Date: Wed, 13 May 92 17:10:27 EST
Errors-To: Comp-privacy Error Handler <comp-privacy-request@PICA.ARMY.MIL>
From: Computer Privacy Digest Moderator <comp-privacy@PICA.ARMY.MIL>
To: Comp-privacy@PICA.ARMY.MIL
Subject: Computer Privacy Digest V1#024
Computer Privacy Digest Wed, 13 May 92 Volume 1 : Issue: 024
Today's Topics: Moderator: Dennis G. Rears
Public Battle Over Secret Codes, John Markoff, NYTimes May 7
Oregon PUC CallerID Decision
Why hide if you have nothing to hide
Re: SSNs as Identification
Re: E-mail privacy should be independent of carrier.
NJ Caller-ID experience
The Computer Privacy Digest is a forum for discussion on the
effect of technology on privacy. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy
(Moderated). Submissions should be sent to
comp-privacy@pica.army.mil and administrative requests to
comp-privacy-request@pica.army.mil.
Back issues are available via anonymous ftp on ftp.pica.army.mil
[129.139.160.200].
----------------------------------------------------------------------
Date: Sat, 9 May 1992 16:11:11 -0400
From: Monty Solomon <monty@proponent.com>
Subject: Public Battle Over Secret Codes, John Markoff, NYTimes May 7
>From: dlv@cunyvms1.gc.cuny.edu (Dimitri Vulis, CUNY GC Math)
>Newsgroups: sci.crypt
>Subject: Public Battle Over Secret Codes, John Markoff, NYTimes May 7
>Date: 9 May 92 02:43:51 GMT
A Public Battle Over Secret Codes
By JOHN MARKOFF
THE NEW YORK TIMES, THURSDAY, MAY 7, 1992
<Who should hold the keys to the codes? In a digital age that finds more and
more information protected by elaborate coding techniques, both the
Administration and business executives are asking that question.>
An issue long relegated to testy grumbling between software engineers and
intelligence agents has suddenly grown into a public dispute between the Bush
Administration and business executives.
In a digital age that finds more and more information protected by elaborate
coding techniques, both sides are asking: Who should hold the keysto the codes?
Not the Government, say members of an increasingly militant computer and
software industry. Apple Computer, Microsoft and Sun Microsystems are among the
companies vowing to oppose Federal efforts to keep tight control on the use of
coding technology, known as encryption.
``There is really no way to control this technology,'' said nathan P. Myhrvold,
vice president for advanced technology at Microsoft. ``What are you going to
do, call up John Gotti and tell him that it's illegal to use coded technology?
All regulations do is hurt people who are trying to be law-abiding and it's a
nightmare for business users who are trying to protect information.''
Technique available to all
Once a tool only of diplomats, military officers and spies, advances encryption
techniques have become avaibale to anyone with access to cheap computer chips.
Nowadays, virtually all information can be translated into digital form and
protected ith electronic codes --- whether is it a cellular telephone
conversation, electropnic memo, medical record, corporate payroll, television
program or cash from the automated teller machine. And advances in hardware and
software have made these codes virtually uncrackable to anyone not knowing the
precise string of letters or numbers that represents the key to translating the
encypted informatiom.
A House Judiciary pantel will hear testimony on the issue today, for the second
time in nine days, as Congress ponders whether to resurrect legislation that
would give intelligence officcials a greater ability to monitor the use of
encryption by businesses and individuals.
An alternative move, favored by a growing number of industry executives, would
be to scale back Government control of computer encryption, by curtailing the
powerful National Security Agency's broad jurisdiction over the private use and
export of encryption technology. The President has vowed to veto such a bill.
In his concluding remarks at last week's hearing, Representative Jack Brooks,
Democrat of Texas, chairman of the subcommittee, indicated that business
executives would have a chance in the next session to present their case. ``We
need to examine closely the claims by industry that the current attempts by
U.S. intelligence and law-enforcement agencies to restrict this technology will
seriously impair privacy and technological development in our country'', he
said.
Working on Differences
The computer industry had been trying for months to work out its differences
quietly with the N.S.A., the secretive Pentagon branch whose job it is to
protect the military's computers and conduct global electronic intelligence
gathering. But dissent within the industry and the convening of Congressional
hearings have brought the dispute into the open.
Since the first computers appeared in the 1940's, old-line manufacturers like
I.B.M. have traditionally cooperated --- however grudgingly --- with
national-security and law-enforcement officials to keep computer codes out of
the wrong hands and the, keys in the right ones. Such cooperalion was wise in
the days when the military and the Federal Government were the largest computer
customers. And during the cold war, it was easier for the Government to defend
its policies.
