-4K per thermograph, (it says '2-4K of computer memory' but I suspect they mean disk space) and that's not really a problem for a PC-Based system of 2000 or so people going to and from a building; it's another magnitude of hardware to handle millions of aircraft travelers in airports. Also, infrared cameras are not cheap, in the $35,000 to $70,000 range, which, for the moment is likely to keep small law enforcement facilities from thermographing all persons arrested the way all persons arrested are routinely fingerprinted. But we can expect the price to come down in the future. The writer apparently had to agree with Evans not to raise privacy and security issues in the article, it says, since first they have to show the technology works. But even it raised questions: - The technology could be a powerful weapon in a "big brother" arsenal, with cameras in front of many stores and street corners, scanning for criminals or anyone on the government's watch list? - Does the government have the right to randomly photograph people for matching them against a criminal database? - What guarantees do we have that thermographs are actually unique for every person, or that the system is foolproof? - What is the potential for blackmail, with thermographs to prove people were in compromising places and positions? There are also my own points - While this can be used to protect nuclear power plants against infiltration by terrorists (as one example it gives), what is to stop it, for example, to be used to find (and silence or eliminate) critics and dissidents? I wouldn't give China 30 seconds before it would use something like this to capture critics such as the victims of Tianamen Square. - Long history indicates that better technology is not used to improve capture of criminals who violate the lives and property of other private parties, it is used to go after whatever group the government opposes. That's why people who defend themselves with guns against armed criminals in places where gun controls are in effect, can expect to be treated harsher than the criminal would have been. Existence of criminals supports the need for more police and more police-state laws; defending oneself against criminals shows the ineffectiveness of those laws. --- Paul Robinson - Paul@TDR.COM ------------------------------ Date: Tue, 1 Mar 1994 13:37:46 -0800 (PST) From: "M. Hedlund" Subject: FBI Digital Telephony and PCS mobile phones {Cross-posted to RISKS & EFF} This article elaborates on part of the EFF statement issued last week concerning the FBI's proposed Digital Telephony wiretap bill. The EFF condemned the bill, which enlarges law enforcement powers of surveillance, granted by wiretap laws, by adding tracking ability. Addressed herein is point two of the EFF statement, concerning the surveillance of mobile communica- tors, such as cellular phones, Personal Communications Services (PCS) and laptop computers. PCS mobile phones create severe privacy risks for future phone users, especially under the FBI's proposal; and these risks strongly support the EFF's position. The FBI asserts that their proposal adapts existing wiretap laws to account for emerging communications technologies. Wiretap laws have not adequately covered mobile communications, and the FBI is correct to assume that some revisions will be necessary to adequately balance law enforcement needs with the privacy rights of mobile phone users. Their proposed revisions, however, do not simply provide for wiretap; instead, the FBI seeks to expand wiretap laws, allowing law enforcement officers to track the signalling information of mobile communcations users. The EFF believes that the FBI proposal would create an enormous hole in the privacy rights of individuals suspected of crimes. Their statement notes: It is conceivable that law enforcement could use the signalling information to identify the location of a target.....This provision takes a major step beyond current law in that it allows for a tap and/or trace on a *person*, as opposed to mere surveillance of a phone line. This fear is completely realistic. It is not simply "conceivable" that the FBI's proposal would allow law enforcement to surveil the location of a target -- positioning technology is a planned part of PCS networks, one of the technological advances anticipated by the proposal. Similar positioning technology is planned for cellular phones, as well. PCS advances cellular phone technology by integrating mobile communications with other phone networks, and by expanding the services and quality mobile phones can offer. Most PCS proposals involve three forms of mobility: terminal mobility, the ability to make and receive calls at any location, and the ability of the phone network to track the location of the mobile phone; personal mobility, the ability of the user to be reach- able by a single phone number at all times; and service mobility, the ability of the user to access CLASS(sm)-like features, such as Call Waiting and Caller ID, from any phone they use. The FBI proposal requires phone companies, when presented with a wiretap order, to transmit the content and the signalling, or "call setup information," from the tapped phone to law enforcement officers. With a wireline phone, such as a residence phone line, call setup information would comprise only the originating and dialled phone numbers, as well as billing information (such as the residence address) for the call. Because of the wireless aspect of PCS, however, call setup information for a PCS phone includes very detailed information on the location and movement of the caller. PCS mobile phones will connect with the phone network via "microcells," or very small receivers similar to those used for cellular phones. While a cellular network uses cells with up to an 8 to 10 mile radius, PCS networks will use microcells located on every street corner and in every building. The call setup information for a PCS call would include the microcell identi- fier -- a very specific means of locating the user. An order for a PCS wiretap would allow law enforcement officers to receive a detailed, verifiable, continuous record of the location and movement of a mobile phone user. These phones are also likely to "feature" automatic registration: whenever the PCS mobile phone is on (in use or able to receive calls), it will automatically register itself with the nearest microcell. Law enforce- ment agencies, able to track this registration, would have the equivalent of an automatic, free, instantaneous, and undetectable global positioning locator for anyone suspected of a crime. PCS tries to improve on cellular phone privacy and security by incorporating cryptographic techniques. Encryption could not only create a secure phone conversation, but could also (coupled with use of a PIN number) insure that only a valid subscriber could make calls on a particular phone, preventing fraudulent calls on stolen phones. An additional phone-to -network authentication could prevent fraudulent