Date:       Wed, 22 Sep 93 16:20:42 EST
Errors-To:  Comp-privacy Error Handler <comp-privacy-request@PICA.ARMY.MIL>
From:       Computer Privacy Digest Moderator  <comp-privacy@PICA.ARMY.MIL>
To:         Comp-privacy@PICA.ARMY.MIL
Subject:    Computer Privacy Digest V3#043

Computer Privacy Digest Wed, 22 Sep 93              Volume 3 : Issue: 043

Today's Topics:				Moderator: Dennis G. Rears

        Professional Report Online: Computers, Gov't and Privacy
                           Re: Privacy Bill?
                         Re: crypto witchhunt?
                   Re: Computer Privacy Digest V3#040

   The Computer Privacy Digest is a forum for discussion on the
  effect of technology on privacy.  The digest is moderated and
  gatewayed into the USENET newsgroup comp.society.privacy
  (Moderated).  Submissions should be sent to
  comp-privacy@pica.army.mil and administrative requests to
  comp-privacy-request@pica.army.mil.
   Back issues are available via anonymous ftp on ftp.pica.army.mil
  [129.139.160.133].
----------------------------------------------------------------------

From: Lew Oleinick <lewo@emx.cc.utexas.edu>
Subject: Professional Report Online: Computers, Gov't and Privacy
Date: 21 Sep 1993 09:48:25 -0500
Organization: The University of Texas - Austin

I have just completed work on my Master's Thesis.  The
title is "Computerized Governmental Database Systems
Containing Personal Information and the Right to Privacy."
I thought there might be an interest in this topic on the net
and for that reason I am posting the abstract and table of
contents of my thesis.  The report itself is available via
anonymous FTP.

I attended the Lyndon B. Johnson School of Public Affairs 
at the Univ. of Texas-Austin where I specialized in information 
technology policy.  At the LBJ school, masters students write 
something called a "professional report" rather than a thesis.  
So technically, my thesis is really a professional report.

I have placed a copy of my report online along with the 
abstract and table of contents.  I have also placed a copy
of my resume online as I will be looking for work soon and hoped to
make some contacts in government or industry with those who
are interested in my area of study.

The report, abstract, TOC, and resume are stored in a directory
that is accessible via anonymous FTP.  

The ftp site is:
bongo.cc.utexas.edu

login=anonymous.

Change directories to pub/lewo.

You will find the following files:

-rw-r--r--  1 lewo         3951 Sep 19 17:31 abstract.txt
-rw-r--r--  1 lewo       125657 Sep 19 17:22 privacyreport.zip
-rw-r--r--  1 lewo         5363 Sep 19 17:34 resume.txt
-rw-r--r--  1 lewo         4774 Sep 19 17:23 tableofcontents.doc

The report itself is labeled "privacyreport.zip."  As it is zipped
be sure to transfer in binary format.  

NOTE !!! This file is a WordPerfect 5.1 file that was written on a PC.  

The file was zipped using PKZIP.  I have not translated the 
file to a straight ASCII file as of yet because the WP51 
translation program doesn't capture footnotes and I don't 
have the time quite yet to write the macro to do this
for me.  What this means is that unless you have WP51 or higher on
a PC you won't be able to read the text in its entirety.  However,
if you have MS Word, you'll be able to read the body of the text.

The report is about 102 pages long.

Any comments or suggestions are welcome at:

lewo@emx.cc.utexas.edu

I will post a compilation of comments and suggestions if a desire 
for such a compilation is present on the net.