New Attitude Among Companies
But lately, the younger generation of companies that grew up selling business
computers, including Apple, Microsoft and Sun, has dug in its heels. The
companies argue that Government efforts to stifle encryption, technology is not
only wrong but futile, putting American business at a disadvantage to foreign
competitors who face few constraints in creating and using encryption.
``The most important security measures in which any of us engage in our daily
business no longer have anything to do with safes, locks guards or badges,''
said Whitfield Diffie, a computer researcher at Sun Microsystems and one of the
nation's leading cryptographers. ``Modern security technology has transplanted
written signatures and the simple act of recognizing a colleague from the
traditional world of face-to-face meetings and pen-and-ink communi- cations to
a world in which digital electronic communications are the norm.''
The banking industry is also concerned about the threat of legislation, that
would force software makers to provide a ``trap door'', making it easier for
Federal agents to decipher encrypted files. The industry currently transmits
$350 trillion a year via encrypted wire transfers, and each day United States
banks transmits 350,000 encoded messages transfer ring funds to other nations.
Changing encryption techniques not only would compromise the security of
computerized banking transactions but would cost many millions of dollars, said
John Byrne, general counsel for the American Banking Association.
But Government officials see any costs or inconveniences to business as the
trade-off for maintaining law and order. ``This is a very real problem'', said
Kier Boyd, deputy assistant director of technical services of the F.B.I.
``Somebody who has a rudimentary knowledge of cryptography can generate
something on a personal computer which would give us fits as far as reading
it.''
The genie, indeed, is out of the bottle. Officials at the Information
Technology Association of America, a computer industry trade group, recently
obtained a copy of a commercial program called Cryptos written by programmers
in Moscow.
Cryptos, which runs on a standard I.B.M. personal computer, encodes data by the
two most popular techniques. One is the United States Data Encryption Standard,
whicti the N.S.A. established in 1977 to foster a commercial encryption format
that businesses could use (and the Govemment could read, as needed). The.
second is known simply as RSA, an, encryption format widely adopted for,
business use.; it was developed outside the N.S.A.'s sphere by academic
researchers. The Cryptos package, which is available in software stores in
Moscow, sells for about $200.
The encryption war between American industry and Government has been waged on
several fronts in recent months. Just last month, for instance, the Justice
Department began pressing Congress for a bill that would require telephone
companies to install equipment making wiretaps easier to conduct in today's
network. The limited introduction of encryption into the telephone network,
along with the widespread use of fiber optics and digital transmitters, has
made electronic eavesdropping much more difficult than in the days when
snoopers needed to do little more than hot-wire a copper phone line.
And it was also last month that some industry executives began charging that
the N.S.A. had played a quiet role in limiting the strength of a proposed
cryptographic standard for future cellular telephones.
Opposing Needs
``The N.S.A.'s needs run almost directly counter to the economic needs of the
country, which include the development of high-technology products based on
cryptography'', said Mare Rotenberg, national director for the Computer
Professionals for Social Responsibility, a public interest group.
Before the International Business Machines Corporation introduced its newest
family of mainframes in 1991, I.B.M. tried for more than a year to persuade the
N.S.A. to allow it to build a special piece of hardware that would
automatically encode information processed by the new computers. Finally, after
unsuccessful meetings that went as high as Adm. William O. Studeman, director
of the agency at the time, and high-ranking I.B.M. officials, the company threw
up its hands. It now submits individual license requests for each export sale
--- and is frequently turned down.
Corporate executives and industry consultants who have experience in dealing
with the N.S.A. say that despite the end of the cold war and the growing
importance of cryptography for business purposes, they expect the agency to
continue resisting any fundamental challenges to its control.
Still, industry pressure has appar ently led the agency to attempt to negotiate
a compromise with Ameri can software publishers.
The industry had originally backed trade legislation, still pending, which
would move control over cryptogra phy exports from the N.S.A. to the Commerce
Department. But because the Bush Administration has threat ened to veto the
legislation, the soft ware pubHshers have quietly attempted to arrange a deal.
But, the largest American computer makers, including I.B.M. and the Digital
Equipment Corporation, have refused to participate in the negotiations, saying
privately that the weakened RSA would not be acceotable to their customers.
The nominee for the jab of director of the N.S.A., Rear Adm. John M. McConnell,
declined to be inter viewed for this arIIcle. Michael S. Conn, chief of
information policy for agency, said thal national security. concerns with
cryptogrgaphy could not be dealt with in a public debate. But the agency, he
said, remains confident that it can ``continue to meet our mission demands in
light of advances in technology.''
---
Caption: Representative Jack Brooks of Texas is chairman of the subcommittees
hearing testimony on whether legislation should be resurrected to give
intelligence and law-enforcement officials greater ability to monitor the use
of coding technology by businesses and individuals.
