PRIVACY Forum Digest      Saturday, 16 July 1994      Volume 03 : Issue 14

Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.

===== PRIVACY FORUM =====

The PRIVACY Forum digest is supported in part by the ACM Committee on Computers and Public Policy.

CONTENTS
    New National ID Card Proposal (David Banisar)
    PrivacyGuard/CUC Int'l, Inc. (William E. Carroll)
    Privacy & "Discovery" (N. R. Sterling)
    Re: Newsgroup censorship (Marc Horowitz)
    USACM Calls for Clipper Withdrawal (US ACM, DC Office)
    ACM Releases Crypto Study (US ACM, DC Office)
    Re: Thank you, France Telecom (Peter Kaiser)

*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------

The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com". All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are also available through the Internet Gopher system via a gopher server on site "gopher.vortex.com".

For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@vortex.com, call (818) 225-2800, or FAX to (818) 225-7203.

-----------------------------------------------------------------------------

VOLUME 03, ISSUE 14

Quote for the day:

    "Pardon me boy, is this the Transylvania station?"

        -- Dr. Frederick Frankenstein (Gene Wilder)
           "Young Frankenstein" (1974)

----------------------------------------------------------------------

Date: Tue, 12 Jul 1994 20:11:46 -0500
From: David Banisar
Subject: New National ID Card Proposal

CBS Evening News just reported that Clinton has "tentatively signed off" on a National ID card recommended to him by a commission on immigration reform. The ostensible reason for the card is for employment and immigration.

Each card will contain a name, photo, mag stripe with info and a "verified SSN."

It was supported by Senator Alan Simpson of Wyoming, a long-time supporter of id cards. Gov. Pete Wilson of California has apparently offered to make California a test-bed for the proposal. The proposal was opposed by Xavier Becerra, a Congressman from California.

A previous effort to impose a national id card was rejected by Congress in 1986.

EPIC is working with Privacy International to investigate this report. PI has led successful campaigns against national id cards in Australia, New Zealand, and the Philippines. In Australia, the PI-led campaign led to the dissolution of both houses of the federal Parliament in 1987 after hundreds of thousands marched in protest. The Australian campaign brought together groups from all parts of the political spectrum from the Communist Party to the Libertarian Alliance, farmers and conservation groups, rock stars, academics, large businesses such as banks and mining corporations, but the overwhelming support came from the public who created the biggest civil protest in Australian history.

David Banisar (banisar@epic.org)
Electronic Privacy Information Center
666 Penn. Ave, SE #301, Washington, DC 20003
202-544-9240 (v) 202-547-5482 (f)

[ I would urge avoiding emotional reactions to this report until such a time as it has been verified as fact and the details of any proposal and/or related proposed legislation are known. -- MODERATOR ]

------------------------------

Date: Fri, 08 Jul 1994 14:27:24 EDT
From: NGMF93A@prodigy.com (MR WILLIAM E CARROLL)
Subject: PrivacyGuard/CUC Int'l, Inc.

I've received a solicitation from CUC International, Inc., of Trumbull, CT, which is apparently related to my GTE Mastercard.

Essentially, they're selling a $49 annual membership in PrivacyGuard. They will provide 4 things: 1) Your credit report, 2) Your driving report, 3) Your social security record, & 4) Your medical history (disclosing who has asked to see this file).

I know that I can get my credit report free from TRW, my driving report from the state, my social security record from the Fed. gov't., without spending $49. What intrigues me, however, is the availability of the medical file. How does one go about obtaining a copy of his medical file?

[ There appears to be a very large Mastercard related solicitation for "PrivacyGuard" in progress nationwide. The "medical file" they're referring to is apparently at least one of the medical insurance intercompany databases which relate to medical claim history. -- MODERATOR ]

------------------------------

Date: Sat, 02 Jul 1994 06:40:00 -0500 (EST)
From: NRSST5@vms.cis.pitt.edu
Subject: PRIVACY & "DISCOVERY"

PRIVACY & "DISCOVERY"

Most people equate the term "discovery" with expressions such as, "Eureka!" Indeed, in the everyday, non-legal world both words more often than not have a salutary connotation.

In the nether world of litigation, however, the word discovery takes on a more ominous meaning. There in the twilight zone of motions, pleadings, body attachments, executions, appeals, petitions, and the like, stands the specter of "Discovery," looming larger in some cases than in others, but always loitering in the background, available as a powerful tool capable of prying loose closely guarded secrets that most prudent people would deem private and inviolate.