Enjoy,

-- Lew Oleinick

 ------------- begin abstract and TOC ------------------

                        ABSTRACT

       Computerized Governmental Database Systems
             Containing Personal Information
                           And
                  The Right to Privacy
                           by
             Lewis William Oleinick, M.P.Af.
         The University of Texas at Austin, 1993
       SUPERVISORS: Chandler Stolp and Philip Doty

     This report identifies and examines the potential
threats to individual privacy created by the collection,
aggregation, and dissemination of personal information
by governmental agencies and the role computer systems
play in potentiating such threats.  Computer matching,
computer profiling, the national criminal justice
database, and portfolio creation via data aggregation of
personal information are the governmental activities
stipulated to be potentially threatening to personal
privacy.  These four activities are forms of
"dataveillance."  Dataveillance poses dangers to the
security of civil liberties in a free society.
     To carry on an intelligible discussion about
privacy and how the collection, aggregation, and
dissemination of personal information by governmental
agencies may threaten individual privacy it is necessary
to first define privacy and personal information. 
Independence, autonomy, dignity, and respect create a
conceptual framework upon which privacy may be defined.
     Privacy is a culturally defined norm.  As such, a
discussion of the American cultural tradition of privacy
is necessary to understand both how Americans have
defined privacy over time and the roles privacy has
played in American society in 1) "starting over," 2) in
interpersonal relationships, and 3) in maintaining the
"balance of power" with the State.  Privacy is held to
be as important as the unalienable rights of "life,
liberty, and the pursuit of happiness" by the majority
of the American public.  Americans have become more and
more concerned with their privacy as intrusive
technologies have evolved.  Many Americans fear that
computers allow the U.S. Government too much power over
the average citizen.
     Privacy has been protected in the United States by
precedents set in court cases, by legislation and by
executive act.  The breadth of cases pertaining to
privacy precludes the examination of all cases.  Supreme
Court cases provide a historical overview of the
evolution of the right to privacy as the questions
presented to the Court have become more complex with the
introduction of new technologies into the law
enforcement process.
     Congress has attempted to address the public's
concerns of the government's collection, aggregation,
and dissemination of personal information by passing
legislation designed to protect individual privacy.  The
four major pieces of legislation passed by Congress for
the protection of the citizen's right to privacy are the
Freedom of Information Act, the Privacy Act, the
Computer Security Act of 1987, and the Computer Matching
and Privacy Protection Act of 1988.  The Office of
Management and Budget has produced regulations designed
to enforce the intent of the legislation promulgated by
Congress.  These regulations are contained in OMB
Circular A-130 which details federal information policy.
     This report concludes by suggesting the need for
the implementation of a Privacy Protection Board at the
national level.  Such a board would be based on the
model suggested by David Flaherty.
     The primary conclusion that should be drawn from
this report is that society as a whole must re-evaluate
the existing paradigm of who should be in control of
personal information; i.e., should it be the agency who
collects it or should the power of control remain with
the individual about whom the information was collected. 
This report suggests that a certain modicum of control
over the disclosure of personal information should
revert to the individual about whom the information was
collected.

                       TABLE OF CONTENTS

Chapter 1. Introduction. . . . . . . . . . . . . . . . . . . . .1

     Description of Problem. . . . . . . . . . . . . . . . . . .1

     Governmental Activities of Interest . . . . . . . . . . . .2

     Reasons for Concern . . . . . . . . . . . . . . . . . . . .3

     Bringing the Concerns to a Personal Level . . . . . . . . .3

     Justification for Focusing on 
     Governmental Activities . . . . . . . . . . . . . . . . . .4

     Recapitulation of Topic and 
     Statement of Position . . . . . . . . . . . . . . . . . . .5

     Explanation for the Ordering
     of the Presentation of Material . . . . . . . . . . . . . .5

     Ordering of Presentation of Materials . . . . . . . . . . .6
     
Chapter 2. Governmental Dataveillance. . . . . . . . . . . . . .7

     Introduction. . . . . . . . . . . . . . . . . . . . . . . .7

     Defining Surveillance and Dataveillance . . . . . . . . . .7

     Forms of Governmental Dataveillance . . . . . . . . . . . .8

     Transition from Personal Surveillance
     to Mass Dataveillance . . . . . . . . . . . . . . . . . . 13