---
Box: The Encryption Tug-of-War
As compyters left the lboratory and entered mainstream business life, the need
for privacy of electronic data and communications followed. researchers and the
Government's national security apparatus have wrestled over standards and
secrecy ever since.
1976 Public key approach is proposed
Martin E. Hellman of Stanford University and his colleagues, Whitfield Diffie
and Ralph Merkle, conceive a new, moe practical way to protect information. One
mathematical key that can be made public is used to encode the information, but
a second, secret key is needed to decypher it.
1977 D.E.S. becomes national standard
The National Bureau of Standards and the National Security Agency define the
first public national encryption standard, known as the Data Encryption
Standard. because the N.S.A. shortened the standard's proposed mathematical
key, some cryptographers say it could be broken by powerful computers.
1978 Government clapms down on researcher
Using an obscure patent law provision, the N.S.A. orders a University of
Wisconsin computer scientist, George I. Davida, to keep secret all details of a
computer security device he has dveloped or face two years in jail and a
$10,000 fine.
1980 Security review of reserach papers begins
A groups of United States mathematicians and computer scientists decide to
voluntarily submit cryptography reserach papers to the N.S.A. for review before
they are published in scientific journals.
1991 Scientists partly crack the code
Two Israeli scientists, Adi Shamir and Eli Bhiman, develop the first
mathematical technique capable of breaking the D.E.S. code under certain
limited circumstances.
1991 Industry attempts a compromise
Software executives propose a deal with the N.S.A. that would allow export of a
scaled-down version of a popular encryption format for business users. I.B.M.
and othe industry critics refuse to participatein the negotiations, saying the
compromises would make codes too easy to crack. The N.S.A. has not yet reaches
a decision on the proposal.
Dimitri Vulis
CUNY GC Math
DLV@CUNYVMS1.BITNET DLV@CUNYVMS1.GC.CUNY.EDU
Disclaimer: my Usenet postings don't necessarily represent anyone's views,
especially my own and/or CUNY's.
------------------------------
Subject: Oregon PUC CallerID Decision
Date: Tue, 12 May 92 8:11:08 PDT
From: peter marshall <rocque@seanews.wa.com>
In its CallerID, etc. proceeding, the OPUC issued a decision on 5/6/92,
according to which CallerID may be offered only with free call and line-
blocking for all customers, provision of line-blocking deactivation, and
required offering of Call Trace and Selective Call Rejection as these
capabilities are available to telcos.
In dealing with "sale of Caller ID information," the PUC Order also noted
that "CLASS...technology would allow a utility to set up another data base
to keep track of incoming calls for specific numbers and then sell the list
of calls to the receiving party or to a third party." The decision also
observed that the FCC's CPNI rules "prohibit US West from recording calls
to a specific receiving party and selling the list to a third party without
the customer's consent." But, noting that "both privacy interests would
suffer from sales to third parties," the Commission also stated it would
"announce a regulatory policy for all of Oregon's telecommunications
utilities." In doing so, the OPUC observed that "In a sale to a third
party, the utility would perform a monitoring function which has a 'big
brother' flavor to it. The monitoring would involve a breach of trust
because the utility would be using information...for another purpose."
Peter Marshall
------------------------------
From: "Wm. Randolph Franklin" <wrf@ecse.rpi.edu>
Subject: Why hide if you have nothing to hide
Date: Tue, 12 May 92 16:39:50 -0400
I'll answer a slightly different question, i.e., "If you have committed
no crime...", since "If you have nothing to hide..." is ambiguous. Hope
this is ok.
1. Although you have done nothing illegal, your legal acts may have a
positive correlation with a crime. So you're guilty until you prove
yourself innocent.
Now, this has always been somewhat true; you might have a good
explanation for walking up to strangers' doors and trying to see if
they're locked, but you're in trouble until you give it. What's
different is that with database matching, the government can spend very
little money to cause you a lot of trouble. The equilibrium has
shifted. Since you don't want examples, I won't provide them, but this
does happen.
2. There are crimes that almost everyone does, but which almost no one
is charged with. More information in the hands of government gives them
the power of selective enforcement against their enemies.
3. There are things that are perfectly legal, but which are socially
objectionable or controversial. If you had an abortion, would you want
your name and number publicized? You didn't commit a crime, but now the
antis can phone you at 3am and call you a murderer.
4. Back to correlations: Medically the term "abortion" covers most or
all pregnancies that end very early, which is, I think, 10% or more of
all pregnancies. Do you want to receive those 3am calls because you
had a spontaneous abortion, and the anti who read your medical file
missed the word "spontaneous", or didn't know the medical definition of
abortion?
