PRIVACY Forum Digest      Saturday, 26 March 1994      Volume 03 : Issue 07

          Moderated by Lauren Weinstein (lauren@vortex.com)
            Vortex Technology, Woodland Hills, CA, U.S.A.

                     ===== PRIVACY FORUM =====

        The PRIVACY Forum digest is supported in part by the
              ACM Committee on Computers and Public Policy.

CONTENTS
        Outlawing non-(government) approved encryption
           (A. Padgett Peterson)
        Clipper & other countries (Konrad Van Zyl)
        NASA "privacy" controversy on Usenet (Jonathan McDowell)
        New Book From IOM On Health Data Privacy (Marc Schwartz)
        Tonya Harding E-Mail (Erik Nilsson)
        Gambling (Phil Agre)
        Intrusion-Detection Workshop (Teresa Lunt)

 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond. The
moderator will choose submissions for inclusion based on their relevance and
content. Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored. Excessive "signatures" on submissions are
subject to editing. Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com". Mailing list problems should be reported to
"list-maint@vortex.com". All submissions included in this digest represent
the views of the individual authors and all submissions will be considered
to be distributable without limitations.
The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password. The typical "README" and "INDEX"
files are available to guide you through the files available for FTP access.
PRIVACY Forum materials may also be obtained automatically via e-mail through
the listserv system. Please follow the instructions above for getting the
listserv "help" information, which includes details regarding the "index"
and "get" listserv commands, which are used to access the PRIVACY Forum
archive. All PRIVACY Forum materials are also available through the Internet
Gopher system via a gopher server on site "gopher.vortex.com".

For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@vortex.com, call (818) 225-2800, or FAX to
(818) 225-7203.
-----------------------------------------------------------------------------

VOLUME 03, ISSUE 07

   Quote for the day:

        "In the not too distant future,
         Next Sunday A.D.
         There was a guy named Joel,
         Not too different from you or me.
         He worked at Gizmonic Institute,
         Just another face in a red jumpsuit.
         He did a good job cleaning up the place,
         But his bosses didn't like him,
         So they shot him into space..."

                -- From original theme of
                   "Mystery Science Theater 3000" ("MST3K")
                   (Local Minneapolis television and
                    cable's "Comedy Central")

----------------------------------------------------------------------

Date:    Mon, 7 Mar 94 08:32:33 -0500
From:    padgett@tccslr.dnet.mmc.com
         (A. Padgett Peterson, P.E. Information Security)
Subject: Outlawing non-(government) approved encryption.

> The Clinton administration has adopted the chip, which would allow
> law enforcement agencies with court warrants to read the Clipper codes
> and eavesdrop on terrorists and criminals.
> But opponents say that, if
> this happens, the privacy of law-abiding individuals will be a risk.
> They want people to be able to use their own scramblers, which the
> government would not be able to decode.

Lately I have been seeing too much of what IMNSHO amounts to hype and
distortion over Clipper & Company.

"The Clinton Administration has adopted the chip" - for communications
with the government of information that is considered "sensitive but
unclassified", i.e. that information covered by the Privacy Act - public
law 93-579. Much of this information (such as IRS forms) is currently
being sent in the clear since no practical alternative exists. Since the
information is being sent to-from the gov, who cares if the gov can tap it ?

No-one has said that consenting adults cannot communicate in any form they
want nor that the gov has to be able to listen in easily other than in a
technical sense. Book codes are still the easiest to generate and the
hardest to break (unless you know what book to use). If the gov tried to
it would be trivial to make anything decode to the Congressional Record
and what court will be able to say that wasn't what you sent ?

Point is that to outlaw general encryption is like King Canute ordering
the sun to rise in the West - the sun will ignore the order and there is
not much the king can do about it. For that matter, no-one claims to have
broken triple-DES and that is still a gov standard.

Again IMHO the amount of encryption available to the average American
today is limited to whatever is on their ATM card. Clipper is not perfect
but is *more* and is *good enough for government work*. Seems to me that
the detractors are just trying to limit *my* choices before I get a chance
to exercise them and *that* smacks of censorship.

