Date:       Tue, 12 Mar 96 10:19:53 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V8#023

Computer Privacy Digest Tue, 12 Mar 96              Volume 8 : Issue: 023

Today's Topics:			       Moderator: Leonard P. Levine

                    Re: A Far-Reaching Privacy Bill
                        CIA & NSA Run Remailers
                      Re: Police (ab?)use of SSN's
                Re: Powerful Engines that Search Usenet
                Re: Powerful Engines that Search Usenet
                     Social Security Number Misuse
                     Social Security Number Misuse
                       Congressional Privacy Bill
                 Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: Daniel Veditz <daniel@borland.com>
Date: 08 Mar 1996 11:37:23 -0800
Subject: Re: A Far-Reaching Privacy Bill
Organization: Borland International
References: <comp-privacy8.20.9@cs.uwm.edu>

    Beth Givens wrote: California state senator Steve Peace has
    introduced a bill, which if it passes, will give consumers a great
    deal of control over their personal information. The bill reads in
    part: "No person or corporation may use or distribute for profit
    any personal information concerning a person without that person's
    written consent.  Such information includes, but is not limited to,
    an individual's credit history, finances, medical history,
    purchases, and travel patterns."

This will no doubt lead to the additional disclaimer on nearly all
applications and forms: "By signing this form you give us permission to
use your personal data in any way we see fit."  You already usually
sign something very similar in doctor's offices if you are paying with
insurance.

--
Dan Veditz


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 09 Mar 1996 07:42:36 -0600 (CST)
Subject: CIA & NSA Run Remailers
Organization: University of Wisconsin-Milwaukee

Taken from RISKS-LIST: Risks-Forum Digest  Friday 8 March 1996  Volume
17 : Issue 87 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED
SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy,
Peter G. Neumann, moderator

CIA & NSA Run Remailers 

    Date: 08 Mar 1996 14:37:14 -0500 (EST)
    From: Frank Sudia <sudiaf@btec.com>
    Subject: CIA & NSA Run Remailers 

I attended last week's ``Information, National Policies, and
International Infrastructure'' Symposium at Harvard Law School,
organized by the Global Information Infrastructure Commission, the
Kennedy School, and the Institute for Information Technology Law &
Policy of Harvard Law School.

During the presentation by Paul Strassmann, National Defense
University, and William Marlow, Science Applications International
Corporation, entitled ``Anonymous Remailers as Risk-Free International
Infoterrorists'', the question was raised from the audience (Professor
Charles Nesson, Harvard Law School) -- in a rather extended debate --
whether the CIA and similar government agencies are involved in running
anonymous remailers, as this would be a perfect target to scan possibly
illegal messages.

Both presenters explicitly acknowledged that a number of anonymous
remailers in the US are run by government agencies scanning traffic.
Marlow said that the government runs at least a dozen remailers and
that the most popular remailers in France and Germany are run by the
respective government agencies in these countries.  In addition, they
mentioned that the NSA has successfully developed systems to break
encrypted messages with less than 1000-bit [public] keys and strongly
suggested using at least 1024-bit keys.  They said that they themselves
use 1024-bit keys.

I asked Marlow afterwards if these comments were off or on record; he
paused, then said that he can be quoted.

So I thought I'd pass that on. It seems interesting enough, don't you
think?

Viktor Mayer-Schoenberger, Information Law Project,  
Austrian Institute for Legal Policy

  [Lightly edited for RISKS.  By the way, don't forget that if you can
  monitor and compare the incoming and outgoing mail from an anonymous
  remailer, ``anonymous'' identities can be compromised.  Beware of
  anonymity-bearing gifts.  Also, see Matt Blaze's contribution on key
  lengths for symmetric crypto in RISKS-17.69.  PGN]


------------------------------

From: softwa19@us.net (Charles R. Smith)
Date: 10 Mar 1996 17:46:20 GMT
Subject: Re: Police (ab?)use of SSN's
Organization: US Net, Incorporated
References: <comp-privacy8.22.1@cs.uwm.edu>

    Aaron Zaugg <relief@indirect.com> wrote: I recently bought myself a
    scanner to eavesdrop on just what sort of tasks the police in my
    area keep themselves busy with.  I've become quite alarmed however
    at the amount of personal information that is broadcasted over
    their frequencies.  Most alarming is the constant barrage of social
    security numbers that I pick up.  In most cases, officers at a
    traffic stop or investigation will use driver's license number to
    do their NCIC and PACE searches.  In some cases that number is
    identical to their SSN (DL numbers that are not SSN's begin with a
    [...]

