Date: Sat, 27 Jun 92 12:39:30 EST
Errors-To: Comp-privacy Error Handler <comp-privacy-request@PICA.ARMY.MIL>
From: Computer Privacy Digest Moderator <comp-privacy@PICA.ARMY.MIL>
To: Comp-privacy@PICA.ARMY.MIL
Subject: Computer Privacy Digest V1#056
Computer Privacy Digest Sat, 27 Jun 92 Volume 1 : Issue: 056
Today's Topics: Moderator: Dennis G. Rears
Chronicle Crypto Article
Re: Can Merlins be used as bugs?
Re: privacy dilemma
Re: SSNs and Social Insurance Numbers
Re: SSNs and Social Insurance Numbers
Re: FBI Digital Telephony Proposal
Re: Social Security Numbers and Social Insurance Numbers
The Computer Privacy Digest is a forum for discussion on the
effect of technology on privacy. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy
(Moderated). Submissions should be sent to
comp-privacy@pica.army.mil and administrative requests to
comp-privacy-request@pica.army.mil.
Back issues are available via anonymous ftp on ftp.pica.army.mil
[129.139.160.200].
----------------------------------------------------------------------
Date: Wed, 24 Jun 92 18:02:18 CDT
From: Joe Abernathy <Joe.Abernathy@houston.chron.com>
Subject: Chronicle Crypto Article
This cryptography article appeared Sunday, June 21. It
is being forwarded to Risks as a way of giving back
something to the many thoughtful participants here who
helped give shape to the questions and the article.
In a companion submission, I include the scanned text of
the NSA's 13-page response to my interview request, which
appears to be the most substantial response they've
provided to date. I would like to invite feedback
and discussion on the article and the NSA document.
Please send comments to edtjda@chron.com
Promising technology alarms government
/ Use of super-secret codes would block
legal phone taps in FBI's crime work
By JOE ABERNATHY
Copyright 1992, Houston Chronicle
Government police and spy agencies are trying to thwart
new technology that allows conversations the feds can't tap.
A form of cryptography _ the science of writing and
deciphering codes _ this technology holds the promise of
guaranteeing true privacy for transactions and communica
tions.
But an array of federal agencies is seeking to either
outlaw or severely restrict its use, pointing out the potency
of truly secret communications as a criminal tool.
"Cryptography offers or appears to offer something that is
unprecedented,'' said Whitfield Diffie, who with a Stanford
University colleague devised public key cryptography,'' an
easily used cryptography that is at the center of the fight. "It
looks as though an individual might be able to protect
information in such a way that the concerted efforts of
society are not going to be able to get at it.
"No safe you can procure has that property; the strongest
safes won't stand an hour against oxygen lances. But
cryptography may be different. I kind of understand why the
police don't like it.''
The National Security Agency, whose mission is to
conduct espionage against foreign governments and diplo
mats, sets policy for the government on matters regarding
cryptography.
But the FBI is taking the most visible role. It is backing
legislation that would address police fears by simply
outlawing any use of secure cryptography in electronic
communications.
The ban would apply to cellular phones, computer
networks, and the newer standard telephone equipment _
already in place in parts of Houston's phone system and
expected to gain wider use nationwide.
"Law enforcement needs to keep up with technology,'' said
Steve Markardt, a spokesman for the FBI in Washington.
"Basically what we're trying to do is just keep the status
quo. We're not asking for anything more intrusive than we
already have.''
He said the FBI uses electronic eavesdropping only on
complex investigations involving counterterrorism, foreign
intelligence, organized crime, and drugs. "In many of those,''
he said, we would not be able to succeed without the ability
to lawfully intercept.''
The State and Commerce departments are limiting
cryptography's spread through the use of export reviews,
although many of these reviews actually are conducted by
the NSA. The National Institute of Standards and Technol
ogy, meanwhile, is attempting to impose a government
cryptographic standard that critics charge is flawed, al
though the NSA defends the standard as adequate for its
intended, limited use.
"It's clear that the government is unilaterally trying to
implement a policy that it's developed,'' said Jim Bidzos,
president of RSA Data Security, which holds a key cryptog
raphy patent. "Whose policy is it, and whose interest does it
serve? Don't we have a right to know what policy they're
pursuing?''