While this paper is not intended to be all encompassing, nor is it intended to provide or replace professional advice which should be sought for details concerning any specific jurisdiction, it will nonetheless set forth a few examples of privacy invasion through the legal process known as "discovery" in order to provide a springboard for further research by those who may be inclined to do so.

To begin, telephone records are often the subject of discovery. A subpoena is obtained (either free, in Federal Court, or for a nominal fee of a dollar or so in State Court) and served upon the telephone company, setting forth a deposition date, i.e., a date in which the telephone company must appear and turn over any telephone records designated in the subpoena.
Usually these records consist of any notes made in the billing and service departments by telephone company personnel during their conversations with the subscriber. The records also include a copy of any initial application made by the subscriber together with copies of the subscriber's bills. These bills generally include the precise times and telephone numbers of every single toll call placed through the use of the subscriber's telephone or phone credit card during the past five (5) years, and sometimes longer.

Next, discovery of bank records follows pretty much the same process, and produces the customer's account application, including social security number, together with the records of each and every transaction with the bank since the account was opened. If it is a checking account, the bank is required to produce copies of every check processed, front and back, together with copies of every money order, check or draft deposited to the account.

With such information in hand, the telephone records may be examined in the light of the subscriber's toll calls, and each number listed as a number called on such toll records may then be subjected to further discovery or other routine forms of investigation, determining the identity of the subscriber of each toll listed number and what their relationship is to the subject of the initial discovery.

The details gleaned from such labors are then combined with the results of any investigation concerning each payee and each endorser of every check, which reveals among other things, who the bank customer pays money to, e.g., credit card companies (with credit card numbers usually appearing on the memo line, written by the unsuspecting maker of the check), personal loan payments, grocery store bills, car payments, magazine subscriptions, allowance money for kids in college, and whatever else the checks may have been written for.
The checks also often include driver's license or other personal identification information written on the backs by the merchants who cash them.

Now even the slovenly investigator can set up phone banks for the purpose of contacting all of the persons and places enumerated above, and can do so with ease, building piece by piece a profile of the telephone subscriber and bank customer and using such information to harass the subject's friends and family and business associates under the guise of discovery.

Deep pocket litigators especially can run roughshod over the rights of most people, who are usually unable financially to mount and maintain a monumental defense or even secure a protective order from the court. Indeed, in many instances sub rosa machinations are employed without the victims even being aware that such discovery procedures have been used against them.

While this paper touches only a few surface aspects of legal discovery vis-a-vis privacy invasion, the information is provided as a tocsin to alert those with an interest in such matters to do further study on the subject in order to better protect their own privacy interests.

(c) 1994 N. R. Sterling IN%"nrsst5@vms.cis.pitt.edu"

Electronic distribution rights only are hereby granted to Privacy Forum. Readers seeking further information may contact the author directly at the above email address.

------------------------------

Date: Sun, 03 Jul 94 20:06:07 EDT
From: Marc Horowitz
Subject: re: Newsgroup censorship

>> What is the basis for viewing the entire constellation of Usenet newsgroups
>> as a single entity, which one must take whole (alt.sex.bestiality along with
>> sci.physics.research) or not all? The only thing the two have in common
>> is the technology used to deliver them - about what Physical Review Letters
>> and Spread Legs have in common.

A different view is that censoring particular newsgroups requires some effort (not much, certainly, but some).
I would not say that a school should be required to seek out every single newsgroup it can find, nor should it be required to carry traffic which strains its resources (alt.binaries.pictures.erotica vs alt.sex.stories), but a university should not actively remove certain newsgroups from circulation.

A similar analogy might be the telephone system here at MIT. A student cannot call a 900 number from a dorm phone, but can call 800 numbers. The phone system here could be programmed to disallow students from calling certain 800 numbers advertised on late-night TV, but this is not done. I think this behavior could be compared to a policy of not carrying certain newsgroups, and both would be wrong.

Marc

[ Response from the MODERATOR:

I think that the original analogy holds up pretty well. I'll bet the magazine rack down at the MIT bookstore doesn't carry the same wide variety of sex-oriented magazines probably available at public stands within feet of campus. The choice of "publications" which are appropriate to a particular venue can most certainly be legitimately constrained by concerns other than volume. The fear of public outcry over "University providing pornography to students over campus computer system--government funds being used to promote pornography!" is a real one, regardless of how one feels about the topic personally.

