Date:       Wed, 19 Jun 96 18:37:41 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V8#049

Computer Privacy Digest Wed, 19 Jun 96              Volume 8 : Issue: 049

Today's Topics:			       Moderator: Leonard P. Levine

                 Your Views Sought on Workplace Privacy
                          Keystroke Recorders
                   Re: New Chip Renews Privacy Debate
                   Re: New Chip Renews Privacy Debate
                   Re: New Chip Renews Privacy Debate
                            Re: Net Finders
              Re: Air Force Sergeant Jailed in e-Mail Case
                           eMail and Privacy
                Privacy while Downloading from Newsgroup
                             US Export Law
                  Marketing on the Information Highway
                 Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: "John H. Cushman Jr." <cushman@nytimes.com>
Date: 17 Jun 1996 13:21:55 -0400
Subject: Your Views Sought on Workplace Privacy
Organization: The New York Times

For an article in the New York Times, I am interested in hearing from
people about their experiences with computer privacy issues in the
workplace. I am *not* interested in e-mail privacy (we handled that in
a separate article). I *am* interested in whether your employer has a
policy about appropriate use of the computer, whether your use is
monitored, whether there is informed consent, whether you are wasting
your time at work, whether this is stealing from the employer... that
kind of stuff. What are the software considerations? Pointers to other
resources gratefully accepted. Thanks for the help... I only have a few
days.

Please reply to me, not to the list.

Reply to <cushman@nytimes.com>

Thanks, Jack Cushman


------------------------------

From: Devin <dak@viper.nauticom.net>
Date: 17 Jun 1996 16:55:45 -0400 (EDT)
Subject: Keystroke Recorders

In a recent issue a poster spoke of getting a junk e-mail selling a
disk of key recorders. The question of whether this is legal for
employers to use remains to be answered. I would assume these for the
most part would be legal in a company environment to insure employees
didn't play games on company time, but where do we draw the line?  The
same employer could also snoop into your e-mail.

The original poster said he would send the info and address to any
interested parties, however when I contacted him he knew nothing of his
post. If anyone else received this information would you please e-mail
the company's address so that I may investigate this further.  Thanking
you in advance.

--
 Devin Knight
 Nystar Corp.
     
      $                       
@%%%%%$=Devin<dak@pgh.nauticom.net>          
      $                 
        

------------------------------

From: eichin@kitten.gen.ma.us (Mark W. Eichin)
Date: 17 Jun 1996 23:04:43 -0400
Subject: Re: New Chip Renews Privacy Debate
References: <comp-privacy8.46.8@cs.uwm.edu>

    As for Japan's constitution, I wonder what it really says.  It is
    certainly possible that it forbids wiretapping, but I'd bet that it
    only means "domestically"...

I don't know how they interpret "any means of communication" in this
context, but you can look up the full text at
http://www.ntt.jp/japan/constitution/english-Constitution.html (there
are Japanese versions near there as well...)

ARTICLE 21:

Freedom of assembly and association as well as speech, press and all
other forms of expression are guaranteed. 2) No censorship shall be
maintained, nor shall the secrecy of any means of communication be
violated.


------------------------------

From: Jay@krusty.gtri.gatech.edu (Jay Harrell)
Date: 18 Jun 1996 13:10:23 -0500
Subject: Re: New Chip Renews Privacy Debate
Organization: Georgia Tech Research Institute
References: <comp-privacy8.46.8@cs.uwm.edu> <comp-privacy8.48.7@cs.uwm.edu>

    bernie@fantasyfarm.com (Bernie Cosell) wrote: Oh, but were we
    talking about exports?  Do you really believe that
    crypto-technology is the *ONLY* one which cannot flourish in the US
    unless it has an export market, too?  ...  In fact, things are more
    subtle: as far as I know, US telephone equipment doesn't work
    elsewhere in the world; (more examples) None of that seems to hurt
    the market for domestic electronic doodads [and indeed, foreign
    manufacturers make useless-to-their-market stuff *just* so they can
    export stuff to *US*!]