Bidzos and a growing industry action group charge that
the policy is crippling American business at a critical
moment.
The White House, Commerce Department, and NIST
refused to comment.
The NSA, however, agreed to answer questions posed in
writing by the Houston Chronicle. Its purpose in granting the
rare, if limited, access, a spokesman said, was "to give a true
reflection'' of the policy being implemented by the agency.
"Our feeling is that cryptography is like nitroglycerin: Use
it sparingly then put it back under trusted care,'' the
spokesman said.
Companies ranging from telephone service providers to
computer manufacturers and bankers are poised to intro
duce new services and products including cryptography.
Users of electronic mail and computer networks can expect
to see cryptography-based privacy enhancements later this
year.
The technology could allow electronic voting, electronic
cash transactions, and a range of geographically separated
_ but secure _ business and social interactions. Not since
the days before the telephone could the individual claim
such a level of privacy.
But law enforcement and intelligence interests fear a
world in which it would be impossible to execute a wiretap
or conduct espionage.
"Secure cryptography widely available outside the United
States clearly has an impact on national security,'' said the
NSA in its 13-page response to the Chronicle. "Secure
cryptography within the United States may impact law
enforcement interests.''
Although Congress is now evaluating the dispute, a call by
a congressional advisory panel for an open public policy
debate has not yet been heeded, or even acknowledged, by
the administration.
The FBI nearly won the fight before anyone knew that war
had been declared. Its proposal to outlaw electronic
cryptography was slipped into another bill as an amend
ment and nearly became law by default last year before
civil liberties watchdogs exposed the move.
"It's kind of scary really, the FBI proposal being consid
ered as an amendment by just a few people in the
Commerce Committee without really understanding the
basis for it,'' said a congressional source, who requested
anonymity. "For them, I'm sure it seemed innocuous, but
what it represented was a fairly profound public policy
position giving the government rights to basically spy on
anybody and prevent people from stopping privacy infringe
ments.''
This year, the FBI proposal is back in bolder, stand-alone
legislation that has created a battle line with law enforce
ment on one side and the technology industry and privacy
advocates on the other.
"It says right on its face that they want a remote
government monitoring facility'' through which agents in
Virginia, for instance, could just flip a switch to tap a
conversation in Houston, said Dave Banisar of the Washing
ton office of Computer Professionals for Social Responsibil
ity.
Though the bill would not change existing legal restraints
on phone-tapping, it would significantly decrease the practi
cal difficulty of tapping phones _ an ominous development
to those who fear official assaults on personal and corporate
privacy.
And the proposed ban would defuse emerging technical
protection against those assaults.
CPSR, the point group for many issues addressing the way
computers affect peoples' lives, is helping lend focus to a
cryptographic counterinsurgency that has slowly grown in
recent months to include such heavyweights as AT&T, DEC,
GTE, IBM, Lotus, Microsoft, Southwestern Bell, and other
computer and communications companies.
The proposed law would ban the use of secure cryptogra
phy on any message handled by a computerized communica
tions network. It would further force service providers to
build access points into their equipment through which the
FBI _ and conceivably, any police officer at any level _
could eavesdrop on any conversation without ever leaving
the comfort of headquarters.
"It's an open-ended and very broad set of provisions that
says the FBI can demand that standards be set that industry
has to follow to ensure that (the FBI) gets access,'' said
a congressional source. "Those are all code words for if they
can't break in, they're going to make (cryptography) illegal.
"This is one of the biggest domestic policy issues facing
the country. If you make the wrong decisions, it's going to
have a profound effect on privacy and security.''
The matter is being considered by the House Judiciary
Committee, chaired by Rep. Jack Brooks, D-Texas, who is
writing a revision to the Computer Security Act of 1987, the
government's first pass at secure computing.
The recent hearings on the matter produced a notable
irony, when FBI Director William Sessions was forced to
justify his stance against cryptography after giving opening
remarks in which he called for stepped-up action to combat
a rising tide of industrial espionage. Secure cryptography
was designed to address such concerns.
