Date:       Tue, 02 Apr 96 13:28:12 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V8#029

Computer Privacy Digest Tue, 02 Apr 96              Volume 8 : Issue: 029

Today's Topics:			       Moderator: Leonard P. Levine

                          Re: Computer Privacy
                          Re: Computer Privacy
          Re: USENET Reposters: Privacy and Copyright Concerns
          Re: USENET Reposters: Privacy and Copyright Concerns
                           Finding Lost Money
                           Re: SSN Absurdity
                Crooks Buying Your Social Security Data
          BC Health Minister Bans Info Sale to Drug Companies
                     [from RISKS] Argentine Hacker
                      Re: The Stalker's Home Page
                        Informed View on 800 ANI
                       ACM/IEEE Letter on Crypto
                  Re: Privacy and Electronic Commerce
                 Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: cprosse@elux3.cs.umass.edu (Christopher Prosser)
Date: 31 Mar 1996 18:35:02 -0500
Subject: Re: Computer Privacy
Organization: UMASS
References: <comp-privacy8.28.8@cs.uwm.edu>

    quinn@direct.ca (john quinn) wrote: I need some help on a legal
    question.  Can an employer obtain information from a computer and
    from disks marked "private" and use that information to fire an
    employee? Specifically, another employee found files considered
    inappropriate, reported them to management, who subsequently read
    through all the files and built a case against the original
    employee.  Can this information be used against the employee, or is
    it inadmissible due to an invasion of privacy?

As I understand it, yes.  Provided that the employer owns the computer,
they are legally entitled to everything on the machine, regardless if
it is marked private or not.  It is also legal for your employer to
read your email, though it isn't very ethical.

My Employee Agreement clearly states this fact so I try not to keep
anything around that I don't care if my bosses read.  If I want to, I
encrypt it using PGP.

--
Chris Prosser


------------------------------

From: Barry Campbell <Btc@cris.com>
Date: 30 Mar 1996 09:47:54 +0000
Subject: Re: Computer Privacy
Organization: CCSL
References: <comp-privacy8.28.8@cs.uwm.edu>

    john quinn wrote: I need some help on a legal question.  Can an
    employer obtain information from a computer and from disks marked
    "private" and use that information to fire an employee?
    Specifically, another employee found files considered
    inappropriate, reported them to management, who subsequently read
    through all the files and built a case against the original
    employee.  Can this information be used against the employee, or is
    it inadmissible due to an invasion of privacy?

John:

(1) Consult an attorney experienced in technology-related privacy law
in your jurisdiction for the definitive word on this.

(2) Having said that, it has been my experience that if the computer is
provided by the employer and is under the employer's control, users
have no "reasonable expectation of privacy" regardless of how disks or
files may be marked.  (And since the employer is probably a private
entity and not an agent of the government, none of the
search-and-seizure protections of the Fourth Amendment apply, anyway.)

(3) In general, though there have been some legislative efforts at the
state and federal level that have attempted to combat this (largely
unsuccessful, from what I've gathered), employees have very little
"right to privacy" in the workplace.  Calls may be monitored; the
contents of computer disks and files may be inspected, with no legal
recourse to the employee.

Lesson: Don't discuss or have anything on corporate communications
media that you wouldn't want to wind up on your boss's desk.

-- 

Barry Campbell                | "There's no difference between theory 
<Btc@cris.com>                |  and practice in theory, but there is 
http://www.cris.com/~Btc      |  in practice."


------------------------------

From: sgs@access.digex.net (Steve Smith)
Date: 30 Mar 96 17:14:40 GMT
Subject: Re: USENET Reposters: Privacy and Copyright Concerns
Organization: Agincourt Computing
References: <comp-privacy8.28.11@cs.uwm.edu>

    andypajta@aol.com (AndyPajta) wrote: If anything I write is
    copyrighted as soon as it is "fixed" and I choose to "publish" it
    on a newsgroup for other SUBSCRIBERS, that doesn't give any
    individual subscriber (the search engine, in this case), the right
    to re-publish it (i.e., to charge advertisers for space on their
    web page and allow the viewing of my composition beyond what I
    originally intended).  [snip] To put it more...legal?... I can not
    photocopy a magazine article and republish it in another magazine
    without the copyright owner's permission.

Sounds logical to me.

Problem is that copyright is merely a "right to sue".  It's not "real"
until it's tested in court.  As a silly example, Alan Sherman
copyrighted middle C.  Anybody who played middle C was playing his
"song".  Anybody who played any other note was playing his song
transposed.  Needless to say, it never hit the courts.

Are you willing to sue Digital?

--
Steve Smith                                sgs@access.digex.net
Agincourt Computing                        +1 (301) 681 7395
"If you're not looking for something, you won't find anything."


------------------------------

From: hrick@gate.net (Rick Harrison)
Date: 31 Mar 1996 16:16:23 -0500
Subject: Re: USENET Reposters: Privacy and Copyright Concerns
Organization: CyberGate, Inc.
References: <comp-privacy8.28.11@cs.uwm.edu>

When you post a message to Usenet, you are giving implied permission
for all Usenet feed-takers to redistribute messages.  Commercial
services such as CIS and AOL charge their users by the minute for
access to Usenet.  So, to logically extend the principle to its
extreme, it could reasonably be argued that someone who markets the
archives of a newsgroup on a CD-ROM, or a service like DejaNews, is
merely re-distributing the feed in a slightly different (and more
useful, "value-added") format.

I imagine this principle will eventually be tested in court.
Personally I hope messages posted to Usenet will be proven to be public
domain material unless the authors attach a copyright notice to their
messages.

-- 
Rick Harrison, editor, Journal of Planned Languages
http://members.aol.com/harrison7/


------------------------------

From: tburgess@uoguelph.ca (Todd W Burgess)
Date: 30 Mar 1996 18:51:14 GMT
Subject: Finding Lost Money
Organization: University of Guelph

     A couple of weeks ago, I heard a disturbing radio commercial. The
     ad said that there is over 200 million dollars of inactive bank
     accounts across Canada and you may be entitled to it. All you had
     to do is call a 1-900 number and they would do a search for you
     (you would have to pay for the phone call though). They claimed to
     be wired in to all the banks in Canada and could search all their
     databases in about 60 seconds.

Assuming their claims are true, I have a couple of complaints regarding
their "service". I have seen what happens when you go searching for
lost bank accounts. When my father had to look for my Grandad's bank
accounts all the banks had a couple of requirements before they would
perform a search.

The first was they would not discuss any information about a customer
over the phone, my Dad had to go in person to a branch. The second was
the bank manager insisted that my Dad present photo ID and the papers
showing that he had power of attorney. After the manager reviewed all
the information, only then would they authorize the search.

I find it hard to believe that a third party can circumvent all the
bank's security procedures for a small fee. As well, I also find it
hard to believe that the bank would permit access to its customer
database. I would hope the only people who have access to my customer
information is the bank and nobody else.

I always assumed that the banks maintained "closed" networks. I have
heard stories about the lengths banks go to, to protect their computer
hardware. I would hope such security applies to their customer
accounts.

I hope the advertisement was a fraud but if it is not then I would love
to know why the banks are permitting this kind of service.

--
University of Guelph, Computer Science Major   E-mail: tburgess@uoguelph.ca
URL: http://eddie.cis.uoguelph.ca/~tburgess


------------------------------

From: bo774@FreeNet.Carleton.CA (Kelly Bert Manning)
Date: 31 Mar 1996 08:40:42 GMT
Subject: Re: SSN Absurdity
Organization: National Capital Freenet, Ottawa, Canada

    Glen L. Roberts (glr@ripco.com) writes: Someone mailed me a few
    pages out of the 3/20/96 Congressional Record - Senate S2546.  It
    has a list of "Executive Nominations received by the Senate
    3/20/96" It then lists hundreds of NAMES & SSNs! Are these people
    insane? Have they no concern for privacy?

Or about making it trivially easy for someone to impersonate someone
who might be admitted to official functions. And it's not like it
hasn't been pointed out already, many times. I have a memory of reading
somewhere, I think it was in "databanks in a free society", a decades
old book, about how the committee members met once on a weekend in a
federal office in Washington, DC, and had to pronounce the magic
combination of name and SSN to a microphone to confirm that they were
the people who were supposed to be allowed into the building. The book
points out that even 30 years ago it was so easy to obtain SSNs that
this was of almost no value.

A recent issue of "Privacy Journal" reported that a teacher used the
SSN's of college students to open charge accounts. Theft of
identity/credit rating is a growth industry. The same issue said that
credit bureaus are getting many thousands of complaints every day about
people whose names have been used by fraud artists. Apparently there is
even a new flag in Credit Reports {confirm identity before opening
accounts/loans}. What a novel idea.

I wonder just how they will do it? It's hard to think of anything
except biometric identification that would work, and I don't think that
that is what they are thinking of.

--
notice: by sending advertising/solicitations to this account you will be 
indicating your consent to paying me $70/hour for a minimum of 2 hours for
my time spent dealing with it


------------------------------

From: taxhaven@ix.netcom.com (Adam Starchild )
Date: 31 Mar 1996 19:05:41 GMT
Subject: Crooks Buying Your Social Security Data
Organization: Netcom

Taken from The New York Post, March 28, 1996:

        Neal Travis' New York: Crooks Buying Your SS Data

A major scandal is about to strike the Social Security Administration.
I understand a gang of credit-card scammers has had access to Social
Security's closely-guarded files for close to two years.

The criminals, popularly known as "The Nigerian Gang," have been
bribing Social Security clerks in New York and across the nation to
furnish them with the details that those workers are sworn to protect.

The gang has been stealing new credit cards from Newark Airport, to
where they are bulk-mailed before being sorted and sent to individual
addresses.

To validate the cards, the gang has to provide the Social Security
number of the holder, plus such facts as the maiden name of the
recipient's mother.  The corrupt clerks have been providing this data
out of the administration's computerized files at $160 a pop.

"The clerks have been making a fortune," says a bank investigator.
"The gang itself has made millions, because weeks go by before anyone
even knows they've been scammed."

This investigator says four of the gang were picked up by federal
authorities during Mardi Gras in New Orleans while using bogus cards at
ATMs.

"They were carrying lists of names, SS numbers and identifying codes,"
says this source.  "The authorities were able to work out who in Social
Security had accessed this information.

"A woman in New York has broken down and confessed, and at least
another eight clerks around the nation are targeted for arrest.  Both
the gang and the clerks will face federal mail-fraud charges."

--
Posted by Adam Starchild
     Asset Protection & Becoming Judgement Proof at
     http://www.catalog.com/corner/taxhaven


------------------------------

From: bo774@freenet.carleton.ca (Kelly Bert Manning)
Date: 01 Apr 1996 15:44:58 -0500
Subject: BC Health Minister Bans Info Sale to Drug Companies

See http:/www.health.gov.bc.ca/newsrel/nrdate.html

How does this relate to computers, since the root issues are generic?

Well, for one thing having the data in machine readable form makes it
much easier to merge and relate data and perform this kind of data
mining.

For another thing, the Single Payer system assigns unique province wide
Practitioner ID numbers that makes it easier to relate data from
separate points of sale. The same applies to Personal Health Numbers,
but that doesn't seem to be at issue in this matter.

Finally, when systems interact, it doesn't seem to be enough to ensure
that Privacy/Confidentiality is protected on just one system. While
Pharmanet wasn't the source of this information it defines a province
wide standard that could simplify the task of combining information
from different points of sale.

For background the URL above has a couple of press releases about
Minister's statements about regulation of Pharmaceutical company prices
and profits. See Feb 26 and Feb 13. This has been getting a lot of news
coverage since the Mulroney government ended "compulsory licencing"
about a decade ago.

--
notice: by sending advertising/solicitations to this account you will be 
indicating your consent to paying me $70/hour for a minimum of 2 hours for
my time spent dealing with it


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 01 Apr 1996 15:04:14 -0600 (CST)
Subject: [from RISKS] Argentine Hacker
Organization: University of Wisconsin-Milwaukee

    Taken from RISKS-LIST: Risks-Forum Digest  Monday 1 April 1996
    Volume 17 : Issue 95 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND
    RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public
    Policy, Peter G. Neumann, moderator

    From: David Kennedy <76702.3557@compuserve.com>
    Date: 01 Apr 96 02:02:50 EST
    Subject: Argentine Hacker

 U.S. uses first computer system wiretap UPI Financial  29/3/96 13:27

 By MICHAEL KIRKLAND

WASHINGTON, March 29 (UPI) -- U.S. officials used an unprecedented
court-ordered wiretap of a computer network to charge a young Argentine
man with breaking into Harvard, U.S. Navy and NASA computers, the
Justice Department said Friday.  At a news conference at the Justice
Department, U.S. Attorney Donald Stern of Boston called the operation
"cybersleuthing."

 o    Other systems penetrated, Univ Mass, Cal Tech, Northeastern and
systems in Mexico, Korea, Taiwan, Brazil and Chile.

 >>    "The search procedure was specifically designed to let another
 computer do the complex searches in a way that provided privacy
 protection for the innocent users of the network," Reno said. <<

 o    The investigators used a program called I-Watch for Intruder
Watch run on a government computer located at Harvard.  The program
searched the net for the targeted criminal among 16,000 university
users.

 [DMK:  A search for info on this program revealed I-watch may be a
product from Ipswitch, Inc. of Lexington MA.]

 >>    I-Watch was able to "identify certain names that were unique to
 the intruder," Heymann said, as well as locations and accounts -- his
 "computer habits." Because the search was conducted by I-Watch, the
 communications of the legitimate users were never seen by human eyes.
 I-Watch was left undisturbed in its work through November and December
 until it had narrowed down the thousands of possibilities to one
 unauthorized computer cracker, Julio Cesar Ardita, 21, of Buenos
 Aires, officials said. <<

 o    Ardita's home was raided on 28 Dec and his PC and modem seized.
He remains free because the charges against him are not among those
to which the US-Argentina extradition treaty applies.

 o    Charged with:  "possession of unauthorized devices" (illegal use
of passwords), (18 USC 1029) unlawful interception of electronic
communications (18 USC 2511) and "destructive activity in connection
with computers." (18 USC 1030) [DMK: citations mine, not UPI's]

 >>  The information he accessed is considered "confidential," Stern
 said, but "did not include national security information." <<[DMK: "C2
 in 92!"]

 >>   Ardita's alleged cracking was first detected last August when the
 Naval Command Control and Ocean Surveillance Center in San Diego
 detected a computer intruder, officials said. <<   ...

 >>    The Naval Criminal Investigative Service did an analysis of the
 intruder's "computer habits," including signature programs used to
 intercept passwords. <<   ...

 >>    Eventually, an intruder who called himself "griton" -- Spanish
 for "screamer" -- was detected using four computer systems in Buenos
 Aires to crack the Harvard computer, and the illegal accessing of the
 other sites was discovered. <<

Dave Kennedy [US Army MP][CISSP] Volunteer SysOp Natl. Computer
Security Assoc Forum on Compuserve


------------------------------

From: bo774@FreeNet.Carleton.CA (Kelly Bert Manning)
Date: 31 Mar 1996 09:07:41 GMT
Subject: Re: The Stalker's Home Page
Organization: The National Capital FreeNet
References: <comp-privacy8.27.2@cs.uwm.edu> <comp-privacy8.28.1@cs.uwm.edu>

    "Michael J. McClennen" (michaelm@eecs.umich.edu) writes: In fact,
    this is nothing new.  The capability to find anyone anywhere in the
    country has existed for at least 20 years now.  Case in point: 20
    years ago, my cousin fled an abusive relationship in California.
    For the next four years, until she found someone able to protect
    her, she was regularly visited and threatened by this man.  No
    matter where she moved (or how far off the beaten path) he was
    always able to find her within a few months.

    All this technology does is make available to the casual user the
    kinds of information that were formerly available to anyone willing
    to track down the right sources and pay the right fees or bribes.

I don't think it does make this available to the casual user. White
pages online give less than 50% coverage in many areas. A lot can be
done just by being consistent in using an alias when setting up utility
accounts, and when asking for your name, etc. Never give your home
address or real name to someone who doesn't need to know it.

The biggest exposure is unavoidable public records. I've been able to
trace all of the personalized crap mail I've received at home in the
past 6 years (5 items) to releases from public records. The Provincial
I&P act should reduce that to nothing. Crap mailers seem to be running
scared. The last clown to pull my address off a provincial record
initially claimed that he had pulled it off municipal records not yet
covered. A different story emerged when I got a Judge's order to
produce documents. That source is no longer legally available to him or
anyone else. My personal view is that despite claims to the contrary he
was fully aware of the act, its dates for coverage of different areas,
and the fact that he was doing something that the act prohibits.

Besides, properly designed access audit trails can make information
just as secure as financial accounts. It's also quite easy to flag a
name with a distinctive misspelling/variation to tell who passed it on
without your consent. Your bank can't guarantee that someone won't
embezzle money from your bank account, but with properly designed
controls they can follow the trail once you notice. Sometimes
conscience is just a small voice saying "someone might be watching".

--
notice: by sending advertising/solicitations to this account you will be 
indicating your consent to paying me $70/hour for a minimum of 2 hours for
my time spent dealing with it
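
The name-flagging idea in the message above, as an added example that is not part of the original post: each organization is given its own middle-initial variant of a name, and a registry maps a variant seen on unsolicited mail back to the organization that received it. The class `NameRegistry`, the name, the recipients and the secret are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import re
import string


def _key(name):
    """Normalise a name so case, punctuation and 'LAST, FIRST' order do not matter."""
    tokens = re.sub(r"[^A-Za-z ]", " ", name).upper().split()
    return tuple(sorted(tokens))


class NameRegistry:
    """Issues one distinctive name variant per recipient and traces it back."""

    def __init__(self, first, last, secret):
        self.first, self.last, self.secret = first, last, secret
        self.by_recipient = {}  # recipient -> variant handed out
        self.by_key = {}        # normalised variant -> recipient

    def issue(self, recipient):
        """Return the variant to give this recipient (stable across calls)."""
        if recipient in self.by_recipient:
            return self.by_recipient[recipient]
        counter = 0
        while True:
            # Keyed hash, so a recipient cannot predict another recipient's variant.
            msg = f"{recipient.lower()}|{counter}".encode()
            digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
            a = string.ascii_uppercase[digest[0] % 26]
            b = string.ascii_uppercase[digest[1] % 26]
            variant = f"{self.first} {a}. {b}. {self.last}"
            key = _key(variant)
            if key not in self.by_key:  # retry when two recipients collide
                break
            counter += 1
        self.by_recipient[recipient] = variant
        self.by_key[key] = recipient
        return variant

    def trace(self, name_on_mail):
        """Return the recipient whose variant appears on the mail, or None."""
        return self.by_key.get(_key(name_on_mail))


def demo():
    # Constructed sample data: a fictional person and three fictional record holders.
    reg = NameRegistry("Pat", "Example", secret=b"constructed-demo-secret")
    issued = {r: reg.issue(r) for r in
              ("Utility Co", "Land Registry", "Magazine Subscriptions")}
    # A mailing label as a bulk mailer might print it: upper case, no dots,
    # surname first.
    first, a, b, last = issued["Land Registry"].replace(".", "").split()
    label = f"{last}, {first} {a} {b}".upper()
    return issued, label, reg.trace(label)


if __name__ == "__main__":
    issued, label, source = demo()
    for recipient, variant in issued.items():
        print(f"{recipient:24} {variant}")
    print(f"label {label!r} traces to {source!r}")
```

A label that drops the initials matches no variant and traces to nothing, so the scheme identifies a source only when the variant survives intact.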


------------------------------

From: "anonymous" <levine@blatz.cs.uwm.edu>
Date: 01 Apr 1996 11:21:21 -0600 (CST)
Subject: Informed View on 800 ANI

To protect the guilty (me) I have asked our moderator to put this into
the "pile" anonymously.  [moderator: I have posted it under my own
email address]

I am one of those, who among many other things, helps design and
install these 800 ANI Data Gathering systems for businesses.  I don't
try to impose my morals on my clients, and they know what they buy from
me is not affected by my personal agenda.  In some cases, clients pay
me to be on the other side of the issue.  I take their money, and do
the best job that I can.  So I have a professional stance on both sides
of the fence.

Like most things, the use of 800 number ANI as a marketing tool started
slowly.  Over the last decade, I have watched it grow from a simple
time saving device for calling up customer data files, to its present
form.  Over that time, business needs have changed; client management
has changed.  New people; new ideas; new agendas!  I have reasons to
expect that this little tiger cub has grown up, and is about to eat the
children ...

Recently: Dean Ridgway <ridgwad@PEAK.ORG> commented:

      I think this discussion on ANI/CLID is getting way out of hand.
      ANI is a fact of life for 800 callers, get used to it.  If you
      don't want them to get your number use a phone booth.

It may not be the discussion that is getting out of hand, but the
practice itself.  While this situation is currently a "way of life"
there is no reason for it to remain so.  An aware public, concerned
with its own privacy can create the necessary change.  The most common
excuse for providing 800 ANI data to the customer (as opposed to
stopping at the central office ... like all other calls) is the
auditing of the bill.  This is (at best) garbage, at worst, deliberate
misleading drivel designed to protect the status quo! ... Most, if not
all, 800 billing is _time_ based.  There is absolutely no valid reason
to know the source of the call to audit a bill based on connect time
alone.  As far as going to a pay phone, why should I have to
inconvenience myself to protect my privacy.  Also, just maybe, the
location of the pay phone tells them more than they need to know ...
like the name of the company I am calling from (semi-public pay phones
do show the name of the company that they are located at).

The real problem is one of choice.  Increasingly, I (you, or anyone)
has no choice about calling that 800 number.  It is a sad, but true,
fact that many companies give out _only_ 800 numbers for certain
departments.  They refuse to provide callers with a "regular" number
for access. [If you don't believe me, try to find the non-800 numbers
for any 10 vendor support groups taken at random.  Many of the people
staffing those numbers don't even _know_ the non 800 number!]  Many
voice mail and return messages contain only 800 numbers.  Some are
labeled _urgent_ (of course they are nothing of the sort).  If this is
not a knowledgeable attempt to invade my privacy, it sure comes
close!   [BTW, there is a whole subject here based on "Who Owns That
800 Number, and Who _am_ I calling?"]

      I think I have said this once before here.  If I am calling a
      business' 800 number, more than likely I want to do business with
      them.  Thus I don't particularly care if they get my name,
      number, and credit rating.

There are any number of fallacies here ... almost too many to list ...
let us start with the fact of the "credit rating".  How about if you
are calling from a friend or co-worker's house whose credit rating is
less than sterling?  As a result, your inquiry is shuffled off to the
"less than important" file, or you are "tagged" with an increased
"risk based fee" based on someone else's credit rating or where they
live. [Yes, such things do happen.]  Still happy?  Or, maybe you are
calling from home (or the office) and, after listening to what they had
to say, you decide not to do business after all, or maybe you did ...
doesn't matter.  Now they are calling you back every 2 months with some
"new offer", repeatedly until they get through, (computer driven
dialers are relatively cheap) and are a constant pest.  [Unfortunately,
this is becoming more common (and they are calling your co-worker too,
they think that he is you, or vice versa).]  Still Happy?  If you are,
read on...

Let us assume that like many others you are an independent consultant
(or a financial advisor, independent sales representative, social
worker, or any number of other people who value not just their own
privacy but have an interest in protecting the IDENTITY OF THEIR
CLIENTS.)  Let us also assume that you sometimes contact businesses
from the client location. ... if you can't see the picture yet, let me
make it just a little more clear.  If I know you, and I know where you
_usually are_, and I know what you usually do, then I can start to
build a data base that shows _every location_ that you have called
from.  Just a _little_ work on my part will have a partial list of your
clients.  A less than scrupulous provider of services to *me* would
know more about my business than I wanted known, maybe enough to cause
me problems. [And I'm talking _history_ here!  Personal experience is
the best teacher!]

Remember the lesson of Deja-vu and the Net ... what is going to happen
when some of these companies decide to "pool" those reels of tape
provided by the phone company, (or the months of history in their own
files) into an easily accessible data base?  What if they decide to
"publish" this information and charge for access to that data base?
Calls to a specific 800 number indicate an interest in a unique
company, product, service, or concept.  Consider for example an 800
number for information on Diabetic products and treatment run by a drug
chain. How about one for "sexual aids", or something innocent like a
slightly racy lingerie company.  These things might be of more interest
to your future employers (estranged wife/husband, prospective insurance
company, new in-laws, etc.) than what you post in alt.sick.jokes.   I
know of no present law that would prevent this from happening.  Do
you?   [Before you dismiss such a thing as far fetched, you should know
that I was once offered over $30,000 for a record of a single client's
long distance calls for the preceding 3 months.  More than 3 times the
actual cost of the calls!]

It gets worse.  I *am* an independent consultant.  My client list *is*
confidential.  Yet I have to contact multiple "support numbers" from a
client location to do my job.  "No problem", say those who want to keep
ANI on 800 numbers, "You should have nothing to hide!".  Well, it is no
secret that my client is using a vendor's system (of course it might
not be the client that I am calling from so that could pose a
problem).  No secret that I am a consultant (I have nothing to hide,
except maybe the identity of my client where we are not yet ready to
act). *Maybe* not even a secret that I am working for a particular
client; but many clients would like to keep it one.  They go to
significant lengths to do so, and expect me to do so too.  What *IS* a
secret is that a particular client, has a specific number, located in
proximity to, or associated with ______ (fill in your own critical
item).  Now the marketing (or research, or personnel, or ... whatever)
department of a (maybe not so reputable vendor) has yet another number
to access.  Of course the intent might not be something as innocent as
marketing!  [Yep, personal experience again!]

While I can, and do, use a cellular phone for some of those calls,
others must go by land lines for reasons of security.  Some things just
can't be discussed over the air.  So, I'm in a catch-22.  Can't use 800
numbers with Cellular; can't dial 800 numbers over the regular land
line from certain locations; can't get a non-800 number to reach the
support group.  All this because the phone companies decided to market
ANI as a business tool.  What happens?  Projects take longer (by weeks
sometimes) than they should; clients pay more (meetings, "research
time" which is really just making the call from my own office, and my
cost for the phone calls); and some vendors lose out because I have to
assume that ALL vendors are capturing this data (even though I know
that some are not).  Therefore, all vendors are being tarred with this
same brush.  The only people being served here are the "control freaks"
in business who assume that more data; means more control; means
greater market share; means more money.  Short term, maybe.  Long term
 ... well the jury is still out on that one.

      What I *DO* care about is them selling this information to a
      third party.  Most companies see this as "free" money and the
      only way to get them to stop this despicable practice will be
      some kind of legislative action.

Yes!  And if they didn't have it to start with, they couldn't sell it!
And there is NO REASON for them to have it, especially if you don't
want them to get it!


------------------------------

From: "Dave Banisar" <banisar@epic.org>
Date: 01 Apr 1996 16:24:53 -0500
Subject: ACM/IEEE Letter on Crypto

        Reply to:   ACM/IEEE Letter on Crypto

              Association For Computing Machinery
                     Office of US Public Policy
                     666 Pennsylvania Avenue SE
                              Suite 301
                      Washington, DC 20003 USA
              (tel) 202/298-0842 (fax) 202/547-5482

      Institute of Electronics and Electrical Engineers
                     United States Activities
                        1828 L Street NW
                              Suite 1202
                   Washington, DC 20036-5104 USA
              (tel) 202/785-0017 (fax) 202/785-0835

April 2, 1996

Honorable Conrad Burns
Chairman, Subcommittee on Science, Technology and Space
Senate Commerce, Science and Transportation Committee
US Senate SD-508
Washington, DC 20510

Dear Chairman Burns:

On behalf of the nation's two leading computing and engineering 
associations, we are writing to support your efforts, and the efforts of 
the other cosponsors of the Encrypted Communications Privacy Act, to 
remove unnecessarily restrictive controls on the export of encryption 
technology.  The Encrypted Communications Privacy Act sets out the 
minimum changes that are necessary to the current export controls on  
encryption technology.  However, we believe that the inclusion of issues 
that are tangential to export, such as key escrow and encryption in 
domestic criminal activities, is not necessary.  The relaxation of 
export controls is of great economic importance to industry and users, 
and should not become entangled in more controversial matters.

Current restrictions on the export of encryption technology harm 
the interests of the United States in three ways: they handicap American 
producers of software & hardware, prevent the development of a secure 
information infrastructure, and limit the ability of Americans using new 
online services to protect their privacy.  The proposed legislation will 
help mitigate all of these problems, though more will need to be done to 
assure continued US leadership in this important hi-tech sector.

Technological progress has moved encryption from the realm of 
national security into the commercial sphere. Current policies, as well 
as the policy-making processes, should reflect this new reality. The 
legislation takes a necessary first step in shifting authority to the 
Commerce Department and removing restrictions on certain encryption 
products.  Future liberalization of export controls will allow Americans 
to excel in this market.

The removal of out-dated restrictions on exports will also enable 
the creation of a Global Information Infrastructure sufficiently secure 
to provide seamless connectivity to customers previously unreachable by 
American companies.   The United States is a leader in Internet 
commerce.  However, Internet commerce requires cryptography.  Thus 
American systems have been hindered by cold-war restraints on the 
necessary cryptography as these systems have moved from the laboratory 
to the marketplace.  This legislation would open the market to secure, 
private, ubiquitous electronic commerce.  The cost of not opening the 
market may include the loss of leadership in computer security 
technologies, just at the time when Internet users around the world will 
need good security to launch commercial applications.

For this legislation to fulfill its promise the final approval of 
export regulations must be based on analysis of financial and commercial 
requirements and opportunities, not simply on the views of experts in 
national security cryptography. Therefore, we urge you to look at ways 
to further relax restrictive barriers.

Finally, the legislation will serve all users of electronic 
information systems by supporting the development of a truly global 
market for secure desktop communications.  This will help establish 
private and secure spaces for the work of users, which is of particular 
interest to the members of the IEEE/USA and the USACM.

On behalf of both the USACM and the IEEE/USA we look forward 
to working with you on this important legislation to relax export 
controls and promote the development of a robust, secure, and reliable 
communications infrastructure for the twenty-first century.

Please contact Deborah Rudolph in the IEEE Washington Office at 
(202) 785-0017 or Lauren Gelman in the ACM Public Policy Office at (202) 
298-0842 for any additional information.


				Sincerely,

				Barbara Simons, Ph.D.
				Chair, U.S. Public Policy
				Committee of ACM

				Joel B. Snyder, P.E.
				Vice President, Professional Activities and
				Chair, United States Activities Board

cc:	Members of the Subcommittee on 
	Science, Technology and Space
 


------------------------------

From: peter@nmti.com (Peter da Silva)
Date: 30 Mar 1996 00:43:38 GMT
Subject: Re: Privacy and Electronic Commerce
Organization: Network/development platform support, NMTI
References: <comp-privacy8.26.12@cs.uwm.edu> <comp-privacy8.27.5@cs.uwm.edu> <comp-privacy8.28.10@cs.uwm.edu>

    Joe Collins <collins@ait.nrl.navy.mil> wrote: I find some of Peter
    da Silva's arguments do not consider the breadth of what I consider
    electronic commerce to be.

I think you're making overly optimistic assumptions about what happens
to your privacy when you engage in commercial transactions already. I'm
not limiting the nature of electronic commerce, I'm just commenting on
what part of the privacy problem with electronic commerce is due to its
electronic nature. And, honestly, I don't think any of it is.

    I also find the specific examples Peter da Silva cites of privacy
    ensuring methods either make overly optimistic assumptions or are
    in agreement with the concepts of privacy brokerage.

You'll have to elaborate more on the second part of that.

    First, I do not consider commerce to be restricted to simple
    purchase transactions of money for goods. I would also consider
    extension of credit to be part of commercial activity.

I agree, it *is* part of commercial activity. It is, however, not a
part of commercial activity where your privacy is well protected. Look
at all the messages on this list about credit bureaus... the fact that
the credit-based exchange is electronic doesn't change the nature of
credit. The fact that there are privacy problems with electronic credit
transactions doesn't mean that there's an inherent problem with
electronic transactions. It just means that if you want someone to
extend credit to you you have to let them know something about you.

    There are a wide range of commercial contractual arrangements that
    are not restricted to either of these. Examples: secured mortgage
    agreements,

You mean like when you buy a house? That's still a matter of credit.
The bank is depending on you to maintain the value of the property
you're living in.

    real property transactions,

These, and similar transactions where there are specific government
regulations involved for non-monetary reasons (for example, buying
prescription drugs), are an exception... but not one that has anything
to do with this issue that I can see.

    insurance-covered medical treatment (requires identification),
    etc.

Insurance-covered medical treatment *is* a credit transaction. Any
transaction where you receive goods or services before complete
specific payment is made is credit, whether or not you're the payer.

    The basic problem with the arguments presented by Peter da Silva
    lies in assumptions in the following statement:

    ... Then you wouldn't have to reveal your identity unless you had a
    dispute with the electronic bank holding your deposit.

    Commerce is mediated by contracts: implicit, verbal, or written.  A
    contract is a bilateral or multilateral arrangement requiring trust
    from all parties. If any party can remain anonymous, the contract
    cannot be enforced against that person, and there is no reason to
    trust that person.

That's true. That means that in a transaction where one party is
anonymous, the other party has to receive non-refundable payment from
the anonymous party before delivering the goods. The anonymous party
has fulfilled their part of the contract atomically, and there are no
remaining terms in the contract that *need* to be enforced against
them.

You engage in such anonymous transactions all the time, when you pay
cash for a Burger King Whopper Combo your identity is not known to
Burger King.  You can walk up in disguise and buy your meal and provide
no identification.

The only requirement is that the payment be sufficiently
non-counterfeitable that the occasional loss to the seller from
counterfeiting is low enough they can support it.

Cryptographically protected drafts against a cash deposit with an
electronic bank, if they're committed atomically before delivering the
goods, satisfy that requirement... and are no more traceable than the
cash used to open the account.

-- 
Peter da Silva    (NIC: PJD2)            1601 Industrial Boulevard
Bailey Network Management                Sugar Land, TX  77487-5013
+1 713 274 5180   "Har du kramat din varg idag?"                USA
Bailey pays for my technical expertise. My opinions probably scare them
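
The arrangement described in the message above (a prepaid draft against a cash deposit, committed atomically before the goods are delivered), sketched as an added example that is not part of the original post. ToyBank, sell, the HMAC tag and the random account handle are all assumptions made for illustration; this is a constructed model, not a real payment protocol.

```python
import hashlib
import hmac
import secrets
import threading


class ToyBank:
    """Constructed model of the 'electronic bank' (hypothetical, for illustration)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # bank's draft-authentication key
        self._balances = {}                  # pseudonymous handle -> cents on deposit
        self._spent = set()                  # serials already committed
        self._lock = threading.Lock()        # makes check-and-mark one atomic step

    def _tag(self, serial, amount):
        msg = f"{serial}|{amount}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def open_account(self, cash_cents):
        # Opened with cash: the bank records a random handle, no identity.
        account = secrets.token_hex(8)
        self._balances[account] = cash_cents
        return account

    def issue_draft(self, account, amount):
        # Funds leave the deposit at issue time, so the draft is prepaid.
        with self._lock:
            if amount <= 0 or self._balances.get(account, 0) < amount:
                raise ValueError("insufficient deposit")
            self._balances[account] -= amount
        serial = secrets.token_hex(16)
        return {"serial": serial, "amount": amount, "tag": self._tag(serial, amount)}

    def commit(self, draft):
        # Reject forged or altered drafts, then spend the serial exactly once.
        expected = self._tag(draft["serial"], draft["amount"])
        if not hmac.compare_digest(expected, draft["tag"]):
            return False
        with self._lock:
            if draft["serial"] in self._spent:
                return False                 # replayed draft
            self._spent.add(draft["serial"])
            return True


def sell(bank, draft, price):
    """Merchant side: deliver only after the bank has committed the payment."""
    if draft["amount"] != price or not bank.commit(draft):
        return None
    return "goods delivered"
```

The merchant never learns who the buyer is; the only thing it needs from the bank is a yes or no on the commit, which is why nothing remains to be enforced against the anonymous party afterwards.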


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 17 Mar 1996 09:14:50 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet
eMail.  Those who understand the technology also understand the ease of
forgery in this very free medium.  Statements, therefore, should be
taken with a grain of salt and it should be clear that the actual
contributor might not be the person whose email address is posted at
the top.  Any user who openly wishes to post anonymously should inform
the moderator at the beginning of the posting.  He will comply.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution.  As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute.  If you
do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored.  They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious.  Diversity is welcome, but not personal attacks.  Do
not include entire previous messages in responses to them.  Include
your name & legitimate Internet FROM: address, especially from
 .UUCP and .BITNET folks.  Anonymized mail is not accepted.  All
contributions considered as personal comments; usual disclaimers
apply.  All reuses of CPD material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy;
publications using CPD material should obtain permission from the
contributors.  

Contributions generally are acknowledged within 24 hours of
submission.  If selected, they are printed within two or three days.
The moderator reserves the right to delete extraneous quoted material.
He may change the Subject: line of an article in order to make it
easier for the reader to follow a discussion.  He will not, however,
alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite.  The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.

Web browsers will find it at gopher://gopher.cs.uwm.edu.

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of:     Computer Privacy Digest
Professor of Computer Science     |                  and comp.society.privacy
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher:                 gopher.cs.uwm.edu 
levine@cs.uwm.edu                 | Web:           gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------


------------------------------

End of Computer Privacy Digest V8 #029
******************************