Computer Privacy Digest Wed, 28 Sep 94 Volume 5 : Issue: 039
Today's Topics: Moderator: Leonard P. Levine
Reason 24: Capacity Requirements
Re: Reason 16: Expense
Top 10 Anti Clipper List
Update address >>>Network Security Observations<<<
Post Office Boxes
Questions Re: Security of Computerized Medical Database
Find E-Mail Address?
Database Marketing Revisited
Will Our Rights be Protected?
Re: Anti-Clipper
ACLU release and letter on FBI wiretap bill
CPD Informaton
---------------------------------------------------------------------
Housekeeping information is located at the end of this Digest.
----------------------------------------------------------------------
From: email list server <listserv@Sunnyside.COM>
Date: 26 Sep 1994 12:13:42 -0700
Subject: Reason 24: Capacity Requirements
100 Reasons to Oppose the FBI Wiretap Bill
Reason 24: The FBI Wiretap bill allows the Attorney General to
develop monitoring specs
The proposed wiretap law says that the Attorney General will provide to
telecommunications carrier associations and and standard-setting
organizations a notice of "maximum capacity" required to accommodate
all of the communication interceptions, pen registers, and trap and
trace devices that the Attorney General estimates that government
agencies may "use simultaneously." Telecommunications carriers will
then be required to ensure that systems are capable of "expanding to
the maximum capacity." (Proposed section 2603(a))("legal code")
-> 9/25 NEWS UPDATE: Wiretap legislation slows in House. Sources say
-> that Rep. Brooks unlikely to consider bill. ACLU announces opposition
-> to wiretap plan.
------------------------------------------------------------------------
What To Do: Fax Senator Joe Biden (202-224-0139). If you live in California,
fax Senator Diane Feinstein (202-228-3954 )
Express your concerns about the FBI Wiretap proposal.
------------------------------------------------------------------------
100 Reasons is a project of the Electronic Privacy Information Center
(EPIC) in Washington, DC. For more information: 100.Reasons@epic.org.
========================================================================
------------------------------
From: mea@intgp1.att.com (Mark E Anderson +1 708 979 4716)
Date: 26 Sep 94 20:50:00 GMT
Subject: Re: Reason 16: Expense
Reason 16: Wiretapping is a particularly expensive investigative
method.
Since 1970, the average cost per order has increased 1,100
percent.
I would be a little careful about using this reason to oppose the
wiretap bills. These can also be reasons to support the bills so as to
reduce the costs of these wiretaps and gather more information making
them more cost effective. I can think of a dozen things they could do
but then again, I have a pretty devious mind.
--
Mark Anderson
mea@intgp1.att.com
------------------------------
From: normh@crl.com (Norman J Harman)
Date: 26 Sep 1994 11:08:12 -0700
Subject: Top 10 Anti Clipper List
Organization: CRL Dialup Internet Access (415) 705-6060 [login: guest]
I will offer an anti Clipper/Skipjack T-shirt. They would be white
with black printing and cost approximately $5.00 plus $2.90 shipping to
US locations. That is the cost to produce one shirt. I am trying to
spread awareness not make money.
I posted a while ago asking for suggestions on what the shirts should
say. One of the best ideas was from Donald Alan Whiteside. He
suggested a top 10 list and provided one item for that list. I need
some more. This list will be on the back of the shirt. On the front
will be a "Big Brother Inside Logo and a Clipper Chip .
"Top 10 reasons to Say No to Clipper"
#1 "Can't trust Clinton not to read McDonalds recipes for Big Mac
secret sauce."
#2 "We all know its just so the FBI can get free phone sex."
#3 "The spies at NSA will get eyestrain reading all of Santa's mail"
#4 "Your idea here."
Please send comments, suggestions, and questions to normh@crl.com.
After I get a finished list I will post how to get one, about one
week.
A worthy cause is better if it benefits another good cause so the
shirts will be silk-screened by Zerolith, part of a non-profit
organization that employs, shelters, and assists homeless youth. If
you would like to talk with Zerolith or donate money directly here is
how to contact them.