                                        Hotly,
                                                Padgett

------------------------------

Date: Tue, 8 Mar 1994 16:18:17 GMT+2
From: "VAN ZYL KE" <9381945@info.up.ac.za>
Subject: Clipper & other countries

Hallo.
Following two issues of comments regarding Clipper, FBI wire tapping etc.
I wish to ask the following question:

Has anyone considered the effect of Clipper and other such proposals and
their possible implementation on other countries?

Asking that, I refer specifically to less stable countries where stable
refers to politics and human rights. These countries will increasingly be
using their own versions of a "digital highway" and Internet. Following the
example that can be set by your government, it bodes ill for the privacy of
citizens in less developed countries.

I do not for one moment expect the U.S. to be held responsible for the
abuse of I.T. in other countries or any other problems, but only raised the
question from a worried citizen's point of view.

Thank you
Konrad Van Zyl

------------------------------

Date: Sun, 13 Mar 94 13:46:02 EST
From: jcm@urania.harvard.edu (Jonathan McDowell)
Subject: NASA "privacy" controversy on Usenet  [Subject chosen by MODERATOR]

	[ I requested a summary of this rather loud ongoing Usenet
	  controversy.  Mr. McDowell graciously provided the following.
	  -- MODERATOR ]

OK. Here's a very brief summary.

Ken Hollis is one of several people within NASA who have responded to
technical questions about the space program on the internet. He also would
post various interesting things like the Houston space center house
newsletter and his own compilation of future Shuttle launches (the
'manifest'), which has become particularly useful since the last official
manifest was well over a year ago and is sadly out of date.

The posting appended below appeared on the Internet group sci.space.shuttle
and immediately produced lots of responses from Ken's readers and
correspondents along the lines of 'this is awful, censorship, let's sue
NASA'.

 - Jonathan

	[ Apparently Ken Hollis actually works for a major NASA contractor,
	  and the contractor, after being contacted by NASA, ordered him to
	  cease those postings.
	  -- MODERATOR ]

From cfanews!hsdndev!wupost!cs.utexas.edu!utnut!utzoo!henry Sun Mar 13 13:40:08 1994
Newsgroups: sci.space.shuttle
Path: cfanews!hsdndev!wupost!cs.utexas.edu!utnut!utzoo!henry
From: henry@zoo.toronto.edu (Henry Spencer)
Subject: Ken Hollis won't be posting any more
Message-ID:
Date: Thu, 10 Mar 1994 15:37:41 GMT
Organization: U of Toronto Zoology
Lines: 54

I got the following from Ken Hollis, with a request that I post it here:

-----------------

Greetings and Salutations:

This will most likely be my last post to the Internet group
sci.space.shuttle until such time as I leave my current company and work
for a different company.

Shortly after I posted the most recent manifest and launch pass info, some
MSFC (Marshall Space Flight Center) PAO (Public Affairs Office) personnel
sent copies of these documents (or parts thereof) to the KSC (Kennedy Space
Center) NASA PAO office, questioning whether or not the information in
these documents should be publicly distributed. They did not understand
that the launch pass and manifest files that I had put together on my own
time were my (apparently misguided) attempts to create some enthusiasm
about shuttle launches and get information out on the Internet. One more
small joy in my life gone... (of the very few left...)

After talking to the NASA PAO at KSC, I asked them to make whatever changes
/ deletions to the documents they liked in order to allay their concerns,
and I awaited the changes (and I am still awaiting changes). I was also
informed that my disclaimers at the end of the document (i.e., my .sig)
were not considered valid--it still "looked" official.

The next contact I received was from the public affairs office in my
company who had been contacted by the KSC PAO (subsequent to my
conversation with KSC PAO). Bringing this to the attention of my company
changed the focus of the problem from an issue of the customer to a
company issue.
Per my company's management directives, all questions to which I want to
respond (whether these are questions posed to me personally or to "the
net" at large, and whether on the net or in person) are to be cleared
through my company's public affairs office, and I am to exercise good
judgment while on *or* off duty in my responses. *ANY* postings from me
about the shuttle must first be approved by my manager or supervisor and
then by the company public affairs.

