Date:       Tue, 22 Mar 94 13:08:27 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V4#045

Computer Privacy Digest Tue, 22 Mar 94              Volume 4 : Issue: 045

Today's Topics:			       Moderator: Leonard P. Levine

        Deletion of Computer Privacy Addresses at pica.army.mil
                         MCIMAIL Group Mailings
                       Video Tape Rental Records
                    FBI's Push for Digital Telephony
                    FBI's Push for Digital Telephony
                          Re: Network Security
                      Re: Time Magazine on Clipper
                       Re: Phone Book Pseudonyms
                         Re: IRS Purchase Order
                         Re: IRS Purchase Order
                New Book From IOM On Health Data Privacy

   The Computer Privacy Digest is a forum for discussion on the effect 
  of technology on privacy.  The digest is moderated and gatewayed into 
  the USENET newsgroup comp.society.privacy (Moderated).  Submissions 
  should be sent to comp-privacy@uwm.edu and administrative requests 
  to comp-privacy-request@uwm.edu.  Back issues are available via 
  anonymous ftp on ftp.cs.uwm.edu [129.89.9.18].  Login as "ftp" 
  with password "yourid@yoursite".  The archives are in the directory 
  "pub/comp-privacy".   Archives are also held at ftp.pica.army.mil
  [129.139.160.133].
----------------------------------------------------------------------

From: "Dennis G. Rears" <drears@Pica.Army.Mil>
Date: 21 Mar 94 11:12:01 EST
Subject: Deletion of Computer Privacy Addresses at pica.army.mil

The following email addresses will disappear at the end of the month:

comp-privacy@pica.army.mil
comp-privacy-request@pica.army.mil

I see that some people are still using these addresses.

As of 31 March, pica.army.mil will be providing the following services
for the Computer Privacy Digest:

   o ftp site for

        o telecom privacy <telecom-priv>
        o misc privacy files
        o computer privacy digest.

   o will run the subscriber list for readers who get the CPD as
     individual news articles via email (This is the last remaining
     function I need to transition with Professor Levine).

  I hope to add the CPD archives to my www server by May.

dennis

P.S.  I think Len has done a marvelous job as Moderator since I left.

[Moderator: (modestly blushing) Aw, shucks]


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 21 Mar 1994 15:04:18 -0600 (CST)
Subject: MCIMAIL Group Mailings
Organization: University of Wisconsin-Milwaukee

The MCIMAIL system, probably to comfortably handle reading groups,
regularly posts the names of all members of a reading group to each
member of that group.  I am sure that this was designed into the system
as a deliberate feature and I believe it is generally a good idea.  (I
must stress that this applies only to MCIMAIL.  To my knowledge, in the
greater Internet community such mailings display only your own name as
addressee and not that of other readers.)

I recently learned of this from others who deal with privacy who felt
(as did I) that for a Privacy Digest this is not right; people who
subscribe to such a list should not be forced to have their names made
public to the other (MCIMAIL) readers.  If they post, and if they do
not ask me to make those postings anonymous, then they lose their
"right to privacy" and become "public persons" to use the newspaper
vernacular.

One other digest group moderator felt so strongly about this that he
decided to cut MCIMAIL users off from his mailings entirely.  I believe
his intention was to encourage MCIMAIL to change this policy by making
them realize what is lost by it.  I feel this is throwing out the baby
with the bath water and have taken a different approach.

I have modified the mailing procedure for Computer Privacy Digest to
allow each MCIMAIL recipient to receive a separate mailing.  This
increases the burden on the Internet network, which normally mails to a
group with a single posting coupled with a command to "explode" that
posting into separate mailings.  In doing this I effectively take the
stance that for a Privacy group efficiency must give way to privacy.  I
am sure that for a different sort of mailing this is less of a
problem.

Thus, MCIMAIL readers of this digest will receive two copies of this
mailing, one using the group mail procedure and the other displaying
only their own names.  Later mailings will be in the private form
only.

