Date: Thu, 17 Feb 94 12:53:58 EST
Errors-To: Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From: Computer Privacy Digest Moderator <comp-privacy@uwm.edu>
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V4#032
Computer Privacy Digest Thu, 17 Feb 94 Volume 4 : Issue: 032
Today's Topics: Moderator: Leonard P. Levine
Re: WA state bill could censor VR and multimedia
Re: WA state bill could censor VR and multimedia
Free Encryptor. Come n' get it.
Electronic Food Stamps
Re: Clipper Overseas
"Big Brother Inside" Logo
Government Encryption Policies and Internet Break-ins
Re: Clipper Overseas
Re: Privacy in Mailing Lists
Cellular phones
National Information Infrastructure Testimony
The Computer Privacy Digest is a forum for discussion on the effect
of technology on privacy. The digest is moderated and gatewayed into
the USENET newsgroup comp.society.privacy (Moderated). Submissions
should be sent to comp-privacy@uwm.edu and administrative requests
to comp-privacy-request@uwm.edu. Back issues are available via
anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp"
with password "yourid@yoursite". The archives are in the directory
"pub/comp-privacy". Archives are also held at ftp.pica.army.mil
[129.139.160.133].
----------------------------------------------------------------------
From: finagler@leland.Stanford.EDU (Bradley James Rhodes)
Date: 16 Feb 1994 04:23:02 GMT
Subject: Re: WA state bill could censor VR and multimedia
Organization: Stanford University, CA 94305, USA
Robert Jacobson <cyberoid@u.washington.edu> writes:
The bill was amended to remove this clause and to simply state that
virtual reality, like other media (including videogames), should
have an age-group rating concocted by the local software
association. It's fairly sure that the bill may go through other
changes in a conference with a House bill not containing these
clauses.
I called today (2/15) and it appears the clause was indeed taken out by
the Ways and Means committee.
------------------------------
From: Chuck Weckesser <71233.677@CompuServe.COM>
Date: 16 Feb 94 11:12:35 EST
Subject: Re: WA state bill could censor VR and multimedia
The Washington State Bill does not have a prayer of passing muster with
the Supreme Court. This is settled law. Their bill will fail. I bet my
next paycheck on it.
One cannot interfere with any aspect of the First Amendment except so
called "fighting words" (e.g. yelling "fire" in a crowded theater).
------------------------------
From: qwerty@netcom.com (Xenon)
Date: Wed, 16 Feb 1994 07:48:01 GMT
Subject: Free Encryptor. Come n' get it.
Organization: PGP Info Clearinghouse.
-----BEGIN PGP SIGNED MESSAGE-----
When in the Course of human events, it becomes necessary for one people
to ensure their own right to privacy, they get PGP :-).
Tired of sending your e-mail on postcards? Send me mail with Subject
"Bomb me!" to get Gary Edstrom's PGP FAQ and my "Heres' How to MacPGP!"
guide. (They are also available by anonymous ftp to netcom.com in
/pub/gbe and /pub/qwerty).
PGP is the free encryption program designed by Phil Zimmerman, and is
available for most any computer.
-=Xenon=- <qwerty@netcom.com>
-----BEGIN PGP SIGNATURE-----
Version: 2.3
iQCVAgUBLWGI2ASzG6zrQn1RAQHcbAP/eXmlL1cCWW0WuRIk51LW+76BAbc+Oh33
YjJHXpZJqT+oDAilG/mZTulS+E2Ea0U1TnAQ5oaph+4kDV9vaa9T1Xr9gqxAIceJ
qojhnB56iHyQ1P5zorhB3slOFzLp7SMcyiLNTHKbld+kAWHJimD08FkQkLphLk/N
r0ARUwIYStM=
=+A4f
-----END PGP SIGNATURE-----
------------------------------
From: "Mich Kabay / JINBU Corp." <75300.3232@CompuServe.COM>
Date: Wed, 16 Feb 1994 08:28:46 -0600 (CST)
Subject: Electronic Food Stamps
Posted in Risks by: "Eric Burch" >INTERNET:burch@vnet.IBM.COM
15-Feb-94 08:54 ESTRe: Lone Star cards
In RISKS 15.54 you wrote (actually, quoting a newspaper reporter)
about Texas starting to distribute "Lone Star" cards in lieu of
paper food stamps. In the state of Maryland, we've had the
"Independence" card, which does the same thing for about a year
(the advantages of a smaller state, I guess). From what I've
heard, it has cut down on food stamp fraud, and since it's tied
into the supermarket scanner, only the correct foods are covered by
the card. (On the shelves, where the price is displayed, the
supermarket will display a "WIC Approved" sticker next to the items
that are covered by the card).
