Date:       Wed, 02 Mar 94 13:00:58 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V4#037

Computer Privacy Digest Wed, 02 Mar 94              Volume 4 : Issue: 037

Today's Topics:			       Moderator: Leonard P. Levine

                     Re: Privacy and Sexual Crimes
                   Re: Electronic Banking - CheckFree
                   Computer databases of information
          FBI Digital Telephony Proposal and PCS mobile phones
                     Re: EFF on FBI Telephony Bill
                     Re: EFF on FBI Telephony Bill
                Re: Van Eck Radiation Helps Catch Spies

   The Computer Privacy Digest is a forum for discussion on the effect 
  of technology on privacy.  The digest is moderated and gatewayed into 
  the USENET newsgroup comp.society.privacy (Moderated).  Submissions 
  should be sent to comp-privacy@uwm.edu and administrative requests 
  to comp-privacy-request@uwm.edu.  Back issues are available via 
  anonymous ftp on ftp.cs.uwm.edu [129.89.9.18].  Login as "ftp" 
  with password "yourid@yoursite".  The archives are in the directory 
  "pub/comp-privacy".   Archives are also held at ftp.pica.army.mil
  [129.139.160.133].
----------------------------------------------------------------------

From: swayne@draper.com (A. Steven Wayne)
Date: Tue, 1 Mar 1994 17:49:31 GMT
Subject: Re: Privacy and Sexual Crimes
Organization: The Charles Stark Draper Laboratory, Inc.

    Chuck Weckesser <71233.677@CompuServe.COM> wrote: Should Rapists
    And Pedophiles Be Forced To Register With The Authorities Every
    Time They Move Away?

There are two issues here: the rights of the individual (who I assume
to have been previously convicted) and the security of society.  Since,
in many cases, these deviants suffer from an essentially incurable
mental illness and are likely to be a danger to society and neither
they nor society will gain anything by further incarceration; society
might reasonably look to protect itself by keeping tabs on these
individuals.


------------------------------

From: matt@ra.oc.com (Matthew Lyle)
Date: Tue, 1 Mar 1994 18:24:30 GMT
Subject: Re: Electronic Banking - CheckFree
Organization: OpenConnect Systems, Dallas, TX

    Hyatt_Edward_R@byu.edu writes: I have thought about using the
    CheckFree service, but I am worried about the prospect of giving
    them my SS#, bank account #, etc.  Can I trust their claim of
    confidentiality; and what would protect my information from being
    disclosed to other organizations?  I would like to hear what others
    think.

They will set up the account without having your SS#.  Mine is set up
with CheckFree that way.

-- 
Matthew Lyle                                           matt@oc.com
                                                       matt@utdallas.bitnet
                                            (NeXTMail) matt@cubist.intosh.com
OpenConnect System, Dallas, Texas                      (214) 888-0474


------------------------------

From: chiang@berdis.ecn.purdue.edu (Ray Lon Chiang)
Date: Tue, 1 Mar 1994 19:01:33 GMT
Subject: Computer databases of information
Organization: Purdue University Engineering Computer Network

I am currently taking a class on Cryptography and Privacy.  One of the
class' "assignments" (not graded, just for "fun") is to look up various
computer information databases which exist, and mention any privacy
issues for each of these databases.

I've found a great deal of information online (cpsr.org,
ftp.convex.com, various FAQs), but I still have a few questions.  I'd
appreciate replies by email.  I will post a summary if people want it.

In any case, if I've glossed over anything, I'd appreciate any pointers
to information or direct information.  Also, if you provide direct
information and want anonymity, please say so in your email.

-Ray

PS: Is there any research going on regarding ensuring accuracy of
    databases?  After reading most of the privacy-related newsgroups for
    several years, I've never really seen any such information.  I'm
    just making mention of it because of all of the comments like "30%
    of all entries in such-and-such database has errors or is
    ambiguous."