The emergence of the international marketplace is
shaping much of the debate on cryptography. American
firms say they can't compete under current policy, and that
in fact, overseas firms are allowed to sell technology in
America that American firms cannot export.
"We have decided to do all further cryptographic develop
ment overseas,'' said Fred B. Cohen, a noted computer
scientist. "This is because if we do it here, it's against the law
to export it, but if we do it there, we can still import it and
sell it here. What this seems to say is that they can have it,
but I can't sell it to them _ or in other words _ they get the
money from our research.''
A spokeswoman for the the Software Publishers Associa
tion said that such export controls will cost $3-$5 billion in
direct revenue if left in place over the next five years. She
noted the Commerce Department estimate that each $1
billion in direct revenue supports 20,000 jobs.
The NSA denied any role in limiting the power of
cryptographic schemes used by the domestic public, and
said it approves 90 percent of cryptographic products
referred to NSA by the Department of State for export
licenses. The Commerce Department conducts its own
reviews.
But the agency conceded that its export approval figures
refer only to products that use cryptology to authenticate a
communication _ the electronic form of a signed business
document _ rather than to provide privacy.
The NSA, a Defense Department agency created by order
of President Harry Truman to intercept and decode foreign
communications, employs an army of 40,000 code-breakers.
All of its work is done in secret, and it seldom responds to
questions about its activities, so a large reserve of distrust
exists in the technology community.
NSA funding is drawn from the so-called "black budget,''
which the Defense Budget Project, a watchdog group,
estimates at $16.3 billion for 1993.
While the agency has always focused primarily on foreign
espionage, its massive eavesdropping operation often pulls
in innocent Americans, according to James Bamford, author
of "The Puzzle Palace," a book focusing on the NSA's
activities. Significant invasions of privacy occurred in the
1960s and 1970s, Bamford said.
Much more recently, several computer network managers
have acknowledged privately to the Chronicle that NSA has
been given access to data transmitted on their networks _
without the knowledge of network users who may view the
communications as private electronic mail.
Electronic cryptology could block such interceptions of
material circulating on regional networks or on Internet _
the massive international computer link.
While proponents of the new technology concede the need
for effective law enforcement, some question whether the
espionage needs of the post-Cold War world justify the
government's push to limit these electronic safeguards on
privacy.
"The real challenge is to get the people who can show
harm to our national security by freeing up this technology
to speak up and tell us what this harm is,'' said John
Gillmore, one of the founders of Sun Microsystems.
"When the privacy of millions of people who have cellular
telephones, when the integrity of our computer networks
and our PCs against viruses are up for grabs here, I think the
battleground is going to be counting up the harm and in the
public policy debate trying to strike a balance.''
But Vinton Cerf, one of the leading figures of the Internet
community, urged that those criticizing national policy
maintain perspective.
"I want to ask you all to think a little bit before you totally
damn parts of the United States government,'' he said.
"Before you decide that some of the policies that in fact go
against our grain and our natural desire for openness, before
you decide those are completely wrong and unacceptable, I
hope you'll give a little thought to the people who go out
there and defend us in secret and do so at great risk.''
------------------------------
From: jharuni@micrognosis.co.uk (Jonathan Haruni)
Subject: Re: Can Merlins be used as bugs?
Summary: Probably.
Organization: Micrognosis International, London
Date: Fri, 26 Jun 1992 10:15:20 GMT
Daniel P. B. Smith (dpbsmith@world.std.com) writes:
>Our office AT&T Merlin systems offer a built-in speakerphone mode
> ... [and lots of other features besides -ed] ...
>Potentially, it seems as if the system could be
>used to eavesdrop on offices. The phone installer assured me that
>this was impossible (translation: if there IS a way, they don't tell
>him how). But I wonder if there are really engineered protections,
>or whether eavesdropping is simply not a feature supported by the
>"standard" software. Could a hacker reprogram it somehow? ...
I worked once in an office that had an old phone system (not a PABX,
but one where each extension had a button for each CO line), and every
extension was a handsfree phone. Each extension could be dialled as an
intercom, and the dialled extension would ring once (unless the ringer
had broken :-() and then its microphone was switched on AUTOMATICALLY.
