Date:       Wed, 23 Aug 95 09:20:55 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V7#015

Computer Privacy Digest Wed, 23 Aug 95              Volume 7 : Issue: 015

Today's Topics:			       Moderator: Leonard P. Levine

                         Re: Netscape Security
                         Re: Netscape Security
                          Re: A Netscape Story
                          Re: A Netscape Story
                          Re: A Netscape Story
              Re: An Abuse of Individual Right to Privacy?
              Re: An Abuse of Individual Right to Privacy?
                    A New Newsletter Recommendation
                  Time to Tree the Tiger in the U.S.A.
                  Re: Information Collection at Sears
          Medicare leak through FOIA analysis and 9 digit ZIP
           Duration of Customer Relation & Customers Privacy
                            EPIC Alert 2.09
                 Info on CPD [unchanged since 08/01/95]

----------------------------------------------------------------------

From: nevin@cs.arizona.edu (Nevin ":-]" Liber)
Date: 19 Aug 1995 17:31:42 -0700
Subject: Re: Netscape Security
Organization: University of Arizona CS Department, Tucson "It's too dang hot!" Arizona

    shank@netscape.com (Peter Shank) wrote: The standard way to
    determine the level of security of any encryption scheme is to
    compare the cost of breaking it versus the value of the information
    that can be gained. In this case he had to use roughly $10,000
    worth of computing power (ballpark figure for having access to 120
    workstations and a few parallel supercomputers for 8 days) to break
    a single message. Assuming the message is protecting something of
    less value than $10,000, then this information can be protected
    with only RC4-40 security. For information of greater value,
    currently available RC4-128 security should be used.

This type of cost analysis is only valid *if* the user of the computing
power has to make a tradeoff between using it for this purpose and
other useful work.    If these machines would otherwise be idle, this
computing power is virtually free (imagine if everyone ran RC4-40
cracking software instead of screen savers...).  Also, how much cheaper
does the computing power get if you allow, say 30 days to crack a
message?  How much cheaper is the computing power going to be next year
or the year after that (assuming the data still retains its value; more
on this below)?

How valuable are credit card numbers?  A reasonable assumption could be
the credit limit on the card.  My credit limit per card is certainly
well within the ballpark of the $10K cost you associate with cracking a
message, and I would guess that most non-students who have the
equipment to surf the Internet have a similar amount of credit
available.

The other aspect to determining the level of security needed is the
duration that the information retains its value.  My primary credit
card has had the same number for the last five years, and I don't see
it changing in the foreseeable future, barring someone else "stealing"
it.  This, combined with credit limits usually going up over time,
makes this data valuable *indefinitely*.

    Inside the US, software can support a range of stronger encryption
    options, including RC4-128, which is 2^88 times harder to break.

Irrelevant.  How many sites on the Internet are going to want to deal
with US-only transactions?

The other question to ask is who exactly is assuming the risk:
Netscape, Visa, or consumers directly?

-- 
        Nevin ":-)" Liber       nevin@CS.Arizona.EDU    (520) 293-2799


------------------------------

From: bo774@freenet.carleton.ca (Kelly Bert Manning)
Date: 21 Aug 1995 07:11:58 GMT
Subject: Re: Netscape Security
Organization: The National Capital FreeNet, Ottawa, Ontario, Canada

    "Prof. L. P. Levine" (levine@blatz.cs.uwm.edu) writes: The standard
    way to determine the level of security of any encryption scheme is
    to compare the cost of breaking it versus the value of the
    information that can be gained. In this case he had to use roughly
    $10,000 worth of computing power (ballpark figure for having access
    to 120 workstations and a few parallel supercomputers for 8 days)
    to break a single message. Assuming the message is protecting
    something of less value than $10,000, then this information can be
    protected with only RC4-40 security. For information of greater
    value, currently available RC4-128 security should be used.

It might be prudent to take a long term perspective of the value of the
asset. If it is your charge card account number and data that helps to
convince someone of your identity, $10,000 is about the same order of
magnitude as most card credit limits. The cardholder may not be on the
hook individually for bogus charges, but the credit granting
institution may have something to say about using Netscape with weak
encryption.

If the message contains information that allows an impersonator to
hijack your identity and open up a number of charge accounts the
total could easily run up to over $10,000. Again, you may not be on the
hook for bogus charges, but if you get arrested, perhaps repeatedly, and
have to devote time and effort to clearing yourself the cost may be
more than $10,000.

I'm not being alarmist when I mention people being arrested because of
actions of impersonators. It happens, sometimes repeatedly.

The cost of computing goes down continuously, while inflation, if
nothing else, makes the cost of everything rise. Will you still be
using the same account number when the cost of decrypting individual
messages drops to $1,000? How about when it drops to $100? It is
becoming quite cheap to record huge amounts of data on archival quality
media. A $10,000 price tag for decryption today is no guarantee that it
would be archived and decrypted later when costs are much lower, or
when something develops that makes it worthwhile for someone to expend
the resources to put your data trail under the microscope. (Future USA
Supreme Court nominees please take note.)

    So in conclusion, we think RC4-40 is strong enough to protect
    consumer-level credit-card transactions -- since the cost of
    breaking the message is sufficiently high to make it not worth the
    computer time required to do so -- and that our customers should
    use higher levels of

I've never had a credit card account and don't plan to, however I would
never use this for banking transactions. It will be interesting to see
what financial institutions think of it.

    security, particularly RC4-128, whenever possible.

This sounds like good advice in any circumstance.


------------------------------

From: Barry Margolin <barmar@ner.bbnplanet.com>
Date: 20 Aug 1995 18:28:46 -0400
Subject: Re: A Netscape Story
Organization: BBN Planet Corp., Cambridge, MA

    "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu> writes: The geniuses
    at Netscape have put into their excellent software this
    undocumented (or poorly documented) feature to amuse me.  I must
    ask why else they would have done it.

This is an extremely common practice in the software business.
Programmers like to put in little surprises like these.  There's even a
name for them:  Easter Eggs.  Just about every release of the Macintosh
OS has had a few (e.g. press the appropriate, obscure combination of
keystrokes or click the mouse in just the right place and the list of
programmers might pop up).

Why do they do it?  Because programmers are creative people and they
like to have fun.  And users like the challenge of finding these
goodies (hence the origin of the term "Easter Egg").

    Have they not learned from the experience of Prodigy or Microsoft
    that communications software that runs in ways that the user is not
    warned about can easily lead the user to wonder what else is
    automatically installed?  That undocumented stuff might well be
    very intrusive.

Sure, it could be.  But they generally aren't.  They're harmless little
displays that basically congratulate the user for finding a hidden
treasure.

    Most of us recall the near disaster that faced Prodigy some years
    ago when a swap file they installed on the user's PC seemed to have
    material to be uploaded from the user's work space.  The facts were
    finally shown to be much more benign, but the damage still echoes
    around the net.

This wasn't an "undocumented feature", it was just an accident due to
the way the Prodigy software interacts with the OS.  In fact, it was
more the OS's fault than Prodigy's -- the Prodigy software asked the OS
to create a big file for it, and the OS returned a file whose contents
happened to include the data that used to be in those disk blocks.
Most operating systems will clear disk blocks before allocating them to
a new file, but MS-DOS doesn't.

    Currently we are watching the introduction of Windows 95.  Windows
    95 might or might not have software that automatically reports to
    Microsoft just what software you are running.  I suspect it does
    not, but we shall see.

Microsoft has been extremely upfront about the Registration Wizard,
which I believe is what you're talking about.  Of course, if you're a
conspiracy theorist (which it appears you may be) you might think
they're lying through their teeth.

The existence of Easter Eggs doesn't make other covert actions by
communications software any more or less likely.  In fact, it might
even make it less likely -- vendors that are trying to steal your data
are not likely to make you suspicious of them by putting other covert
actions in their software.  They'd want it to look as safe as possible
so that you'll trust it.

On the other hand, they may be putting the Easter Eggs in because they
think you'll use the above logic in order to trust them.  But you had
them pegged right away.

-- 
Barry Margolin
BBN PlaNET Corporation, Cambridge, MA
barmar@bbnplanet.com
Phone (617) 873-3126 - Fax (617) 873-5124


------------------------------

From: olcay@libtech.com (olcay cirit)
Date: 21 Aug 95 09:16:49 PDT
Subject: Re: A Netscape Story

    If you are running Netscape on your IBM type PC and you type
    CTRL-ALT-F you suddenly find yourself looking at "The Amazing Fish
    Cam" which connects to a netscape server and does something cool, I
    suppose.

If you are running Netscape on a Sun station, and you click on a link
using the middle (adjust) button on your mouse, the status bar will
change to 'Mozilla' temporarily while another Netscape Window is
loading.

Also, if you click on the netscape logo in the about screen, you are
launched into a screen with all the authors and such.

I don't know the documentation status of the above two, though.

    I truly wonder just what else Netscape does that they have not told
    me/us about.  I hope that there are those privacy nuts out there
    who are watching as packets are thrown around the net.  I hope that
    they are looking for stuff that the user did not intend to send to
    the author of the package.  I hope that the CTRL-ALT-F is the only
    unadvertised special feature.

This is just speculation, but I get suspicious when I connect to the
Netscape Site. Could it be that Netscape hands over your email, name,
system software information, traceroute info, and other things for
their own personal use?

Lots of sites do this, but they are usually for testing or
demonstrating these features. Or for a prank.

	Virtually,
	Olcay


------------------------------

From: Evan Rosser <ejr@cs.UMD.EDU>
Date: 20 Aug 1995 19:36:28 -0400
Subject: Re: A Netscape Story

    Have they not learned from the experience of Prodigy or Microsoft
    that communications software that runs in ways that the user is not
    warned about can easily lead the user to wonder what else is
    automatically installed?  That undocumented stuff might well be
    very intrusive.

Hmm.  Personally, I don't think it was any wondering about what *else*
was installed in Prodigy that caused people to worry -- it was the very
real presence of user data in a Prodigy file.  It was documented.
Certainly there was musing about what that data was being used for, but
it was a specific, not vague, concern (i.e. being transmitted to
Prodigy.)  In this case there's nothing to lead me to believe that
simply because Netscape put in a hot key for a popular page, they might
be uploading my data.

I am not too concerned about undocumented playful hacks.  It has a long
history -- i.e. "MAKE LOVE"/Not war? on DEC-20's, developers' pictures
in the Mac SE ROM's, etc.  As a matter of fact, there are more such
things in Netscape -- try typing "about:mozilla" as a URL to load.

But on a more serious note, I agree that a company that distributes
communications programs in binary-only form cannot allow anything to
undermine the public's trust.  I guess they didn't think that tricks
such as the above do.

--
Evan Rosser
ejr@cs.umd.edu


------------------------------

From: bo774@freenet.carleton.ca (Kelly Bert Manning)
Date: 21 Aug 1995 07:20:33 GMT
Subject: Re: An Abuse of Individual Right to Privacy?
Organization: The National Capital FreeNet, Ottawa, Ontario, Canada

    Robert Shorten (shorten@nic.wat.hookup.net) writes: Well, wouldn't
    such a thing be like the phone book? The phone company lists names
    and addresses of people and doesn't ask them first whether they
    want to be listed (such people have to contact the phone company.)
    As long as they (the directory people) give clear information in
    their directory as to how one can be unlisted, I don't think it's
    an invasion of privacy. There are already paper directories that
    list names, addresses, phone numbers, and even places of work.

But what is the coverage rate? Where I live publishing personal
information about someone is prohibited by provincial Credit Reporting
law unless they consent or one of a short list of conditions is met.
Anyone who published my name and address would be paying me $100,
perhaps for each copy of the directory.

I noted in a post several months ago that the local Polk directory had
a coverage rate of around 60% in a group of about 400 consecutive phone
numbers in a high income residential area.

It is worth keeping in mind when you look at one of these directories,
or even at the phone book, that there is nothing to indicate how many
are missing. All you see is the listed numbers.

Do non-published phone number/address rates in the USA range from 30%
in places such as Seattle to over 60% in Los Angeles? What you don't
see may be quite large.


------------------------------

From: travis.winfrey@gs.com (Travis Winfrey - NY)
Date: 22 Aug 95 14:14:05 EDT
Subject: Re: An Abuse of Individual Right to Privacy?

    shorten@nic.wat.hookup.net (Robert Shorten) writes: Well, wouldn't
    such a thing be like the phone book? The phone company lists names
    and addresses of people and doesn't ask them first whether they
    want to be listed (such people have to contact the phone company.)
    As long as they (the directory people) give clear information in
    their directory as to how one can be unlisted, I don't think it's
    an invasion of privacy. There are already paper directories that
    list names, addresses, phone numbers, and even places of work.

Your reply assumes that `brett@aa.net' will do what they said they will
do when there is no special reason to assume that.  In particular,
privacy issues frequently are decided by what is the more profitable
action, and I suspect this one would be similar.

I know that if I were a high-end stereo/speaker manufacturer, I would
be thrilled to correlate posts in the appropriate music group to the
real, live people who can buy my expensive widgets.  In many cases,
people may not suspect anything because of their own purchases and
subscriptions that lead to their being present on similar mailing
lists.  You can create your own examples using the many computer and
consumer groups on the net.

One can also create more sinister examples using stalkers or
wife-beaters, but that's nowhere near as likely.  However, a friend who
was sexually abused by her father had her diary and many personal
letters she had written subpoenaed for the trial.  Given that type of
explosive situation, it wouldn't be far-fetched for someone to try to
connect xyz's posts in alt.recover.sexual-abuse to the real person, or
similar confessional/support groups.  This didn't happen in the trial
in question, I'm simply outlining possibilities.


------------------------------

From: cpreston@alaska.net (Charles M. Preston)
Date: 20 Aug 1995 11:47:33 -0800
Subject: A New Newsletter Recommendation

I would like to recommend a new publication called The Jarvis Report.
It is a quarterly newsletter about industrial espionage, and some
technical tricks of the trade.  Ray Jarvis, who puts out the
newsletter, has an extensive government background in technical
surveillance and he provides classes for government and private
security in countermeasures and associated subjects.  His stated aim is
to collect and analyze verifiable instances of the theft of proprietary
information, and to provide an overall look at trends and problems.

All 6 sections of the July issue were either useful or entertaining.
This edition includes an account of widespread electronic eavesdropping
in Israel, and suggestions on balanced line detection of series
telephone line transmitters.

A newsletter sample (article on Israel) can be found in the Info-Sec
Super Journal area at     http://all.net

The Jarvis Report is published by Jarvis International 
Intelligence, Inc., 11720 E. 21st Street, Tulsa, OK, 74129
          Tel 918-437-1100       Fax 918-437-1191
  
Charles Preston   Information Integrity   cpreston@alaska.net


------------------------------

From: Bryan Nelson <nells@pacificrim.net>
Date: 21 Aug 1995 21:40:41 GMT
Subject: Time to Tree the Tiger in the U.S.A.
Organization: Pacific Rim Network, Inc.

William A. LaFreniere
W.A.L.   REHAB
(360)  676-4766

Time to tree the tiger in the U.S.A.

As most of you are probably aware, the assault of government on the
rights of the individual, the taxpayer and small business has reached
the crisis level. Many of us are adversely affected by intrusive
government employees and regulations on a daily basis. We find
ourselves unable to do anything about it because we are working people,
and haven't the time to devote to the cause.  The people who are waging
war against us are using work-time, along with computer and telephone
networks to keep ahead of our efforts to keep them at bay.

We can't control their numbers, we can't fire them.  We can't cut their
purse strings, they hold the purse, and can weave more strings faster
than we can cut them. It probably will do no good to complain about
them, even to your State representatives, you will be talking to one of
them over the phone.  They are unionized government employees. You may
have thought that government employees were not allowed to
unionize...think again. It's one of government's most closely guarded
secrets.  If there ever was a motive for the Oklahoma bombing, this was
likely the reason. You may have heard rumblings about a New World
Order, probably came from some union motivational speech, but don't
worry, other countries would never let it happen.

What we need to concern ourselves with, is how to extract them. It will
be no easy task, as unions have had many years to write protections
into the law. But extract we must, as many of you are aware, unions are
self-serving and self-preserving. Such influence on commerce,
regulations, and the carrying out of Justice.

Bill is the owner of a small business. He is one of the people who has
to deal with an intrusive government on a daily basis. Regulations keep
him in poverty and prevent him from being able to compete with more
politically advantaged businesses. Government employees blinded by
legality of their regulations, threaten to take everything he owned, and
leave him on the streets of Bellingham Washington U.S.A. You may not
be as adversely affected as he is, but if you have a story to tell, or
would like to form an organization to compile a list of government
wrongdoings, and provide organized opposition and to Rehab the LAW, give
him a call. He will call you to set up meeting times and to keep you
informed on progress.

Please leave your name and phone number.  Here again is his business
message number.  (360) 676-4766

Thanks for your help and understanding

--
Bill LaFreniere
W.A.L. REHAB
0266 Bellingham, Washington, USA <http://www.pacificrim.net/~chamber/>


------------------------------

From: NRA@MAXWEL.PH.KCL.AC.UK (Nigel Arnot)
Date: 22 Aug 1995 09:35:16 GMT
Subject: Re: Information Collection at Sears
Organization: Dept Physics, Kings College London

    rathinam@worf.netins.net (Sethu R Rathinam) says: will have enough
    data to make a perfect duplicate of your signature.  Question is,
    when such capability is achieved, will the companies tell you about
    the capability maturity - especially if you and I never asked
    questions when signing the "dumb" signature pads?

Possible countermeasure. I have just produced a few perfectly
recognisable copies of my own signature which would have *extremely*
different pressure/velocity profiles, by the simple expedient of
concentrating and deliberately writing slow/fast/extra heavy/light at
various moments during the manufacture of the signature.

If the result was just scanned in as a bitmap it would match my normal
signature well enough, but the profile would be quite worthless. If I'm
ever invited to sign on a pad, this is probably what I'll do. And if
next time the computer can't recognise my signature,  I'll let the
world know what's going on!

--
Nigel.


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 22 Aug 1995 10:52:23 -0500 (CDT)
Subject: Medicare leak through FOIA analysis and 9 digit ZIP
Organization: University of Wisconsin-Milwaukee

Taken from RISKS-LIST: Risks-Forum Digest  Monday 21 August 1995
Volume 17 : Issue 28 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND
RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public
Policy, Peter G. Neumann, moderator

    Date: 20 Aug 1995 09:35:01 -0500
    From: Quentin Fennessy <Quentin.Fennessy@sematech.org>
    Subject: Medicare leak through FOIA analysis and 9-digit ZIP

I read an article on Medicare in the 20 Aug 1995 _Austin
American-Statesman_.  The article was evidently done for the Cox
Newspaper chain.  The article talks of the deterioration of the
service, and also touches on the fact that a handful of doctors earn a
disproportionate share of Medicare funds paid out.

The article has a sidebar, which says, in short: Cox analyzed 100
million computerized Medicare payment records for the report.  The
information was obtained via FOIA.  The doctors' names were not
released.  Evidently there is an ongoing court case to release the
doctors' names.  Cox was able to identify some of the doctors.  The
doctors' ID codes were obscured by Medicare, but the 9-digit zip codes
of the doctors' offices were not.  Cox was able to pinpoint individual
doctors given this level of detail.

Risks: If information needs to be split into private and public
components then care needs to be taken for the job to be done
correctly.  9-digit zip codes divide the US into fairly small areas and
so can give (and have given) away the store.

This is not to say that I think this Medicare information should be
kept secret.  However, 9 digit zip codes in databases can be used to
pinpoint all sorts of details about folks.

Quentin Fennessy  quentin.fennessy@sematech.org
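
The failure described in the post above (identifier masked, 9-digit ZIP left in place), shown as a pre-release audit. This is an added example, not part of the original digest; the rows, field names and threshold k are constructed assumptions.

```python
"""Pre-release audit: does a published ZIP field single out a provider?

Every row, field name and the threshold k below are constructed for
illustration; none of it comes from the Medicare data the post describes.
"""
from collections import defaultdict

# Constructed payment rows: the provider identifier has been replaced by an
# opaque token, but the office ZIP+4 is published unchanged.
RELEASE = [
    {"provider_token": "P-01", "zip9": "78701-1234", "paid": 1200},
    {"provider_token": "P-01", "zip9": "78701-1234", "paid": 310},
    {"provider_token": "P-02", "zip9": "78701-1234", "paid": 95},
    {"provider_token": "P-03", "zip9": "78701-5678", "paid": 48000},
    {"provider_token": "P-03", "zip9": "78701-5678", "paid": 51000},
    {"provider_token": "P-04", "zip9": "78705-0042", "paid": 700},
    {"provider_token": "P-05", "zip9": "78705-0042", "paid": 820},
    {"provider_token": "P-06", "zip9": "78746-9001", "paid": 150},
]


def generalize_zip(zip9, digits):
    """Keep the first `digits` digits of a ZIP+4 and mask the remainder."""
    raw = zip9.replace("-", "")
    if len(raw) != 9 or not raw.isdigit():
        raise ValueError(f"not a 9-digit ZIP: {zip9!r}")
    if not 0 <= digits <= 9:
        raise ValueError("digits must be between 0 and 9")
    return raw[:digits] + "*" * (9 - digits)


def providers_per_area(rows, digits):
    """Map each generalized ZIP value to the distinct provider tokens in it."""
    groups = defaultdict(set)
    for row in rows:
        groups[generalize_zip(row["zip9"], digits)].add(row["provider_token"])
    return dict(groups)


def audit(rows, digits, k):
    """Summarize how many areas hold fewer than k distinct providers.

    An area with a single provider means the masked token is equivalent to
    the office location, so masking the identifier achieved nothing there.
    """
    groups = providers_per_area(rows, digits)
    risky = {area for area, tokens in groups.items() if len(tokens) < k}
    exposed = sum(1 for r in rows if generalize_zip(r["zip9"], digits) in risky)
    return {
        "digits": digits,
        "areas": len(groups),
        "risky_areas": len(risky),
        "min_group": min((len(t) for t in groups.values()), default=0),
        "exposed_rows": exposed,
    }


def coarsest_needed(rows, k):
    """Most ZIP digits that can be published with every area holding >= k
    providers, or None if even a fully masked ZIP cannot reach k."""
    for digits in range(9, -1, -1):
        if audit(rows, digits, k)["risky_areas"] == 0:
            return digits
    return None


if __name__ == "__main__":
    for d in (9, 5, 3):
        print(audit(RELEASE, d, k=2))
    print("publishable ZIP digits for k=2:", coarsest_needed(RELEASE, 2))
```

On the constructed rows, the full ZIP+4 leaves two of four areas with a single provider, and even the 5-digit ZIP leaves one; only the 3-digit prefix keeps every area at two or more.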


------------------------------

From: larpes@katk.helsinki.fi (Gard Larpes)
Date: 22 Aug 1995 06:58:50 GMT
Subject: Duration of Customer Relation & Customers Privacy
Organization: Helsinki University

Hello, does anyone have some ideas concerning "customer relation"?

I am searching for ideas concerning customer relation, and its basic
elements looked at from the view of an agreement.

Basic idea: A registration of a customer relation requires a
customer relation agreement between the registrar and the
registered.

Questions:

What are the basic elements in the customer relation? That is, what sort
of changes would mean a change in the customer relation?

What sort of changes would mean that the agreement is not valid?

What sort of changes could be valid, with only passive acceptance from
the registered?

In Finland the privacy legislation allows registration of individuals
only if there is a natural bondage between the registered and the
registrar.  Such a natural bondage is a customer relation.

But when does a customer relation exist judicially?  If registration
of a customer is based on allowance from the customer, in that case
there should be a sign of allowance as passive/active agreement.  A
customer pre-agreement would mean a bondage, and a judicially clear
case.

But what sort of changes in the customer relation would mean that the
earlier agreement is no longer valid as a base for registration?

What sort of changes in the registrar company (identity, ownership)
would mean a change inflicting the customer relation & its base for
registration of the customers?

Interesting views & opinions are WANTED !!!


------------------------------

From: "Dave Banisar" <banisar@epic.org>
Date: 21 Aug 1995 16:47:56 U
Subject: EPIC Alert 2.09

     =============================================================
      
        @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
        @     @  @   @   @        @ @   @     @     @  @    @
        @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
        @     @      @   @       @   @  @     @     @  @    @
        @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @

     =============================================================
     Volume 2.09                                   August 21, 1995
     -------------------------------------------------------------

                         Published by the
           Electronic Privacy Information Center (EPIC)
                          Washington, DC
                          info@epic.org
                       http://www.epic.org

                    *Special Edition: Crypto*

=======================================================================
Table of Contents 
=======================================================================
  
 [1] "New" Crypto Policy Announced: Clipper II?
 [2] NIST Announcement on Key-Escrow Workshops
 [3] Documents: FBI & NSA Want to Ban Non-Escrowed Encryption
 [4] EPIC Crypto Web Pages Online	
 [5] Upcoming Conferences and Events

=======================================================================
[1] "New" Crypto Policy Announced: Clipper II?
=======================================================================

The Clinton Administration ended a year of silence on August 17 when
it issued a long-awaited statement on the Clipper Chip and key-escrow
encryption.  Unfortunately, the "new" policy is merely a re-working of
the old one -- the Administration remains committed to key-escrow
techniques that ensure government agents access to encrypted
communications.  The only changes are a willingness to consider the
export of 64-bit encryption (if "properly escrowed"), the possibility
of private sector escrow agents to serve as key-holders, and
consideration of software implementations of key-escrow technologies.

As EPIC Advisory Board member Whit Diffie observed in an op-ed piece
in the New York Times, the new approach won't work.  "While other
nations may share our interest in reading encrypted messages for law
enforcement purposes, they are unlikely to embrace a system that
leaves them vulnerable to U.S. spying.  They will reject any system
that gives decoding ability to agents in the United States."  Diffie
further notes that "64-bit keys are not expected to be adequate."

In a statement re-printed below, the National Institute of Standards
and Technology (NIST) announced two public workshops "to discuss key
escrow issues."  More information concerning these meetings can be
obtained from Arlene Carlton at NIST, (301) 975-3240, fax: (301)
948-1784, e-mail: carlton@micf.nist.gov.

=======================================================================
[2] NIST Announcement on Key-Escrow Workshops
=======================================================================

EMBARGOED FOR RELEASE:                  NIST 95-24
3 p.m. EDT, Thursday, Aug. 17, 1995

Contact:  Anne Enright Shepherd         COMMERCE'S NIST ANNOUNCES
          (301) 975-4858                PROCESS FOR DIALOGUE ON
                                        KEY ESCROW ISSUES

     Furthering the Administration's commitment to defining a
workable key escrow encryption strategy that would satisfy
government and be acceptable to business and private users of
cryptography, the Commerce Department's National Institute of
Standards and Technology announced today renewed dialogue on key
escrow issues.

     A Sept. 6-7 workshop will convene industry and government
officials to discuss key escrow issues, including proposed
liberalization of export control procedures for key escrow
software products with key lengths up to 64 bits, which would
benefit software manufacturers interested in building secure
encryption products that can be used both domestically and
abroad.

     Key escrow encryption is part of the Administration's
initiative to promote the use of strong techniques to protect the
privacy of data and voice transmissions by companies, government
agencies and others without compromising the government's ability
to carry out lawful wiretaps.

     In a July 1994 letter to former Rep. Maria Cantwell, Vice
President Gore said that the government would work on developing
exportable key escrow encryption systems that would allow escrow
agents outside the government, not rely on classified algorithms,
be implementable in hardware or software, and meet the needs of
industry as well as law enforcement and national security.  Since
that time, discussions with industry have provided valuable
guidance to the Administration in the development of this policy.
For example, many companies are interested in using a corporate
key escrow system to ensure reliable back-up access to encrypted
information, and the renewed commitment should foster the
development of such services.

     Consideration of additional implementations of key escrow
comes in response to concerns expressed by software industry
representatives that the Administration's key escrow policies did
not provide for a software implementation of key escrow and in
light of the needs of federal agencies for commercial encryption
products in hardware and software to protect unclassified
information on computer and data networks.

     Officials also announced a second workshop at which industry
is invited to help develop additional Federal Information
Processing Standards for key escrow encryption, specifically to
include software implementations.  This standards activity would
provide federal government agencies with wider choices among
approved key escrow encryption products using either hardware or
software.  Federal Information Processing Standards provide
guidance to agencies of the federal government in their
procurement and use of computer systems and equipment.

     Industry representatives and others interested in joining
this standards-development effort are invited to a key escrow
standards exploratory workshop on Sept. 15 in Gaithersburg, Md.
This workshop is an outgrowth of last year's meetings in which
government and industry officials discussed possible technical
approaches to software key escrow encryption.

     The Escrowed Encryption Standard, a Federal Information
Processing Standard for use by federal agencies and available for
use by others, specifies use of a Key Escrow chip (once referred
to as "Clipper chip") to provide strong encryption protection for
sensitive but unclassified voice, fax and modem communications
over telephone lines.  Currently, this hardware-based standard is
the only FIPS-approved key escrow technique.  NIST officials
anticipate proposing a revision to the Escrowed Encryption
Standard to allow it to cover electronic data transmitted over
computer networks.  Under this revised federal standard, the
Capstone chip and other hardware-based key escrow techniques
developed for use in protecting such electronic data also will be
approved for use by federal agencies.

     As a non-regulatory agency of the Commerce Department's
Technology Administration, NIST promotes U.S. economic growth by
working with industry to develop and apply technology,
measurements and standards.

=======================================================================
[3] Documents: FBI & NSA Want to Ban Non-Escrowed Encryption
=======================================================================

On a related note ...

Declassified government documents recently obtained by EPIC show 
that key federal agencies concluded more than two years ago that the 
"Clipper Chip" key-escrow initiative will only succeed if alternative 
security techniques are outlawed.  The information is contained in 
several hundred pages of material concerning Clipper and cryptography 
EPIC obtained from the FBI under the Freedom of Information Act.  

The conclusions contained in the documents appear to conflict 
with frequent Administration claims that use of key-escrow technology 
will remain "voluntary."  Critics of the government's initiative, 
including EPIC, have long maintained that government-sanctioned key-
escrow encryption techniques would only serve their stated purpose if 
made mandatory.  According to the FBI documents, that view is shared by 
the Bureau, the National Security Agency (NSA) and the Department of 
Justice (DOJ).

In a "briefing document" titled "Encryption: The Threat, 
Applications and Potential Solutions," and sent to the National 
Security Council in February 1993, the FBI, NSA and DOJ concluded that:

   Technical solutions, such as they are, will only work if 
   they are incorporated into *all* encryption products.  To 
   ensure that this occurs, legislation mandating the use of   
   Government-approved encryption products or adherence to 
   Government encryption criteria is required.

Likewise, an undated FBI report titled "Impact of Emerging 
Telecommunications Technologies on Law Enforcement" observes that 
"[a]lthough the export of encryption products by the United States is 
controlled, domestic use is not regulated."  The report concludes that 
"a national policy embodied in legislation is needed."  Such a policy, 
according to the FBI, must ensure "real-time decryption by law 
enforcement" and "prohibit[] cryptography that cannot meet the 
Government standard."

The FBI conclusions stand in stark contrast to public assurances 
that the government does not intend to prohibit the use of non-
escrowed encryption.  Testifying before a Senate Judiciary 
Subcommittee on May 3, 1994, Assistant Attorney General Jo Ann 
Harris asserted that:

   As the Administration has made clear on a number of occasions,
   the key-escrow encryption initiative is a voluntary one; we 
   have absolutely no intention of mandating private use of a 
   particular kind of cryptography, nor of criminalizing the 
   private use of certain kinds of cryptography.

The newly-disclosed information suggests that the architects of 
the key-escrow program -- NSA and the FBI -- have always recognized 
that key-escrow must eventually be mandated.  Coming to light on the 
eve of the announcement of a "new" Administration policy, the FBI 
documents raise significant questions as to the government's long-term 
strategy on the cryptography issue. 

Scanned images of several key documents are available via the 
World Wide Web at http://www.epic.org/crypto/ban/fbi_dox/

=======================================================================
[4] EPIC Crypto Policy Web Pages Online	
=======================================================================

EPIC is now making available an extensive series of pages on
cryptography policy.  Each page highlights an area of controversy and
provides links to key documents.  Materials include formerly secret
government documents obtained under FOIA by EPIC and CPSR, reports
from the Office of Technology Assessment, the General Accounting
Office and others on cryptography. Topics include:

	o Efforts to ban cryptography
	o The Clipper Chip
	o The Digital Signature Standard
	o The Computer Security Act of 1987

The pages are available at http://www.epic.org/crypto/   More pages 
will become available soon.

=======================================================================
[5] Upcoming Privacy Related Conferences and Events
=======================================================================

Advanced Surveillance Technologies. Sept. 4, 1995. Copenhagen,
Denmark. Sponsored by Privacy International and EPIC. Contact
pi@privacy.org. http://www.privacy.org/pi/conference/

17th International Conference of Data Protection and Privacy
Commissioners. Copenhagen, Denmark. September 6-8, 1995. Sponsored by
the Danish Data Protection Agency. Contact Henrik Waaben, +45 33 14 38
44 (tel), +45 33 13 38 43 (fax).

InfoWarCon '95. September 7-8, 1995. Arlington, VA. Sponsored by NCSA
and OSS. Email: 74777.3033@compuserve.com.

Business and Legal Aspects of Internet and Online Services. Sept. 
14-15. New York City. Sponsored by National Law Journal and New York 
Law Journal. Contact: (800)888-8300, ext. 6111, or (212)545-6111.

The Good, the Bad, and the Internet: A Conference on Critical Issues
in Information Technology. October 7-8. Chicago, Ill. Sponsored by
CPSR. Contact cpsr@cpsr.org or
http://www.cs.uchicago.edu/discussions/cpsr/annual

18th National Information Systems Security Conference. Oct. 10-13. 
Baltimore, MD. Sponsored by NSA and NIST. Contact: 301-975-3883.

Managing the Privacy Revolution. Oct. 31 - Nov. 1, 1995. Washington,
DC. Sponsored by Privacy & American Business. Speakers include Mike
Nelson (White House), C.B. Rogers (Equifax) and Marc Rotenberg (EPIC).
Contact Alan Westin 201/996-1154.

22nd Annual Computer Security Conference and Exhibition. Nov. 6-8, 
Washington, DC. Sponsored by the Computer Security Institute. 
Contact: 415-905-2626.

Global Security and Global Competitiveness: Open Source Solutions.
Nov. 7-9. Washington, D.C. Sponsored by OSS. Contact: Robert Steele
oss@oss.net.

11th Annual Computer Security Applications Conference: Technical
papers, panels, vendor presentations, and tutorials that address the
application of computer security and safety technologies in the civil,
defense, and commercial environments. Dec. 11-15, 1995, New Orleans,
Louisiana. Contact Vince Reed at (205)890-3323 or vreed@mitre.org.

Computers Freedom and Privacy '96. March 27-30. Cambridge, Mass.
Sponsored by MIT, ACM and WWW Consortium. Contact cfp96@mit.edu or
http://www-swiss.ai.mit.edu/~switz/cfp96

Australasian Conference on Information Security and Privacy. June
24-26, 1996. New South Wales, Australia. Sponsored by Australasian
Society for Electronic Security and University of Wollongong. Contact:
Jennifer Seberry (jennie@cs.uow.edu.au).

             (Send calendar submissions to Alert@epic.org)

=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center.  To subscribe, send the message:

    SUBSCRIBE CPSR-ANNOUNCE Firstname Lastname

to listserv@cpsr.org.  You may also receive the Alert by reading the
USENET newsgroup comp.org.cpsr.announce.

Back issues are available via http://www.epic.org/alert/ or
FTP/WAIS/Gopher/HTTP from cpsr.org /cpsr/alert/ and on Compuserve (Go
NCSA), Library 2 (EPIC/Ethics).

=======================================================================

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues relating to the
National Information Infrastructure, such as the Clipper Chip, the
Digital Telephony proposal, medical record privacy, and the sale of
consumer data.  EPIC is sponsored by the Fund for Constitutional
Government and Computer Professionals for Social Responsibility. EPIC
publishes the EPIC Alert and EPIC Reports, pursues Freedom of
Information Act litigation, and conducts policy research on emerging
privacy issues. For more information, email info@epic.org, WWW at
HTTP://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 
301, Washington, DC 20003. (202) 544-9240 (tel), (202) 547-5482 (fax).

The Fund for Constitutional Government is a non-profit organization
established in 1974 to protect civil liberties and constitutional
rights.  Computer Professionals for Social Responsibility is a
national membership organization of people concerned about the impact
of technology on society.  For information contact: cpsr-info@cpsr.org

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "The Fund for
Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave.,
SE, Suite 301, Washington DC 20003.

Your contributions will help support Freedom of Information Act
litigation, strong and effective advocacy for the right of privacy and
efforts to oppose government regulation of encryption and funding of
the National Wiretap Plan.

Thank you for your support.

 ------------------------ END EPIC Alert 2.09 ------------------------

_________________________________________________________________________
Subject: EPIC Alert 2.09
_________________________________________________________________________
David Banisar (Banisar@epic.org)        *  202-544-9240 (tel)
Electronic Privacy Information Center   *  202-547-5482 (fax)
666 Pennsylvania Ave, SE, Suite 301     *  HTTP://epic.org
Washington, DC 20003                    *  ftp/gopher/wais cpsr.org 


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 11 Aug 1995 09:39:43 -0500 (CDT)
Subject: Info on CPD [unchanged since 08/01/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.  

This digest is a forum with information contributed via Internet
eMail.  Those who understand the technology also understand the ease of
forgery in this very free medium.  Statements, therefore, should be
taken with a grain of salt and it should be clear that the actual
contributor might not be the person whose email address is posted at
the top.  Any user who openly wishes to post anonymously should inform
the moderator at the beginning of the posting.  He will comply.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution.  As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute.  If you
do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted with an appropriate, substantive
SUBJECT: line; otherwise they may be ignored.  They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious.  Diversity is welcome, but not personal attacks.  Do
not include entire previous messages in responses to them.  Include
your name & legitimate Internet FROM: address, especially from
 .UUCP and .BITNET folks.  Anonymized mail is not accepted.  All
contributions are considered personal comments; usual disclaimers
apply.  All reuses of CPD material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy,
publications using CPD material should obtain permission from the
contributors.  

Contributions generally are acknowledged within 24 hours of
submission.  If selected, they are printed within two or three days.
The moderator reserves the right to delete extraneous quoted material.
He may change the SUBJECT: line of an article in order to make it
easier for the reader to follow a discussion.  He will not, however,
alter or edit or append to the text except for purely technical
reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite.  The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.

Mosaic users will find it at gopher://gopher.cs.uwm.edu.

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of:     Computer Privacy Digest
Professor of Computer Science     |                  and comp.society.privacy
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher:                 gopher.cs.uwm.edu 
levine@cs.uwm.edu                 | Mosaic:        gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------


------------------------------

End of Computer Privacy Digest V7 #015
******************************