Date:       Fri, 11 Feb 94 21:29:51 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V4#029

Computer Privacy Digest Fri, 11 Feb 94              Volume 4 : Issue: 029

Today's Topics:			       Moderator: Leonard P. Levine

              WA state bill could censor VR and multimedia
                   Help with Computer Privacy Policy
                        Privacy in Mailing Lists
                New Mailing List on Information Problems
             Re: Data Encryption and Privacy -- PGP Issues

   The Computer Privacy Digest is a forum for discussion on the effect 
  of technology on privacy.  The digest is moderated and gatewayed into 
  the USENET newsgroup comp.society.privacy (Moderated).  Submissions 
  should be sent to comp-privacy@uwm.edu and administrative requests 
  to comp-privacy-request@uwm.edu.  Back issues are available via 
  anonymous ftp on ftp.cs.uwm.edu [129.89.9.18].  Login as "ftp" 
  with password "yourid@yoursite".  The archives are in the directory 
  "pub/comp-privacy".   Archives are also held at ftp.pica.army.mil
  [129.139.160.133].
----------------------------------------------------------------------

From: Robert Jacobson <cyberoid@u.washington.edu>
Date: Thu, 10 Feb 94 08:09:08 -0800
Subject: WA state bill could censor VR and multimedia

A friend who frequents the Washington state government passed this on
to me:

There is a bill at the state level:  (excerpts from ``Public Health &
Safety Act 1994'' bill, SBR 6174)

    NEW SECTION.  Sec. 706 (1) A license is required for the commercial
    use of virtual reality technology for entertainment or purposes
    other than bona fide education, training, research, and
    development.

where VR is defined:

    NEW SECTION.  Sec 702.  (4)  ``Virtual Reality'' means any computer
    or other electronic technology that creates an enhanced illusion of
    three-dimensional, real-time or near-real-time interactive reality
    through the use of software, specialized hardware, holograms,
    gloves, masks, glasses, computer guns, or other item capable of
    producing visual, audio, and sensory effects of verisimilitude
    beyond those available with a personal computer.

My friend was present at the hearing of a portion of this bill.
Evidently, the person backing the bill, Senator Phil Talmadge, and
his crew are convincing the State Congress that VR will permit ``a
realistic illusion of killing another person and such an illusion will
make it easier for someone to go out and actually commit such a crime
outside of VR'' (quoting my friend who was quoting from memory).

This is all part of the movement to reduce violence by controlling
media and entertainment.

However, because of a misunderstanding of the possibilities of the
technology and the lack of a total suspension of disbelief which most
researchers would claim will never happen, the government would like to
restrict and control anything which has VR elements, whether being
marketed as VR or not.

The important issue which needs to be addressed right now is not so
much a method to reduce the violence in communities but the nature of
government-level control.

The State Congress has a very short calendar this year.   This matter
could be voted upon as early as next week (week of 14 Feb 94), and the
congressional session ends 8 March 1994, so this could be voted into
law in less than one month.

Senator Phil Talmadge (206) 786-7436
Leading the opposition: Senator Sheldon (206) 786-7644

Senate Fax: (206) 786-1999

Commission on Public Health & Safety Act 1994

Bill to be heard in Ways & Means Committee (Sen. Rinehart, Chair),
Wednesday night, February 9, 1994; then to Rules.

for status of bill, call Secretary of Senate: 206/786-7550


------------------------------

From: plbuschm@nyx10.cs.du.edu (Pete Buschman)
Date: Thu, 10 Feb 94 23:00:06 GMT
Subject: Help with Computer Privacy Policy
Organization: Nyx, Public Access Unix at U. of Denver Math/CS dept.

Attention: This is a general request to readers of the newsgroups
	   alt.privacy, comp.society.privacy, alt.comp.acad-freedom.*
	   and misc.legal.computing.

Please Note: This is NOT a netwide flame issue. I have refrained
	     from naming my home institution as I hold no malice for
	     them and am trying to constructively change an unfair
	     system. If you choose to respond, I only ask that you do
	     so constructively and with consideration.

I am a student at a Private College.  This institution has a
campus-wide network with a direct internet connection, and the majority
of students use the system exclusively for email purposes. The thought
that their privacy might possibly be violated does not occur to most of
them.

Two days ago, a close friend of mine was quietly asking for extra space
on his account. He was treated rudely and informed that before the
space would be granted him, they would look at his files to see if
there was anything they felt should be deleted or backed up on disk. He
explained the situation to me and I researched what little computer
policy did exist. In doing so, I found information on the EDUCOM code
which was posted in all labs, and also a little loophole that stated
the College would conform to all Michnet acceptable use standards. The
result was that the Director of Computer Services received a notice
from us stating that they had no right to inspect a student's files
without the student's permission because that action violated the
standards the College claimed to follow.

RESULT:

Much to our incredible surprise, we, as students, have been asked to
demonstrate to the Administration what an official privacy policy would
be like, and to _prove_ that other schools have such policies for
students' computer rights. The personal reaction, however, indicates
that they don't believe we can come up with much. [ Help me prove them
wrong. ] This school is _very_ resistant to change and I believe that
if we come up with enough precedents and even Federal law if possible,
they cannot help but issue an official policy statement or risk
extremely bad publicity.  We have been informed that a committee has
been formed to deal with this issue, and are going to insist on our
right to present information or even possibly serve on that committee.

OUR GOAL:

To force the Administration into a position where, due to overwhelming
precedent, legal or academic, they must implement an official policy
regarding computer privacy.

This policy would include, but not be limited to:

1.  Acknowledgement of computer files as intellectual property.

2.  Permission from the student must be required before files are
inspected, modified, or deleted in cases where criminal conduct is not
suspected.

3.  In cases where criminal conduct is suspected and the appropriate
college authorities insist on a search of files, the student WILL be
notified and MUST be present at the time of searching unless the
student waives that right.

4.  Logging of students' activities on the computers is unlawful unless
the student has been informed prior to the time the logging was begun
or has previously consented to such activity.

5.  Any user has the right to know if their files have been examined or
their activities logged anytime within record.

The above are just some of the examples we have thought of specifically
for our school. The College has a long history of violating the above
because there was no policy to prevent it.  Please help us change
this!

WHY WE NEED HELP:

Note: Although the tone of this post might sound as if a large response
is expected, please do not take it as such. This is not our only method
of research, but a supplement to it.  Any information we get as a
response is greatly appreciated as it will aid us in changing something
that truly needs it.

We are required to present this information in the next few weeks. The
research loads are immense if we wish to truly cover all the bases and
make this policy as fair to everyone as possible.  The administration
is going to try and rush this through as quickly as possible, and we
need to get everything relevant in before the issue is closed.

WHAT WE NEED:

We need any and all information on Privacy, Intellectual Rights, and
what constitutes these, _Appropriate_to_an_Academic_environment_.  I am
already aware of the vast resources available through ftp.EFF.org, and
I am asking you, as readers, of these related newsgroups, if you have
any information you are willing to contribute, please do so.

The areas we need information on are the following:

(We don't expect you to mail these, as that may be too much to expect.
Pointers to ftp sites are quite acceptable. If you wish to use email,
by all means do so.)

1. Legal format for presenting our ideas.  Neither of us has any legal
experience and we want to make this as official as possible.

2. Precedents and Laws relating to Computer Privacy.

3. Exceptional Policies from other academic institutions.  If your
school deals with these issues in unique ways, please send us yours!

4. Situations where Federal or State Law does _not_ apply to a private
institution.

5. Anything else we might have missed which is relevant.

CONCLUSION:

To any and all, who offer help. Thank you! Our goal is to preserve the
rights of computer users where we are and we applaud anyone else who
has been able to effect a similar change at their schools.

[Respond via email or followup post. I'm not picky and I started
following these newsgroups every day as well.]

Note: Denver University is NOT my home site and is NOT the school
referred to in this post. I use NYX for my news activities. Mail sent
to NYX is forwarded to me so email responses will reach me.

Best wishes and a hearty Thank You to anyone who offers help.  I am
excited about this.

Regards to all.

Peter L. Buschman plbuschm@nyx.cs.du.edu

Say NO to the Clipper Initiative!


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: Fri, 11 Feb 1994 12:01:48 -0600 (CST)
Subject: Privacy in Mailing Lists
Organization: University of Wisconsin-Milwaukee

Earlier this month I received the following request in the Computer
Privacy Digest input box:  (The userid is deleted.)

    Date: Fri, 4 Feb 1994 15:59:06 
    From: <xxxx@xxx.xxx.edu>
    To: comp-privacy-request@uwm.edu

    I would like to request a mailing list of subscribers who
    participate in your bulletin board system.  Please send info to:

    xxxx@xxx.xxx.edu

    Thank you.

I sent the author a response indicating that if it was submitted as a
request for posting, I would be glad to ask each of you if you wanted
to send the author a mailing permitting the author to set up a separate
list.  I indicated that such a global request of a Privacy list was
especially insensitive.

Some of you might be aware that there is a group for the moderators of
digests.  I sent that group a report on this request, and found out
some interesting things.

    From: "Vision List Digest moderator (Philip Kahn)" <vision@teleos.com>
    Date: Mon, 7 Feb 1994 10:06:46 -0800

    I get those requests about 2-3 times/year. Why do you think she was
    asking? I have never gotten a response to that question.

    From: rrb@deja-vu.aiss.uiuc.edu (Bill Pfeiffer)
    Date: Tue, 8 Feb 1994 16:55:09 -0600 (CST)

    I get these requests all the time.  Seems that bitnet listservers
    have that command built in to them and some find it to be
    commonplace.  I never give them out either.

A check with postmaster@xxx.xxx.edu gave me the response that the
account holder did this all the time, was probably naive, and that the
work might well not have been that of the legal account holder anyhow,
as University security was not perfect.

Several of the other moderators discussed with me just how insecure our
mailing lists were.  It seems that the pseudo-user-name for the mailing
must be a publicly readable word, and is, in fact, printed in the
document that the readers get.  Although a person could not read the
list itself, he or she could use this name and mail information to
whoever was in the file attached to the name.  I had been aware of this
for some time and, like other moderators, have taken care to see to it
that the name does not point to any real list except when I am actively
posting to the Digest.  During those short intervals, others may post
also.  The system will make me aware of it if/when someone tries.

Other intrusions into your privacy also may exist.  For example, there
is a headerline that forces a return message to the originator.  It
looks like "Return-Receipt-To:  xxx@xxx.xxx.edu" and must be included
in the header group without an intervening white space.  This message,
were it sent to a list, would return a set of replies to the poster
indicating a great deal about who had received the mailing.  Careful
examination of your incoming mail would reveal the presence of such a
header line.

I use such a line in my individual correspondence.  It is a quick check
to see that the mail got through to the user's mailbox and it usually
arrives seconds after I send the mail.  It nearly doubles network
traffic, however, and administrators frown.  I never deliberately
include it when mailing to a group.  The last time I did (I thought the
name I was mailing to was an individual) the 450 "return receipt"
messages reminded me to be more careful.

Mailing lists may not be secure.  Even allowing someone to use one,
without allowing him or her to read it, can reveal some of the names of
those in it.  If you do not trust your moderator to keep the data
secure and you are concerned, you cannot stay on a list.  There is no
security to an unmoderated list.  I am interested in the judgements of
this group.

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of Computer Privacy Digest and
Professor of Computer Science     | comp.society.privacy.
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
 ---------------------------------+-----------------------------------------
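The header check the post recommends ("careful examination of your incoming mail") and the mitigation a list moderator can apply before redistribution, written out as an added Python example; this is not code from the digest or its moderator. The "Return-Receipt-To" header name comes from the post; "Disposition-Notification-To" (the RFC 8098 message disposition notification header) is added here as a generalisation, and every sample message is constructed for the example.

```python
"""Detect and strip mail headers that ask every recipient to report back.

Added illustration for the Return-Receipt-To discussion above; not part
of the digest.  All sample messages below are constructed, not real mail.
"""
import email

# Return-Receipt-To is the header the post describes.  Disposition-Notification-To
# (RFC 8098 message disposition notifications) is the standardised successor and
# is included as a generalisation beyond the post.
RECEIPT_HEADERS = ("Return-Receipt-To", "Disposition-Notification-To")


def receipt_requests(raw_message: bytes) -> dict:
    """Return {header_name: address} for each receipt-request header found.

    Only the header block (everything before the first blank line) is
    inspected; a look-alike line in the body is not a header and is ignored,
    which is the point the post makes about the line having to sit in the
    header group."""
    msg = email.message_from_bytes(raw_message)
    found = {}
    for name in RECEIPT_HEADERS:
        value = msg.get(name)
        if value is not None:
            # Unfold continuation lines and normalise whitespace.
            found[name] = " ".join(value.split())
    return found


def strip_receipt_headers(raw_message: bytes) -> bytes:
    """Return the message with every receipt-request header removed.

    This is the mitigation a list exploder can apply before redistributing
    a post, so that subscribers' mailers never report their addresses back
    to the original sender."""
    msg = email.message_from_bytes(raw_message)
    for name in RECEIPT_HEADERS:
        del msg[name]  # removes all occurrences; a no-op when absent
    return msg.as_bytes()


def flag_receipt_requests(messages) -> list:
    """Scan an iterable of raw messages; list (index, requests) for those
    that would trigger a receipt from every recipient."""
    flagged = []
    for index, raw in enumerate(messages):
        requests = receipt_requests(raw)
        if requests:
            flagged.append((index, requests))
    return flagged


# Constructed sample messages.
PLAIN = (
    b"From: alice@example.org\n"
    b"To: list@example.org\n"
    b"Subject: plain post\n"
    b"\n"
    b"No receipt requested.\n"
)
FOLDED_RECEIPT = (
    b"From: bob@example.org\n"
    b"To: list@example.org\n"
    b"Return-Receipt-To:\n"
    b"  bob@example.org\n"
    b"Subject: folded header\n"
    b"\n"
    b"The header is folded onto a second line but is still in the header block.\n"
)
BODY_ONLY = (
    b"From: carol@example.org\n"
    b"To: list@example.org\n"
    b"Subject: looks like a header but is not\n"
    b"\n"
    b"Return-Receipt-To: carol@example.org\n"
)
MDN = (
    b"From: dave@example.org\n"
    b"To: list@example.org\n"
    b"Disposition-Notification-To: dave@example.org\n"
    b"Subject: modern variant\n"
    b"\n"
    b"body\n"
)
SAMPLES = [PLAIN, FOLDED_RECEIPT, BODY_ONLY, MDN]

if __name__ == "__main__":
    for idx, req in flag_receipt_requests(SAMPLES):
        print(f"message {idx}: receipt requested by {req}")
    print("after stripping:", receipt_requests(strip_receipt_headers(FOLDED_RECEIPT)))
```

The folded sample matters because a receipt header split across lines is still one header; a check that only looks for the header name at the start of a single line, as a grep would, still finds it, but a check that reads the value from the same line would miss it, so the example unfolds before reporting.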


------------------------------

From: Paul Robinson <PAUL@TDR.COM>
Date: Fri, 11 Feb 1994 13:38:11 -0500 (EST)
Subject: New Mailing List on Information Problems

This is to announce the creation of a list for the public disclosure of
bugs, system problems, viruses, and any other conditions in a computer
system that people should be aware of so they can fix the problem.

It is also appropriate to report security holes, dangerous conditions
in PBXs, cellular and wire telephone systems, and other
computer-controlled devices.  Also reports of things such as default
accounts and passwords on systems that should be changed, etc.

The focus will be on reporting clear descriptions of problems including
how to generate them.  The idea being that this will alert people to
the nature of certain problems that they might be unaware of.
Reproducing these conditions lets others know what is being done, and
can allow people to post solutions on how to block them.

The purpose in creating this list is that currently, the only means
available for reporting discovered security holes in computer
systems and possibly other areas is via the Computer Emergency Research
Team (CERT) out of Carnegie Mellon University.

The problem with CERT reporting is that the reports generally tend to
be done in secrecy, and it fails to let system administrators and
others know about what is happening so that these things can be fixed.
In short, CERT acts like a black hole and takes too long to publicize
problems until lots of places get hit because they didn't know about
it.

Some people feel that reports should not be publicized because
potential reports might become available to "the bad guys."  Well, the
truth of the matter is that "the bad guys" trade their discoveries
around all the time; the current use of secrecy is only hurting "the
good guys" who want to protect their systems.

This list has just been created, and pending creation of an automated
processor will be temporarily moderated since my current equipment does
not yet tell me what address the message is sent to.  This will be
changed in the next two weeks.

There will, however, be two addresses.  The general list will be

PROBLEMS@TDR.COM

which is used to post a report to the list.  To subscribe to the list,
use

PROBLEMS-REQUEST@TDR.COM

Currently, both addresses are moderated.  This will change shortly as I
upgrade the software on my system.  Persons wishing to make a report
but not be identified should state so in the text of their message.  In
the future, they will do so by using the -request address which will
come to me directly.

Persons wanting to receive this service by facsimile should contact me
for details.  All messages requesting subscriptions or posting
information will be acknowledged.  Please pass this announcement
around.

It is my intent to set this up such that people can publicly report
known bugs, viruses and problems in clear detail so everyone knows
about them and can encourage much faster response to these problems
than is currently available.  It may even embarrass some manufacturers
into making fixes sooner when their errors are glaringly exposed in
public.

---
Paul Robinson - Paul@TDR.COM


------------------------------

From: jeg@aurora.jhuapl.edu (John Grimes)
Date: Sat, 12 Feb 1994 01:47:49 GMT
Subject: Re: Data Encryption and Privacy -- PGP Issues
Organization: Johns Hopkins Continuing Professional Programs

   >close@lunch.asd.sgi.com (Diane Barlow Close) writes: Earlier I asked
   some questions about PGP (and other stuff) and found out that PGP
   stood for a really good encryption system.  Then someone pointed out
   to me that PGP implements the RSA public-key encryption algorithm,
   and there is a patent on the use of RSA for digital communication,
   and that includes email.  I also said if you use PGP to encrypt or
   sign email which you then send to someone else, and you have not
   obtained a license for use of the patent from the patent holders,
   you are "infringing" the patent.

     >>"Tansin A. Darcos & Company" <0005066432@mcimail.com> wrote: PGP
     IS freely available and free to use and its use infringes on
     nothing: Late last year, the owners of the 5 patents dealing with
     RSA encryption  (PKP Partners, Inc.) made a special arrangement
     with the National Institutes of Science and Technology that in
     exchange for a trade of certain encryption inventions developed by
     NIST to them, they would make the following provisions: -
     Individuals using RSA encryption (which would include the methods
     used in PGP) may do so *royalty free* and *without having to
     obtain a license*;

   >Rest deleted.  That left me totally confused.  Does PGP infringe or
   doesn't it?  Are there exceptions or aren't there?  I wrote to Jim
   Bidzos asking for clarification and he basically said that the stuff
   about PGP being free and legal was pure fiction.  Jim said that PGP
   is definitely unlicensed and is considered infringing by the patent
   holders.

    >>jim@RSA.COM (Jim Bidzos) wrote: I was sent a copy of statements
    you made that RSA had made some licensing deal with the government,
    and that somehow this legitimized the use of pgp.  This is not
    correct.  You are probably referring to a Federal Register
    announcement last year in which it was proposed that the govt would
    get a license to use several PKP patents and PKP would license
    those patents uniformly to the private sector.  This proposal was
    for a proposed Digital Signature Standard, never mentioned the RSA
    algorithm, never included the RSA patent, never had anything to
    with pgp, and was never executed anyway.

    >>Making, using, or selling or distributing pgp, which is
    unlicensed, is considered infringement by the patent holders, who
    reserve all rights and remedies at law.  This has been made clear
    on many occasions and in many places, including letters written to
    CompuServ, AOL, and to a large number of universities, all of whom
    now prohibit its use or distribution, as stated in responses to us
    from their counsel.

    >>There is, however, free and properly licensed source code for
    encryption and authentication using the RSA cryptosystem for
    non-commercial purposes.  This software is called RIPEM (for a
    copy, email the author, Mark Riordan at mrr@scss3.cl.msu.edu), and
    is based on free crypto source code called RSAREF (send any message
    to RSAREF@RSA.COM).  Further, commercial licenses are available at
    low cost for RIPEM; however, in cases where consumer privacy is the
    application, no-cost commercial licenses have been and are
    routinely granted.

Just because Jim Bidzos, PKP Partners, Inc., et al say that PGP is an
infringement of the RSA patent does not make it so.  To the best of my
knowledge this issue has not seen a court room and until it does any
rights claimed by the patent holders are just claims without teeth.
This legal fearmongering bugs me to no end; I would like to see PKP
Partners Inc. take their claims to court and get a definitive
establishment of their "rights" before firing off responses like this.
I am no legal expert, but a patent only gives the right to sue, it does
not give the patent holder the final ruling on the extent of their
rights granted under the patent or what the patent covers.

John
jeg@aardvark.jhuapl.edu


------------------------------


End of Computer Privacy Digest V4 #029
******************************