I agreed to no longer reply to any sci.space.shuttle postings, with my
assumption that if I fought them on this, I would have an increased chance
of a layoff / job termination.

I was also informed that since MSFC now has access to the Internet, they
were "considering" officially answering all questions concerning NASA /
shuttle. My help is not required...

------------------------------------------------------------------------
Official disclaimer : I don't talk officially for NASA, and they don't
make any commitments for me. Seemed like a fair deal.

Ken Hollis
INTERNET: HOLLIS@TITAN.KSC.NASA.GOV
SPAN/HEPnet: KSCP00::HOLLIS

Dizzyclaimer: If you believe this is in any way, shape, or form actual
official information or opinion, then you are probably as confused if not
more so than I am...I think...
-----------------

------------------------------

Date: Tue, 22 Mar 94 10:54 EST
From: SchwartzM@DOCKMASTER.NCSC.MIL
Subject: New Book From IOM On Health Data Privacy

I just received a new book published for the National Academy of Science's
Institute of Medicine entitled "Health Data in the Information Age: Use,
Disclosure and Privacy". The copyright is 1994 and is the result of a
follow-on project to their 1991 publication "The Computer Based Patient
Record: An Essential Technology For Health Care".
This new book covers a variety of topics including the recognition of the
formation of so-called Regional Health Data Networks for the purpose of
tracking patient outcomes and facilitating improved access to medical data
on patients. A great deal of the book deals with the significant privacy
issues that will need to be addressed as we move toward the computerization
of the medical record and the use of computer networks for remote
consulting, including legislative approaches.

Additional work covers the issues surrounding the release of health care
provider specific data (hospital/physician) relative to attempts to give
the public an ability to make quality of care decisions in their selections
of providers. This is already being done in New York, Pennsylvania and
other states in the realm of cardiac surgery and cardiology related
interventions and has come under significant fire from the health care
community for being, at best misleading to an uninformed public, at worst a
significant threat to patient access to health care.

The book may be ordered from National Academy Press at 1-800-624-6242 and
is priced at $39.95. It is a major work in this area and I would strongly
urge its reading to anyone interested.

Marc Schwartz
Director of Clinical Services
Summit Medical
Minneapolis, MN 55447
Voice: 612-473-3250
Internet: SchwartzM at dockmaster.ncsc.mil

------------------------------

Date: Wed, 23 Mar 1994 11:13:11 -0800
From: erikn@goldfish.mitron.tek.com (Erik Nilsson)
Subject: Extracted [by MODERATOR] from CPSR/PDX 7 #2: Tonya Harding E-Mail

	[ Extracted from CPSR/PDX Vol. 7 #2; March 1994 -- MODERATOR ]

[b 1] TONYA HARDING'S E-MAIL WAS HACKED BY DAVE BARRY, OTHER REPORTERS

Accessory-after-the-fact and former skater Tonya Harding was the victim of
hacking by an unknown number of reporters, including syndicated columnist
Dave Barry, according to a variety of print and net sources.
The Dallas Morning News reported on February 24th that Michelle Kaufman of
the Detroit Free Press, Ann Killion of the San Jose Mercury News and Jere
Longman of The New York Times read Ms. Harding's e-mail access code off of
her credentials from a television close-up, and guessed her password. Alex
Johnson of the Knight-Ridder/Tribune News Service reports that soon
afterward, Dave Barry admitted to hacking Ms. Harding's e-mail account
himself.

Mr. Barry vigorously defended his actions, saying that reporters do such
things "... all the time." Mr. Barry's editor at the Miami Herald also
defended Mr. Barry's actions, likening them to watching the dismemberment
of chickens on television. The Mercury News backed Ms. Killion's actions.
The Times had no comment.

