Date: Tue, 08 Mar 94 07:54:02 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@uwm.edu Subject: Computer Privacy Digest V4#039 Computer Privacy Digest Tue, 08 Mar 94 Volume 4 : Issue: 039 Today's Topics: Moderator: Leonard P. Levine Re: Van Eck Radiation Government Tracking Dorm Residents Ideas for PGP Implementation About Authentication Re: EFFector Online 07.04 - FBI Digital Telephony Nightmare Recurs Time Magazine on Clipper Government Databases Government Databases Re: Computer databases of information Re: Unsolicited Advertising - A Proposal Re: Unsolicited Advertising - A Proposal The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. Back issues are available via anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The archives are in the directory "pub/comp-privacy". Archives are also held at ftp.pica.army.mil [129.139.160.133]. ---------------------------------------------------------------------- From: leppik@uxa.cso.uiuc.edu (leppik peter) Date: 4 Mar 1994 17:08:08 GMT Subject: Re: Van Eck Radiation Organization: University of Illinois at Urbana wbe@psr.com (Winston Edmond) writes: >Are LCD displays less radiative/monitorable than CRTs? At least LCD screens don't have miniature particle accelerators inside them, and all the attendant electromagnetic noise that generates.... -- Peter Leppik-- p-leppi@uiuc.edu Assistant Head, Department of Mad Science University of Illinois at Urbana-Champaign ------------------------------ From: minie@hsuseq.humboldt.edu (Carl Minie) Date: 4 Mar 94 12:13:23 -0800 Subject: Government Tracking Dorm Residents I work at a university which is in the process of installing several modules of BANNER, an Oracle-based system written for educational institutions. The vendor of BANNER, Systems and Computer Technology (SCT), maintains several Internet lists which are used by SCT to communicate with BANNER installations and for installations to exchange information. Recently, a suggestion was made on one of these lists by a BANNER site, one of the campuses of the State University of New York, seeking an enhancement to the BANNER module that involves student housing. Part of the suggestion reads as follows: "Currently there is no way in BANNER to list all residents of a particular room by their occupancy dates. We need this information in order to bill students accurately for dorm damages. We are also asked to provide information to various agencies (Attorney General, FBI, etc.) that requires verification of a particular student's residency on campus." My question is this: why are the Attorney General, the FBI, et. al., verifying student residences? I would appreciate if someone with particular knowledge of law enforcement and/or education would tell me why the government is asking universities to keep track of dormitory students. Thank you in advance for your replies. ----------------------------------------------------------------- Carl Minie, Systems Analyst Box: minie@hsuseq.humboldt.edu Humboldt State University Fax: (707) 826-6100 Arcata CA 95521 Vox: (707) 826-6120 ----------------------------------------------------------------- ------------------------------ From: soren@argon.gas.uug.arizona.edu (Soren F Ragsdale) Date: 4 Mar 1994 22:58:16 GMT Subject: Ideas for PGP Implementation Organization: University of Arizona UNIX Users Group Ideas For A New Implementation of PGP I love PGP and the power that it gives the user (read: allows the user to retain) through secure electronic communications. I have, however, found an inherent limitation of PGP which makes its application more suitable as a program _feature_ than as a stand-alone application. I submit, for your consideration, an idea for a program which would expand the power and use of PGP with a limited decrease in security. PGP Limitations: Ideally, users would use PGP on all mail as a simple but impermeable "envelope" against snooping hackers. Unfortunately, PGP implemented as an application makes encrypting anything but the most sensitive of information a relative waste of time and energy. To use PGP on my Macintosh, for instance, I would have to launch my text editor, open and compose a new document, save it, launch MacPGP, encrypt and save the document (deleting the original), upload the encrypted message (deleting the message on my computer), open PINE (or whatever mailreader that I would use), send the message, and delete the original on my host computer. Nine steps for a simple message encrypted in a bulletproof fashion. Recieving and decrypting a message is similarly complicated. Ideas for a new program: The program which I hope will be produced is a well-written Email program like PINE with a PGP option. In the "addresses" file, in addition to a nickname, real name, and address, the addresses would also allow a record of the person's public key. If any messages are addressed to this person, before the message is sent, the program allows the message to be automatically and transparently encrypted with the security of the PGP algorythm. The encrypted message is sent, without any of the mucking around with saving or transferring between applications. Reciept and decryption should be similarly transparent, with either a command or an automatic detection of a PGP message and the option of decryption with a private key. Limitations of the new program: I realize that this method is by no means as secure as the original PGP. As stated in the beginning, this reader is intended for casual use to stop the recreational hacker, rather than a determined hacker or the NSA. The sysadmin could monitor keystrokes to find the password to unlocking the decryption key, and searching through RAM may find scraps of the decrypted program, but I feel that these limitations are not very important: any need for a truly secure communication can still be the job of the original PGP application for a level of security uncompromised by convenience. As it is, sending a message involves weighing the probability of the information winding up in the wrong hands with the bother of encryption, and for me, the option of relatively secure encryption online would be a welcome one. I would hope that the source code could be written for UNIX, as this is (as I