The device that accepts the card is a small keyboard/mag card
reader next to the small shelf mounted above the scanner proper
(used to, say, write checks). From what I've seen, the
'Independence' card works well (although the keyboard used to enter
the PIN is a bit too exposed). The big Risk is that the same
device is used to pay for groceries on your credit or ATM card. In
the case of the ATM card, you have to enter your PIN (big-time Risk
there; I never pay this way)--but if you use your Visa or
MasterCard YOU NEED NOT ENTER ANY IDENTIFYING INFORMATION! If you
want to pay by credit card, you take the card out of your wallet,
put it through the mag card reader, return it to your wallet (the
cashier never looks at the card since they are busy scanning
products).
When it's time to pay, you tell the cashier that you're using a
card, they press a key, a confirmation message comes up on the
device (you then press the "yes" key), you wait a few seconds for a
bank approval, sign a slip that printed up (since the cashier never
saw your card, who's to say if the signature is forged?) and walk
out with your purchase. I'd guess that the procedure is that the
cashier has to examine the card, but rarely happend in practice.
It's an exercise of the reader to identify the risk here. The slip
that is signed is just a printout on the same stock as the
receipt--not anything that is forwarded to the credit card company
(so it seems). I guess this way even small-time hoodlums can feed
their families easily :-)
(Feel free to pass this to Risks digest--I'd guess you're getting
mail from all over and you can edit the followup contribution with
the juciest tidbits.)
<<end>>
Michel E. Kabay, Ph.D.
Director of Education
National Computer Security Association
------------------------------
From: howland@walrus.mvhs.edu (Curt Howland)
Date: Wed, 16 Feb 1994 15:20:13 GMT
Subject: Re: Clipper Overseas
Organization: Worlds Welfare Work Association
Christopher Zguris <0004854540@mcimail.com> writes:
I haven't seen this discussed so I'm going to ask.
You haven't been over in comp.org.eff.david-sternlight receintly...
What are the implications for Clipper's use on communications
between US and foreign countries and companies?
Everything your post alludes to, in my opinion. Clipper is a secret
system, where the keys are burned in during manufacture. Therefore, ALL
clipper chips will have their keys held by the US government. It's part
of the spec.
It's a given that the NSA monitors a lot of data communications,
That's what they exist for.
and I remember reading about the monitoring ofUS communications
using NSA equipment in foreign countries thereby by avoiding the
issue of monitoring on US soil,
When anyone cares to ask, that's their reasoning.
so couldn't the same trick be used to monitor communications in
foreign countries that would also include US links?
This is the simplicity of abuse that Clipper lends itself to. It's not
a matter of the NSA/spooks WANTING to be able to listen at will, but of
them designing a system themselves for the "good of all" that hands
them this capability. The designed the entire system, and we can only
wonder what it really does, since it's illegal to know.
Having an 80 bit key and the NSA is like leaving a kid in a candy store
and expecting that he won't know how to open the jars. They will find a
way.
As far as privacy goes, the desire is there for just the nitch that
Clipper fills for the individual/corp. Clipper's noise is making a lot
of people take notice of just how open things are to listening most of
the time, I only hope other options get created while Clipper is still
"voluntary".