Heath Meriwether, executive editor of the Detroit Free Press, took a
somewhat less permissive attitude. "Obviously, it's something we don't
approve of," said Mr. Meriwether. "It's against our policy, and Michelle
[Kaufman] regrets it. It shouldn't have been done. But in my opinion,
Michelle is a fine reporter with great integrity. She realizes she made a
mistake. We're reviewing it and will be apologizing to Tonya [Harding]."

Hacking into e-mail accounts has been sufficient to earn criminal charges
for US hackers in the past. While US law may well not apply to a property
crime in Norway, the spectacle of reporters claiming it was no big deal to
do something that people are serving prison sentences for in the US was
disquieting to posters to groups such as JOURNET and alt.2600.

The Detroit News provided a bizarre postscript to events when they ran a
story on involvement by their rival Detroit paper, the Detroit Free Press.
The story included a Detroit Free Press photo of Ms. Kaufman that,
according to some sources, was obtained when the News hacked the Free Press
on-line photo archive.

Thanks to Marsha Woodbury, Alex Johnson, Chris Hawley, and Jeff Johnson for
several postings on this story.
------------------------------

Date: Sat, 19 Mar 1994 09:04:47 -0800
From: Phil Agre
Subject: Gambling

	[ Extracted from RISKS-FORUM Digest; Tuesday 22 March 1994;
	  Volume 15 : Issue 68 -- MODERATOR ]

For those with an interest in risks, the technology supplement to Forbes
magazine, Forbes ASAP, is a regular smorgasbord. The 10/25/93 issue, for
example, includes an article about Bally's casinos' use of customer
databases to optimize their investments in "comping", the practice of
offering free drinks, hotel rooms, plane tickets, and what-not to high
rollers. Given enough information about an individual's bets (regardless
of whether they win), a straightforward economic calculation can decide
which level of comping is optimal. (The full reference is: David H.
Freedman, Odds man in [Bally's Atlantic City casino], Forbes ASAP, 25
October 1993, pages 33-35.)

The problem is getting the information into the computer. The Bally's
casino accomplishes this in two ways. At roulette tables and the like,
they simply have someone watch the game and enter bets into a portable
computer. (This computer can also determine how much credit to extend to
a given customer.) At the slot machines, they give each player a card with
a magnetic strip that goes into the machine for as long as the player is
playing. (They also offer a strap to keep the card attached to your wrist,
so you don't walk away from the machine without it.)

The risks, of course, are obvious. Rational gamblers can take advantage of
competition between casinos, choosing the best comping deal. But many
people are addicted to gambling, and these innovations also make it easy
for an addict on a binge to gamble away the maximum possible sum.
Furthermore, as the article points out, "the riot of blinking lights, the
clacking of spinning wheels, the absence of outside views or public phones
-- all of this encourages the otherwise solidly grounded visitor to lose
track of time and space, not to mention financial common sense".
Profit margins are high, and investors are pleased.

The analogy to data-intensive marketing of cigarettes (see Risks 15.62) is
strong. What's next? How about a frequent drinker's club for premium brands
of liquor? Or individualized advice for children, based on detailed family
demographics, about how to shame their parents into buying them expensive
toys? It wouldn't be that hard. You could actually get a toy to do the
explaining. Each product from a given toy company would contain a single
chip with a small microprocessor, a simple RF receiver, some memory, and a
speech synthesis device. When the toy goes through the checkout, an RF
device built into the cash register downloads the toy with a demographic
profile of the family derived from credit files pulled up through the
purchase transaction. Then, as the child plays with the toy, the toy
explains to the child the virtues of various other toys from the same
company, along with suggestions for persuasion tactics that consumer
research has shown to work well on parents in that particular market
segment. If the toys can send as well as receive wireless data
transmissions then newer toys can reprogram the older ones. Better yet,
the child's videogame system, which will surely get its software over
phone lines in the near future, could also download all of the child's
other toys with new sales pitches, based on records of whether the
previous pitches worked, as well as the latest market research and
television and movie product tie-ins.
Phil Agre, UCSD

------------------------------

Date: Thu, 10 Mar 94 11:25:41 -0800
From: Teresa Lunt
Subject: INTRUSION-DETECTION WORKSHOP

                THIRTEENTH INTRUSION-DETECTION WORKSHOP
                           May 19-20, 1993
                           SRI International
                    Menlo Park, California, USA

You are invited to attend a two-day workshop on intrusion detection to be
held at SRI International in Menlo Park, California on May 19-20, 1993,
which are the Thursday and Friday following the 1994 IEEE Symposium on
Research in Security and Privacy in Oakland, California. This will be the
thirteenth in a series of intrusion-detection workshops.