Zerolith
3075 21st Street
San Francisco, CA 94110-2626
415.641.1014 voice
415.641.1474 fax
--
Norman J. Harman Jr. o o Smiley Publishing
normh@crl.com \__/ San Francisco, CA
------------------------------
From: nso@delphi.com
Date: 27 Sep 94 04:54:18 -0500
Subject: Update address >>>Network Security Observations<<<
Organization: Delphi (info@delphi.com email, 800-695-4005 voice)
Announcement
November 1994 NETWORK SECURITY OBSERVATIONS will be out with its
inaugural issue. NETWORK SECURITY OBSERVATIONS is expected to be the
leading international journal on computer network security for the
science, research and professional community. Every annual volume
contains five issues, each offering ample space for vigorously reviewed
academic and research papers of significant and lasting importance, and
a wealth of other network security information, including security
patches and other technical information supplied by manufacturers,
related governmental docu- ments (international), discussions about
ethics and privacy aspects, the Clipper chip and other cryptologic
issues, viruses, privacy enhanced mail, protocols, harmonization of
computer security evaluation criteria, information security management,
access management, transborder data flow, edi security, risk analysis,
trusted systems, mission critical applications, integrity issues,
computer abuse and computer crime, etc. etc.
If and when appropriate reports of major international conferences,
congresses and seminars will be included, as well as information made
available by governments, agencies, and international and supra
national organizations. Network Security Observations is published in
the English language, and distributed Worldwide. The publication does
NOT feature commercial announcements. National and international
organizers of dedicated conferences, etc. can offer calls for papers
and invitations to participate. Relevant posting from other publishers
announcing new relevant books, etc are welcomed as well.
NETWORK SECURITY OBSERVATIONS provides the in depth and detailed look
that is essential for the network system operator, network system
administrator, edp auditor, legal counsel, computer science researcher,
network security manager, product developer, forensic data expert,
legislator, public prosecutor, etc., including the wide range of
specialists in the intelligence community, the investigative branches
and the military, the financial services industry and the banking
community, the public services, the telecom industry and the computer
industry itself.
Subscription applications by email or fax before November 1, 1994 are
entitled to a special rebated subscription rate. Special
academic/educational discounts, and rebates for governmental personnel,
and other special groups, are available upon request. Network Security
Observations is a not-for-profit journal, and therefore we are sorry to
reject requests for trial orders.
For further information please contact:
by email> NSO@delphi.com
Or by fax> +1 202 429 9574
Or alternatively you can write to:
Network Security Observations
Suite 400
1825 I Street, NW
Washington DC, 20006
United States
------------------------------
From: Mark Mullins <mark.mullins@chaos.lrk.ar.us>
Date: 27 Sep 1994 02:39:00 +0000 (GMT)
Subject: Post Office Boxes
Organization: The Courts of Chaos * Jacksonville AR USA * 501-985-0059
Hi, I am not sure if this has been discussed on this newsgroup, so
forgive me if it has. I have used a PO Box for several years due
to privacy concerns. I am a SWF, and don't want my home address
readily accessible. WELL, I just learned that all one has to do to
attain the home address of a PO Box holder is fill out a form and
pay two bucks. Most people don't know this anyway (though more
will now!) but I think that this is very uncool.
Strongly agreed Professor!!
Although I don't like it from a business stand point, I am sure you
will be happy to know that this has changed. You can still follow
the same process for a business PO Box however the physical
addresses for the PO Boxes of private citizens are no longer
availible.
My question to you Professor, Is there a way for one to find out WHO
paid the $2 fee to find out your home address?? Is the information
recorded permanently?? How long does it take to find this information
out?? I can see where it wouldn't take long for the wrong individual
with this information to put it to the wrong use.. :-(
--
. SLMR 2.1a . Money talks.. But all mine ever says is GOODBYE!! :(
------------------------------
From: Richard Goldstein <richgold@netcom.com>
Date: 27 Sep 1994 06:01:12 -0700 (PDT)
Subject: Questions Re: Security of Computerized Medical Database
I am a statistician and I sit on the Human Studies Committee (IRB) of a
local HMO. I have been assigned as primary reviewer for our committee
for a recently submitted protocol dealing with security issues on the
HMO's computerized patient data base. (Note: this may not need
committee approval under Federal rules, but it does under local
rules.) I am requesting some help regarding issues I should be asking
about and guidance on literature.
Brief explanation of project: the current computerized medical record
has two sections (I am oversimplifying some issues here, without, I
hope, being misleading): a coded section that can be searched via
computer and a text section that currently cannot be automatically
searched. The HMO has entered into an agreement with a 'local'
university (about 90 miles away) to attempt to develop tools for
exploiting clinical text data (e.g., access, search, extract,
manipulate the text portion of the record).
The process includes providing the university with example records
(size of sample not known), where the records have been 'sanitized'.
