Date:       Thu, 11 Mar 93 17:32:48 EST
Errors-To:  Comp-privacy Error Handler <comp-privacy-request@PICA.ARMY.MIL>
From:       Computer Privacy Digest Moderator  <comp-privacy@PICA.ARMY.MIL>
To:         Comp-privacy@PICA.ARMY.MIL
Subject:    Computer Privacy Digest V2#024

Computer Privacy Digest Thu, 11 Mar 93              Volume 2 : Issue: 024

Today's Topics:				Moderator: Dennis G. Rears

             Re: Dorothy Denning's article in Comm. of ACM
                      re:  Credit Card Validation
                 Re: NEW EDITION OF THE PRIVACY GUIDE?
                     Social Security Numbers as ID
             Re: Dorothy Denning's article in Comm. of ACM

   The Computer Privacy Digest is a forum for discussion on the
  effect of technology on privacy.  The digest is moderated and
  gatewayed into the USENET newsgroup comp.society.privacy
  (Moderated).  Submissions should be sent to
  comp-privacy@pica.army.mil and administrative requests to
  comp-privacy-request@pica.army.mil.
   Back issues are available via anonymous ftp on ftp.pica.army.mil
  [129.139.160.133].
----------------------------------------------------------------------

From: Carl Ellison <cme@ellisun.sw.stratus.com>
Subject: Re: Dorothy Denning's article in Comm. of ACM
Date: 9 Mar 1993 21:08:44 GMT
Organization: Stratus Computer, Software Engineering

In article <thomas.731450452@ponder> thomas@ponder.csci.unt.edu (Tom Thomas) writes:
>I am not at all persuaded by Dorothy Denning's defense [...]  Beyond this,
>Dr. Denning rationalizes the regulation of cryptography, [...]
>
>Once again, we are being asked to sacrifice a substantial and fundamental
>freedom for the sake of negligible safety and security. [...]
>
>Am curious about others' reactions to 'To Tap Or Not To Tap' in the March
>1993 'Communications of the ACM'.

I agree.  I'm going to prepare a rebuttal article/letter to send to CACM
(and probably post here as well), but first I have to carefully read all
articles.  It's hard.  My blood pressure keeps going up and I have to set
it down.

Among other things, the gov't side focuses on only 1 of 8 scenarios:

	variable	values			Denning's focus

	good guy:  (govt, private)		govt (eg., FBI saint)
	bad guy:   (govt, private)		private (eg., drug dealer)
	encrypter: (good guy, bad guy)		bad guy

If that's the only scenario you look at or give reasonable weight to, it's
very hard to justify private crypto.  So -- we need to prohibit such a
focus from being established.

Meanwhile, I'm not at all sure that the gov't should have a right to
wiretap in the first place.  Is the gov't allowed to bug a confessional in
a Roman Catholic church?  Can it bug an interview room used by a lawyer for
an imprisoned client?  A telephone gives, by its very nature, a suggestion
of privacy: (you have to hold your mouth close to it and hold it close to
your ear -- something you would do in person only if you were whispering a
secret.)  That means that the telephone is seducing you into revealing
secrets you would not normally reveal in public -- just as you might in a
confessional or in a private room with your lawyer.  [Before you protest
that I'm jumping to conclusions, I have *many* examples of my own
conversations with girlfriends over a telephone which I would never have
spoken through a PA system.  I often intentionally lowered my voice and
brought my mouth closer to the mouthpiece, in fact, to keep my roommate
from hearing what I was saying....and I know how easy it is to wiretap, but
even I got seduced into treating a telephone as a private channel.  It was
in asking myself why I behaved this way that I realized the psychological
relationship of telephone handset usage to whispering.]

 - Carl
-- 
 - <<Disclaimer: All opinions expressed are my own, of course.>>
 - Carl Ellison                                        cme@sw.stratus.com
 - Stratus Computer Inc.       M3-2-BKW                TEL: (508)460-2783
 - 55 Fairbanks Boulevard ; Marlborough MA 01752-1298  FAX: (508)624-7488

------------------------------

From: "Michael T. Palmer" <m.t.palmer@larc.nasa.gov>
Subject: re:  Credit Card Validation
Date: 9 Mar 1993 21:23:20 GMT
Organization: NASA Langley Research Center, Hampton, VA


In article <comp-privacy2.23.6@pica.army.mil>  Brinton Cooper <abc@brl.mil> writes:
>Now, Citibank is asking (US Government employee) users of its Diner's
>club cards to supply them with validation info.  When activating a new
>(e.g., personal) account, changing address, or otherwise enquiring about
>one's file, the caller may be asked to supply such information in order
>to assure the credit company of the caller's legitimate identity.
>Information requested is:
>
>	Name
>	Account #
>	Address
>	Date of Birth
>	Social Security Number (you were surprised, maybe?)
>	Mother's Maiden Name (My hospital asks for this one, too.)
>	Business and home phones
>	Other Diner's accounts to which this info applies.
[etc]
>On the one hand, this has the potential to expose what little privacy we
>have left.  On the other hand, one can argue that it protects us
>from malicious persons.  I don't yet know whether I shall comply.