In that office, nobody minded this intrusion. It was a very friendly
environment with very little privacy to begin with. People were usually
away from their desks, but within voice range. So when the receptionist
had to pass through a call, she just dialled the extension, shouted
"Oi, Joe!" and Joe shouted "WHAT?!?" without having to drop everything.
These phones did have one redeeming feature, though, which was an on/off
switch hardwired to the microphone. From your description of your phone
system, it sounds like you have the dangerous feature (a microphone that
can be switched on remotely without warning) and you don't have the
safety feature (a switch). Is that true ? When you press the loudspeaker
button, does it seem like a software action turns on the speaker and mic,
or is it a click-on, click-off switch that is obviously local to the
extension ? If it does seem like a software action, is there a separate
mic control switch ? The answer to you question: If the mic is turned
on by software and there is no safety switch, then OF COURSE it could
be hacked to be used for spying on you. The installation engineer
didn't write the software, and won't know about such things, as you
pointed out.
If you are in an atmosphere where you are really worried about being spied
upon, and you don't care too much about using handsfree, perhaps you could
arrange to shorten the life of your microphone. (Soldered joints aren't
what they used to be, after all.....darn things keep breaking!!!!) But
then, if people are really trying to spy on you, this will probably just
pique their interest. Consider counterespionage techniques instead.
Right, I'm getting carried away....
Jon.
------------------------------
From: John Artz <jartz@bassoon.mitre.org>
Subject: Re: privacy dilemma
Reply-To: jartz@mitre.org
Organization: The MITRE Corporation, McLean, Va
Date: Fri, 26 Jun 1992 13:55:57 GMT
In article <comp-privacy1.55.5@pica.army.mil>, samsung!ulowell!willow.ulowell.edu!welchb@uunet.uu.net writes:
|> Here is a similar dilemma. We received a receipt for a property
|> tax bill on a postcard (because it was a cheap, computer-generated way
|> for the town). I agree that the tax assessment for all property in the
|> town is publicly available, and should be. Yet, it seemed to be an
|> offense against the American idea of politeness and privacy to think that
|> someone could simply read my taxes off a postcard. I felt I was being
|> singled out for special mistreatment, whereas I would not feel so if
|> they obtained my payment from a list of all payments.
|> --
|> Brendan Welch, UMass/Lowell, W1LPG, welchb@woods.ulowell.edu
That is my point exactly. Nobody wants to be singled out, but if such
information is readily available on everyone it becomes much less of
an issue.
John M. Artz, Ph.D.
jartz@mitre.org
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A crisis is just the end of an illusion. -- Gerald Weinberg
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
------------------------------
From: Mike Johnston <shearson!jenny!mjohnsto@uunet.uu.net>
Subject: Re: SSNs and Social Insurance Numbers
Organization: Lehman Brothers
Date: Fri, 26 Jun 1992 16:48:08 GMT
Apparently-To: uunet!comp-society-privacy
In article <comp-privacy1.55.6@pica.army.mil> flint@gistdev.gist.com (Flint Pellett) writes:
> If anyone really knows about SSN's, I'd love to know what plans
> exist for them in the future. They only have 9 digits, and since
> we have 250,000,000 people (or more-- I haven't kept track)
> currently alive in this country, that indicates that most likely
> 20 to 25% of the available numbers are in use by persons currently
> living. I would guess that within the next 100 years that we'll
> run out of 9 digit numbers that haven't already been used: do they
> plan on re-using the numbers of deceased people, (a big potential
> problem, I would think, since estates often live on a long time
> after the person), or are they going to go to 10 digits and break
> computer programs all over the place?
I'm hardly an expert, but I would think that with the U.S. population
expansion at a relatively low rate compared to other countries (3% I've
heard quoted) it'll take a long time before the other 750 million
numbers are used.
If you really want to talk about software all over the place breaking,
ponder that in many places a 5 digit julian scheme is used ( YYDDD ) so
that dates can be relatively simply added and subtracted. What happens
on on Jan 1, 2000? Yup, all of a sudden the pattern wraps around from
99365 to 00000. The results are pretty predictable. All I'll say is
let's hope the SSA doesn't use this to calculate benefit
elegibility....