calling through a "masquerade" phone designed to simulate a user's registration. But the FBI proposal would require that such encryption be defeatable in wiretap circumstances. As the proposal stands, this form of weak encryp- tion is distinguishable from the Clipper Chip because the phone companies, not a key escrow arrangement, enable law enforcement access; but it is entirely possible that the Clipper Chip could be used as the encrypting device. In either circumstance, PCS encryption could be compromised by careless or malicious law enforcement officials. Perhaps it is time for Phil Zimmerman and ViaCrypt to begin work on PGPCS -- and let us all hope we are so lucky. The cellular phone market is tremendous, and analysts believe that the PCS market, incorporating both voice and data communications, will be even larger. Coupled with the FBI's Digital Telephony proposal, PCS raises many privacy and security risks, making the EFF's condemnation of the FBI proposal all the more appropriate. CLASS is a service mark of Bell Communications Research (Bellcore). For more information: * Bellcore Special Report SR-INS-002301, "Feature Description and Functional Analysis of Personal Communications Services (PCS) Capabilities," Issue 1, April 1992. Order from Bellcore, (800) 521-CORE (2673), $55.00. * GAO report GAO/OSI-94-2, "Communications Privacy: Federal Policy and Actions," November 1993. Anonymous FTP to cu.nih.gov, in the directory "gao-reports". * EFF documents, available via anonymous FTP or gopher: ftp://ftp.eff.org/pub/EFF/Policy/Digital_Telephony ]\/[. ]-[edlund ------------------------------ Date: Tue, 1 Mar 94 18:46:58 GMT From: Brinton Cooper Subject: Re: Newsday article: The Clipper Chip Will Block Crime In discussing the Clipper controversy, Denning says, of those who oppose the government's access to Clipper-encrypted communications: > The Clinton administration has adopted the chip, which would allow > law enforcement agencies with court warrants to read the Clipper codes > and eavesdrop on terrorists and criminals. But opponents say that, if > this happens, the privacy of law-abiding individuals will be a risk. > They want people to be able to use their own scramblers, which the > government would not be able to decode. > > If the opponents get their way, however, all communications on the > information highway would be immune from lawful interception. Not too many Clipper proponents have publicly and forcefully stated a belief that use non-Clipper encryption in communications should be outlawed. That is precisely what Denning says in the foregoing, however. The belief is that private citizens should NOT be able to use their own scramblers "which the government would not be able to decode." What ever happened to the First Amendment to the Constitution? Apparently, the study of US History is no longer practiced. The ultimate enemy is not, and never has been, "the criminal;" it is government. Alas, they listen but do not hear. _B ------------------------------ Date: Tue, 1 Mar 94 14:18:21 EST From: denning@chair.cosc.georgetown.edu (Dorothy Denning) Subject: Re: Newsday article: The Clipper Chip Will Block Crime > In discussing the Clipper controversy, Denning says, of those who oppose > the government's access to Clipper-encrypted communications: > > > The Clinton administration has adopted the chip, which would allow > > law enforcement agencies with court warrants to read the Clipper codes > > and eavesdrop on terrorists and criminals. But opponents say that, if > > this happens, the privacy of law-abiding individuals will be a risk. > > They want people to be able to use their own scramblers, which the > > government would not be able to decode. > > > > If the opponents get their way, however, all communications on the > > information highway would be immune from lawful interception. > > > Not too many Clipper proponents have publicly and forcefully stated > a belief that use non-Clipper encryption in communications should be > outlawed. That is precisely what Denning says in the foregoing, > however. The belief is that private citizens should NOT be able to use > their own scramblers "which the government would not be able to decode." > I did not say that other forms of encryption should be outlawed and that is not my position or the position of the government. The opponents of Clipper are urging the government to drop Clipper. If the government does that, then Clipper will not even be a choice. Thus, there will be no communications encrypted with Clipper, and hence all encrypted communications will be immune from lawful interception (unless the encryption scheme is weak). Dorothy Denning ------------------------------ Date: Thu, 3 Mar 1994 17:44:28 -0800 (PST) From: "BETH GIVENS, PRIVACY RIGHTS CLEARINGHOUSE 619-260-4806" Subject: NTIA RELEASES NOTICE OF INQUIRY ON PRIVACY ISSUES 3/3/94 Important NTIA proceeding on privacy. Please post and otherwise distribute. Thanks. ============================================= NTIA RELEASES NOTICE OF INQUIRY ON PRIVACY ISSUES CONTACT: Larry Williams (202) 482-1551 MARCH 1, 1994 The National Telecommunications and Information Administration (NTIA) is undertaking a comprehensive review of privacy issues relating to private sector use of telecommunications-related personal information associated with the National Information Infrastructure (NII). Public comment is requested on issues relevant to such a review. After analyzing the comments, NTIA will issue a report and make recommendations as needed. The inquiry will focus on potential uses of personal information generated by electronic communications, including interactive multimedia, cable television and telephony. NTIA is studying the issues that arise when such telecommunications- related information is used to create detailed dossiers about individuals. NTIA seeks to determine whether any overarching privacy principles can be developed that would apply to all firms in the telecommunications sector. In addition, NTIA is soliciting comment on other countries' actions to ensure the privacy of information transmitted over telecommunications networks, and to ascertain how any U.S. policies in this area will affect the international arena. The Notice of Inquiry and Request for Comments appears in Part IX of the February 11, 1994, Federal Register and is also available on the NTIA Bulletin Board at (202) 482-1199. Set communications parameters to no parity, 8 data bits and 1 stop. Go into the menu "Teleview-Public Notices and Comments." File size is 48,514 bytes or about 18 pages of text. Internet users can telnet into the BBS at ntiabbs.ntia.doc.gov. Comments should be filed on or before March 30, 1994. NTIA is accepting comments in writing or posted electronically via its BBS. If you have further questions, please contact Carol E. Mattey or Lisa I. Leidig at the Office of Policy Analysis and Development, NTIA, 202-482-1880. ------------------------------ End of PRIVACY Forum Digest 03.06 ************************