 -------------------------------------------------------------------------------

1) Compuserve's Phonefile

   I remember reading something about the Phonefile system on
   Compuserve.  However, since I don't have a Compu$erve account (nor
   do I want one for the obviou$ reason$), I don't have any details
   about how this system works.

   - What kind of searches are possible with this database?  (e.g.  Is
   it possible to do multiple field searches with boolean expressions?
   Is it possible to use some sort of wildcard search?)

   - How much information is on this database?  Is a given user's
   address, phone number, etc. in there?  How many users are there?

   I'd appreciate it very much if anyone could give me some pertinent
   details.

2) Reverse-Tracing Phone Numbers

   Obviously, the phone companies can (and usually will) do this.  I'm
   wondering if some of the other 1-900 numbers which allow you to do
   this maintain their own database (as opposed to having some sort of
   connection to various phone companies).

3) Company Employee Records

   Any company keeps records of its employees, both past and present.
   I suppose the main issue here concerns the availability of such
   information and the duration for which certain bits of information
   (e.g. drug tests, tax records, health insurance, etc.) are kept.
   Exact policies might be nice to see, but I'd like to get a general
   idea of the ranges.

   I know that at least some sort of record is kept since I was
   required to use the same employee number from one summer job and
   another summer job at the same company several years later.

4) Federal Records

   The government probably has the single largest combined database of
   information on most individuals, law-abiding or otherwise.  :)  I
   would expect that most of this information is distributed across
   many departments.  I suppose some of the more obvious would be:

   - Criminal records with the FBI (in the NCIC).
   - Tax records in the IRS.
   - Medical information in the MIB.

   I would appreciate it if anyone would point out the many (i.e.
   notable bureaus under each of the government departments)
   combinations of (type of record)/(government bureau) that exist.

   Note: I've taken a look at the Federal Register at
   gopher.internet.com, but it's rather obscure.  I'll probably take a
   look at the paper version if it's available here...

5) Mailing List Companies/Credit Bureaus

   I've called a few places for information, but some of these people
   were relatively unhelpful (or unfriendly).  I suppose I'm just
   looking for more specific information about who these types of
   companies generally deal with.

Just as an afterthought, I noticed that a lot of the people I talked to
at specific companies weren't particularly helpful.  For the most part,
I guess they were confused by various requests.  I'm not too sure if
this is an effect of customer service-type people, since this is the
first time I've dealt with customer service people I couldn't
communicate with effectively.


------------------------------

From: "M. Hedlund" <hedlund@netcom.com>
Date: Tue, 1 Mar 1994 12:05:01 -0800 (PST)
Subject: FBI Digital Telephony Proposal and PCS mobile phones

[N. B. -- this article has also been posted to comp.risks and sent to
the EFF and Wired.]

This article elaborates on part of the EFF statement issued last week
concerning the FBI's proposed Digital Telephony wiretap bill.  The EFF
condemned the bill, which enlarges law enforcement powers of
surveillance, granted by wiretap laws, by adding tracking ability.
Addressed herein is point two of the EFF statement, concerning the
surveillance of mobile communicators, such as cellular phones,
Personal Communications Services (PCS) and laptop computers.  PCS
mobile phones create severe privacy risks for future phone users,
especially under the FBI's proposal; and these risks strongly support
the EFF's position.

The FBI asserts that their proposal adapts existing wiretap laws to
account for emerging communications technologies.  Wiretap laws have
not adequately covered mobile communications, and the FBI is correct to
assume that some revisions will be necessary to adequately balance law
enforcement needs with the privacy rights of mobile phone users.  Their
proposed revisions, however, do not simply provide for wiretap;
instead, the FBI seeks to expand wiretap laws, allowing law enforcement
officers to track the signalling information of mobile communications
users.

The EFF believes that the FBI proposal would create an enormous hole in
the privacy rights of individuals suspected of crimes.  Their statement
notes:

    It is conceivable that law enforcement could use the signalling
    information to identify the location of a target.....This provision
    takes a major step beyond current law in that it allows for a tap
    and/or trace on a *person*, as opposed to mere surveillance of a
    phone line.