     Dangers of Personal and Mass
     Dataveillance . . . . . . . . . . . . . . . . . . . . . . 14

Chapter 3. Privacy and Personal Information: The Relationship
Explored . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

     Introduction. . . . . . . . . . . . . . . . . . . . . . . 19

     Terms necessary for the definition 
     of privacy. . . . . . . . . . . . . . . . . . . . . . . . 19

     Definition of Personal Information. . . . . . . . . . . . 23

     Definition of Privacy . . . . . . . . . . . . . . . . . . 24

     Difficulties with Defining Privacy. . . . . . . . . . . . 25

Chapter 4. The Cultural Tradition of Privacy in American Society 27

     Introduction. . . . . . . . . . . . . . . . . . . . . . . 27

     Public Opinions on Privacy. . . . . . . . . . . . . . . . 27

     Privacy's Role in "Starting Over" --
     A Cultural Basis. . . . . . . . . . . . . . . . . . . . . 34

     The Role of Privacy of Personal
     Information in Interpersonal
     Relationships . . . . . . . . . . . . . . . . . . . . . . 40

     The State and the "Balance of
     Power". . . . . . . . . . . . . . . . . . . . . . . . . . 45

Chapter 5. A Brief Legal History of the Right to Privacy: A
Survey of Selected Supreme Court Cases . . . . . . . . . . . . 49

     Introduction. . . . . . . . . . . . . . . . . . . . . . . 49

     Reasons for Choosing the Ten Cases. . . . . . . . . . . . 50

     Analysis of Cases . . . . . . . . . . . . . . . . . . . . 51

          Mapp v. Ohio . . . . . . . . . . . . . . . . . . . . 52

          Griswold v. State of
          Connecticut. . . . . . . . . . . . . . . . . . . . . 53

          Katz v. United States. . . . . . . . . . . . . . . . 55

          Stanley v. State of
          Georgia. . . . . . . . . . . . . . . . . . . . . . . 57

          Eisenstadt v. Baird. . . . . . . . . . . . . . . . . 59

          Roe v. Wade. . . . . . . . . . . . . . . . . . . . . 60

          United States v. Miller. . . . . . . . . . . . . . . 62

          Whalen v. Roe. . . . . . . . . . . . . . . . . . . . 64

          Bowers v. Hardwick . . . . . . . . . . . . . . . . . 66

          United States Department
          of Justice v. Reporters
          Committee for Freedom of
          the Press. . . . . . . . . . . . . . . . . . . . . . 67

     Summation of Cases and Problems with
     Judicial Activism . . . . . . . . . . . . . . . . . . . . 70

Chapter 6. Legislative and Executive Action to Protect the
Privacy of Personal Information. . . . . . . . . . . . . . . . 73

     Introduction. . . . . . . . . . . . . . . . . . . . . . . 73

     The Freedom of Information Act. . . . . . . . . . . . . . 74

     The Privacy Act . . . . . . . . . . . . . . . . . . . . . 76

     Criminal Justice Information Control
     and Protection of Privacy Act of 1974 . . . . . . . . . . 82

     The Computer Security Act of 1987 . . . . . . . . . . . . 83

     The Computer Matching and Privacy
     Protection Act of 1988. . . . . . . . . . . . . . . . . . 85

     OMB Circular A-130. . . . . . . . . . . . . . . . . . . . 88

     Chapter Summary . . . . . . . . . . . . . . . . . . . . . 91

Chapter 7. Conclusion and Suggestions for Additional Legislation 93

     Introduction. . . . . . . . . . . . . . . . . . . . . . . 93

     Recapitulation of Major Themes. . . . . . . . . . . . . . 93

     Policy and Advancing Technology . . . . . . . . . . . . . 98

     Government Responsibilities . . . . . . . . . . . . . . . 99

     Suggestions for Additional Legislation. . . . . . . . . .101

     Conclusion. . . . . . . . . . . . . . . . . . . . . . . .102

-- 
 -----------------------------------------------------------
Lew Oleinick                        lewo@emx.cc.utexas.edu
Systems Analyst                     512-471-3241 ext. 269       
Statistical Services Group          Univ. of Texas - Austin