National Crime Information Center - (Much like the Internet but for law
enforcement only) NCIC is a nationwide network of computers made up of
local, state and federal systems.  This system is tied to DMV
information in all 50 states, holding plate, driver, Vehicle ID number
and other auto related data.  It is also tied to the FBI crime
information center which contains wanted information and all criminal
histories.  It has access to all boat registration, plane registration
and fire-arms registrations.  Other users of NCIC information are the
IRS, CIA, NSA, BATF, and most state welfare and taxation agencies.

NCIC has been used by an Arizona law enforcement official to find his
ex-girlfriend and kill her.  NCIC assisted a drug gang in Pennsylvania
identify narcotics agents.  NCIC has been used by Private Detectives to
obtain information for political purposes.  Most NCIC data is available
only through special terminals and passwords hooked up to this private
network.  However, even after data is transmitted over a secure
network, local dispatchers pass this data to front line officers over
open radio systems.  This fault has been used here in Virginia to
obtain clean names and SSNs for criminals to buy guns.  Some agencies
with NCIC computers also have connections to the Internet, leaving them
open for possible hacker attack.  I fought what seemed like an endless
battle with state officials here in Virginia in 1994 to NOT hook any
NCIC systems or data to the Net.  Although, the natural inclination was
to join the crowd, I was finally able to convince them that doing so
was a risk not worth taking.  This was done during the State mandated
Internet study when I questioned Maryland Officials about security.
They admitted that their SAILOR (a public Internet connection) system
had been used to penetrate the computers of a U.S. nuclear power
plant.

In November, 1993, a local couple was murdered in their home in what
was discovered later to be a drug related crime.  The police were able
to catch the killers because they found the couple's stolen car outside
an apartment complex.  However, during the stake-out, the police used
their radio for an NCIC inquiry.  A local TV station overheard the call
and put their live TV broadcast van on the spot in minutes.  The police
were able to catch the two killers while dodging the TV reporters.
Fortunately, no one was killed.

Ten days later I demonstrated to Commander Lew Moore, head of
Communications for Chesterfield County Police, my on-line ciphering
software.  I demonstrated secure data, graphics and VOC (voice) file
transfer, and playback, noting the fact that he had 100 cellular phones
and 30 laptops already available.  I even pointed out proudly that it
could be used with packet radio modems easily adapted to his radios.  I
even offered to let them have the software for free.

His response...  "Well, that's nice but I really don't know what we
would use it for."

SOURCES:

NCIC details of operation, disclaimer, size and on-line agencies: NCIC
Users Manual - FBI, J.Edgar Hoover Bld., Washington, D.C.

NCIC abuses:  John P. McPartlin, "GAO:  FBI BREACH IS AN INSIDE JOB",
Information Week, Sept. 9th, 1993

Winn Schwartau, "INFORMATION WARFARE", Thunder's Mouth Press, 1994 ISBN
1-56025-080-1

Use of SAILOR to penetrate US nuclear reactor computer - Barbara G.
Smith, Manager Maryland State Library SAILOR Internet Project.  VA
INTERNET STUDY COMMITTEE MEETING, August 25, 1994, Summary of Minutes
(Call Va. Dept of Information Technology for complete minutes at
804-344-5550)

--
1 if by land, 2 if by sea.  Paul Revere - encryption 1775.
Charles R. Smith  SOFTWAR - Richmond, VA
http://www.ultimate.org/2292/


------------------------------

From: wb8foz@netcom.com (David Lesher)
Date: 10 Mar 1996 15:27:45 GMT
Subject: Re: Powerful Engines that Search Usenet
Organization: NRK Clinic for habitual NetNews Abusers - Beltway Annex
References: <comp-privacy8.21.5@cs.uwm.edu> <comp-privacy8.22.10@cs.uwm.edu>

    Richard Thieme <rthieme@lifeworks.com> writes: But I had
    communicated what I thought was semi-privately within a moderated
    group and found every post to that group archived and available.
    [...] But it took me aback to see what I thought was a
    communication, say, in a single room to twenty people recorded on a
    hidden cassette recorder (as it were) and broadcast over world wide
    radio.

You POSTED something, & expected it to be private?

Methinks you need to relearn some basic lessons re: Usenet.  Its
total purpose is to make public your statements.

If you wanted to say something privately --- why did you not email the
desired recipient?

-- 
A host is a host from coast to coast.................wb8foz@nrk.com
& no one will talk to a host that's close...........(v)301 56 LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead........vr vr vr vr.................20915-1433


------------------------------

From: bodafu@CAM.ORG (David L. Bergart)
Date: 11 Mar 1996 19:41:10 GMT
Subject: Re: Powerful Engines that Search Usenet
Organization: Communications Accessibles Montreal, Quebec Canada
References: <comp-privacy8.21.5@cs.uwm.edu>

    magary@news-e2c.gnn.com (Al Magary) wrote: but for those, like
    myself, who conduct all Internet business under their own name,
    Alta Vista's archiving of old correspondence is chilling.