This fear is completely realistic.  It is not simply "conceivable" that
the FBI's proposal would allow law enforcement to surveil the location
of a target -- positioning technology is a planned part of PCS
networks, one of the technological advances anticipated by the
proposal.  Similar positioning technology is planned for cellular
phones, as well.

PCS advances cellular phone technology by integrating mobile
communications with other phone networks, and by expanding the services
and quality mobile phones can offer.  Most PCS proposals involve three
forms of mobility: terminal mobility, the ability to make and receive
calls at any location, and the ability of the phone network to track
the location of the mobile phone; personal mobility, the ability of the
user to be reachable by a single phone number at all times; and
service mobility, the ability of the user to access CLASS(sm)-like
features, such as Call Waiting and Caller ID, from any phone they use.

The FBI proposal requires phone companies, when presented with a
wiretap order, to transmit the content and the signalling, or "call
setup information," from the tapped phone to law enforcement officers.
With a wireline phone, such as a residence phone line, call setup
information would comprise only the originating and dialled phone
numbers, as well as billing information (such as the residence address)
for the call.  Because of the wireless aspect of PCS, however, call
setup information for a PCS phone includes very detailed information on
the location and movement of the caller.

PCS mobile phones will connect with the phone network via "microcells,"
or very small receivers similar to those used for cellular phones.
While a cellular network uses cells with up to an 8 to 10 mile radius,
PCS networks will use microcells located on every street corner and in
every building.  The call setup information for a PCS call would
include the microcell identifier -- a very specific means of locating
the user.  An order for a PCS wiretap would allow law enforcement
officers to receive a detailed, verifiable, continuous record of the
location and movement of a mobile phone user.

These phones are also likely to "feature" automatic registration:
whenever the PCS mobile phone is on (in use or able to receive calls),
it will automatically register itself with the nearest microcell.  Law
enforcement agencies, able to track this registration, would have the
equivalent of an automatic, free, instantaneous, and undetectable
global positioning locator for anyone suspected of a crime.

PCS tries to improve on cellular phone privacy and security by
incorporating cryptographic techniques.  Encryption could not only
create a secure phone conversation, but could also (coupled with use of
a PIN number) insure that only a valid subscriber could make calls on a
particular phone, preventing fraudulent calls on stolen phones.  An
additional phone-to-network authentication could prevent fraudulent
calling through a "masquerade" phone designed to simulate a user's
registration.

But the FBI proposal would require that such encryption be defeatable
in wiretap circumstances.  As the proposal stands, this form of weak
encryption is distinguishable from the Clipper Chip because the phone
companies, not a key escrow arrangement, enable law enforcement access;
but it is entirely possible that the Clipper Chip could be used as the
encrypting device.  In either circumstance, PCS encryption could be
compromised by careless or malicious law enforcement officials.
Perhaps it is time for Phil Zimmermann and ViaCrypt to begin work on
PGPCS -- and let us all hope we are so lucky.

The cellular phone market is tremendous, and analysts believe that the
PCS market, incorporating both voice and data communications, will be
even larger.  Coupled with the FBI's Digital Telephony proposal, PCS
raises many privacy and security risks, making the EFF's condemnation
of the FBI proposal all the more appropriate.

CLASS is a service mark of Bell Communications Research (Bellcore).

For more information:

*	Bellcore Special Report SR-INS-002301, "Feature Description and
	Functional Analysis of Personal Communications Services (PCS)
	Capabilities," Issue 1, April 1992.  Order from Bellcore, (800)
	521-CORE (2673), $55.00.

*	GAO report GAO/OSI-94-2, "Communications Privacy: Federal Policy
	and Actions," November 1993.  Anonymous FTP to cu.nih.gov, in the
	directory "gao-reports".