"The sanitization process has three stages:
1. automated masking or identifiers such as addresses and
telephone numbers in ... extract headers as created [at the
HMO]
2. automated masking of medical record numbers
3. automated masking of each segment of each member's name
everywhere these segments occur in the ... extract"
There are some known problems with this masking (e.g., regarding the
occurrence of names in the record other than than of the particular
patient). My problem is that I have no idea how much faith, trust,
etc. to put into the "automated masking" process. Of particular help
would be guidance on what questions to ask about this process to help
make decisions about whether it is sufficient (guidance on literature
would also be appreciated).
I note also that the people on the project appear to be unaware of the
possibility of identifying patients via combinations of coded
information. As a statistician, I am aware of some of the large
literature on this question, especially with respect to Census
information. However, I am not familiar with recent literature on this
question or with computer algorithms; further, I am not aware of any
literature dealing specifically with this question for medical records
(except that I do have a copy of the 9/93 publication from the Office
of Technology Assessment entitled _Protecting Privacy in Computerized
Medical Information_; however, this is not a technical publication).
Another question relates to what we should be asking about the security
of the university computer; we have been told that the center "has
implemented data access security by granting electronic access to [HMO]
data only to researchers designated as members of the [HMO] project."
However, we have been provided with NO details; again, what questions
should we be asking and how do we interpret the responses.
I should mention that our committee very strongly opposes any movement
of hmo data outside the hmo, but in rare circumstances we have agreed
when we were satisfied with the security situation (usually a
stand-alone computer in a room that could easily be locked).
Any help or advice would be greatly appreciated and should, preferably,
be sent directly to me at "richgold@netcom.com". If desired, I could
post a summary of the resulting responses to this group.
--
TIA,
Rich Goldstein
------------------------------
From: levinson@sunbow.dab.ge.com (Dave Levinson)
Date: 27 Sep 1994 13:57:37 GMT
Subject: Find E-Mail Address?
Organization: Martin Marietta
Does anyone know how to locate someones E-Mail address. He is an old
high school buddy and has a unique last name. Thanks..
--
Dave tha Wave
------------------------------
From: hedlund@reed.edu (M. Hedlund)
Date: 28 Sep 1994 01:08:20 -0700
Subject: Database Marketing Revisited
Organization: Northwest Nexus Inc.
I received the following survey today. I admit that I am just as
concerned about the accumulation of marketing data as the next
comp.society.privacy reader; but maybe, when the battle seems bleak, we
should pause and consider the nature of our opposition. Just for
laughs.
"SHOPPING SURVEY
"In order to help us provide First Interstate Bank Cardholders like you
with valuable services, please answer the following questions. [...]
"7) Are you... ? (Check all that apply.)
[ ] Male
[ ] Female"
</hedlund>
------------------------------
From: drdave@access3.digex.net (David Schurman)
Date: 25 Sep 1994 15:34:46 -0400
Subject: Will Our Rights be Protected?
Organization: Express Access Online Communications, Greenbelt, MD USA
I'd like to ask the help of the users while I research the question of
privacy in data/telecommunications.
There are privacy concerns specific to but not limited to the First and
Forth Amendment to the constitution.
First Amendment:
"Congress shall make no law respecting an establishment of religion, or
prohibiting the free exercise thereof; or abridging the freedom of
speech, or of the press, or the right of the people peaceably to
assemble, and to petition the government for a redress of grievances."
Fourth Amendment:
"The right of the people to be secure in their persons, houses, papers,
and effects, against unreasonable searches and seizures, shall not be
violated, and no warrants shall issue, but upon probable cause,
supported by oath or affirmation, and particularly describing the place
to be searched, and the persons or things to be seized."
The issue in my mind is that, with the increase of the transfer of
information by computer and other electronic means; Are the issues of
privacy and security being adequately addressed by means of the Clipper
Chip and Encryption? Are our rights under these amendments being
protected? What violations of these and other rights will be committed
by those in the government under the guise of "protecting" those
rights.
I would be interested to have some insightful discussion on these and
other related topics.