Were you not aware that Usenet is a public forum?

What's the difference between *anyone* being able to see your posting
today, and anyone being able to see it in a few months? How is this
chilling? If you want privacy, there are established methods.

The chilling part for me is that I can post "I agree, let's do it" in
response to the question "Does anyone here in comp.lang.c want to
develop a new C compiler?", and then someone else can cross post a
reply to alt.pedophilia.drool and make it look like I'm agreeing to
something completely different in a newsgroup I've never read or posted
to.

A sophisticated user would catch the misrepresentation, but the naive
guy who's thinking of hiring me, and who does a search for my name on
DejaNews won't understand.

-- 
____D__a__v__i__d_____B__e__r__g__a__r__t___________________________________
                                              bodafu@cam.org


------------------------------

From: crissiet@ix.netcom.com (SETH SKLAREY)
Date: 12 Mar 1996 03:24:38 -0800
Subject: Social Security Number Misuse

 To: Chris Hibbert

I was very impressed with your overview of the misuse of social
security number requests.  Here in Florida they put it into the driver
license records, (which are public records & open to everyone), were
used as a mortgage broker's license number (since changed and the man I
spoke to at the State Comptroller's office who issues mortgage broker's
licenses was very aware of the topic and they have since changed their
policy).

However, contractors who go to pull permits in the Miami, Florida area
are required to provide it, and it is required by state law (which I
think is unconstitutional and conflicts with federal law and which I
want to challenge) when renewing occupational licenses.   They also
require FEIN's for occupational licenses if the business is a
corporation, but I don't know of any prohibition against this although
there should be for the same obvious reasons.

When I approached the ACLU about filing a suit 2 years ago they said I
would not prevail.   However, lately they seem more receptive.

The question is WHAT IS THE FEDERAL PENALTY if a GOVERNMENTAL agency
refuses to issue a license or permit if you refuse to give your
number?  Also, if you open a bank account, like a checking account that
does not pay interest, do you still have to give the number?

The last time I requested new phone service the local phone co.
(BellSouth) asked for the number, but backed down when I refused, but
they said their policy is to require a possibly higher deposit to those
individuals.

Any further information you run across on this subject will be
appreciated and I will likewise forward any to you.

I am also considering filing suit against credit reporting agencies and
Check verification companies to force them to remove my social security
number from their records under the Florida Right to Privacy Amendment
in the Fla Constitution.

--
SETH SKLAREY crissiet@ix.netcom.com


------------------------------

From: anonymous <levine@blatz.cs.uwm.edu>
Date: 10 Mar 1996 21:03:25 -0600
Subject: Social Security Number Misuse

[moderator: this user requested anonymity, I am posting this under my
own userid.]

I remember a discussion back when I was sitting in Administrative Law
class some years ago to the effect that, technically, the SSN
authorizing legislation prohibits the use of SSNs for ANY purpose,
including driver's licenses.  If I remember correctly, that's still on
the books, though widely disregarded.

I got onto this issue a few years back when UNIPAC started allowing
"dial-up student loan account access".  They allow you to call in and
get your current balance and payment record via a phone system, using
your SSN as your account number.  I went a few dozen rounds with UNIPAC
over this--I found it disturbing that anyone who had my SSN could
essentially do an unauthorized credit check on me--and eventually
forced them to change my account number after threatening to sue.  The
policy as a whole, I believe, is still in place.

I encourage you to stick with this, though.  MY SSN, for example, is
also my driver's license number, my university employee number, student
loan account number, and, as of recently, my local "business
registration" number.  The potential for abuse is outrageous . . . and
maybe the CPD is a way to bring this issue to light.

I assume the student loan information is what you are most interested
in.  After the normal routine of going through numerous representatives
and supervisors several times to finally get a pledge of action, my
student loans were sold about two weeks ago to Sallie Mae.  As of the
time of sale, they hadn't actually done anything about the account
password, so I'm a little curious as to whether there was any
connection.  (This is, by the way, the fourth time this has happened in
four years, every time resulting in new structuring, new payments books
and the inevitable several months of correcting mailing addresses.
Their administrative nightmares are stories for another list though
. . .).  I have already contacted Sallie Mae and asked for the brochures on
their version of the dial-in account maintenance program, but have yet
to receive them.  Fortunately, I kept copies of all the letters written
to UNIPAC . . ..

Sallie Mae could also, I notice from the fine print, turn around and
grant maintenance of the account back to UNIPAC . . ..  This adventure
is far from over.

