Date:       Tue, 08 Mar 94 07:54:02 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V4#039

Computer Privacy Digest Tue, 08 Mar 94              Volume 4 : Issue: 039

Today's Topics:			       Moderator: Leonard P. Levine

                         Re: Van Eck Radiation
                   Government Tracking Dorm Residents
                      Ideas for PGP Implementation
                          About Authentication
   Re: EFFector Online 07.04 - FBI Digital Telephony Nightmare Recurs
                        Time Magazine on Clipper
                          Government Databases
                          Government Databases
                 Re: Computer databases of information
                Re: Unsolicited Advertising - A Proposal
                Re: Unsolicited Advertising - A Proposal

   The Computer Privacy Digest is a forum for discussion on the effect 
  of technology on privacy.  The digest is moderated and gatewayed into 
  the USENET newsgroup comp.society.privacy (Moderated).  Submissions 
  should be sent to comp-privacy@uwm.edu and administrative requests 
  to comp-privacy-request@uwm.edu.  Back issues are available via 
  anonymous ftp on ftp.cs.uwm.edu [129.89.9.18].  Login as "ftp" 
  with password "yourid@yoursite".  The archives are in the directory 
  "pub/comp-privacy".   Archives are also held at ftp.pica.army.mil
  [129.139.160.133].
----------------------------------------------------------------------

From: leppik@uxa.cso.uiuc.edu (leppik peter)
Date: 4 Mar 1994 17:08:08 GMT
Subject: Re: Van Eck Radiation
Organization: University of Illinois at Urbana

wbe@psr.com (Winston Edmond) writes:

>Are LCD displays less radiative/monitorable than CRTs?

At least LCD screens don't have miniature particle accelerators inside them,
and all the attendant electromagnetic noise that generates....

-- 
	 Peter Leppik--  p-leppi@uiuc.edu
Assistant Head, Department of Mad Science
University of Illinois at Urbana-Champaign


------------------------------

From: minie@hsuseq.humboldt.edu (Carl Minie)
Date: 4 Mar 94 12:13:23 -0800
Subject: Government Tracking Dorm Residents

	I work at a university which is in the process of installing
several modules of BANNER, an Oracle-based system written for educational
institutions.  The vendor of BANNER, Systems and Computer Technology (SCT),
maintains several Internet lists which are used by SCT to communicate with
BANNER installations and for installations to exchange information.

	Recently, a suggestion was made on one of these lists by a BANNER
site, one of the campuses of the State University of New York, seeking an
enhancement to the BANNER module that involves student housing.  Part of
the suggestion reads as follows:

	"Currently there is no way in BANNER to list all residents of a
particular room by their occupancy dates.  We need this information in
order to bill students accurately for dorm damages.  We are also asked
to provide information to various agencies (Attorney General, FBI, etc.)
that requires verification of a particular student's residency on campus."

	My question is this: why are the Attorney General,
the FBI, et al., verifying student residences?  I would appreciate if
someone with particular knowledge of law enforcement and/or education
would tell me why the government is asking universities to keep track of
dormitory students.  Thank you in advance for your replies.

 -----------------------------------------------------------------
Carl Minie, Systems Analyst        Box: minie@hsuseq.humboldt.edu 
Humboldt State University                     Fax: (707) 826-6100
Arcata CA 95521                               Vox: (707) 826-6120
 -----------------------------------------------------------------


------------------------------

From: soren@argon.gas.uug.arizona.edu (Soren F Ragsdale)
Date: 4 Mar 1994 22:58:16 GMT
Subject: Ideas for PGP Implementation
Organization: University of Arizona UNIX Users Group

                  Ideas For A New Implementation of PGP

      I love PGP and the power that it gives the user (read: allows the
user to retain) through secure electronic communications.  I have, however,
found an inherent limitation of PGP which makes its application more
suitable as a program _feature_ than as a stand-alone application.  I
submit, for your consideration, an idea for a program which would expand
the power and use of PGP with a limited decrease in security.

PGP Limitations:

      Ideally, users would use PGP on all mail as a simple but impermeable
"envelope" against snooping hackers.  Unfortunately, PGP implemented as an
application makes encrypting anything but the most sensitive of information
a relative waste of time and energy.  To use PGP on my Macintosh, for
instance, I would have to launch my text editor, open and compose a new
document, save it, launch MacPGP, encrypt and save the document (deleting
the original), upload the encrypted message (deleting the message on my
computer), open PINE (or whatever mailreader that I would use), send the
message, and delete the original on my host computer.  Nine steps for a
simple message encrypted in a bulletproof fashion.  Receiving and
decrypting a message is similarly complicated.

Ideas for a new program:

      The program which I hope will be produced is a well-written Email
program like PINE with a PGP option.  In the "addresses" file, in addition
to a nickname, real name, and address, the addresses would also allow a
record of the person's public key.  If any messages are addressed to this
person, before the message is sent, the program allows the message to be
automatically and transparently encrypted with the security of the PGP
algorithm.  The encrypted message is sent, without any of the mucking
around with saving or transferring between applications.  Receipt and
decryption should be similarly transparent, with either a command or an
automatic detection of a PGP message and the option of decryption with a
private key.

Limitations of the new program:

      I realize that this method is by no means as secure as the original
PGP.  As stated in the beginning, this reader is intended for casual use to
stop the recreational hacker, rather than a determined hacker or the NSA. 
The sysadmin could monitor keystrokes to find the password to unlocking the
decryption key, and searching through RAM may find scraps of the decrypted
program, but I feel that these limitations are not very important: any need
for a truly secure communication can still be the job of the original PGP
application for a level of security uncompromised by convenience.  

      As it is, sending a message involves weighing the probability of the
information winding up in the wrong hands with the bother of encryption,
and for me, the option of relatively secure encryption online would be a
welcome one.  I would hope that the source code could be written for UNIX,
as this is (as I understand it) where the bulk of Email transfers take
place and would serve well as a common standard.  I welcome further
discussion on the subject and hopefully seeing this necessity of modern
computing become a reality.  Please reply via Email to:
                                                 soren@gas.uug.arizona.edu
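
[Added example, not part of the original post or of any PGP release: a sketch of the send and receive path the message above proposes, with the address book holding a key per correspondent. The address-book entries, the fingerprint, `prepare_outgoing`, `find_pgp_blocks` and the use of GnuPG (`gpg`) as the encryption backend are assumptions made for illustration.]

```python
import re
import subprocess
from email.message import EmailMessage

# Constructed address book: nickname -> real name, address, and the OpenPGP
# key fingerprint held for that person (None when no public key is on record).
ADDRESS_BOOK = {
    "alice": {"name": "Alice Example", "addr": "alice@example.org",
              "fpr": "0123456789ABCDEF0123456789ABCDEF01234567"},
    "bob": {"name": "Bob Example", "addr": "bob@example.org", "fpr": None},
}

ARMOR_RE = re.compile(
    r"^-----BEGIN PGP MESSAGE-----\r?\n.*?^-----END PGP MESSAGE-----[ \t]*\r?$",
    re.DOTALL | re.MULTILINE)


class MissingKeyError(Exception):
    """Raised instead of silently falling back to cleartext."""


def gpg_encrypt(plaintext, fingerprints):
    """Encrypt to every fingerprint with the local gpg binary (assumed to be
    installed, with the recipients' public keys already imported and trusted)."""
    cmd = ["gpg", "--batch", "--armor", "--encrypt"]
    for fpr in fingerprints:
        cmd += ["--recipient", fpr]
    done = subprocess.run(cmd, input=plaintext.encode("utf-8"),
                          capture_output=True, check=True)
    return done.stdout.decode("ascii")


def prepare_outgoing(sender, nicknames, subject, body, encrypt=gpg_encrypt):
    """Build the message, encrypting the body when every recipient has a key.

    Mixed recipient lists are refused: one cleartext copy would expose the
    text that the other copies protect. Headers (Subject included) are never
    encrypted, so they must not carry anything sensitive.
    """
    entries = [ADDRESS_BOOK[n] for n in nicknames]
    keyed = [e for e in entries if e["fpr"]]
    if keyed and len(keyed) != len(entries):
        missing = [e["addr"] for e in entries if not e["fpr"]]
        raise MissingKeyError("no public key on record for: " + ", ".join(missing))
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(e["addr"] for e in entries)
    msg["Subject"] = subject
    msg.set_content(encrypt(body, [e["fpr"] for e in keyed]) if keyed else body)
    return msg


def find_pgp_blocks(text):
    """Return every ASCII-armored PGP message in an incoming body, so the
    reader can offer decryption without the user saving files by hand."""
    return [m.group(0) for m in ARMOR_RE.finditer(text)]
```

[The `encrypt` parameter lets the routing logic be exercised with a stand-in when no `gpg` binary or keyring is available.]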


------------------------------

From: Paul Robinson <PAUL@TDR.COM>
Date: 4 Mar 1994 20:18:23 -0500 (EST)
Subject: About Authentication
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA

One of the readers of my message on biometrics as a form of authentication
(e.g. proof that the person who appears before a clerk is who they claim
to be) was my mentioning of use of documents as authentication where the
clerk cannot biometrically identify you (because they don't know you):

  Dear Paul,

   I was just reading your item in RISKS15.61 and wondered if your choice
  of words was deliberate or not?  :-)

I try to use my words in a manner which makes clear what I am saying, and 
I use words, whenever possible, in a precise manner.

  However, when someone else needs to identify you and doesn't know you, 
  they usually have to rely on authentication.  Usual forms of 
  authentication are various forms of paper, photographic/multimedia, 
  and/or magnetic authentication issued by a government or trusted 
  third-party.                                          ^^^

OR as in "as opposed to?"

Perhaps, but that's not quite right.  For example, the ID card issued by a
university to its students, or by an employer.  An ID issued by "Ajax
Check Cashing Service" is a nontrusted third party and is usually of zero
value for identification to any other party, while the photographic ID
issued to employees of the local telephone company is usually given a
very high authentication value by other parties. 

Credit cards from any of the major (inter)national issuers (American
Express, Carte Blanche/Diner's Club, Discover, Master Card, Visa), have
good authentication value when presented with some other identification,
usually a motor-vehicle operator's permit card ("driver's license"), 
especially when trying to have the party accept a draft or negotiable 
instrument from you, e.g. writing a check to pay for groceries in the
checkout counter.

Highest authentication usually is reserved for government-issued ID.  The
higher the level, the more acceptable it is and the higher the
credibility.  Personal experience in California - back when I could not
obtain a credit card - was that a drivers' license alone was next to
useless to get a place to accept a check, probably due to transients and
people who bounced checks and moved on.  But present a U.S. Passport and
many places would accept that *alone*.  With a drivers license and
passport the acceptance rate was effectively 100%. 

What does a passport prove?  That you have a birth certificate, a drivers'
license, two photos and $40.  That and an application at a post office 
was all it took to get one.  In fact, mine expires next year after 
having had one for 10 years.

---
Paul Robinson - Paul@TDR.COM
Voted "Largest Polluter of the (IETF) list" by Randy Bush <randy@psg.com>


------------------------------

From: wbe@psr.com (Winston Edmond)
Date: 5 Mar 1994 19:41:37 GMT
Subject: Re: EFFector Online 07.04 - FBI Digital Telephony Nightmare Recurs
Organization: Panther Software and Research

    Stanton McCandlish wrote: ..  With increasing use of
    telecommunications, this simple transactional information reveals
    almost as much about our private lives as would be learned if
    someone literally followed us around on the street, watching our
    every move.

    bernie@fantasyfarm.com replied: Isn't that last part legal, too?

For duly authorized law enforcement agents, but many states have "stalking"
laws against people doing that without authorization.  Even when
authorized, the expense of actually doing so probably limits how often it's
done.  If costs decrease, it could be done more often.
 -WBE


------------------------------

From: Dave Banisar <banisar@washofc.cpsr.org>
Date: 6 Mar 1994 14:13:18 -0500
Subject: Time Magazine on Clipper

Time Magazine, March 14, 1994

TECHNOLOGY 

WHO SHOULD KEEP THE KEYS?

The U.S. government wants the power to tap into every phone, fax and computer 
transmission

BY PHILIP ELMER-DEWITT

 ... (general background)

 ... (general info on techo advances)

  Thus the stage was set for one of the most bizarre technology-policy 
battles ever waged: the Clipper Chip war. Lined up on one side are the three-
letter cloak-and-dagger agencies -- the NSA, the CIA and the FBI -- and key 
policymakers in the Clinton Administration (who are taking a surprisingly 
hard line on the encryption issue). Opposing them is an equally unlikely 
coalition of computer firms, civil libertarians, conservative columnists and 
a strange breed of cryptoanarchists who call themselves the cypherpunks. 

  At the center is the Clipper Chip, a semiconductor device that the NSA 
developed and wants installed in every telephone, computer modem and fax 
machine. The chip combines a powerful encryption algorithm with a ''back 
door'' -- the cryptographic equivalent of the master key that opens 
schoolchildren's padlocks when they forget their combinations. A ''secure'' 
phone equipped with the chip could, with proper authorization, be cracked by 
the government. Law-enforcement agencies say they need this capability to 
keep tabs on drug runners, terrorists and spies. Critics denounce the Clipper 
-- and a bill before Congress that would require phone companies to make it 
easy to tap the new digital phones -- as Big Brotherly tools that will strip 
citizens of whatever privacy they still have in the computer age. 

  In a Time/CNN poll of 1,000 Americans conducted last week by Yankelovich 
Partners, two-thirds said it was more important to protect the privacy of 
phone calls than to preserve the ability of police to conduct wiretaps. When 
informed about the Clipper Chip, 80% said they opposed it.

  The battle lines were first drawn last April, when the Administration 
unveiled the Clipper plan and invited public comment. For nine months 
opponents railed against the scheme's many flaws: criminals wouldn't use 
phones equipped with the government's chip; foreign customers wouldn't buy 
communications gear for which the U.S. held the keys; the system for giving 
investigators access to the back-door master codes was open to abuse; there 
was no guarantee that some clever hacker wouldn't steal the keys. But in the 
end the Administration ignored the advice. In early February, after computer-
industry leaders had made it clear that they wanted to adopt their own 
encryption standard, the Administration announced that it was putting the NSA 
plan into effect. Government agencies will phase in use of Clipper technology 
for all unclassified communications. Commercial use of the chip will be 
voluntary -- for now.

  It was tantamount to a declaration of war, not just to a small group of 
crypto-activists but to all citizens who value their privacy, as well as to 
telecommunications firms that sell their products abroad. Foreign customers 
won't want equipment that U.S. spies can tap into, particularly since 
powerful, uncompromised encryption is available overseas. ''Industry is 
unanimous on this,'' says Jim Burger, a lobbyist for Apple Computer, one of 
two dozen companies and trade groups opposing the Clipper. A petition 
circulated on the Internet electronic network by Computer Professionals for 
Social Responsibility gathered 45,000 signatures, and some activists are 
planning to boycott companies that use the chips and thus, in effect, hand 
over their encryption keys to the government. ''You can have my encryption 
algorithm,'' said John Perry Barlow, co-founder of the Electronic Frontier 
Foundation, ''when you pry my cold dead fingers from my private key.''

 ... (history of Public Key encryption).

 ... (history of PGP)

  Rather than outlaw PGP and other such programs, a policy that would 
probably be unconstitutional, the Administration is taking a marketing 
approach. By using its purchasing power to lower the cost of Clipper 
technology, and by vigilantly enforcing restrictions against overseas sales 
of competing encryption systems, the government is trying to make it 
difficult for any alternative schemes to become widespread. If Clipper 
manages to establish itself as a market standard -- if, for example, it is 
built into almost every telephone, modem and fax machine sold -- people who 
buy a nonstandard system might find themselves with an untappable phone but 
no one to call. 

  That's still a big if. Zimmermann is already working on a version of PGP 
for voice communications that could compete directly with Clipper, and if it 
finds a market, similar products are sure to follow. ''The crypto genie is 
out of the bottle,'' says Steven Levy, who is writing a book about 
encryption. If that's true, even the NSA may not have the power to put it 
back.

Reported by David S. Jackson/San Francisco and Suneel Ratan/Washington


------------------------------

From: Alain Simon <matrox!rcorco.rco.qc.ca!alain@uunet.UU.NET>
Date: 6 Mar 1994 16:57:53 -0500
Subject: Government Databases
Organization: Virtual Illusions & Real Virtualities Ltd

    ai504@FreeNet.Carleton.CA (John Olson) writes: I'm with the
    Communications Branch (public affairs branch) of the federal
    industry department -- Industry Canada. [ ... ] And what about
    government...federal and provincial -- what, if any, roles should
    there be here?

No role whatsoever. We have far too much government as it is.

But the Net could have a tremendous impact on government: perception of
jurisdictions, distribution of services, communication with people,
expression of political will, downsizing of bureaucracy, and perception
of their role by politicians and bureaucrats.

    Your views really could be helpful to me...as I try to figure out
    just what people think about all this. (Of course you could be just
    a wild and crazy flamer who'll rant at anything connected with
    government, but I'll take my chances.) If you don't want me to
    throw anything you flip my way into the public environment pickle
    barrel, tell me.

It is not necessary to be a wild and crazy flamer to wish the
government would stay out of our lives.  Being a tax payer is reason
enough.  Being worried about democracy is another one.  This being
said, let me admit it: yes, I am a wild and crazy flamer.


------------------------------

From: weiksner@bow.princeton.edu (George Michael Weiksner)
Date: 7 Mar 1994 14:57:03 GMT
Subject: Government Databases
Organization: Princeton University

the Privacy Act of 1974, the government is not allowed to use data for
any purpose other than the one for which it was originally
collected.   However, through various loopholes, we have a de facto national
database of personal information.  It is fairly probable that the
Department of Immigration will share its information with the IRS to
help locate illegal immigrants.

	My questions are:

	1.) What government databases of personal information are there?
		(Or a reference to a list of such databases).
	2.) Where is there information about how departments may use other
		departments' information (not legal information, but how 
                they do it in practice.)
	3.) How can we monitor the accuracy and use of this information?
	4.) What limits should be placed on the government on acquisition 
                 of info?

Any direct responses, pointers to literature, etc. will be greatly appreciated.


------------------------------

From: palbert@netcom.com (Phil Albert)
Date: 7 Mar 1994 18:10:07 GMT
Subject: Re: Computer databases of information
Organization: Disorganized

    rinewalt@GAMMA.IS.TCU.EDU writes: Perhaps one of the most
    mysterious consumer-reporting companies is MIB, formerly the
    Medical Information Bureau, in Brookline, Mass.  "It's a very
    difficult company to learn very much about," says Massachusetts
    state senator Lois Pines.  "They don't want people to know that
    they exist or what they do."

Well, what do they do? (i.e. what data do they store?)

-- 
Phil Albert, full-time patent attorney and philosopher, part-time car thief
Voicenet: (415) 543-9600       bizcardnet: Townsend & Townsend
Internet: palbert@netcom.com or palbert@cco.caltech.edu


------------------------------

From: Matt Crawford <crawdad@munin.fnal.gov>
Date: 4 Mar 1994 11:32:57 -0600
Subject: Re: Unsolicited Advertising - A Proposal

   I don't *know* this will happen; advertisers seem to be working on
   technology to be more selective, ...

But would they *apply* this technology to email advertising?  Direct
mail and phone soliciting costs them O($1) per victim.  Junk email is
probably a lot less.

Over and above applicable AUPs, how about a voluntary labelling
guideline, such as "Precedence: junk" (or some euphemism), with a
credible expectation that non-complying advertisers will get a black
eye.
_________________________________________________________
Matt Crawford          crawdad@fnal.gov          Fermilab


------------------------------

From: pmacghee@motown.ge.com (Peter F. MacGhee, x 2266)
Date: 5 Mar 1994 19:13:37 GMT
Subject: Re: Unsolicited Advertising - A Proposal
Organization: Martin Marietta Corp, Moorestown NJ

As far as business, or sales proposals go, you could always try placing
them under "alt.ads", or "alt.for_sale"


------------------------------


End of Computer Privacy Digest V4 #039
******************************