---
Curt Howland "Ace" DoD#0663 EGFC#011 EFF#569
howland@walrus.mvhs.edu '82 V45 Sabre
"Laws do not persuade just because they threaten."
-Seneca, 65 AD
------------------------------
From: Dave Banisar <banisar@washofc.cpsr.org>
Date: Wed, 16 Feb 1994 10:24:49 EST
Subject: "Big Brother Inside" Logo
Organization: CPSR Washington Office
Big Brother Inside Logo A parody of the Intel's Logo modified for the
Clipper Chip is now available for use for stickers, posters, brochures
etc.
The Big Brother Inside graphic files are now available at the CPSR
Internet Archive - ftp/gopher cpsr.org /cpsr/privacy/crypto/clipper
big_brother_inside_sticker.ps (postscript-scale to fit your project)
big_brother_inside_logo.gif (Color GIF - good startup/background screen)
big_brother_inside_picts_info.txt (Info on the files)
The files have also been uploaded to America Online in the Mac Telecom
and Graphic Arts folders.
big_brother_inside_sticker.ps is a generic postscript file, created in
CorelDraw. The postscript image lies landscape on the page, and
consists of the intel-logo's ``swoosh'' and crayon-like lettering on
the inside.
This design was originally created for the sticker project: the image
was screened onto transparent stickers 1" square for the purpose of
applying them to future clipper-chip products. (cdodhner@indirect.com
was in charge of that project; as far as I know he's still distributing
them for a small donation to cover printing & mailing costs).
The design was created by Matt Thomlinson <phantom@u.washington.edu>
------------------------------
From: Paul Robinson <PAUL@TDR.COM>
Date: Wed, 16 Feb 1994 13:26:05 -0500 (EST)
Subject: Government Encryption Policies and Internet Break-ins
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA
Bill Stewart <wcs@anchor.ho.att.com>, writes in newsgroup alt.security,
among others:
[Sure would be nice if the EFF or CPSR would put out a press
release along these lines. Anybody?]
The news from the Information Superhighway hasn't been good this
week. Major breakins have been occurring
If it's the "Information Superhighway", shouldn't that read "major
Carjackings" rather than breakins? :)
from someone who's been stealing users' passwords as they log in
across the net, using them to break into their machines, and using
their machines to watch the net for more passwords. It's not
really that hard to stop - encryption technology has been available
for several years that sends passwords across the net in encrypted
form the eavesdroppers can't use - but most people haven't deployed
encryption. Why not?
P.I.T.A. (Pain in the 'somewhere') and costly. Security is a pain; as
I write in my mailing list, backups, among other things, are like
getting your teeth cleaned; something you put off because it's
unpleasant.
Well, part of it's just laziness, but in large part the use of
encryption has been restricted by the government's Cold War era
policies against developing, using, or distributing encryption
software.
If you want to take the laws on encryption on its face, there is no
restriction on a private party creating an encryption program for use
in the United States; that much isn't in question. The government may
be pushing the trojan horse "Clipper" chip, but people can still use
any encryption method they can buy or obtain. The real issue that
seems to bother people is international transmissions.
Also, the people that own the trademark "Clipper" for a type of
microprocessor chip should sue the government for damages, since the
various agencies have in effect used eminent domain to sieze a private
trademark for public purposes.
Encryption is the mathematical privacy coding that lets people send
their passwords and conversations privately. If you want to sell
encryption software overseas, you have to get a munitions export
license, just as you would for exporting assault rifles or nuclear
weapon parts,
Whether this is correct or not is another issue. I believe there are
exceptions for anything which is public domain, publicly available in a
store over the counter, or otherwise has no special restrictions on
purchase. I may be wrong on this point.
and they'll only give you a license for crippled software that the
NSA can break easily, unless you're a bank or selling to a
"friendly" government's military. If you want to sell encryption
software in the US, you can't export it, which means you have to
sell separate US and export versions.
People believe they cannot legally export this material, which serves
the same purpose, whether or not it actually is illegal (a prohibition
which imposes a penalty and can stand constitutional challenge) which
is another question.