Censorship does not enter the picture automatically when you can't get everything, everywhere. Individuals can always get their own accounts on public systems, and choose service providers willing to carry such material--just as they can go to public bookstores and magazine racks rather than the ones on campus. When materials which are legal to distribute become unavailable in a manner which makes them difficult or impossible to get at all, *then* censorship indeed can become a significant factor.
-- MODERATOR ]

------------------------------

Date: Thu, 30 Jun 1994 16:35:37 +0000
From: "US ACM, DC Office"
Subject: USACM Calls for Clipper Withdrawal

U S A C M
Association for Computing Machinery, U.S. Public Policy Committee

* PRESS RELEASE *

Thursday, June 30, 1994

Contact:
Barbara Simons (408) 463-5661, simons@acm.org (e-mail)
Jim Horning (415) 853-2216, horning@src.dec.com (e-mail)
Rob Kling (714) 856-5955, kling@ics.uci.edu (e-mail)

COMPUTER POLICY COMMITTEE CALLS FOR WITHDRAWAL OF CLIPPER

COMMUNICATIONS PRIVACY "TOO IMPORTANT" FOR SECRET DECISION-MAKING

WASHINGTON, DC - The public policy arm of the oldest and largest international computing society today urged the White House to withdraw the controversial "Clipper Chip" encryption proposal. Noting that the "security and privacy of electronic communications are vital to the development of national and international information infrastructures," the Association for Computing Machinery's U.S. Public Policy Committee (USACM) added its voice to the growing debate over encryption and privacy policy.

In a position statement released at a press conference on Capitol Hill, the USACM said that "communications security is too important to be left to secret processes and classified algorithms." The Clipper technology was developed by the National Security Agency, which classified the cryptographic algorithm that underlies the encryption device. The USACM believes that Clipper "will put U.S. manufacturers at a disadvantage in the global market and will adversely affect technological development within the United States." The technology has been championed by the Federal Bureau of Investigation and the NSA, which claim that "non-escrowed" encryption technology threatens law enforcement and national security.

"As a body concerned with the development of government technology policy, USACM is troubled by the process that gave rise to the Clipper initiative," said Dr.
Barbara Simons, a computer scientist with IBM who chairs the USACM. "It is vitally important that privacy protections for our communications networks be developed openly and with full public participation."

The USACM position statement was issued after completion of a comprehensive study of cryptography policy sponsored by the ACM (see companion release). The study, "Codes, Keys and Conflicts: Issues in U.S. Crypto Policy," was prepared by a panel of experts representing various constituencies involved in the debate over encryption.

The ACM, founded in 1947, is an 85,000 member non-profit educational and scientific society dedicated to the development and use of information technology, and to addressing the impact of that technology on the world's major social challenges. USACM was created by ACM to provide a means for presenting and discussing technological issues to and with U.S. policymakers and the general public. For further information on USACM, please call (202) 298-0842.

=============================================================

USACM Position on the Escrowed Encryption Standard

The ACM study "Codes, Keys and Conflicts: Issues in U.S. Crypto Policy" sets forth the complex technical and social issues underlying the current debate over widespread use of encryption. The importance of encryption, and the need for appropriate policies, will increase as networked communication grows. Security and privacy of electronic communications are vital to the development of national and international information infrastructures.

The Clipper Chip, or "Escrowed Encryption Standard" (EES) Initiative, raises fundamental policy issues that must be fully addressed and publicly debated. After reviewing the ACM study, which provides a balanced discussion of the issues, the U.S. Public Policy Committee of ACM (USACM) makes the following recommendations.

1. The USACM supports the development of public policies and technical standards for communications security in open forums in which all stakeholders -- government, industry, and the public -- participate. Because we are moving rapidly to open networks, a prerequisite for the success of those networks must be standards for which there is widespread consensus, including international acceptance. The USACM believes that communications security is too important to be left to secret processes and classified algorithms. We support the principles underlying the Computer Security Act of 1987, in which Congress expressed its preference for the development of open and unclassified security standards.

2. The USACM recommends that any encryption standard adopted by the U.S. government not place U.S. manufacturers at a disadvantage in the global market or adversely affect technological development within the United States. Few other nations are likely to adopt a standard that includes a classified algorithm and keys escrowed with the U.S. government.

3. The USACM supports changes in the process of developing Federal Information Processing Standards (FIPS) employed by the National Institute of Standards and Technology. This process is currently predicated on the use of such standards solely to support Federal procurement. Increasingly, the standards set through the FIPS process directly affect non-federal organizations and the public at large. In the case of the EES, the vast majority of comments solicited by NIST opposed the standard, but were openly ignored. The USACM recommends that the standards process be placed under the Administrative Procedures Act so that citizens may have the same opportunity to challenge government actions in the area of information processing standards as they do in other important aspects of Federal agency policy making.