I don't know if I will, either.  I'll have to think about this.
Although... I could make up some outrageous "Mother's Maiden Name"
like Spinkelschwartzenheimer.  That'd serve the validation purpose
(as long as I can *remember* it), but doesn't give out any info on
my personal life.

(Oooh!  Dang!  Now I can't use that one because I already posted it!)


>[Moderator's Note:  I don't use the Diner Card Club.  It's one less card
>I have to carry around.  On the other hand I have passworded all my
>accounts (credit card, utilities, insurance, etc) that can be accessed
>by phone.  I started this after my phone and electric service was cut off
>by someone claiming to be me.  The "Mother's maiden name" is no security.
> ._dennis ]

While passwording your credit cards is a good idea, some of us MUST MUST
MUST use that damn Diner's Club card.  When I go on Gov't travel, I
*must* charge hotels, rental cars, and registration fees to that card
if I want reimbursement without an act of Congress.  Management has
made this CRYSTAL clear to us.


Michael T. Palmer         |  "A man is crazy who writes a secret in any
m.t.palmer@larc.nasa.gov  |   other way than one which will conceal it
RIPEM key on server       |   from the vulgar." - Roger Bacon

------------------------------

From: hirai@cc.swarthmore.edu (Eiji Hirai)
Subject: Re: NEW EDITION OF THE PRIVACY GUIDE?
Organization: Computing Center, Swarthmore College, Swarthmore, PA, USA
Date: Tue, 9 Mar 1993 21:41:13 GMT

Mark McFadden <mcfadm@dnrmai.dnr.wisc.gov> writes:
:No edition since 1980!?!  Does anyone know if another is planned?

The new edition came out in 1990.

 AUTHOR       Hendricks, Evan.
 TITLE        Your right to privacy : a basic guide to legal rights in an 
                information society / Evan Hendricks, Trudy Hayden, Jack D. 
                Novick.
 EDITION      2nd ed., completely rev. and up-to-date.
 PUBLISHER    Carbondale : Southern Illinois University Press, c1990.
 DESCRIPT     xxii, 184 p. ; 18 cm.
 SUBJECT      Privacy, Right of --United States.
 SERIES       An American Civil Liberties Union handbook.
 NOTE         Rev. ed. of: Your rights to privacy / Trudy Hayden. c1980.
              Includes bibliographical references.
 ISBN         0809316323.
 ALT. ENTRY   Hayden, Trudy.
              Novik, Jack.

------------------------------

From: Matthew B Cravit <cravitma@student.msu.edu>
Subject: Social Security Numbers as ID
Date: Tue, 9 Mar 93 16:52:25 EST

I was discussing a recent bunch of bicycle and computer thefts here at Michigan
State University with one of the campus police officers, and in the course of
our discussion, I asked what he suggested one do by way of identifying
property. I asked if it was advisable to put a SSN on the bottom of my computer
by way of identification, as the police in Toronto (Canada) where I used to
live suggested using your SIN (Canadian equivalent to an SSN) for
identification of property.  He said that quite apart from the fact that this
is not a good idea from a privacy standpoint (I already knew that), putting a
SSN on articles for identification was quite useless because he said that the
Social Security Administration will NOT release the name belonging to a
particular SSN to any local or state law enforcement agency FOR ANY REASON
UNDER ANY CIRCUMSTANCES.  Is this assertion of his correct?

[Moderator's Note:  This is true.  The few law enforcement agencies I
have dealt with have always recommended to use your driver license number.
Of course this was before states started using a SSN as a driver license
number. ._dennis ]
/Matthew Cravit, Undergraduate Communications/Computer Science Student
 Michigan State University, East Lansing, Michigan
 Internet: cravitma@studentc.msu.edu OR cravitm@clvax1.cl.msu.edu


------------------------------

From: Peter Swanson <pjswan@engin.umich.edu>
Subject: Re: Dorothy Denning's article in Comm. of ACM
Date: 10 Mar 1993 02:49:02 GMT
Organization: University of Michigan Engineering, Ann Arbor

In article <thomas.731450452@ponder> thomas@ponder.csci.unt.edu (Tom Thomas) writes:
>...Dorothy Denning's defense of proposed
>legislation that would regulate the development of communication technology
>to ensure government wiretapping capabilities...
>
>...'To Tap Or Not To Tap' in the March 1993
>'Communications of the ACM'.

FYI:
Dorothy Denning has another article, 'Wiretapping and cryptography',
on p. 16 of the March 1993 IEEE Spectrum.  The subject matter is the same.



-- 
| Peter J. Swanson                   |  pjswan@caen.engin.umich.edu        |
| PhD Pre-Candidate                  |  controls specialist                |
| Electrical Engineering:Systems     | Fortunately, ah keep muh feathuhs   |
| University of Michigan             | numbahd for just such ahn emergency.|

------------------------------


End of Computer Privacy Digest V2 #024
******************************