The workshop will consist of several short presentations as well as
discussion periods. If you have any progress to report on an
intrusion-detection project or some related work that would be appropriate
for a short presentation, please indicate the title and a paragraph
describing your proposed talk on the enclosed form. You can also indicate
there your suggestions for discussion topics. Please email the completed
form to Liz Luntzel at luntzel@csl.sri.com

If you and/or your colleagues wish to attend, please RSVP via email using
the attached form. For other questions, please email Liz at
luntzel@csl.sri.com or call her at 415-859-3285. You can also send us a
fax at 415-859-2844.

There will be a $100 charge for the workshop. This fee includes lunches in
SRI's International Dining Room. Please send your check to Liz Luntzel,
EL248, SRI International, Computer Science Laboratory, 333 Ravenswood
Avenue, Menlo Park, California 94025.

The workshop will begin at 9am and will conclude at 5pm on Thursday, and
will be from 9am to 2pm on Friday.

--------------------------------------------------------------------------

DIRECTIONS TO SRI

SRI is located at 333 Ravenswood Avenue in Menlo Park. The workshop will be
held in room IS109, which is in the International Building.

To get to SRI:

From Highway 101:

From I-101, take Willow Road (Menlo Park) west to Middlefield Road
(approx. 1 mile).
Turn right onto Middlefield Road. Go one block and turn left onto
Ravenswood Avenue. SRI Building A (red brick building) is 1/4 mile up
Ravenswood Avenue, on the left. The address is 333 Ravenswood Avenue.

From I-280:

From I-280, take Sand Hill Road (east towards Menlo Park). Follow Sand Hill
Road to Junipero Serra and turn left. Bear right at the next light, and
turn right at the stop sign onto Santa Cruz. Take Santa Cruz to El Camino
and turn right. Then take the first left, onto Ravenswood. Cross the
railroad tracks. SRI is at 333 Ravenswood, on the right. If you continue
along Ravenswood toward Middlefield, you will come to the conference
parking area at the corner of Ravenswood and Middlefield.

From Central Expressway:

From Central Expressway, go north towards Menlo Park all the way to where
it merges with El Camino Real. Continue north on El Camino, staying in the
right lane, for a few blocks, and turn right onto Ravenswood Ave. Cross the
railroad tracks, and after the first light look for SRI on your right. SRI
is at 333 Ravenswood.

Visitors may park in the small visitors lot in front of Building A or in
the conference parking area at the corner of Ravenswood and Middlefield
(where there is lots of space). The workshop will be held in the
International Building, the white concrete structure on Ravenswood to the
East (closer to Middlefield) of Building A. Visitors should sign in at
International Building --- from the parking lot go up the steps and across
the courtyard.

----------------------------- cut here ------------------------------------

PLEASE RSVP USING THIS FORM to luntzel@csl.sri.com

Thirteenth Intrusion-Detection Workshop
May 19-20
SRI International
Menlo Park, CA

Yes! I will attend the Intrusion-Detection Workshop May 19-20 at SRI.

I am sending a check for $100 to Liz Luntzel, EL248, SRI International,
Computer Science Laboratory, 333 Ravenswood Avenue, Menlo Park, California
94025.
Please complete the following:

Name:
Title:
Affiliation:
Address:

Check one:
        I will present a talk.
        I will not present a talk.

Please complete the following:

Title of Talk:
Abstract:

Suggestions for Discussion Topics:

-----------------------------------------------------------------------------

------------------------------

End of PRIVACY Forum Digest 03.07
************************