Perhaps things are one step more subtle than Mr. Cosell realizes.  Most
of the products on the domestic electronics market, even the ones built
by US companies, are manufactured overseas.  This arrangement isn't
possible for a US company with products using encryption technology
because of the export restrictions.  In theory the manufacturing jobs
could be moved back to the US, but in practice what happens is that the
US engineering jobs are eliminated in favor of doing the engineering
somewhere without the export restrictions.  It isn't simply that there
is a huge overseas market for encryption, but the prohibition on export
_is_ harmful to the industry within the US.

    Let me speculate on what is really going on here [and has been
    going on *consistently* throughout the massive misinformation and
    propaganda campaign the crypto-export folk have been mounting over
    the last while].  US citizens are free to encrypt anything they
    wish however they wish.

This isn't really true.  US citizens are free to use encryption only as
long as they are on US soil when they encrypt and on US soil when they
decrypt.  A US citizen cannot encrypt the files on their laptop, travel
overseas with that laptop and software and decrypt those same files.
This isn't misinformation, just a fact.

    Where the market is, I suspect, is in multi-national corporations.
    That's where the *big* bucks are.

Exactly, so why should we continue keeping US companies away from that
market?  And if we allow some US companies to get rich in that market,
some of the technology they develop will eventually make its way into
consumer goods as well.  Then we all will be able to afford good
encryption.

    only thing that'll change is that RSA Inc and a few other
    crypto-producers will get very very rich.  A noble cause to be
    sure, so keep thumping that drum!!!

I will always fight for the opportunity for US engineers to get rich,
even if those engineers don't happen to be me.  It's bad enough we
export our low-paying jobs; we don't need to export our high paying
jobs too.

-- 
Jay Harrell
Atlanta Georgia


------------------------------

From: bgold@platinum.com (Barry Gold)
Date: 19 Jun 1996 14:53:12 -0700
Subject: Re: New Chip Renews Privacy Debate

I think Bernie Cosell is missing the point.  Yes, US Citizens can get
strong encryption -- triple DES, IDEA, RSA, and PGP.  In many cases
they can get them for free.  (PGP is freeware for non-commercial use.)

But those products aren't very convenient, and they aren't integrated
into other tools.  If I want to send an encrypted message, I must put
the message into a file, encrypt the file, make sure it's in ascii
format, and include the resulting encrypted file in my mail.  If I
receive an encrypted and/or signed message, I must save it to a file
and decrypt and/or signature check the file.

This is only moderately inconvenient for me, an experienced Unix user.
At that, it means that I don't _routinely_ encrypt messages to other
people, even if I happen to know their public keys.(1) But for a
relatively naive user of a PC, this will probably mean they never use
encryption products at all.  Having to go into a DOS shell, then figure
out how to include the encrypted result in their message...  Windows
sells so well because most people don't want to have to deal with all
that stuff!  And if they _do_ all that stuff, the result likely will be
a mess that can only be handled by mime-compatible mail-agents.  Based
on the mail I receive from Eudora users, it looks like the default is
to send any included file in base-64 format (instead of just including
the ASCII in show-ascii format).

The only way that _convenient_ tools for encrypted mail will get
developed is if there's a sufficiently large (or sufficiently rich)
market for them.

So, yes, it's a marketing ploy by RSA.  An important one for those of
us who want to see encryption used routinely.  Public Key
Partners/Viacrypt want to be able to sell to multinational
corporations, who won't buy unless they can use the _same_ product in
US and foreign locations, freely carry it around in their laptops,
etc.

So I want to see RSA (and other crypto manufacturers) win this one
because I want to see those products being sold -- cheap -- in every
computer store.  At first there will be expensive ones for use by
multinationals.  Then medium-sized businesses will want it so they can
use the internet to compete with their multinational rivals.  Then
smaller businesses... and eventually(2) it will be convenient enough
for the home user.