4. The USACM urges the Administration at this point to withdraw the Clipper Chip proposal and to begin an open and public review of encryption policy. The escrowed encryption initiative raises vital issues of privacy, law enforcement, competitiveness and scientific innovation that must be openly discussed.

5. The USACM reaffirms its support for privacy protection and urges the administration to encourage the development of technologies and institutional practices that will provide real privacy for future users of the National Information Infrastructure.

------------------------------

Date: Thu, 30 Jun 1994 16:34:47 +0000
From: "US ACM, DC Office"
Subject: ACM Releases Crypto Study

Association for Computing Machinery

PRESS RELEASE
__________________________________________________

Thursday, June 30, 1994

Contact:
Joseph DeBlasi, ACM Executive Director (212) 869-7440
Dr. Stephen Kent, Panel Chair (617) 873-3988
Dr. Susan Landau, Panel Staff (413) 545-0263

COMPUTING SOCIETY RELEASES REPORT ON ENCRYPTION POLICY

WASHINGTON, DC - A panel of experts convened by the nation's foremost computing society today released a comprehensive report on U.S. cryptography policy. The report, "Codes, Keys and Conflicts: Issues in U.S. Crypto Policy," is the culmination of a ten-month review conducted by the panel of representatives of the computer industry and academia, government officials, and attorneys. The 50-page document explores the complex technical and social issues underlying the current debate over the Clipper Chip and the export control of information security technology.

"With the development of the information superhighway, cryptography has become a hotly debated policy issue," according to Joseph DeBlasi, Executive Director of the Association for Computing Machinery (ACM), which convened the expert panel. "The ACM believes that this report is a significant contribution to the ongoing debate on the Clipper Chip and encryption policy.
It cuts through the rhetoric and lays out the facts."

Dr. Stephen Kent, Chief Scientist for Security Technology with the firm of Bolt Beranek and Newman, said that he was pleased with the final report. "It provides a very balanced discussion of many of the issues that surround the debate on crypto policy, and we hope that it will serve as a foundation for further public debate on this topic."

The ACM report addresses the competing interests of the various stakeholders in the encryption debate -- law enforcement agencies, the intelligence community, industry and users of communications services. It reviews the recent history of U.S. cryptography policy and identifies key questions that policymakers must resolve as they grapple with this controversial issue.

The ACM cryptography panel was chaired by Dr. Stephen Kent. Dr. Susan Landau, Research Associate Professor in Computer Science at the University of Massachusetts, co-ordinated the work of the panel and did most of the writing. Other panel members were Dr. Clinton Brooks, Advisor to the Director, National Security Agency; Scott Charney, Chief of the Computer Crime Unit, Criminal Division, U.S. Department of Justice; Dr. Dorothy Denning, Computer Science Chair, Georgetown University; Dr. Whitfield Diffie, Distinguished Engineer, Sun Microsystems; Dr. Anthony Lauck, Corporate Consulting Engineer, Digital Equipment Corporation; Douglas Miller, Government Affairs Manager, Software Publishers Association; Dr. Peter Neumann, Principal Scientist, SRI International; and David Sobel, Legal Counsel, Electronic Privacy Information Center. Funding for the cryptography study was provided in part by the National Science Foundation.

The ACM, founded in 1947, is an 85,000 member non-profit educational and scientific society dedicated to the development and use of information technology, and to addressing the impact of that technology on the world's major social challenges.
For general information, contact ACM, 1515 Broadway, New York, NY 10036. (212) 869-7440 (tel), (212) 869-0481 (fax).

Information on accessing the report electronically will be posted soon in this newsgroup.

------------------------------

Date: Thu, 30 Jun 94 10:44:15 MET DST
From: Peter Kaiser
Subject: RE: Thank you, France Telecom

> When you push the redial button,
> what number is redialed: the last number that was dialed using your card
> or the last number that was dialed on that phone?

Same airport, same phones: the redial button seems to have no effect when I insert my card in a phone where I wasn't the last user. So perhaps it works only when it recognizes "this card is the last card used in this phone". But there are other possibilities -- a timeout period, for instance. And what happens when you insert a depleted card? People discard them; can they still be used to get the last numbers they were used for?

I'm made uneasy by hidden, undocumented, and unexplained features. Even if it were to turn out that the algorithm for REDIAL were, for instance, "permit REDIAL only if the card in this phone is the last one previously used, and within the last five minutes", I still don't like it that the phone system has hidden features. They certainly aren't explained in the phone enclosures.

___Pete

kaiser@acm.org
+33 92.95.62.97 FAX +33 92.95.50.50

------------------------------

End of PRIVACY Forum Digest 03.14
************************