------------------------------

From: "Theodore L. Dysart" <dysart@parrot.wpi.edu>
Subject: Re: Privacy Bill?
Date: 21 Sep 1993 20:51:10 GMT
Organization: Worcester Polytechnic Institute

In article <comp-privacy3.37.2@pica.army.mil> peterson@CS.ColoState.EDU (james peterson) writes:
>I have recently been hearing about a privacy bill being considered
>by Congress.  Does anyone have the text of this bill to post?  

I am doing a paper on e-mail privacy and I looked into this legislation.
It is sponsored by Senator Paul Simon, and it is called "The privacy for
consumers and workers act".  As explained to me by his aide, it does the
following:


	If an organization declares that it has the right to read/review
	your e-mail, it must do so all the time.  If they do not review
	mail on a regular basis, but retain the right to, they must make
	you aware of the fact that they have "opened" your mail.


It doesn't stop them from doing it, but at least you must be informed. 8)

The aide told me that it was unavailable in an on-line format, but they
are happy to send it to you. (took about 2 wks.)

We volunteered to do some surveys or research for the office, but their
interest was more directed towards Unions. (The brochure with the record
from the hearing included an extensive statement from the Union at the
Sheraton Hotel in Boston.)

Ted.
 -------------------------------------------------------------------------------
_/_/_/_/_/ _/_/_/_/ _/_/     |Theodore L. Dysart|  Also Student Conductor for
    _/     _/       _/  _/   |dysart@wpi.wpi.edu|  the WPI Glee Club and Head
    _/     _/_/_/   _/   _/  |  Sales Rep. for  |  Chef for the WPI Baker's
    _/     _/       _/  _/   |  WIN Enterprise  |  Dozen - Available for 
    _/     _/_/_/_/ _/_/     |  (508)753-1522   |  Special Occasions 792-9119

------------------------------

From: amn@ubik.demon.co.uk (Anthony Naggs)
Subject: Re: crypto witchhunt?
Organization: UBIK (we are everywhere!)
Reply-To: amn@ubik.demon.co.uk
Date: Wed, 22 Sep 1993 03:16:34 +0000

The attached messages accompanied Shari Steele's posting in the latest
issue of Computer Underground Digest (v5 #73, aka comp.society.cu-digest).
I think they offer useful information, I hope you can republish them.

Regards, Anthony

----< begin included text >----

Date: Sun, 19 Sep 1993 21:15:22 CDT
From: CuD Moderators <cudigest@mindvox.phantom.com>
Subject: File 1--U.S. Gov't Begins Attack on Moby Crypto

((MODERATORS' NOTE: The following posts on the U.S. Customs Service
subpoena directed against Grady Ward and others came from a variety of
sources. We pulled together the three that seemed to best summarize
events of the past few days.  In editing them, we can't reconstruct
where they all came from, but most appeared on Usenet in the past few
days. The following was distributed on Usenet by Grady Ward)).

++++++++++

Subpoena served on Austin Code Works for
material related to Moby Crypto.

At 10:30 PM EDT  Thursday, 16 Sept 1993 Theodore R. Siggins, special
agent for the Department of Treasury, U.S. Customs Service office of
enforcement for Austin, TX (512) 482-5502 served the following
subpoena:

United States District Court
Northern District of California

TO:

Custodian of Records
Austin Code Works
11100 Leafwood Lane
Austin, TX
(512) 258-0785

SUBPOENA TO TESTIFY BEFORE GRAND JURY
documents of object(s)

PLACE

U.S. Courthouse & Federal Building
280 South First Street
San Jose, CA  95113

Grand Jury Room 2115
September 22, 1993  9:00 AM

YOU ARE ALSO COMMANDED to bring with you

Any and all correspondence, contracts, payments, and record,
including those stored as computer data, relating to the
international distribution of the commercial product "Moby
Crypto" and any other commercial product related to PGP and RSA
Source Code for the time period June 1, 1991 to the present.