This applies even more strongly to voice telephony.  Scrambling voice
(etc.) in real time practically demands a specialized hardware
component in or directly connected with the telephone.  Such units
won't become cheap and easy to use _until_ they can be sold to the
people with the largest economic need for protection against industrial
espionage -- the large multinationals.  Then their customers and
suppliers will need them, and eventually we'll see scramblers for your
home phone(3) for prices competitive with an answering machine.

    And what's best and cutest, is that if this campaign succeeds [as
    it might well], then there will be *nothing* that will have changed
    for US citizens.  We will be no more secure or 'private' than we
    were...

Except that we'll be able to buy reasonably priced, _convenient_,
_fast_ crypto devices instead of command-line based freeware programs.

(1) And it's _important_ that messages be routinely encrypted.  That
way, any eavesdroppers can't just devote their resources to the
encrypted messages on the theory that those are the ones that matter.
If only "significant" messages are encrypted, eavesdroppers can do
traffic analysis on them, if nothing else.

Also, the inevitable march of increased CPU power means that today's
"securely" encrypted messages will eventually become readable.  If only
"significant" messages are encrypted, eavesdroppers will just
brute-force them all as soon as computing power becomes cheap enough.
If _routine_ messages are encrypted, it will be expensive to
brute-force the messages and we will gain a few more years before it
becomes practical to break _every_ message ever archived.

(2) 2-3 years, based on the recent history of software cycles.

(3) or your cordless or cellular phone, where encryption is even more
important given the problem of routine eavesdropping on the airwaves.


------------------------------

From: glr@ripco.com (Glen L. Roberts)
Date: 18 Jun 1996 13:49:06 GMT
Subject: Re: Net Finders
Organization: Full Disclosure
References: <comp-privacy8.48.6@cs.uwm.edu>

    Hugh Giblin <ulysses@acpub.duke.edu> wrote: One of the "net
    finders" IAF picked up my email address from guess where?  Ironies
    of ironies, yep, the Computer Privacy Digest.  Is there no place
    sacred in this world for privacy?

We maintain a database of people who don't want junk email, and offer
to clean others' lists for free.

http://pages.ripco.com:8080/~glr/nojunk.html

I don't suppose we'll have any luck getting places like IAF to clean
their database...

--
Links to Rogue Web Sites:
http://pages.ripco.com:8080/~glr/rogue
The Bastard PR Firm -- Censor the Net Now:
http://pages.ripco.com:8080/~glr/bastard.html


------------------------------

From: jhlawton@cs.unh.edu (James H. Lawton)
Date: 18 Jun 1996 15:29:21 GMT
Subject: Re: Air Force Sergeant Jailed in e-Mail Case
Organization: Computer Science Department, University of New Hampshire
References: <comp-privacy8.46.7@cs.uwm.edu> <comp-privacy8.47.6@cs.uwm.edu>


    [Note from Matthew Gaylor: . . . As a result, an Air Force master
    sergeant will spend the next three months in jail for using his
    office computer to exchange sexually explicit stories, jokes and
    comments with other consenting adults.

    hermit@cats.UCSC.EDU (William R. Ward) writes: Well one peculiarity
    with the military is that it's a 24-hour-a-day job.  You get time
    off, but you are still using your employer's facilities.  I think
    that what you do in your free time should to a certain extent
    entitle you to some privacy; i.e. the master sergeant should be
    punished badly for doing that stuff on duty, but off duty I think
    the restrictions should be lessened.