--
David Schurman <<< drdave@access.digex.net >>>
------------------------------
From: olcay@libtech.com (olcay cirit)
Date: 27 Sep 94 07:22:47 PDT
Subject: Re: Anti-Clipper
Heres an idea:
Clip Clipper
Skip Skipjack
--------------
Slip Clipjack
--
Olcay
(| Olcay Cirit |) "Note that I have taken special measures to
|) ----------------- (| restrain the computer to the desk in the
(| olcay@libtech.com |) case that it may explode" - Olo
------------------------------
From: ACLU Information <infoaclu@aclu.org>
Date: 26 Sep 1994 17:52:45 -0400
Subject: ACLU release and letter on FBI wiretap bill
ACLU NEWS RELEASE
ACLU Opposes FBI Wiretap Access Bill;
Legislation Would Create Dangerous Precedent
For IMMEDIATE RELEASE
September 26, 1994
Contact: Barry Steinhardt
BarryS @ aclu.org
or Kathy Parrent, 212-944-9800, ext. 424
The American Civil Liberties Union today called on the House
Judiciary Committee to reject the FBI Wiretap Access Bill, H.R. 4922,
which would require private electronics manufacturers to insure that the
FBI can wiretap using developing telecommunications technologies.
In a letter sent to Congressman Jack Brooks, Chair of the House
Judiciary Committee, the ACLU stated that the bill "... creates a
dangerous and unprecedented presumption that government not only has the
power, subject to warrant to intercept private communications, but that it
can require private parties to create special access. It is as if the
government had required all builders to construct new housing with an
internal surveillance camera for government use."
"Moreover, the FBI has not borne the burden of proving why such an
extraordinary requirement is necessary..." the letter said.
A copy of the full letter with the ACLU's detailed objections
follows.
___________________________________________________________________________
September 22, 1994
Honorable Jack Brooks
Congressman, State of Texas
2449 Rayburn House Office Building
Washington, D.C. 20515-4309
Dear Congressman Brooks:
We are writing to you to express the ACLU's opposition to the
FBI-Wiretap Access Bill, H.R. 4922. While we were not actively involved
in Subcommittee deliberations, we have reviewed the legislation and we
have several major concerns.
The principal problem remains that any digital telephone bill
which mandates that communications providers make technological changes
for the sole purpose of making their systems wiretap-ready creates a
dangerous and unprecedented presumption that government not only has the
power, subject to warrant, to intercept private communications, but that
it can require private parties to create special access. It is as if the
government had required all builders to construct new housing with an
internal surveillance camera for government use. Even if such use were
triggered only by a judicial warrant, such a requirement would be strongly
resisted by the American people. H.R. 4922 establishes a similar
requirement, and is without precedent.
Moreover, the FBI has not borne the burden of proving why such an
extraordinary requirement is necessary. In 1993, there were fewer than
1,000 wiretaps authorized and many of them failed to yield any substantive
evidence while intercepting many innocent conversations. It is far from
clear that digital telephones will substantially obstruct legitimate law
enforcement efforts. Without further public discussion and debate, the
public will not have a sufficient opportunity to weigh the loss of privacy
against the FBI's claims. There has been no opportunity to learn the full
extent of the types of investigations that the FBI claims were precluded
because of a restriction on their public dissemination. Yet, based on
these secret assertions, 91 such incidents were cited by the FBI. On
those slim assertions, the public's loss of privacy in digital
communications is all but assured and taxpayers will be asked to pay an
extraordinary price.
H.R. 4922 authorizes $500 million over the next four years to
reimburse telecommunications carriers for the costs that would be imposed
by the bill. Even if you accept these cost estimates -- the industry puts
the real cost in the billions -- we will spending $125 million or $125,000
per wiretap, for the fewer than 1,000 taps that will be conducted each
year.
As you know, the ACLU has the greatest respect for Congressman
Edwards and Senator Leahy. Both have been tireless champions for civil
liberties. The Edwards/Leahy proposal is an improvement over earlier
versions offered by the FBI and we applaud their efforts to add new
privacy protections.
The proposed expansion of the Electronic Communications Privacy
Act to cordless phones and the requirement that a court order be obtained
for transactional data from electronic communication providers both are
steps forward and merit separate consideration by the Congress. But they
cannot and should not be traded for the unprecedented intrusion
represented by H.R. 4922.
In several respects, H.R. 4922 is still too broad in its
application.
For example, earlier versions of the bill would have applied
directly to on-line communication and information services such as
internet providers, America On Line, Compuserve, Prodigy etc. H.R. 4922
would apply directly only to "telecommunications carriers" such as the
Regional Bell Operating Companies.
But this provision does not narrow the scope of the bill as much
as it might seem. First, with the new presumption that the government is
entitled to require private manufacturers to insure its ability to
wiretap, law enforcement will undoubtedly be back in future years
insisting that this limitation thwarts its efforts and will seek to
broaden the coverage to other information providers. Once the basic
principle of H.R. 4922 is accepted, what arguments remain to resist its
expansion. The limited application of H.R. 4922 is surely temporary; what
matters is the basic requirement, not its immediate application.