And if you want to give it away free, like lots of university and
public domain software, you can't just post it to the net or make
it available for ftp (the Internet version of the public library),
without risking years in jail or at least having your computers
confiscated while the government tries to decide whether to indict
you - and you'd better be able to afford some *very* good lawyers.
Can this sort of free speech really be illegal? Nobody's really
sure, the government won't give you permission and few people want
to risk the jail time to find out if they'll give you forgiveness.
It is my personal opinion that the ITAR rules declaring written
computer programs to be in the same class as munitions or ordnance to
be a "prior restraint" within the meaning of various court cases and
that it possible someone could frame a case for having the ITAR
restrictions declared unconstititutional on those grounds. There are
generally only two reasons the courts will tolerate prior restraint:
obscenity and national security. The first one isn't applicable (ever
seen a porno version of PGP? I haven't, and I'm certain alt.sex would
have postings about it) and the second is "national security". The
second might be stronger, but in this case, the way the laws are
written they are not written to that purpose, but explicitly as a
licensing scheme which IMO is not permitted.
One need only ask one question: if a listing of a cryptographic program
were printed in the {New York Times}, would the Times have to have a
license in order to send copies of its papers outside of the U.S. If
not, then people doing the same thing on computer should not be
required to obtain a license, and if so, the regulations requiring a
license, in effect, represent a license on the content of material and
thus represent an unconstitutional attempt to suppress content.
Now someone (as Vice President Al Gore did) might point out that
cryptography can be used to fight wars. Well, there are two points:
one, the particular law restricts even the export of untouched computer
programs once imported into the U.S. This would be on the order of
forbidding the {New York Times} from reprinting articles appearing in
the {London Observer} when the Times is then reprinted in its sister
paper, the International Herald Tribune.
Also, generally "national security" has only been able to be argued for
works that are secret. This material is published worldwide and thus
is not secret; further, it is printed material and as such is subject
to the full protection of the first amendment.
If the online community is really upset over this, the answer is to
find some lawyers who either are willing to do this for free, or find
someone willing to pay to fight the law in court. It is possible to
file a lawsuit to have a law or regulation declared unconstitutional;
it is for that very reason that people cannot in some cases afford to
break a law that is untenable.
There is a very old history behind this in that the NRA was declared
unconstiutional in the 1930's case of _Schecter v. NRA_. (No, this is
the National Recovery Act/Administration, not the National Rifle
Association.)
------------------------------
From: kec@stubbs.ucop.edu
Date: Wed, 16 Feb 94 17:10:11 PST
Subject: Re: Clipper Overseas
Organization: University of California, Berkeley
<0004854540@mcimail.com> writes:
I haven't seen this discussed so I'm going to ask. What are the
implications for Clipper's use on communications between US and
foreign countries and companies? If company A in the US is
communicating with Company B is some other part of the world over a
Clipper-encrypted data link couldn't the NSA legally monitor and
decode the communition if they chose to do so?
This is a *very* interesting question. As you may recall, CPSR had
some strong objections to NSA's involvement in the development of
Clipper, which seemed especially inappropriate for encryption that
would be used within the US (NSA isn't supposed to do its "spying"
within our borders). But this question that Christopher brings up
could very explain explain their interest.
I can't imagine that foreign companies are going to be willing to
purchase and use software that carries encryption that is escrowed by
the US. And the market for software is decidedly international. Also,
if the email system I'm using in the US uses Clipper, how am I going to
send mail to overseas users? Will they have to accept the conditions
of Clipper in order to communicate with me?
It all seems awfully short-sighted to me.
------------------------------
From: root@cu48.crl.aecl.ca.sun (System Admin)
Date: Wed, 16 Feb 1994 19:35:31 GMT
Subject: Re: Privacy in Mailing Lists
Organization: AECL Research
Use an anonymous posting service like anon.penet.fi...