understand it) where the bulk of Email transfers take place and would serve well as a common standard. I welcome further discussion on the subject and hopefully seeing this necessity of modern computing become a reality. Please reply via Email to: soren@gas.uug.arizona.edu ------------------------------ From: Paul Robinson Date: 4 Mar 1994 20:18:23 -0500 (EST) Subject: About Authentication Organization: Tansin A. Darcos & Company, Silver Spring, MD USA One of the readers of my message on biometrics as a form of authentication (e.g. proof that the person who appears before a clerk is who they claim to be) was my mentioning of use of documents as authentication where the clerk cannot biometrically identify you (because they don't know you): Dear Paul, I was just reading your item in RISKS15.61 and wondered if your choice of words was deliberate or not? :-) I try to use my words in a manner which makes clear what I am saying, and I use words, whenever possible, in a precise manner. However, when someone else needs to identify you and doesn't know you, they usually have to rely on authentication. Usual forms of authentication are various forms of paper, photographic/multimedia, and/or magnetic authentication issued by a government or trusted third-party. ^^^ OR as in "as opposed to?" Perhaps, but that's not quite right. For example, the ID card issued by a university to its students, or by an employer. An id issued by "Ajax Check Cashing Service" is a nontrusted third party and is usually of zero value for identification to any other party, while the photographic ID issued to employees of the local telephone company are usually given a very high authentication value by other parties. Credit cards from any of the major (inter)national issuers (American Express, Carte Blanche/Diner's Club, Discover, Master Card, Visa), have good authentication value when presented with some other identification, usually a motor-vehicle operator's permit card ("driver's license"), especially when trying to have the party accept a draft or negotiable instrument from you, e.g. writing a check to pay for groceries in the checkout counter. Highest authentication usually is reserved for government-issued ID. The higher the level, the more acceptable it is and the higher the credibility. Personal experience in California - back when I could not obtain a credit card - was that a drivers' license alone was next to useless to get a place to accept a check, probably due to transients and people who bounced checks and moved on. But present a U.S. Passport and many places would accept that *alone*. With a drivers license and passport the acceptance rate was effectively 100%. What does a passport prove? That you have a birth certificate, a drivers' license, two photos and $40. That and an application at a post office was all it took to get one. In fact, mine expires next year after having had one for 10 years. --- Paul Robinson - Paul@TDR.COM Voted "Largest Polluter of the (IETF) list" by Randy Bush ------------------------------ From: wbe@psr.com (Winston Edmond) Date: 5 Mar 1994 19:41:37 GMT Subject: Re: EFFector Online 07.04 - FBI Digital Telephony Nightmare Recurs Organization: Panther Software and Research Stanton McCandlish wrote: .. With increasing use of telecommunications, this simple transactional information reveals almost as much about our private lives as would be learned if someone literally followed us around on the street, watching our every move. bernie@fantasyfarm.com replied: Isn't that last part legal, too? For duly authorized law enforcement agents, but many states have "stalking" laws against people doing that without unauthorization. Even when authorized, the expense of actually doing so probably limits how often it's done. If costs decrease, it could be done more often. -WBE ------------------------------ From: Dave Banisar Date: 6 Mar 1994 14:13:18 -0500 Subject: Time Magazine on Clipper Time Magazine, March 14, 1994 TECHNOLOGY WHO SHOULD KEEP THE KEYS? The U.S. government wants the power to tap into every phone, fax and computer transmission BY PHILIP ELMER-DEWITT ... (general background) ... (general info on techo advances) Thus the stage was set for one of the most bizarre technology-policy battles ever waged: the Clipper Chip war. Lined up on one side are the three- letter cloak-and-dagger agencies -- the NSA, the CIA and the FBI -- and key policymakers in the Clinton Administration (who are taking a surprisingly hard line on the encryption issue). Opposing them is an equally unlikely coalition of computer firms, civil libertarians, conservative columnists and a strange breed of cryptoanarchists who call themselves the cypherpunks. At the center is the Clipper Chip, a semiconductor device that the NSA developed and wants installed in every telephone, computer modem and fax machine. The chip combines a powerful encryption algorithm with a ''back door'' -- the cryptographic equivalent of the master key that opens schoolchildren's padlocks when they forget their combinations. A ''secure'' phone equipped with the chip could, with proper authorization, be cracked by the government. Law-enforcement agencies say they need this capability to keep tabs on drug runners, terrorists and spies. Critics denounce the Clipper -- and a bill before Congress that would require phone companies to make it easy to tap the new digital phones -- as Big Brotherly tools that will strip citizens of whatever privacy they still have in the computer age. In a Time/CNN poll of 1,000 Americans conducted last week by Yankelovich Partners, two-thirds said it was more important to protect the privacy of phone calls than to preserve the ability of police to conduct wiretaps. When informed about the Clipper Chip, 80% said they opposed it. The battle lines were first drawn last April, when the Administration unveiled the Clipper plan and invited public comment. For nine months opponents railed against the scheme's many flaws: criminals wouldn't use phones equipped with the government's chip; foreign customers wouldn't buy communications gear for which the U.S. held the keys; the system for giving investigators access to the back-door master codes was open to abuse; there was