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of Computer Privacy Digest and
Professor of Computer Science     | comp.society.privacy.
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
 ---------------------------------+-----------------------------------------


------------------------------

From: sutter@verisoft.com (Paul Sutter)
Date: 21 Mar 1994 15:52:12 +1700
Subject: Video Tape Rental Records

    Beth Givens writes: Regarding the video rental privacy law:  The
    law protects you from having the *titles* of videos that you rent
    released to others, but not

Let's not get confused here. The law does *NOT* protect you from the
release of the titles that you rent to others. The law simply makes it
illegal to disclose the information; it does not prevent the disclosure
of this information any more than the 55 speed limit prevents me from
setting my cruise control at 68.

The next time you are renting a video, take a look at any clerk in the
store and ask yourself what that person would do for $100. And if not
him, then the next guy.

Lawmakers are not guarding your privacy; it's the kid behind the
counter.


------------------------------

From: ks@netcom.com (Kurt F. Sauer)
Date: 22 Mar 1994 03:43:43 GMT
Subject: FBI's Push for Digital Telephony

The New York Times, Sunday, March 20, 1994, buried in the lower
right-hand corner of page 14:

F.B.I. Director Extols New Wiretap Software

WASHINGTON, March 19 (AP)--Louis J. Freeh, Director of the F.B.I., told
Congress on Friday that law enforcement would be crippled in monitoring
criminals through wiretaps if a proposed telecommunications bill was
not passed.

The bill would require telephone companies to install software in their
new digital switching systems that would allow the F.B.I. and other
law enforcement agencies to do court-authorized wiretaps.  Mr. Freeh
said traditional wiretaps were not sophisticated enough to sort out
calls on digital networks, which can carry thousands of calls at once.

Mr. Freeh, who has intensely lobbied for the bill, said the phone
companies would not put in the new software voluntarily.  The bill is
opposed by the telephone industry for the fines it imposes and by some
civil liberties groups as intrusive.

"Unless Congress creates a new law, law enforcement's ability to
protect the public against crime will be gravely eroded and the
national security will be placed at risk," Mr. Freeh testified at a
joint hearing of House and Senate Judiciary subcommittees.

Mr. Freeh said the bill would not expand any of the legal standards for
wiretaps.  He said evidence from electronic surveillance had secured
the convictions of more than 22,000 dangerous felons over the past
decade.

Senator Patrick Leahy, a Vermont Democrat who heads the Senate
Judiciary subcommittee on technology and the law, said, "None of us
wants to impede the ability to go after kidnappers, but we do have some
very serious privacy concerns."

-- 
Kurt F. Sauer
Richardson, Texas


------------------------------

From: Dean Ridgway <ridgwad@CSOS.ORST.EDU>
Date: 18 Mar 1994 12:55:26 -0800
Subject: FBI's Push for Digital Telephony

Well you-know-who is at it again.  According to _Business_Week_
03/14/94 pg. 55, "Big Brother turns Big Ears on Electronic Networks".

A measure soon to be introduced on Capitol Hill would require that all
network providers, including the Internet and commercial on-line
services, build in the capability to record any person's e-mail and
deliver it to federal law-enforcement authorities.  Government agents
will need only to show a person merits investigation, rather than
obtain a court order as is the case for telephone eavesdropping.

The reasons given are the same old stories: drug dealers and criminals
might be using computer networks and getting court orders is just too
"inconvenient".  I might just be paranoid but "merits investigation"
sounds a lot like just asking for.

The next logical step will be to outlaw non-clipper encryption.

Dean Ridgway | FidoNet 1:357/1.103 | InterNet ridgwad@csos.orst.edu
             | CIS 73225,512       |


------------------------------

From: herronj@MAIL.FWS.GOV
Date: 21 Mar 94 08:34:10 MST
Subject: Re: Network Security

    Mike Gadda writes:  My university has a Novell Network and last
    year someone bugged the whole campus with a program called LAN
    Assist Plus.  This program allows *anyone* to mess with what
    others are doing by having another person's screen captured on
    their own.  The person being watched has no idea. This person can
    be rebooted or messed with by unwanted keystrokes.  I couldn't
    believe it myself when I first saw it.  I wonder if Novell
    anticipated this problem when creating their networks.