*	EFF documents, available via anonymous FTP or gopher:
	ftp://ftp.eff.org/pub/EFF/Policy/Digital_Telephony



------------------------------

From: bernie@fantasyfarm.com (Bernie Cosell)
Date: Wed, 2 Mar 1994 00:51:51 GMT
Subject: Re: EFF on FBI Telephony Bill
Organization: Fantasy Farm, Pearisburg, VA

    David M. Berman writes:  If laws such as the FBI Telephony Bill and
    the legislation surrounding the clipper chip, skipjack, etc. come
    to pass, I'm going to have to ignore my excitement about all of
    these new technologies and retreat into the safety of paper for all
    of my information, communication, and financial needs.

You might temper your rather abrupt conclusion by pondering how your
paper provides any safety those other media will not.

    What can we do?  How do we get Geraldo, Dan Rather, Pat Robertson,
    or whichever idiot to whom Americans like to attend, to come out in
    the press against these nightmares?  Haven't we learned any lessons
    from McCarthy, Orwell, or the East Germans?  I've signed the
    clipper petition, I've e-mailed Patrick Leahy, but I still don't
    see any POPULAR debate over these attempts to overrun the
    Constitution.

The reason for that is that there is no such "attempt".  I haven't
heard _anyone_ raise an even *remotely* Constitutional issue with
regard to either Clipper or the Digital Telephony bill.  There is a
HUGE amount of misinformation, intentional exaggeration, and unfounded
paranoia being spread by the anti-clipper, anti-telephony folk,
resulting in a large number of people [perhaps including you,
considering your remarks] getting an incredibly distorted and muddled
picture of the situation.


------------------------------

From: DAZEDTOO <dazedtoo@delphi.com>
Date: Tue, 1 Mar 94 20:50:42 -0500
Subject: Re: EFF on FBI Telephony Bill
Organization: Delphi (info@delphi.com email, 800-695-4005 voice)

    David M. Berman <eyeball@netcom.com> writes: What can we do?  How
    do we get Geraldo, Dan Rather, Pat Robertson, or whichever idiot to
    whom Americans like to attend, to come out in the press against
    these nightmares?  Haven't we learned any lessons from McCarthy,
    Orwell, or the East Germans?  I've signed the clipper petition,
    I've e-mailed Patrick Leahy, but I still don't see any POPULAR
    debate over these attempts to overrun the Constitution.  We need to
    get creative and get busy.

I know how you feel. I live in Tucson and nobody has been talking about
Clipper and the FBI Digital Telephony Bill at all. Not even the
newspapers. So I got my ass in gear and sent off a couple of letters to
the editors of the newspapers here. I sent mail to nightly@nbc.com
asking them to start reporting on all this stuff on NBC. And just like
other people have done sent off mail to a couple of congress people.


------------------------------

From: herronj@MAIL.FWS.GOV
Date: Tue, 01 Mar 94 17:28:56 MST
Subject: Re: Van Eck Radiation Helps Catch Spies 

    BTW, did you know that Zenith sells a non-Van Eck-able PC, or did
    at one time.  GSA Schedule, no doubt.

These are called Tempest computers.  My previous employment was as a
DOD contractor working on this type of computer as well as more secure
communications systems.

Let there be NO DOUBT that with proper equipment you can be a mile
away and pick up everything going on at a PC or peripheral.  Even with
Tempest equipment, where the case alone can add $20,000 or more to the
price tag,  a couple of loose screws (and the case on a tempest pc
usually has around 25 compared to 5 on a normal pc) can defeat all of
the EMF radiation protection.

We had periodic checks from NSA spooks that came in with their
eavesdropping equipment to monitor us for tempest leaks.  They could
always find something and usually torquing down a few screws would fix
the problem.  Don't think that just because you have many computers
that they wouldn't be able to pick out one from the crowd and monitor
it.  Each computer has a different electronic signature (much like a
different carrier frequency) that allows its signals to be separated
and deciphered.  Normal keyboards, printers and monitors are the
worst.  Imagine sitting a mile away and picking up every scan line that
your monitor generates and reconstructing it.  (By the way our
keyboards operated by blocking light patterns in certain patterns and
detecting this with CCDs, no electro-mechanical noise).


------------------------------


End of Computer Privacy Digest V4 #037
******************************