Date:       Sat, 27 Jan 96 09:26:30 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V8#009

Computer Privacy Digest Sat, 27 Jan 96              Volume 8 : Issue: 009

Today's Topics:			       Moderator: Leonard P. Levine

                    Re: Health Privacy Bill (S.1360)
                         Re: Lotus [IBM] Blinks
                         Re: Lotus [IBM] Blinks
                   Re: One Person's War on Junk Mail
                   Re: One Person's War on Junk Mail
                   Re: One Person's War on Junk Mail
                   Re: One Person's War on Junk Mail
                   Re: One Person's War on Junk Mail
          New Hampshire Senate Considers Mandatory Drivers SSN
                      S. 652: A Senator's Response
                  Some Thoughts on Privacy in General
                     White House E-mail Made Public
           Single Computer Breaks 40-bit RC4 in Under 8 Days
                         Re: Keyboard Monitors
                   Re: Unsolicited email Advertising
                        Medical Records Privacy
                    Straight Jacketing the Internet
                 Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: Robert Gellman <rgellman@cais.cais.com>
Date: 23 Jan 1996 23:52:43 -0500 (EST)
Subject: Re: Health Privacy Bill (S.1360)

    Robert Ellis Smith wrote: If the current "medical confidentiality"
    proposal in Congress is enacted as is, a patient would be powerless
    to sue if an insider at a hospital browsed through medical files
    without a need to know, if a hospital released patient information
    to an information company it uses that had been cited for
    violations of federal laws on the management of personal
    information, if a hospital employee disclosed information to an
    authorized recipient in a format that could be easily intercepted
    (fax, e-mail, word-of-mouth, unsealed envelope), or if a doctor's
    assistant used patient information to harass a patient (perhaps by
    calling the patient's home).

This is simply not true.  The bill provides (Section 201) that a health
information trustee (record keeper) may not disclose a medical record
except as authorized under the bill.  The same section also provides
that information may only be used or disclosed if the use or
disclosure is compatible with or related to the purposes for which the
information was obtained.

Smith's first example is a hospital insider who browsed a record without a
need to know.  That is not an authorized purpose and is a violation of
the bill and fully actionable.  The bill also requires that there be a
record of all non-treatment disclosures so that there would be evidence
if improper disclosures were made.  There is no such requirement
today.  If a hospital did not maintain the accounting for disclosures,
it could be sued for that as well.

Smith's second example involves release to a company that had been
cited for violations of information laws.  The bill provides (Section
111) that a record keeper must establish and maintain appropriate
administrative, technical, and physical safeguards to ensure the
confidentiality, security, accuracy, and integrity of information.  The
release of information to a person who has demonstrated an inability to
maintain it in accordance with law would be a violation of this
requirement and fully actionable under the bill.

Smith's third example is if information is transmitted in a format that
could be easily intercepted.  This could also be a violation of the
same security requirement in Section 111.  And by the way, these kinds
of disclosures go on today all the time.  Try filing a lawsuit today
and see where that gets you.  If you can't show large damages, no
lawyer will take your case.

Smith's fourth example is if a physician's assistant used information
to harass a patient.  This would not be an authorized use because it is
not compatible with the purpose for which the information was obtained
(section 201).  This use would be fully actionable under the bill.

Further, in each of these cases, the successful plaintiff would be
entitled to minimum damages of $5000, punitive damages, and attorney
fees.  These are not necessarily available under existing statutes or
under common law.

The bill gives no one immunity.  It provides a statutory scheme that
criminalizes lots of conduct that is not criminal today.  It provides
clearer and better civil remedies than are available today.  Common law
remedies are pie-in-the-sky.  Their availability for 200 years has not
prevented the medical establishment from passing around medical
records with virtually no restrictions.  That's why we need
legislation.

I will agree that the bill in question needs a lot of work before it is
worth passing.  What it doesn't need is misinformation about its
content.

+ + + + + + + + + + + + + + + + + + + + + + + + +
+   Robert Gellman          rgellman@cais.com   +
+   Privacy and Information Policy Consultant   +
+   431 Fifth Street S.E.                       +    
+   Washington, DC 20003                        + 
+   202-543-7923 (phone)   202-547-8287 (fax)   +
+ + + + + + + + + + + + + + + + + + + + + + + + +


------------------------------

From: WELKER@a1.VsDeC.nL.nuwc.navy.mil
Date: 24 Jan 1996 09:46:22 -0400 (EDT)
Subject: Re: Lotus [IBM] Blinks

    The Administration contends that this is not so.  With their
    "commercial key escrow" scheme, they contend that you shouldn't be
    able to build a door they cannot break down, but they also contend
    that they should be able to order you to give a copy of the key to
    a government-approved individual, so that they can come enter your
    house (with a warrant, of course) when they wish.

While the debate over who should hold the escrowed keys is a legitimate
one, I must point out that some form of key escrow is essential as a
practical matter in order for electronic documents to be legally
binding.  I think this more than anything else is why PGP is not much
appreciated by the business community.  We cannot permit electronic
commerce wherein someone can claim "oops, I lost the key...sorry about
your $1M".

    [snip] After all, if $1.5 million can buy a CIA
    counter-intelligence agent, I wonder how much a Lotus Notes key
    escrow holder goes for these days? You can find a copy of the Lotus
    press releases at http://www.lotus.com

Consider the following positive impact (from the standpoint of the
users):  encryption of messages becomes the norm rather than the
exception.  Sure the government can intercept any particular message it
wants, but it still has to break the 40-bit key of any message it wants
to read.  I can't say for sure, but I think this makes it logistically
challenging for any government to try to scan all encrypted email
traffic with a keyword search, for example.

Further, persons who really wish to protect their data can layer a
better encryption scheme on top of Lotus'.  The third party is then
forced to either admit that they are scanning the subject's mail (if it
is a government and wants to subpoena the key), or live without knowing
its contents.  I think Lotus accomplishes far more to protect privacy
in the long run by making it a standard practice to encrypt your mail
than they lose by partially compromising a (not the) key.

Of course, none of this really matters, since encrypted Notes mail only
flows within a single Lotus Notes network.  If it has to pass through a
mail gateway and be read by a recipient using the competition's
products, it will cease to be encrypted -- no value for electronic
commerce outside a single company or very tight business relationship.
I don't see how there can be any kind of realistic electronic commerce
at the international level without the cryptosystem being in the public
domain (or at least dirt cheap).


------------------------------

From: jfh@acm.org (Jack Hamilton)
Date: 25 Jan 1996 03:06:37 GMT
Subject: Re: Lotus [IBM] Blinks
Organization: kd6ttl
References: <comp-privacy8.8.9@cs.uwm.edu>

    Monty Solomon <monty@roscom.COM> wrote: Although there are a lot of
    reasons why we think this is a terrible idea, the first one that
    springs to mind is the fact that the one public key that Lotus has
    embedded in all their software is a single point of failure for
    every International Lotus user throughout the world.

It isn't clear to me from the press release that there will be only one
public key.  There could be one per country, or one per license.  That
would increase security somewhat.

But not to the point that I would buy Notes if I wanted security.  I
wonder why Lotus/IBM doesn't include a user exit, allowing an
administrator to use PGP or ViaCrypt or whatever other encryption
mechanism they want.

--
Jack Hamilton   jfh@acm.org


------------------------------

From: fyoung@oxford.net (F Young)
Date: 24 Jan 96 22:04:54 EST
Subject: Re: One Person's War on Junk Mail

    Beth Givens <bgivens@pwa.acusd.edu> reports: A San Diego man, Bob
    Beken, recently won an interesting suit in Small Claims Court
    against Computer City involving unwanted mail solicitations.
    Perhaps this case, along with the Avrahami case, will serve as wake
    up calls to the direct marketing industry.  Consumers want and
    deserve to be able to control what enters their mailboxes. Your
    thoughts??

I've never been through a time when I got so upset about junk mail that
I would go through the trouble of writing a "contract" such as that of
Mr. Beken, or sue the marketer in court.  Personally, I'm more upset
about fax advertising or the long and windy unsolicited e-mail as it costs
me money to receive them.  Long e-mails could also potentially fill up
my mailbox and cause important messages to get bounced.

I realize more and more communities charge curbside garbage pickup by
the bag, and I can see a concern on junk mail there.

I find the fact that my name and address (and other personal info) are
being sold for profits or otherwise exchanged with unknown third parties
much much more troubling than the actual pieces of unsolicited mail I
receive.

Although I can't wait for someone to try that in Canada and set a
precedent ...


------------------------------

From: bo774@freenet.carleton.ca (Kelly Bert Manning)
Date: 25 Jan 1996 05:01:18 GMT
Subject: Re: One Person's War on Junk Mail
Organization: The National Capital FreeNet
References:  <comp-privacy8.8.1@cs.uwm.edu>

    Beth Givens (bgivens@pwa.acusd.edu) writes: A San Diego man, Bob
    Beken, recently won an interesting suit in Small Claims Court
    against Computer City involving unwanted mail solicitations. He
    purchased some items at Computer City (owned by Tandy, which also
    owns Radio Shack and Incredible Universe) and paid by check. When
    he noticed the clerk keying his name and address into the computer
    at the checkstand, he asked if he was going to get any junk

Should we draw the conclusion that he didn't give the address and it
was read from the cheque?

I ran into what may be a variation on that the last time I paid my car
insurance. The clerk wanted to know "is there a phone number" because I
didn't write one on the form. Then when she noticed I was paying by cheque
she perked up and grabbed it, only to turn up the corners of her mouth
when she saw that it only had my name on it, with no address or phone
number.

I used the same cheques for buying the vehicle and didn't get any sort
of hassle.

What is sort of annoying is that the telco writes in my phone number on
the rare occasions I pay them by cheque.

I had fun with the cableco a while back when their office was locked
during a strike. I sent them a cheque for the amount I was paying,
without the statement. They returned it to the bank branch for
forwarding to me. Guess the management types trying to keep the cash
flow going didn't know how to do a name search.

--
notice: by sending advertising/solicitations to this account you will
be indicating your consent to paying me $70/hour for a minimum of 2
hours for my time spent dealing with it


------------------------------

From: David & Kirsten Lichty <miracles@znet.com>
Date: 25 Jan 1996 10:56:15 GMT
Subject: Re: One Person's War on Junk Mail
Organization: zNET

Hello,

This is a subject I've spent some time on.

My favorite response is to stuff their postage paid envelope full
(really, really full) of all of the stuff they sent me at a postage
rate I subsidised.

When it goes back to them it is usually over the first class 1 oz.
rate.  This requires someone at the company to come up with postage due
to receive it.  In most companies this is enough of a hassle that a
manager or at least a supervisor becomes involved.

In the envelope with their junk is my request to be dropped from their
list.  It is still slow, but I've gotten off of most of the un-wanted
lists.

Another trick, I use different middle initials or invent a "dept. no."
for various responses.  With a little record keeping, I can tell who is
selling my name.  And with a mini-contract as you described this could
become interesting.

Thanks for the posting.

--
David
San Diego, CA


------------------------------

From: Dan Langille <dan@dvl.co.nz>
Date: 26 Jan 1996 12:57:20 GMT
Subject: Re: One Person's War on Junk Mail
Organization: DVL Software Limited
References: <comp-privacy8.8.1@cs.uwm.edu>

    Beth Givens wrote: Is this a significant victory? I think so. A
    court has agreed that a consumer has a right to say "no" to junk
    mail and to have the request honored. Perhaps this case, along with
    the Avrahami case, will serve as wake up calls to the direct
    marketing industry.  Consumers want and deserve to be able to
    control what enters their mailboxes. Your thoughts??

I think not.  I always understood it to be the case that asking not to
receive unsolicited material meant the sender must cease.  If I am
mistaken, then I would agree with you that the case is significant.
Otherwise, it's just an example where someone really mucked up and Mr
Beken was smart enough to know how to take advantage of what he thought
was going to happen.

Good on him.

-- 
Dan Langille
DVL Software Limited


------------------------------

From: horowitz@nosc.mil (Alan M. Horowitz)
Date: 27 Jan 1996 01:08:57 GMT
Subject: Re: One Person's War on Junk Mail
Organization: NCCOSC RDT&E Division, San Diego, CA
References: <comp-privacy8.8.1@cs.uwm.edu>

    Beth Givens <bgivens@pwa.acusd.edu> writes: Consumers want and
    deserve to be able to control what enters their mailboxes. Your
    thoughts??

Why do you have a general right to stop me from sending mail to you? If
I harass you by mail, I am committing a crime (already on the books),
and you have a right to file a complaint - as long as you are honest
enough to do so under penalty of perjury.

You are welcome to _contract_ with me to prevent me from sending mail
to you. You have to give a consideration to me, of course, or I am not
likely to enter into such a contract.

Every time I hear the word "consumer" I wince my eyes. Another
do-gooder run amuck, wanting to distort the marketplace's civil
remedies. Funny how the do-gooder finds a way to latch onto a paid
position as an "activist", in his scheme.

Where _did_ Ralph Nader get 2 million dollars for that Washington
townhouse he lives in ?!?


------------------------------

From: David Marston <marston@mv.mv.com>
Date: 24 Jan 1996 23:18:01 -0500 (EST)
Subject: New Hampshire Senate Considers Mandatory Drivers SSN

There is a bill about to be heard by New Hampshire's Senate
Transportation Committee that would require criminal background checks
for all vehicle registrants, new or renewal. "Wanted felons" would be
denied registration, and presumably be arrested. The same bill would
also delete provisions that allow applicants for driver's licenses to
request that their Social Security Number (SSN) and digitized picture
not be kept in the database at the Department of Safety (the licensing
agency).

The bill has no verbiage stating a grand purpose, but we can reasonably
deduce from its effects that it is supposed to constrain the ability of
wanted criminals to remain at large. Note: the State Police is another
division of the Department of Safety, so it is closely tied to the
Division of Motor Vehicles. The DMV authorities would no longer have
discretion to check if a person is wanted, but would have to check
every applicant through the National Crime Information Center or the
National Law Enforcement Telecommunications System. Fees are increased
to pay for that processing.

The bill requires that all drivers supply their SSN. Apparently, the
sponsoring senators believe that such a requirement somehow makes it
harder for wanted criminals to hide their identity. In fact, it
increases the likelihood that a lying applicant will cause grief for an
innocent person by appropriating his/her SSN. Bureaucratic typos and
mistakes would also ensnare the innocent. And as we computer people
know, numbers have an allure to the lazy bureaucrat, because they
appear to make it easy to have a positive match with the target person.
Thus, names and other identifying characteristics are felt to be less
reliable or harder to use once the allegedly distinct number is
available.

The bill is Senate Bill 608-FN-Local, which can be abbreviated to SB
608.  Comments will be taken at a public hearing on Wednesday, January
31, 1996, at 9:30 AM in Room 102 of the Legislative Office Building,
which is directly behind the State House (Capitol) in downtown Concord,
NH. If you are a New Hampshirite who can't attend, you can give your
opinion to your state senator. Sponsors of this bill are Senators
Roberge and Colantuono; if you are in the district represented by
either one, you may want to express your opposition to their opponents
in this Fall's elections as well.

--
David Marston


------------------------------

From: Mike Hales <mhales@primenet.com>
Date: 24 Jan 1996 22:24:02 -0700
Subject: S. 652: A Senator's Response
Organization: Smoke-N-Mirrors

The following is a response to my letter, including my comments, to the
gentleman from Idaho:

Note: This response is being mailed and posted to several newsgroups.
I do not consider this a breach in 'Netiquette, as it is not a
personal communication. Rather this is a communication between a
citizen and his elected representative and reflects the views of said
representative, which are and should be in the public domain.

Dear Senator Craig,

Thank you for responding to my letter. While it is apparent that we
hold similar views on the First Amendment Issue, I fear that the
importance of this issue is being seriously downplayed. This causes me
great concern.

Please follow below and note my comments. (I am sorry that I am not
more eloquent, so must resort to line-by-line commentary to your
response.)

    Larry_Craig@craig.senate.gov wrote: Thank you for contacting me
    regarding Senator Exon's amendment to the Telecommunications
    Competition and Deregulation Act (S. 652).  I appreciate having the
    benefit of your thoughts.  This amendment received broad bipartisan
    support in the Senate and

It was a knee-jerk reaction to a college student's badly researched
paper. This paper, and the issues it addressed, was picked up by Time
magazine and others and played nationwide. It was *not* checked for
accuracy, nor was the factual data verified (and found inaccurate)
until later. The paper was THOROUGHLY DEBUNKED upon peer review.

And, just because it "received broad bipartisan support" doesn't mean
it is right. Did you research the issue? Did your staff? What do you
really know about the "Internet"?

     speech and has upheld restrictions on its transmission through
     other media.  Furthermore, our nation has a long history of
     permitting extraordinary actions when the vulnerability of
     children is at stake as well.

Here you admit it is "extraordinary action...". Let me submit to you
that the information "readily available" on the Internet is no more so
than that available at my local convenience or video rental store. In
fact, my son came home the other day with a story of how he and his
friends found some videocassette covers that apparently contained
sexually-explicit material. His description of the covers was very
graphic. Does this mean we must "regulate" the alley? The
trash-collection agency? After all, this material was deposited in a
trash can for pickup by the contractor, yet freely available to anyone
who came along. In this case, my children came along and discovered
them. Do I hold the City of Boise liable because they provided the
"pipeline" for this material?

    In my view, this measure represents the best attempt yet to prevent
    the stalking, harassment, and abuse of children and others by those
    who use technology to prey on their victims.  I welcome any further
    ideas, suggestions, or improvements to this legislation by anyone
    with a desire to protect those who are vulnerable to the Internet's
    darker side.

The stalking, harassment, and abuse you speak of is prevalent
throughout our society, not just on the Internet. Further, the
"Internet" is not the same entity as the "bulletin boards" that Time
and others so eagerly attached all this hysteria to. (I sincerely wish
that I could spend a day with you and show you what the Internet is
*really* all about.) We, as a society, have taken measures to address
these issues. There are laws already in place to provide the safeguards
we seek, and they don't infringe on the rights (moral judgements aside)
of consenting adults.  While your point about the Court holding that
obscene material is not protected speech is valid, the infringements
upon what *is* protected is another issue. What this bill and other
ill-conceived and poorly thought out legislation fails to take into
account is that it would unduly infringe on many more law-abiding
individuals than it would serve to deter. Therefore, it will be tossed
out by the Supreme Court and we will all have wasted a great deal of
time and money on this non-issue. Better than trying to get a balanced
budget, I suppose...<g>

Perhaps more important than all of the above; we Americans are
conveniently ignoring one glaring fact. The Internet is, as the name
implies, *International*.  Whatever regulations we decide to put on it
will be conveniently ignored by the rest of the world.

In reading posts from international "netizens", it is painfully obvious
that most of the world is looking on in awe and disdain at our
simplistic and stupid view of this and other issues. "Why don't they
educate their children and guide them in their daily choices?" "No,
they give them money and send them to the mall to mouth obscenities at
the shoppers."

NOW, LET'S CUT TO THE CHASE:

This issue is *not* about "protecting the children" (you sound like
Bill "I Feel Your Pain" Clinton).

What I suspect is that you know what a threat to the existing power
structure the Internet really is. Finally, real, everyday people will
have a way to express their opinions worldwide; freely, inexpensively,
and without any kind of filtering. Facts, and *opinions* of those
facts, will become known instantly to everyone and debated fiercely and
freely. (Not subject to editorial review by those who own the printing
presses and transmitting stations.) There will be no place to hide. How
un-American!

Please sir, convince me that it is otherwise, for I perceive the
American political parties are kowtowing as usual to special interests
and powerful fringe groups.

As they say, "Every picture tells a story":

"The information superhighway is a revolution that in years to come
will transcend newspapers, radio, and television as an information
source.  Therefore, I think this is the time to put some restrictions
on it."

- U.S. Senator James Exon -

Can you tell me the gentleman doesn't have a hidden agenda? He doesn't say
anything about the children here. What he says is that we can't allow
*information* to be *uncontrolled* ("restrictions on it..."). This is
the same kind of "for the good of all" statements Hitler started with...

Thank you for your time and interest in my concerns.

Sincerely,
-- 
Mike Hales
1905 Shone Street
Boise, ID 83705
mhales@primenet.com


------------------------------

From: ingramm@Cognos.COM (Mark Ingram)
Date: 25 Jan 1996 15:20:17 GMT
Subject: Some Thoughts on Privacy in General
Organization: Cognos Incorporated, Ottawa CANADA

I know how hard it is to keep a debate going in a mailing list, but I
have to try to get this out, so here goes ...

The first point I would like to make is that there is no real problem
with having no privacy -- unless you are a criminal, of course.  I have
come across many cliches and supposed pearls of wisdom that all allude
to this:

"Secrets will out."

"If thou wouldst cast the mote from another's eye, first cast the
beam from thine own."

Etc. (additions welcome)

I was first going to attempt to justify this assertion with a vaguely
religious argument, you know, God knows everything about you, so there
can't really be anything wrong with knowing everything about someone
else ... but I was led inescapably to the issue of intent -- of course
there's nothing wrong with God knowing everything, because God won't do
anything evil with that knowledge!  So it's a specious argument.

However, in a truly public (non-private? aprivate? deprived (:-)?)
world, there isn't even a problem with intentions (or so I assert).
Let us take a worst-case example, or at least one that I know, the
stalking issue.  Let's say that solely because your address was known,
someone hunted you down and killed you.  But in a world of no privacy,
the killer's location and actions are known, and we can presume that
redress will be swift and permanent!  I know, this offers little
comfort to your corpse, but I think most would admit that unless you
want to live in a world of dull scissors and nerf hammers, anyone can
kill anyone else at any time; and the only thing that can stop it (and
in my opinion, the only thing that should) is the unwillingness of the
killer to face the consequences.  So the fact that there is no privacy
is a boon, in this case.

I submit that *all* supposed invasions of privacy are similar to this
example.  Person A knows something about person B, and performs action
C as a result.  If the action is unjustified, person B has redress; and
if it is justified, why should person B complain?

The real problem with a lack of privacy, as I see it (and I see it
growing every day -- at a hyper-exponential rate), is when it is
one-way.  There are people, and organizations, that know things about
me, and I know *nothing* about them.  I don't even know what they know
about me!

So, the next time someone asks you for some personal information, don't
feel invaded -- feel shut out!  They have access to mountains of
fascinating information, and you have bupkis ...

Any and all replies, followups, comments, and criticisms gratefully
received.

--
Mark Ingram
ingramm@cognos.com


------------------------------

From: 74231.1231@compuserve.com (Feng Ouyang)
Date: 25 Jan 1996 15:48:19 GMT
Subject: White House E-mail Made Public
Organization: CompuServe Incorporated

I just heard an interview on PBS, talking about a new book on White
House staff E-mail messages that were released to the public after a
"freedom of information" law suit.  I have a few questions that I think
are worth pondering.

1. When the staff members (of the Reagan and Bush administrations) wrote
the E-mail they did not expect it to be made public.  Is it fair to have
the court decision applied to those messages (retroactive)?

2. I believe not all conversations and telephone calls in the White
House are public records.  So why E-mail?  In a more general term, if
some form of private communication is allowed in the Government, why
exclude E-mail from that?

3. Where does public access end?  For example, if the staff members
decided to subscribe to CompuServe so they can exchange messages
outside of the White House computer system, will these accounts later be
subjected to public disclosure?  Does it matter whether these accounts
are paid for by the Government or by the individuals?  Does the public
have the right to inspect personal records of the staff members to
detect the existence of such E-mail accounts?

4. Unlike hard copy memos or letters, E-mail is easy to tamper with or even
fabricate.  That is why, if I understand correctly, E-mail cannot be
used for legal documents.  Now how can one judge the accuracy of E-mail
as public record?  What right do the authors or involved party have
when they question the authenticity of the message?

Hope you find these questions interesting.

--
Feng Ouyang
74631.1231@compuserve.com


------------------------------

From: Monty Solomon <monty@roscom.COM>
Date: 26 Jan 1996 01:13:02 -0500
Subject: Single Computer Breaks 40-bit RC4 in Under 8 Days

Begin forwarded message:

    From: daveg@pakse.mit.edu (David Golombek)
    Date: 18 Jan 1996 20:45:33 -0500
    To: cypherpunks@toad.com
    Subject: Single computer breaks 40-bit RC4 in under 8 days

MIT Student Uses ICE Graphics Computer To Break Netscape Security in
Less Than 8 Days:  Cost to crack Netscape security falls from $10,000
to $584

CAMBRIDGE, Mass., January 10, 1996 -- An MIT undergraduate and
part-time programmer used a single $83,000 graphics computer from
Integrated Computing Engines (ICE) to crack Netscape's export
encryption code in less than eight days. The effort by student Andrew
Twyman demonstrated that ICE's advances in hardware price/performance
ratios make it relatively inexpensive -- $584 per session -- to break
the code.

While being an active proponent of stronger export encryption, Netscape
Communications (NSCP), developer of the SSL security protocol, has said
that to decrypt an Internet session would cost at least $10,000 in
computing time.

Twyman used the same brute-force algorithm as Damien Doligez, the
French researcher who was one of the first to crack the original SSL
Challenge.  The challenge presented the encrypted data of a Netscape
session, using the default exportable mode, 40-bit RC4 encryption.
Doligez broke the code in eight days using 112 workstations.

"The U.S. government has drastically underestimated the pace of
technology development," says Jonas Lee, ICE's general manager.  "It
doesn't take a hundred workstations more than a week to break the code
-- it takes one ICE graphics computer. This shuts the door on any
argument against stronger export encryption."

Breaking the code relies more on raw computing power than hacking
expertise.  Twyman modified Doligez's algorithm to run on ICE's Desktop
RealTime Engine (DRE), a briefcase-size graphics computer that connects
to a PC host to deliver performance of 6.3 Gflops (billions of floating
point instructions per second).  According to Twyman, the program tests
each of the trillion 40-bit keys until it finds the correct one.
Twyman's program averaged more than 830,000 keys per second, so it
would take 15 days to test every key.  The average time to find a key,
however, was 7.7 days.  Using more than 100 workstations, Doligez
averaged 850,000 keys per second.

ICE used the following formula to determine its $584 cost of computing
power: the total cost of the computer divided by the number of days in
a three-year lifespan (1,095), multiplied by the number of days (7.7)
it takes to break the code.

ICE's Desktop RealTime Engine combines the power of a supercomputer
with the price of a workstation.  Designed for high-end graphics,
virtual reality, simulations and compression, it reduces the cost of
computing from $160 per Mflop (millions of floating point instructions
per second) to $13 per Mflop.  ICE, founded in 1994, is the exclusive
licensee of MeshSP technology from the Massachusetts Institute of
Technology (MIT).

###

INTEGRATED COMPUTING ENGINES, INC.
460 Totten Pond Road, 6th Floor
Waltham, MA 02154
Voice: 617-768-2300, Fax: 617-768-2301

FOR FURTHER INFORMATION CONTACT:

Bob Cramblitt, Cramblitt & Company
(919) 481-4599; cramco@interpath.com

Jonas Lee, Integrated Computing Engines
(617) 768-2300, X1961; jonas@iced.com

Note: Andrew Twyman can be reached at kurgan@mit.edu.
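
Added example (not part of the press release, and not Twyman's or
Doligez's program): a minimal Python sketch of exhaustive key search
against RC4 with known plaintext, run on a constructed 40-bit key with
28 bits given so that it finishes quickly, plus a check of the release's
15-day and 7.7-day figures against its 830,000 keys-per-second rate.
The key, the plaintext and all function names are constructed for
illustration.

```python
# Added illustration: exhaustive key search against RC4 with known plaintext.
# Key, plaintext and function names are constructed for this example.

def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes: key scheduling, then output generation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                                # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]

def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))

def search(ciphertext: bytes, known_prefix: bytes, fixed: bytes, unknown_bits: int):
    """Try every value of the unknown key bits appended to the given bytes.

    Returns (key, trials) on success, (None, trials) if nothing matches.
    """
    nbytes = (unknown_bits + 7) // 8
    want = ciphertext[:len(known_prefix)]
    for trials, guess in enumerate(range(1 << unknown_bits), start=1):
        key = fixed + guess.to_bytes(nbytes, "big")
        if rc4(key, known_prefix) == want:     # candidate reproduces the ciphertext
            return key, trials
    return None, 1 << unknown_bits

def days_to_search(key_bits: int, keys_per_second: float, fraction: float = 1.0) -> float:
    """Days needed to test the given fraction of a key_bits-bit keyspace."""
    return fraction * (1 << key_bits) / keys_per_second / 86400

if __name__ == "__main__":
    secret = bytes.fromhex("a1b2c30abc")       # constructed 40-bit key
    message = b"GET / HTTP/1.0\r\n"            # constructed plaintext
    ct = rc4(secret, message)
    # Give the search 28 of the 40 bits so only 2**12 candidates remain.
    key, trials = search(ct, message[:8], secret[:3], 12)
    print("recovered", key.hex(), "after", trials, "trials:", rc4(key, ct))
    # The only thing protecting the full key is the size of the keyspace.
    for bits in (40, 56, 128):
        print(bits, "bits: %.3g days for the whole keyspace at 830,000 keys/s"
              % days_to_search(bits, 830_000))
    print("40 bits, half the keyspace: %.1f days" % days_to_search(40, 830_000, 0.5))
```

Each extra key bit doubles the work, which is why the same loop that
finishes a 40-bit search in days is useless against a 128-bit key.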


------------------------------

From: Dan Langille <dan@dvl.co.nz>
Date: 27 Jan 1996 00:52:26 +1300
Subject: Re: Keyboard Monitors
Organization: DVL Software Limited
References: <comp-privacy8.8.4@cs.uwm.edu>

    Prof. L. P. Levine wrote: What follows is a spam, but for a product
    that we should be aware of and warned about.  SUBJECT:***KEYBOARD
    RECORDERS********

My classmates and I used to do such things at university back in the
early '80s.  It was fairly straightforward.

You'll also be pleased to know that most of the recent operating
systems don't allow such things.

    [moderator: sorry I seem to have lost the mailing address.]

Gee.  I wonder how that happened...  ;)

-- 
Dan Langille
DVL Software Limited


------------------------------

From: Dan Langille <dan@dvl.co.nz>
Date: 26 Jan 1996 13:04:48 GMT
Subject: Re: Unsolicited email Advertising
Organization: DVL Software Limited
References: <comp-privacy8.8.2@cs.uwm.edu>

    Dick Mills wrote: I can't imagine anyone reacting so strongly to a
    wrong telephone number, or to a misaddressed post card.  Let's just
    apply the same standard of civility and tolerance in cyberspace.

Honest mistakes I have no problem with.  But I have never received an
eMail which was incorrectly addressed.  And I have never received a
phone call which was to a wrong number and which was trying to sell me
something.

I suppose it's just that most people do not want to see junk mail on
the Internet.  Commercial information yes.  But not in newsgroups nor
in eMail.  One exception: if you ask a question in a newsgroup about
widgets, I feel it is acceptable for you to then receive eMail from a
company that sells widgets.  You asked for it.  You got it.

--
Dan Langille
DVL Software Limited


------------------------------

From: fisherdcb@aol.com (Fisher DCB)
Date: 26 Jan 1996 23:57:09 -0500
Subject: Medical Records Privacy
Organization: America Online, Inc. (1-800-827-6364)

i'm a reporter for a group of television stations. i'm doing a story on
computerized medical records and whether safeguards are adequate.  does
anyone know of people who have had experiences they might be willing to
share?

please respond to above e-mail address....or call 202 783 0322


------------------------------

From: "Declan B. McCullagh" <declan+@CMU.EDU>
Date: 25 Jan 1996 14:38:50 -0500 (EST)
Subject: Straight Jacketing the Internet

NEWS ANALYSIS:  TELECOM REFORM
by Craig A. Johnson
American Reporter Correspondent
Washington, D.C.
1/22/96

                       CONGRESS STRAIGHT-JACKETS THE NET
                              by Craig A. Johnson
                       American Reporter Correspondent

WASHINGTON -- Chief House and Senate telecom conference negotiators are
set to squeeze the Internet into yet another regulatory rathole.

Conference leaders are attempting to attach further "de-regulatory"
restrictions to the conference committee's draft telecom bill that will
remove guarantees for access and interconnection, and permit telecom
companies to price Net services in ways which seem defensible only to
the special interests which crafted the provisions.

Fresh from the "indecency" defeat, Net lobbyists and public interest
groups barely caught their breath before a new "red tide" of restraints
appeared in the draft conference bill language.

Though Netheads in Washington, such as D.C. Internet Society Chair Ross
Stapleton-Gray, reassure us that the Internet will remain "pretty much
the way it is now," and that neighborhood Internet service providers
(ISPs) will generally be able to offer access at continuing competitive
rates, insiders who have studied the language of the bill have grave
concerns about how the Internet of the future will look.

A senior counsel on the Senate Justice Committee told the American
Reporter last week that new draft changes will put back into the bill
the original Cox-Wyden language (AR, No. 65) that would have prohibited
the FCC from "economically regulating" the Internet.  "Nobody really
knows what this means," the source said.

In a style now familiar to reporters covering the telecom bill, House
Commerce Committee Chairman Tom Bliley (R-VA) prefers critical
conference decisions to be made in the dark corners of Capitol offices
and meeting rooms as far away from open committee meetings as
possible.

A "signature sheet" is presently being substituted for open discussion
and debate.  This assures that so-called "technical" changes and at
least one "substantive" change to the draft telecom bill, according to
Senate Commerce Committee staffers, can proceed without conferees
understanding too much about what the changes really mean.

The proposed language prohibiting the FCC from economically regulating
the Internet is doubly ironic in that it was not part of the Cox-Wyden
measure, which overwhelmingly passed the House on a vote of 420-4, and
an FCC role for "describing" measures to regulate Internet "content" is
positively sanctioned in the draft language.

Title V of the bill, "Broadcast Obscenity and Violence," classifies the
Internet as equivalent to a broadcast facility and regurgitates the now
familiar criminalization of speech measure inserted into the bill by
the Christian Coalition's poster boy, House Judiciary Chairman Henry
Hyde (R-IL).

Hyde, always eager to please fundamentalists, rammed his amendment
through the House conference caucus on a razor-thin vote (AR No. 174)
of 17 to 16, with members saying later that they did not understand the
implications of what they voted for.  This change in the House language
brought it into line with the Exon "indecency" clause in the Senate
bill.

Part of this regulatory cowpie is thrown into the FCC's lap (whose
budget of course is chopped by the Congressional-deficit boys). The
bill states:  "The Commission may describe measures which are
reasonable, effective, and appropriate to restrict access to prohibited
communications..."

But, while permitting the FCC to "describe" such measures, the bill
expressly states that the agency has "no enforcement authority over the
failure [on the part of providers or users] to utilize such measures."

This part of the bill is a honey-trap for litigators.  Placing the FCC
solely in an advisory role literally ensures that all of the
interpretation, implementation, and enforcement will be undertaken by
the courts and the Department of Justice.  Of course, numerous
individual and organizational users and providers will get caught in
the cross-fire.

Other measures tucked away in the telecom bill's turgid prose seem to
have escaped the scrutiny of many self-styled Internet defenders,
protectors, and aficionados.  Interconnection and equal access have
barely passed the lips of Net mavens in connection with the telecom
bills, yet these provisions in the draft bill could leave Net providers
out in the cold without protection from gusts of corporate
capriciousness.

The draft bill states that "each telecommunications carrier has the
duty to interconnect directly or indirectly with the facilities and
equipment of other telecommunications carriers" as well as the duty
to provide "to any other telecom carrier" interconnection and
"nondiscriminatory access to network elements on an unbundled basis..."

What are "network elements," and why is "interconnection" important?
The House telecom bill, H.R. 1555, clearly spelled these out, prior to
its re-write by the conference committee.

In the language of H.R. 1555, "a local exchange carrier" had to offer
to those providing "a telecommunications service or an information
service, reasonable and nondiscriminatory access on an unbundled basis
 ... to databases, signalling systems, poles, ducts, conduits, and
rights-of-way ... or other facilities, functions, or information ...
integral to the efficient transmission, routing, or other provision...
that is sufficient to ensure the full interoperability of the equipment
and facilities..." of those seeking such access.

But, the conferees, under pressure from the Regional Bell Operating
Companies (RBOCs) removed guarantees of access and interconnection to
providers of "information services," which include Internet service
providers.

In plain English, these changes in the bill mean that ISPs, online
service providers, and any other interactive "information service"
providers dependent upon telecom networks must worship at the altar of
the Bell companies in order to attain "interconnection" and "equal
access," two vital functions of communications which this bill was
supposed to guarantee and enshrine for the information-centered
future.

In even plainer English, they mean that carriers can play with Net
providers like tigers playing with their prey. As providers of the
critical conduits to Internet backbones, local exchange carriers under
the provisions of the bill can essentially charge information services
whatever the market will bear, thus potentially maiming or killing off
small- to medium-sized ISPs.

The carriers can also promote sweetheart deals with corporate monoliths
such as Microsoft, TCI, AT&T, MCI, and Time Warner for access at
discounted rates, as determined by volume or a similar measure.  They
can underprice, overprice, or offer no prices, since information
service providers are stripped of all guarantees as the draft law is
currently written.

These are rather extreme visions.  The reality is that discretionary
pricing may well take place, but the Internet backbone's national
service providers (NSPs) are working with the Commercial Internet
Exchange (CIX), the Internet Society and others to ensure that
draconian results do not obtain.

Corporate strategy is rapidly developing which will allow traditional
providers control over Internet access and provision.  Diversity will
hang on a while longer but the wind is clearly blowing in the direction
of conglomeration and concentration -- in no small part because telcos
in the U.S. are rapidly grasping the fact that long-term marginal costs
for local calls are moving toward zero.

Pricing is increasingly geared toward the content that is
accessed, rather than transport costs.  Carriers are restructuring in
order to dominate the markets for content provision.

The threat to small- to medium-sized ISPs as well as other small
businesses providing information services is real. The conference
committee draft already anticipates the problem.  The title of its
Kafkaesque Section 257, "Market Entry Barriers Proceeding," calls for
remedial action by the FCC for anti-competitive conditions which the
bill may actively foster.

It stipulates that "within 15 months after the date of enactment," "the
FCC shall complete a proceeding for the purpose of identifying and
eliminating ... market entry barriers for entrepreneurs and other small
businesses in the provision and ownership of telecommunications
services and information services, or in the provision of parts or
services to providers of telecommunications services and information
services."

The FCC is supposed to complete this proceeding using criteria which
will favor "diversity of media voices, vigorous economic competition,
technological advancement, and promotion of the public interest,
convenience, and necessity."  The next FCC review would not come for
three years, thus placing an enormous burden on the agency to get it
right in its first rulemaking proceeding.  In the fast-moving
communications world, a three-year lag time can be equivalent to
setting policy in stone.

Apparently, for the conference leadership, having the beleaguered FCC
take on additional burdens is more palatable than taking the
Congressional responsibility of rectifying the problem in law, and thus
risk flying in the face of powerful interests filling campaign
coffers.

However, in the most unkind cut of all, the bill managers in this
Kafka-like castle on the Hill intend to strip the FCC of economic
regulatory authority over the Internet, thus rendering the above
provision moot. The FCC will have no power to redress market entry
barriers such as distorted conditions for interconnection and access,
or skewed pricing, if the rider on the "signature sheet" currently
circulating makes its way into the bill.

This outcome, depending on its specific language, could well impact
Internet access to schools, hospitals, and libraries.  The bill
requires telecommunications carriers to provide "any of its services
that are within the definition of universal service" to schools and
libraries at reduced rates.

But, if the above qualification goes into effect, the definition of
"universal service" could not include the Internet because it could not
be "economically" regulated by the FCC as a "universal service." Net
pricing for schools, hospitals, and libraries may therefore be up for
grabs in a free-for-all commercial environment.

In a bill which is a patchwork of compromises between industry giants,
this Congress insists on behaving recklessly and destructively with
regard to the Internet and its constituency. And, many of the
conferees, as the old saw goes, appear to not "have the sense to pound
sand in a rathole."

				-30-

                        *       *       *

                      The American Reporter
          Copyright 1996 Joe Shea, The American Reporter
     and  Craig A. Johnson
                       All Rights Reserved
        The American Reporter is published daily at 1812 Ivar
        Ave., No. 5, Hollywood, CA 90028 Tel. (213)467-0616,
        by members of the Society of Professional Journalists
        (SPJ) Internet discussion list.  It has no affiliation
        with the SPJ.   Articles may be submitted by email to
        joeshea@netcom.com.  Subscriptions:  Reader: $10.00
        per month ($100 per year) and $.01 per word to republish
        stories, or Professional:  $125.00 per week for the re-use of
        all American Reporter stories.  We are reporter-owned. URL:
        http://www.newshare.com/Reporter/today.html Archives:
        http://www.newshare.com/Reporter/archives/


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 15 Jan 1996 18:40:39 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.  

This digest is a forum with information contributed via Internet
eMail.  Those who understand the technology also understand the ease of
forgery in this very free medium.  Statements, therefore, should be
taken with a grain of salt and it should be clear that the actual
contributor might not be the person whose email address is posted at
the top.  Any user who openly wishes to post anonymously should inform
the moderator at the beginning of the posting.  He will comply.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution.  As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute.  If you
do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored.  They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious.  Diversity is welcome, but not personal attacks.  Do
not include entire previous messages in responses to them.  Include
your name & legitimate Internet FROM: address, especially from
 .UUCP and .BITNET folks.  Anonymized mail is not accepted.  All
contributions considered as personal comments; usual disclaimers
apply.  All reuses of CPD material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy;
publications using CPD material should obtain permission from the
contributors.  

Contributions generally are acknowledged within 24 hours of
submission.  If selected, they are printed within two or three days.
The moderator reserves the right to delete extraneous quoted material.
He may change the Subject: line of an article in order to make it
easier for the reader to follow a discussion.  He will not, however,
alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite.  The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.

Web browsers will find it at gopher://gopher.cs.uwm.edu.

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of:     Computer Privacy Digest
Professor of Computer Science     |                  and comp.society.privacy
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher:                 gopher.cs.uwm.edu 
levine@cs.uwm.edu                 | Web:           gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------


------------------------------

End of Computer Privacy Digest V8 #009
******************************