The program you mention really doesn't have anything to do with
Novell.  LAN Assist works as a TSR that captures keystrokes and
screens (much the same way pcAnywhere does) when activated by a remote
computer.  Even if the computer wasn't on a network a program could do
the same thing and store the information to a local drive for later
analysis.  On a network the software simply makes use of the line to
the outside world to transmit this data.

The program is intended for technical support.  When someone on the
network has a problem they call their tech. support, who may be many
miles away.  The tech support person then starts up LAN Assist, picks
this user's workstation, and has the person duplicate the problem.  S/he
can then very often solve the problem without ever leaving their desk
(LAN Assist also allows the remote user to have control of the
keyboard).

LAN Assist has many options that leave privacy in place, including the
ability to require the user to "grant permission" prior to the
takeover, password takeover, a "wagon wheel" indicator that it is being
monitored, etc.  It is up to the system administrator to implement one
or more of these privacy security measures.  I know on our system we
make loading LAN Assist a separate menu item, this way the TSR doesn't
even load unless the user chooses to do so.  Even then we use the
"wagon wheel" indicator so the user knows exactly when they are being
monitored.  I personally believe the "wagon wheel" should be built in
to the program so it is ALWAYS used and NOT AN OPTION.  Actually it
should be the law since this could be used to read people's Email (as
they read/write the mail), which is a violation of Federal Law.


------------------------------

From: wilhelm@lsesun6.epfl.ch (Uwe WILHELM)
Date: 21 Mar 1994 14:57:59 GMT
Subject: Re: Time Magazine on Clipper
Organization: Ecole polytechnique federale de Lausanne

    laine@MorningStar.Com (Laine Stump) writes:
	If all the government is doing is taking a marketing approach
	with this Clipper chip technology, what's all the fuss? By
	simply adding another layer of encryption on top of Clipper
	will defeat its backdoor and threats from snooping.  The
	government rarely succeeds at anything when it comes to business
	-- especially if it involves marketing.

    This is a common, and dangerous, misconception. Cryptographers know
    that it is much easier to break a code if they can analyze "chosen
    text" that has been encrypted, in other words if they can get a
    look at some sequence of input text they have chosen after it goes
    through the encryption algorithm. It is very possible (some say
    likely) that the Clipper algorithm puts patterns into the encrypted
    text which the NSA can later use to aid them in breaking any
    encryption used "on top" of a Clipper-encrypted data stream. It is
    widely rumored that the NSA already does this with a voice
    compression algorithm it developed which is widely used in
    telecommunications equipment.

    Do you unconditionally trust anyone and everyone who works for the
    U.S.  Government?


I might be completely off the point, and I have to admit that I'm not
very sophisticated, if it actually comes down to doing real encryption.
On the other hand, I thought I had a rather thorough understanding of
how things work (in general).  So, the question is: if I put another
layer of encryption before the Clipper encryption and after the Clipper
decryption - is your point still valid?

        me -> (my_encryption)      ->
              (Clipper_encryption) ->
              (wire through NSA)   ->
              (Clipper_decryption) ->
              (my_decryption)      -> her/him

I can't see any chosen plaintext attack. All the NSA (or whoever) has
is an encrypted stream of data, which is as safe as the encryption I
used.

I don't think there's much ado about nothing... but, who is able to
take advantage of this kind of secure communication? and is it legal
anyway?