More importantly, law enforcement will still have the opportunity
to intercept on-line communications over the internet or commercial
on-line networks, by tapping into the facilities of the telecommunications
companies. As critics of the earlier versions had noted the coverage of
the on-line providers was largely redundant. All these communications
still pass over telephone lines.
Law enforcement does not need access at every point in a
telecommunication in order to intercept it. Access at any one point is
sufficient and that would be readily available since ultimately on-line
communications must travel over the public switched telephone network
which the bill requires be wiretap ready.
Moreover, given the commingled nature of digital communication
lines, it is inevitable that more private information from third parties
will be intercepted than would be the case with analog phones, and the
minimization requirements in the bill will not prevent this.
In the end, this proposal will make our telecommunications
structure more, not less vulnerable.
In its original form the FBI Digital Telephony proposal would have
given the power to the Attorney General to impose standards on
communication providers which would guarantee that their systems were
wiretap-ready.
Essentially, this would have created a centralized wiretapping
system that threatened the privacy of the entire nation and was dependent
for its security on a few select people.
This raised the real concern that if electronic communications
service providers must design their systems to allow and ensure FBI
access, then the resulting mandatory "back doors" may become known to and
be exploited by "criminals."
The new proposal contains the same risks. It would have the
technical standards developed by the industry, through trade associations
or standard-setting bodies, in consultation with the Attorney General.
But it contains a "safe harbor" provision, which protects a carrier from
sanction if it is in compliance with standards created by this approach.
The safe harbor provision virtually guarantees that the standards
developed through the industry-based process will be adopted by all.
Whether the standards are directly imposed by government or created by
concerted industry action, in consultation with the government, makes
little difference. The result is the same. A centralized wiretapping
capacity with all of its vulnerabilities will still be created.
Finally, we have grave concerns about the encryption provisions.
The Edwards/Leahy version has been described as "neutral" on encryption.
The bill provides that telecommunications providers do not need to decrypt
data, unless they hold the key.
In the short term, this is an improvement over the earlier
versions of the bill which would have created obligations to decrypt, but
there are at least two longer term problems.
First, is the new presumption that industry has the affirmative
responsibility to create special technical capacity for the government to
snoop. Can there be any real doubt that the FBI will be back in the years
to come asserting that its ability to intercept communications has been
thwarted by easily available encryption and that an industry obligation,
analogous to the new obligation to provide wiretap capacity, must be
created.
Secondly, in some cases the telecommunications providers may well
hold the key -- particularly as they expand the services they provide to
their customers.
H.R. 4922 proposes a radical and expensive change in our
telecommunications structure. The threats it poses, now and
prospectively, are real, but the need for it far less than evident or
proven. We urge that your Committee not rush into consideration of this
far reaching measure with so little time left in the session.
We thank you for your consideration of our views and we would be
happy to sit down with you to discuss these issues.
Sincerely,
Ira Glasser Laura Murphy Lee
--endit--
The ACLU urges interested persons to contact the following members of
Congress immediately:
Rep. Jack Brooks Sen. Howard Metzenbaum
(202) 225-6565 (voice) (202) 224-7494 (voice)
(202) 225-1584 (fax) (202) 224-5474 (fax)
=============================================================
ACLU Free Reading Room | A publications and information resource of the
gopher://aclu.org:6601 | American Civil Liberties Union National Office
mailto:infoaclu@aclu.org | "Eternal vigilance is the price of liberty"
------------------------------
From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 26 Sep 1994 12:45:51 -0500 (CDT)
Subject: CPD Informaton
Organization: University of Wisconsin-Milwaukee
The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.
If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution. As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.
On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute. If you
do so, it is best to modify the "Subject:" line of your mailing.
Contributions generally are acknowledged within 24 hours of
submission. An article is printed if it is relevant to the charter of
the digest. If selected, it is printed within two or three days. The
moderator reserves the right to delete extraneous quoted material. He
may change the subject line of an article in order to make it easier
for the reader to follow a discussion. He will not, however, alter or
edit or append to the text except for purely technical reasons.
A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite. The archives
are in the directory "pub/comp-privacy".
People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.
Mosaic users will find it at gopher://gopher.cs.uwm.edu.
Older archives are also held at ftp.pica.army.mil [129.139.160.133].
---------------------------------+-----------------------------------------
Leonard P. Levine | Moderator of: Computer Privacy Digest
Professor of Computer Science | and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu
| Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu | Mosaic: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------
------------------------------
End of Computer Privacy Digest V5 #039
******************************