CLERK

RICHARD W. WIERKING
by deputy  clerk (illegible)

This subpoena is issued on application of the United States of America
Michael J. Yamaguchi
United States Attorney

Assistant U.S. Attorney
William P. Keane
280 S. First St., Suite 371
San Jose, CA  95113
(408) 291-7221
s/a Robin Sterzer, Customs
93-1348(SJ) 93-1(SJ)

9 September 1993

served by

Theodore R. Siggins
special agent
Department of Treasury
U.S. Customs Service
Office of Enforcement
P.O. Box 99
Austin, TX 78767

(FTS) 770-5502
(512) 482-5502

+-------------------------- BACKGROUND ----------------------------

The day before yesterday I faxed the following to the NSA:

Grady Ward
3449 Martha Ct.
Arcata, CA  95521
(707) 826-7715
grady@netcom.com

Charlotte Knepper
National Security Agency
301 688 7834
FAX 301 688 8183

Sep 93


Re:  Moby Crypto and the Austin Code Works

Recently you phoned Maria Guthery at the Austin Code Works
(512-258-0785) to voice your concern about the publication for export
of my product 'Moby Crypto'.

As the editor and author of the compilation I made sure not to include
any executable code -- only the algorithmic description in C source
code that can be found (and exported) from scores of books and
journals from the US distributed throughout the world.

I believe that this material qualifies for the 'public domain'
technical documentation exception under the current DTR rules.  It
seems to me that proscribing the publication of material because it is
conveyed on magnetic media rather than paper pulp is an NSA
initiative that is both destructive to our basic freedom of expression
and to the trade renaissance that Vice President Al Gore and the
Clinton Administration are trying to foster.

Even the Supreme Court recognizes the role of the computer media in
protecting our freedom; beginning this 1993 calendar year all
decisions will be provided in electronic form. Further, as you may
know, it was recently decided that White House records in electronic
form must be protected as a permanent archive of our government.
Clearly, magnetic media must be treated as a logical extension of the
power and fundamental right of the print media.

Please phone, fax, e-mail or post your ideas or any literature to me
that you think useful if I have misapprehended the situation.

Of course if you wish I will send you a gratis copy of the software
(about nine megabytes of sources for DES, RSA, IDEA, Lucifer, PGP,
SHA, and so on) for your advice and comments.

Very truly yours,


GRADY WARD


+-------------------- WHAT YOU SHOULD DO ---------------------

NSA and the US Treasury have started a new, aggressive campaign to
prevent the spread of cryptographic ideas, algorithms, sources, and
documentation.  The subpoena was served on the ACW in the night
because they MIGHT have sold a copy of source code, already available
worldwide, to a foreign national.

If you value the freedom to disseminate ideas on both paper and
magnetic and electronic media, you should immediately preserve your
right to have such knowledge by obtaining a copy of the source to
Pretty Good Privacy and all other cryptographic materials before a
possible complete blackout of such material is attempted by the US
authorities.

It is not yet against the law to possess source code to PGP, the
world's foremost encryption application, in the United States.  Source
is available for a variety of platforms including MS-DOS, Unix, and
Macintosh from the following sites:

soda.berkeley.edu
ghost.dsi.unimi.it
nic.funet.fi
ota.ox.ac.uk
van-bc.wimsey.bc.ca

and many other sites

For more information about PGP,
send a blank mail message to:
pgpinfo@mantis.co.uk

 --
Grady Ward                                         grady@netcom.com
3449 Martha Ct.                           compiler of Moby lexicons
Arcata, CA  95521-4884            e-mail or finger grady@netcom.com
(707) 826-7715  (voice/24hr FAX)               for more information