Also, I will be opening a domain of my own in the next month, and
hosting a variety of Web sites.  One of the sites I'm putting together
is an activist-oriented site:  concise summaries of selected issues of
public concern, links to the five to ten top sites on that subject
(enough to provide a full, but not overly biased, overview) and finally
links at the end of each page for emailing or otherwise contacting
appropriate governmental officials to request action.  I'd love to
dedicate a page to the issue of the legality of the use of SSNs as
identification #s.  If you come across material in addressing this
issue, or generate any that is available or could be made available via
the Web, please don't hesitate to forward it.  I've also forwarded the
copy of the RRE mailing with your recent message to a number of net
lawyers, and should I get anything useful from them in re the original
authorizing legislation, I'll pass it along (I am, BTW, a lawyer by
training but Webmaster by profession--hence the interest in putting
together such a site in the first place).

And finally, I follow your newsgroup on a sporadic basis (as much as I
can follow any of them anymore) and appreciate your work.


------------------------------

From: softwa19@us.net (Charles R. Smith)
Date: 08 Mar 1996 02:13:13 GMT
Subject: Congressional Privacy Bill
Organization: US Net, Incorporated

The following commentary was written by the editor of the Richmond
Times-Dispatch.  It was published on page A16 in today's (March 7,
1996) edition of the Richmond Times-Dispatch.  It is used with
permission.

****************************************************************
Good For Goodlatte

Privacy, as Americans once knew it, probably is forever gone.  Now that
most records are kept in computers instead of written files, there
simply is no way to protect them from prying eyes.  Want to lie awake
nights?  Consider how many clerks (how many of them minimum-wagers?)
can peruse your bank account, your health insurance claims, your
driving record, your tax returns, even your personnel file.

Yet, instead of trying to protect citizens from such intrusion, federal
law enforcement agencies want to gain greater - indeed ensured - access
to all electronic communications.  How?  By preventing the sale of any
encryption software (which allows computer users to encode data so
others can't decipher it) unless the government is provided the key to
unscramble it.

The FBI argues that it will be handicapped in fighting crime without
the capacity to so monitor all computer exchanges - and perhaps it will
be.  But law enforcement also is hampered because police officers
aren't given keys to every home and the freedom to enter at will.
Would the FBI suggest changing that?

Thank goodness for Bob Goodlatte.  This week Virginia's 6th District
Congressman introduced his Security and Freedom through Encryption
(SAFE) Act, which would give Americans the freedom to use any
encryption device they choose - not merely those accessible at will by
government snoops.  It is good, thoughtful legislation that his
colleagues should support.

Goodlatte's bill ought to be unnecessary.  In better days, such
government surveillance would have been unthinkable.  Far from being
pressured to forfeit their rights for the pie-crust promise of reducing
crime, early Americans were warned against doing so.  "They that give
up essential liberty to obtain a little temporary safety deserve
neither liberty nor safety." Modern Americans would do well to remember
those words by Ben Franklin.  Happily, Bob Goodlatte has.

****************************************************************

--
"1 if by land, 2 if by sea."  Paul Revere - encryption 1775
Charlie Smith
SOFTWAR   Richmond, VA  http://www.ultimate.org/2292/


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 02 Mar 1996 10:34:30 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.  

This digest is a forum with information contributed via Internet
eMail.  Those who understand the technology also understand the ease of
forgery in this very free medium.  Statements, therefore, should be
taken with a grain of salt and it should be clear that the actual
contributor might not be the person whose email address is posted at
the top.  Any user who openly wishes to post anonymously should inform
the moderator at the beginning of the posting.  He will comply.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution.  As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute.  If you
do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored.  They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious.  Diversity is welcome, but not personal attacks.  Do
not include entire previous messages in responses to them.  Include
your name & legitimate Internet FROM: address, especially from
 .UUCP and .BITNET folks.  Anonymized mail is not accepted.  All
contributions considered as personal comments; usual disclaimers
apply.  All reuses of CPD material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy;
publications using CPD material should obtain permission from the
contributors.  

Contributions generally are acknowledged within 24 hours of
submission.  If selected, they are printed within two or three days.
The moderator reserves the right to delete extraneous quoted material.
He may change the Subject: line of an article in order to make it
easier for the reader to follow a discussion.  He will not, however,
alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite.  The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.

Web browsers will find it at gopher://gopher.cs.uwm.edu.

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of:     Computer Privacy Digest
Professor of Computer Science     |                  and comp.society.privacy
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher:                 gopher.cs.uwm.edu 
levine@cs.uwm.edu                 | Web:           gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------


------------------------------

End of Computer Privacy Digest V8 #023
******************************