The point here is the use of government equipment, not when it was
done.  All DoD computers are required to display the following:

		    * * * * W A R N I N G * * * *

       DOD COMPUTER SYSTEMS ARE PROVIDED FOR THE PROCESSING OF
       OFFICIAL U.S. GOVERNMENT INFORMATION ONLY.  USE OF THIS
        SYSTEM IS RESTRICTED TO AUTHORIZED USERS.  SYSTEM WILL
         BE MONITORED TO ENSURE INFORMATION SECURITY, SYSTEM
      INTEGRITY, AND THE LIMITATION OF USE TO OFFICIAL PURPOSES.
        THE USE OF DOD COMPUTER SYSTEMS CONSTITUTES CONSENT TO
         MONITORING AS AN INTEGRAL PART OF SYSTEM MANAGEMENT.
        INFORMATION DERIVED FROM SYSTEM MONITORING MAY BE USED
       AS A BASIS FOR ADMINISTRATIVE, DISCIPLINARY, OR CRIMINAL
     PROCEEDINGS.  IF YOU DO NOT CONSENT TO CONTINUED MONITORING
       OR ARE NOT AN AUTHORIZED USER OF THIS SYSTEM, EXIT THIS
                             SYSTEM NOW.

      * * * * YOUR USE OF THIS SYSTEM IS BEING MONITORED * * * *

The basic rule is: if it's not government business, you can't do it on a
government computer.  There is very little grey area.

--
=====================================================================
James H. Lawton                                   jhlawton@cs.unh.edu
"When the first link of the chain is forged, the first speech
 censured, the first thought forbidden, the first freedom denied,
 it chains us all irrevocably"
=====================================================================


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 18 Jun 1996 14:07:20 -0500 (CDT)
Subject: eMail and Privacy
Organization: University of Wisconsin-Milwaukee

Recently the Media has discovered that e-Mail is less private than a
postcard.  They have been shocked to note that not only is the
transmission of electronic messages all done in the clear and is
searchable by anyone on the appropriate backbone, but even worse, the
system generally used by most people is owned by their employer.  The
business ethics at most establishments is such that managers have no
qualms about reading employee e-Mail, even as they have no problems
listening in at the business phone.

Regular readers here are not shocked or surprised and have examined
various legislative approaches to the problem.  These are all good
ideas and efforts should continue.  However, I want to talk here about
a technical solution that is well within reach of any well connected
network citizen.

I will address two products that are now both free and freely
available, although other solutions with modest cost may well be a
better approach for others.  I am not endorsing the products but use
them only as examples.

One is called PGPn123 and is available by contacting alpha1@znet.com .
That product is used in conjunction with PGP (Pretty Good Privacy) and
easily allows any window product on a PC to decrypt, encrypt and sign
documents as well as to maintain the public and private keysets.  It
offers nothing for the PGP user except for ease of use and makes
encryption a snap (well actually a click :-)).

The other product is a free e-Mail service offered by a company who can
be contacted via their URL at http://www.juno.com or via e-Mail at
president@juno.com .  The cost of the e-Mail service, they claim, is
borne by advertisers who present a small 1x3 advertising graphic while
the program is running.  They require that you fill out a questionnaire
when you subscribe allowing you to present yourself as whatever sort of
consumer you feel is appropriate.  They do not offer any other internet
access except this e-Mail capability but what they do offer works.
Once per day I make a local call which picks up whatever is in my
out-box and delivers whatever they have waiting.  It is not interactive
and ties up my phone for a minute or two.

Neither of these products is needed.  PGP works just fine but many
folks find it hard to use; its command line approach differs strongly
with the point and click nature of the systems many use.  E-Mail is
available from other sources.  Here in Milwaukee a service called
Omnifest (omnifest.uwm.edu) costs $25.00/year and I am sure other
places have inexpensive service available too.

My point is this:  With services like the two described above I now
regularly get and send public passkeys, put them on my PGP keyring, use
the editor supplied by Juno to write e-Mail, click to the PGPn123
encrypter, encrypt the e-Mail for the reader I am corresponding with
and e-Mail off the encrypted message.  The folks at Juno know who I am
writing to but not what I say.  All clear material is contained in my
home computer, no one sees the passwords or keyrings.  Similarly,
people who wish to correspond in private with me send me their public
keys, get mine and my boss and my government know nothing about my
illicit affairs or what I think of my Governor, President or present
employer.