 ------------------------------

Date: Sun, 19 Sep 1993 22:29:54 CDT
From: CuD Moderators <cudigest@mindvox.phantom.com>
Subject: File 2--Phil Zimmermann's Comments on the Moby Crypto Incident

On Tuesday, 14 September 93, Leonard Mikus, president of ViaCrypt,
also known as LEMCOM Systems, in Phoenix, Arizona, was served a
Subpoena to Testify Before Grand Jury, to produce documents.  The
subpoena was issued by the US District Court of Northern California,
by Assistant US Attorney William P. Keane in San Jose, as part of an
investigation from the San Jose office of US Customs, conducted by
Special Agent Robin Sterzer.  The US Attorney above Keane is Michael
J. Yamaguchi.

ViaCrypt is the company that will be selling a fully licensed
commercial version of PGP, starting in November.  ViaCrypt has a
license from PKP to sell products that embody the patents held by PKP.
That includes PGP, using the RSA algorithm.

The subpoena, dated 9 September, orders the production of "Any and all
correspondence, contracts, payments, and records, including those
stored as computer data, involving international distribution related
to ViaCrypt, PGP, Philip Zimmermann, and anyone or any entity acting
on behalf of Philip Zimmermann for the time period June 1, 1991 to the
present."  The date specified for the production of documents is 22
September 93.

The written agreement between ViaCrypt and myself explicitly states
that US State Department cryptographic export controls will be adhered
to.

The implications of this turn of events are that this US Customs
investigation has escalated to the level of a Federal Grand Jury and a
US Attorney.  US Customs says that this change was precipitated by a
ruling recently handed down from the State Department that PGP is not
exportable.  Other subpoenas and/or search warrants are expected.

I am the principal target of the investigation.  I have advised EFF,
CPSR, and my other attorneys of the situation.  A legal defense fund
will be set up by my lead attorney (Phil Dubois, 303 444-3885) here in
Boulder.

This case raises some serious public policy questions regarding First
Amendment rights to publish, rights to privacy as affected by
widespread availability of cryptographic technology, the equivalence
of electronic publication with paper publication, the availability of
lawful domestic cryptographic technology in the face of export
controls, and certain other Constitutional rights.  This may turn into
the test case for these issues.

   Philip Zimmermann

------------------------------

Date: Tue, 21 Sep 93 22:21 PDT
From: John Higdon <john@zygot.ati.com>
Reply-To: John Higdon <john@zygot.ati.com>
Organization: Green Hills and Cows
Subject: Re: Computer Privacy Digest V3#040

Bryon Propst <bryon@boa.meaddata.com> writes:

> What has happened to our government over the
> last 200 years?  We once believed that what the private citizen did was
> his own business until there was physical evidence that they were
> harming another's Constitutional rights.  Now, you believe that you
> have the right to "take a preventative stance toward crime and
> corruption...".  Sounds good, but where does that lead us?  To invading
> ALL areas of our citizens' lives that were once deemed private, in the
> hope that you may find a potential infraction?!?

It is actually worse than that. Large amounts of money are spent by law
enforcement to create elaborate environments to facilitate crime.
Attractive scams are set up and then the officials sit back and see who
falls into the trap. Sometimes it seems as though these "sting"
operations are designed to "drum up business" as it were. These
entrapments (what else can you call them?) pass legal muster when the
agencies argue to the court that only people who have a propensity
toward crime will nibble at the bait.

This may or may not be true, but it certainly could conceivably create
criminal activity where none would have occurred otherwise. So what it
amounts to is having a government that goes out of its way to sniff
around trying to find evidence of criminal activity that is otherwise
not manifest, and when it cannot find any, creates it.


-- 
 John Higdon  |   P. O. Box 7648   |   +1 408 264 4115     |       FAX:
 john@ati.com | San Jose, CA 95150 | 10288 0 700 FOR-A-MOO | +1 408 264 4407

------------------------------


End of Computer Privacy Digest V3 #043
******************************