Martin A. Thompson WORKSTATION/NETWORK ADMINISTRATOR FOR NUCLEAR
PHYSICS BRANCH (WITH MATHEMATICS AND COMPUTATION BRANCH) STN. 49 CRL,
CHALK RIVER ONTARIO, CANADA (613) 584-3311 x 4087 (or x4157 to page me)
FAX: (613) 584-1800 root@cu48.crl.aecl.ca
------------------------------
From: jkayany@garnet.acns.fsu.edu (Joseph Kayany)
Date: 17 Feb 1994 01:16:15 GMT
Subject: Cellular phones
Organization: Florida State University
I am looking for a few cellular phone users who would spare me 5
minutes. I have three questions to ask in connection with a research
we are conducting. If you are a cellular phone user and don't mind
talking with me, please send me a note to: jkayany@garnet.acns.fsu.edu
Thanks a million
------------------------------
From: Robert Ellis Smith <0005101719@mcimail.com>
Date: Thu, 17 Feb 94 09:28 EST
Subject: National Information Infrastructure Testimony
PRINCIPLES OF PRIVACY
FOR THE NATIONAL INFORMATION INFRASTRUCTURE
Robert Ellis Smith
Publisher, PRIVACY JOURNAL, and Attorney at Law
Before the NII Task Force Working Group on Privacy
January 26, 1994
1. Any analysis of the National Information Infrastructure must
recognize that privacy includes more than an expectation of
confidentiality. The right to privacy also includes (1) freedom from
manipulation by others and (2) the opportunity to find safe havens from
the crassness and commercialism of daily life.
2. The infrastructure must be an INFORMATION-TRANSFER medium, not a
SALES medium. It must be primarily an INFORMATION medium, and only
secondarily an ENTERTAINMENT medium. (Will the information
superhighway be only another way to exploit couch potatoes?)
3. It must have different levels of security and confidentiality so
that some sector in it allows for confidential communications. These
communications could be intercepted by law enforcement only under
current Fourth Amendment guidelines. Aside from that, in the
confidential portion of the infrastructure, there must be strict
penalties for the interception of any PERSONAL data without the consent
of BOTH the sending party and the person who is the subject of the
data. And for aggrieved individuals and organizations there should be
a right to sue for breaches of confidentiality.
4. There must be some portion of the infrastructure free from
commercial messages and free from the commercial uses of the names and
electronic mail addresses of the users. Even though it is
commercial-free, this sector need not necessarily be operated by the
government or a non-profit entity.
5. In the sectors of the infrastructure available for use by
individuals, there must remain opportunities for ACCESSING
(non-personal) data anonymously (as exist in a library situation now).
Whether to permit anonymous MESSAGE-SENDING in these sectors remains,
for me, an open question. To deny this will deprive the network of
much of its spontaneity, creativity, and usefulness; however, to permit
anonymous message-sending runs the risk of having these sectors
dominated by obscene, inaccurate, slanderous, racially and
sexually-insulting chatter - and worse.
6. Privacy interests are less compelling, to me, in two other sectors
of the proposed infrastructure. In those sectors transmitting
proprietary business information and sensitive business dealings, the
organizations using the network will see to it themselves that security
meets there needs, and they will have the resources to pay for it. By
the same token, in those sectors providing point-of-sale services
(presumably from the home), companies offering these services will
provide adequate security or risk losing customers.
7. The infrastructure ought not become a means for large conglomerates
to transfer personal information between and among subsidiaries where
the data-handling is regulated (credit bureaus, cable companies,
medical providers) and entities where the data-handling is not
regulated (telephone providers, brokerages, credit-card processors,
telemarketing).
___________
Rather than proposing specific safeguards -- which can be drafted later
-- the task force can be most effective in 1994 by establishing the
DOMINANT THEMES of the infrastructure: information-transfer, not
commercialism; democratic access not corporate dominance; diversity (in
usage as well as in levels of security) not conformity.
------------------------------
End of Computer Privacy Digest V4 #032
******************************
.