There is no reason to assume that all of my e-Mail comes from where I
work any more than that all of my regular e-Mail comes from that place
or that my only phone is in the office.

I am the Moderator of CPD but I sign myself len_levine@juno.com here.


------------------------------

From: beardawg@usa.pipeline.com ()
Date: 18 Jun 1996 22:36:56 GMT
Subject: Privacy while Downloading from Newsgroup
Organization: PSINet/Pipeline USA

Let me admit right upfront - I'm a newbie. That said -

Who, other than my ISP, has access to what I may be downloading from
the newsgroups? I know about "cookies" on the web, but I haven't read
anything about downloading privacy. If indeed it is not private, then
is there anonymous download software available?  Any info is
appreciated.

--
beardawg
"be true to yourself, to one else will be"


------------------------------

From: "Glenn Benson" <Glenn.Benson@zfe.siemens.de>
Date: 19 Jun 1996 15:40:05 +0200
Subject: US Export Law
Organization: Siemens AG, Neu_Perlach-Munich-Germany-Europe.

I am trying to understand US export law and its motivations.  It is
fairly easy to locate the wording of US law but I am having some
trouble identifying its intention.

Is the law really intended to prevent non-US residents from obtaining
access to high-grade cryptography?  Is the law's intention to control
domestic use of cryptography?  Does the government have an official
position defining intent?

What is the current status of US-implemented applications that invoke a
cryptography API, e.g., Microsoft's CryptoAPI?  Can these applications
be exported?

-- 
Glenn.Benson@zfe.siemens.de
+49 89 636 50 583


------------------------------

From: Rose M Daitsman <daitsman@csd.uwm.edu>
Date: 19 Jun 1996 11:48:37 -0500 (CDT)
Subject: Marketing on the Information Highway

New tools for marketing products are ready for sale.  However, the
price of convenience of renting videos by computer and making purchases
of clothing, appliances, etc. via tv is a serious loss of privacy.  The
insidious aspect of this is that people will voluntarily accept opening
their lives, habits, idiosyncrasies, tastes, needs to the marketers who
will no doubt take advantage and manipulate on a one-to-one basis so
that people will not know their own mind.  It will be difficult to
distinguish between one's own reason and will and that of someone who
wants your dollars.

The "information highway"  is about to become the parking lot for a
"global mall".

How do we change it?


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 14 Jun 1996 13:19:56 -0500 (CDT)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet
eMail.  Those who understand the technology also understand the ease of
forgery in this very free medium.  Statements, therefore, should be
taken with a grain of salt and it should be clear that the actual
contributor might not be the person whose email address is posted at
the top.  Any user who openly wishes to post anonymously should inform
the moderator at the beginning of the posting.  He will comply.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution.  As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute.  If you
do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored.  They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious.  Diversity is welcome, but not personal attacks.  Do
not include entire previous messages in responses to them.  Include
your name & legitimate Internet FROM: address, especially from
 .UUCP and .BITNET folks.  Anonymized mail is not accepted.  All
contributions considered as personal comments; usual disclaimers
apply.  All reuses of CPD material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy;
publications using CPD material should obtain permission from the
contributors.  

Contributions generally are acknowledged within 24 hours of
submission.  If selected, they are printed within two or three days.
The moderator reserves the right to delete extraneous quoted material.
He may change the Subject: line of an article in order to make it
easier for the reader to follow a discussion.  He will not, however,
alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite.  The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.

Web browsers will find it at gopher://gopher.cs.uwm.edu.

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of:     Computer Privacy Digest
Professor of Computer Science     |                  and comp.society.privacy
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher:                 gopher.cs.uwm.edu 
levine@cs.uwm.edu                 | Web:           gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------


------------------------------

End of Computer Privacy Digest V8 #049
******************************