5. Even if you have committed a crime, should the government have
infinite powers to catch you? Even though today's leaders would never
be abusive, the power we give them to match databases etc., will still
be available to the next, perhaps less perfect, administration.
--------
Wm. Randolph Franklin
Internet: wrf@ecse.rpi.edu (or @cs.rpi.edu) Bitnet: Wrfrankl@Rpitsmts
Telephone: (518) 276-6077; Telex: 6716050 RPI TROU; Fax: (518) 276-6261
Paper: ECSE Dept., 6026 JEC, Rensselaer Polytechnic Inst, Troy NY, 12180
------------------------------
Date: Wed, 13 May 1992 7:56:21 -0400 (EDT)
From: "Dave Niebuhr, BNL CCD, 516-282-3093" <NIEBUHR@bnlcl6.bnl.gov>
Subject: Re: SSNs as Identification
michael.scott.baldwin@att.com writes:
>Several people have written to me challenging my statement that SSN's
>are only divulged for ex-employees.
[... test deleted ...]
>Dave Neibuhr writes:
>| My employer specifically states that, when logging into a computer system,
>| no personal identification whatsoever is to be used as a method of access
>| any system. This includes employee id number.
>I assume you keep records of which logins belong to which employees though.
>If my login is "mike", isn't that "personal identification" of some sort?
Not if it is something that is totally ficticious and we have a lot of
users who for some reason, use initials, the name of a project that they
work on, etc.
My name, being difficult to spell because of the placement of the various
letters can come out in quite a few variations and it would take a lot of
digging to find anything about me. With a SSN, the list is narrowed down to
one single individual
If anyone tried to do any checking based on the spelling above, it
wouldn't compute since it is misspelled.
Dave
Dave Niebuhr Internet: niebuhr@bnl.gov / Bitnet: niebuhr@bnl
Brookhaven National Laboratory Upton, NY 11973 (516)-282-3093
------------------------------
From: Steve Barber <cmcl2!panix.com!sbarber@uunet.uu.net>
Subject: Re: E-mail privacy should be independent of carrier.
Date: Wed, 13 May 1992 12:30:09 GMT
In <comp-privacy1.21.6@pica.army.mil> mrose@kali.stsci.edu (Mike Rose) writes:
>work. The way I see it, if I'm doing something so private that I
>choose to use a public access host, then my employer shouldn't be
>paying me to do it.
This answer assumes a particular type of working environment, where every
thing you do while on the employer's premises is necessarily directed at
work related tasks. I don't know about the rest of you, but when I'm
working on a straight yearly salary, I get to manage my own time. I often
take care of personal matters while at work, some of which I like to keep
private. While I have never had an employer I distrusted enough to take
the measures I described (I would probably find another job first), not
everyone is so mobile. As e-mail becomes more ubiquitous, perhaps this
scenario will become more common, at least with the laws the way they are.
-Steve
--
Steve Barber sbarber@panix.com
"The direct deed is the most meaningful reflection." - Bill Evans
The above is not a legal advice. It is, at best, a discussion of
generalities. Consult your attorney before acting in a specific situation.
------------------------------
Date: Wed, 13 May 92 10:22 EDT
From: michael.scott.baldwin@att.com
Subject: NJ Caller-ID experience
Jack Decker writes:
Some early jurisdictions offered Caller-ID with no blocking at all.
As experience with the system grew, per-call blocking became
commonplace. Then jurisdictions began mandating the per-line blocking
for a fee be offered. Bills now are pending in jurisdictions without
blocking to offer at least per-call blocking.
NJ Bell was one of the first companies to offer Caller-ID (was it *the* first?)
over 2 years ago. To this day, we do *not* have per-call or per-line blocking,
and as far as I know, there are no pending bills or mandates for such. By now,
we have lots of experience with Caller-ID here, and I have not heard an uproar
about its terrible invasion of privacy. Actually, you *can* block Caller-ID
by placing an operator-assisted call (e.g., calling card), but that's not the
same as *67. So tell me: why is it that NJ Bell, with one of the oldest
implementations and the most experience with Caller-ID, not gotten around
to offering "commonplace" per-call or "mandated" per-line blocking? Hmm.
[Moderator's Note: NJ Bell was able to push it through the Board of
Public Utilites without blocking. The last time I moved (Apr 91) NJ Bell
told me that blocking would not be available in the forseeable future.
They will only offer it if they have to. I would have sent in a letter
to the Board of Public Utilities asking for blocking but since I have
set up an alternate way to protect my identify when I call I decided it
was not worth the hassle. _Dennis ]
------------------------------
End of Computer Privacy Digest V1 #024
******************************