MJ
--
Michael R. Johnston mjohnsto@jenny.shearson.com
Lehman Brothers (212) 464-3061
"I was a reporter, and this worried me a great deal and I could not understand
how the devil I had gotten myself into such a fix." - Hesse
------------------------------
From: bear@tigger.cs.Colorado.EDU (Bear Giles)
Subject: Re: SSNs and Social Insurance Numbers
Organization: National Oceanic & Atmospheric Adminstration / Boulder Labs
Date: Sat, 27 Jun 1992 03:07:08 GMT
In article <comp-privacy1.55.6@pica.army.mil> flint@gistdev.gist.com (Flint Pellett) writes:
>
>If anyone really knows about SSN's, I'd love to know what plans
>exist for them in the future. They only have 9 digits, and since
>we have 250,000,000 people (or more-- I haven't kept track)
>currently alive in this country, that indicates that most likely
>20 to 25% of the available numbers are in use by persons currently
>living. I would guess that within the next 100 years that we'll
>run out of 9 digit numbers that haven't already been used: do they
>plan on re-using the numbers of deceased people, (a big potential
>problem, I would think, since estates often live on a long time
>after the person), or are they going to go to 10 digits and break
>computer programs all over the place?
If they add one digit, they'll certainly add a second (for a checksum
since SSNs are used so widely now).
But you make two interesting assumptions: first, that the U.S.
Government will care about the fact that other organizations use
the SSN as an identifier (SSN records could probably be freed within
a few years of person's death); and second that the new number will
only be used in the U.S. With a North American Free Trade union
you could make a good point for a NAFTU-SSN... if not a global SSN
(since it is likely people will change countries much more in the
future).
Bear Giles
bear@fsl.noaa.gov
------------------------------
From: "Glenn R. Stone" <gs26@prism.gatech.edu>
Subject: Re: FBI Digital Telephony Proposal
Date: 26 Jun 92 17:51:19 GMT
Reply-To: glenns@eas.gatech.edu
Organization: The Group W Bench
In comp.society.privacy banisar@washofc.cpsr.org (Dave Banisar) writes:
>The following is the latest version of the FBI Digital Telephony Proposal,
>introduced in May 1992. This version removes the previous language that
>authorized the FCC to set standards and now places it solely in the hands
>of the Attorney General.
Question: Does the Attorney General's office come under FEMA (the Federal
Emergency Management As.., err, Agency)? If it does, we have REAL cause
for concern.... q.v. some recent posts concerning FEMA in misc.headlines
that explain how the President can basically arbitrarily declare a state
of emergency and take over a whole host of things, including PTT services.
If this stuff is already in place when (IF? c'mon, who are you kidding?)
said emergency happens... well, use your imagination and scare yourself.
(BTW, I have independent corroboration on the aforementioned articles
in misc.headlines, from someone who used to have a clearance.... )
Question #2: Is someone running a lobby against this measure? If not,
would someone like to? I don't have the time to run it, but I'll certainly
put my John Hancock on any petition opposing it....
[Moderator's Note: Does anybody know of an organized effort against
this? Anyone willing to start one? I would presume makers of the
equipment are against it. _Dennis]
-- Glenn R. Stone (glenns@eas.gatech.edu)
I'm not in the book, ya'know, and I'm ding dang dong glad of it! -- Gopher
------------------------------
From: Hans Mulder <hansm@cs.kun.nl>
Subject: Re: Social Security Numbers and Social Insurance Numbers
Organization: University of Nijmegen, The Netherlands
Date: Fri, 26 Jun 1992 23:52:54 GMT
In <comp-privacy1.55.2@pica.army.mil> lance@unix386.Convergent.COM (Lance Norskog) writes:
>I'm pretty sure the last digit is not a check digit.
Depends on whether you mean an SS# (American) or an SI# (Canadian).
Both are 9 digits. The last digit of an SI# is the check digit.
SS#s don't have a check digit.
--
Hans Mulder hansm@cs.kun.nl
------------------------------
End of Computer Privacy Digest V1 #056
******************************