------------------------------

From: poivre@netcom.com (poivre)
Date: 21 Mar 1994 21:17:18 GMT
Subject: Re: Phone Book Pseudonyms
Organization: NETCOM On-line Communication Services (408 241-9760 guest)

    Dave Niebuhr (dwn@dwn.ccd.bnl.gov) wrote:

	Some years ago, in order to protect my privacy, I registered my
	phone under the name "Mehitabel DeCatte"  (pronounced
	"Mehitabel the cat").  Having such a "nom de phone" was legal
	and was cheaper than having an unlisted number.  Our cat,
	Mehitabel, did live at our residence with

        Ok, for all of you who do something like this, how?

	When I tried to get a different name for my phone, I was told
	it wasn't possible.  They wanted either my Soc Sec Number,
	which I wouldn't give out, or my driver's license, presented in
	person, so that they could verify my identity.

	They wouldn't let me use a fake name, and in fact, I asked
	directly, and was told it wasn't possible.

    I have my phone listed under a fictitious name and the phone company
    (NYTel/NYNEX) didn't blink an eye.  The only thing I had to do was
    to make sure that it was an unreasonable one such as John Doe,
    Richard Roe; it had to be reasonable sounding.

    However, I checked my phone book and found lots of John Doe's ...

NYNEX/NYTel seems to be pretty cool about identities.  When I signed up
for phone service, I didn't have to give any SSN, driver's license
number, etc etc.  For all I could see, I could have made up a name like
John Doe, Jane Smith, etc etc.


------------------------------

From: stanley@skyking.oce.orst.edu (John Stanley)
Date: 21 Mar 1994 22:21:08 GMT
Subject: Re: IRS Purchase Order
Organization: Coastal Imaging Lab, Oregon State University

    Prof. L. P. Levine <levine@blatz.cs.uwm.edu> wrote: [Great for
    identifying anonymous callers who request information on whether
    illegal acts must be declared, and other such revealing queries?
    PGN]

By the time the IRS has targeted you to put one of these things on your
line, I think you have more to worry about than making anonymous calls
to the IRS. They already know who you are.


------------------------------

From: Ron Bean <nicmad!madnix!zaphod%astroatc.UUCP@cs.wisc.edu>
Date: 21 Mar 1994 20:54:33 -0600 (CST)
Subject: Re: IRS Purchase Order

    The Internal Revenue Service intends to procure 28 remote telephone
    data collection units, including software.

    The unit must be no larger than 5.9x1.5x3.2 inches.

Where did they get these dimensions from? Why not 6x1.5x3?


------------------------------

From: SchwartzM@DOCKMASTER.NCSC.MIL
Date: 22 Mar 94 10:56 EST
Subject: New Book From IOM On Health Data Privacy

I just received a new book published for the National Academy of
Science's Institute of Medicine entitled "Health Data in the
Information Age:  Use, Disclosure and Privacy".  The copyright is 1994
and is the result of a follow-on project to their 1991 publication "The
Computer Based Patient Record:  An Essential Technology For Health
Care".  This new book covers a variety of topics including the
recognition of the formation of so-called Regional Health Data Networks
for the purpose of tracking patient outcomes and facilitating improved
access to medical data on patients.  A great deal of the book deals
with the significant privacy issues that will need to be addressed as
we move toward the computerization of the medical record and the use of
computer networks for remote consulting, including legislative
approaches.  Additional work covers the issues surrounding the release
of health care provider specific data (hospital/physician) relative to
attempts to give the public an ability to make quality of care
decisions in their selections of providers.  This is already being done
in New York, Pennsylvania and other states in the realm of cardiac
surgery and cardiology related interventions and has come under
significant fire from the health care community for being, at best,
misleading to an uninformed public, at worst a significant threat to
patient access to health care.

The book may be ordered from National Academy Press at 1-800-624-6242
and is priced at $39.95.  It is a major work in this area and I would
strongly urge its reading to anyone interested.

Marc Schwartz
Director of Clinical Services
Summit Medical
Minneapolis, MN 55447
Voice:  612-473-3250
Internet:  SchwartzM at dockmaster.ncsc.mil


------------------------------


End of Computer Privacy Digest V4 #045
******************************