no guarantee that some clever hacker wouldn't steal the keys. But in the end the Administration ignored the advice. In early February, after computer- industry leaders had made it clear that they wanted to adopt their own encryption standard, the Administration announced that it was putting the NSA plan into effect. Government agencies will phase in use of Clipper technology for all unclassified communications. Commercial use of the chip will be voluntary -- for now. It was tantamount to a declaration of war, not just to a small group of crypto-activists but to all citizens who value their privacy, as well as to telecommunications firms that sell their products abroad. Foreign customers won't want equipment that U.S. spies can tap into, particularly since powerful, uncompromised encryption is available overseas. ''Industry is unanimous on this,'' says Jim Burger, a lobbyist for Apple Computer, one of two dozen companies and trade groups opposing the Clipper. A petition circulated on the Internet electronic network by Computer Professionals for Social Responsibility gathered 45,000 signatures, and some activists are planning to boycott companies that use the chips and thus, in effect, hand over their encryption keys to the government. ''You can have my encryption algorithm,'' said John Perry Barlow, co-founder of the Electronic Frontier Foundation, ''when you pry my cold dead fingers from my private key.'' ... (history of Public Key encryption). ... (history of PGP) Rather than outlaw PGP and other such programs, a policy that would probably be unconstitutional, the Administration is taking a marketing approach. By using its purchasing power to lower the cost of Clipper technology, and by vigilantly enforcing restrictions against overseas sales of competing encryption systems, the government is trying to make it difficult for any alternative schemes to become widespread. If Clipper manages to establish itself as a market standard -- if, for example, it is built into almost every telephone, modem and fax machine sold -- people who buy a nonstandard system might find themselves with an untappable phone but no one to call. That's still a big if. Zimmermann is already working on a version of PGP for voice communications that could compete directly with Clipper, and if it finds a market, similar products are sure to follow. ''The crypto genie is out of the bottle,'' says Steven Levy, who is writing a book about encryption. If that's true, even the nsa may not have the power to put it back. Reported by David S. Jackson/San Francisco and Suneel Ratan/Washington ------------------------------ From: Alain Simon Date: 6 Mar 1994 16:57:53 -0500 Subject: Government Databases Organization: Virtual Illusions & Real Virtualities Ltd ai504@FreeNet.Carleton.CA (John Olson) writes: I'm with the Communications Branch (public affairs branch) of the federal industry department -- Industry Canada. [ ... ] And what about government...federal and provincial -- what, if any, roles should there be here? No role whatsoever. We have far too much government as it is. But the Net could have a tremendous impact on government: perception of jurisdictions, distribution of services, communication with people, expression of political will, downsizing of bureaucracy, and perception of their role by politicians and bureaucrats. Your views really could be helpful to me...as I try to figure out just what people think about all this. (Of course you could be just a wild and crazy flamer who'll rant at anything connected with government, but I'll take my chances.) If you don't want me to throw anything you flip my way into the public environment pickle barrel, tell me. It is not necessary to be a wild and crazy flamer to wish the government would stay out of our lives. Being a tax payer is reason enough. Being worried about democracy is another one. This being said, let me admit it: yes, I am a wild and crazy flamer. ------------------------------ From: weiksner@bow.princeton.edu (George Michael Weiksner) Date: 7 Mar 1994 14:57:03 GMT Subject: Government Databases Organization: Princeton University the Privacy Act of 1974, the government is not allowed to use data for any purpose other than the one for which is was originally collected for. However, through various loopholes, we have a defacto national database of personal information. It is fairly probable that the Department of Immigration will share its information with the IRS to help locate illegal immigrants. My questions are: 1.) What government databases of personal information are there? (Or a reference to a list of such databases). 2.) Where is there information about how departments may use other departments information (not legal information, but how they do it in practice.) 3.) How can we monitor the accuracy and use of this information? 4.) What limits should be placed on the government on acquisition of info? Any direct responses, pointers to literature, etc. will be greatly appreciated. ------------------------------ From: palbert@netcom.com (Phil Albert) Date: 7 Mar 1994 18:10:07 GMT Subject: Re: Computer databases of information Organization: Disorganized rinewalt@GAMMA.IS.TCU.EDU writes: Perhaps one of the most mysterious consumer-reporting companies is MIB, formerly the Medical Information Bureau, in Brookline, Mass. "It's a very difficult company to learn very much about," says Massachusetts state senator Lois Pines. "They don't want people to know that they exist or what they do." Well, what do they do? (i.e. what data do they store?) -- Phil Albert, full-time patent attorney and philosopher, part-time car thief Voicenet: (415) 543-9600 bizcardnet: Townsend & Townsend Internet: palbert@netcom.com or palbert@cco.caltech.edu ------------------------------ From: Matt Crawford Date: 4 Mar 1994 11:32:57 -0600 Subject: Re: Unsolicited Advertising - A Proposal I don't *know* this will happen; advertisers seem to be working on technology to be more selective, ... But would they *apply* this technology to email advertising? Direct mail and phone soliciting costs them O($1) per victim. Junk email is probably a lot less. Over and above applicable AUPs, how about a voluntary labelling guideline, such as "Precedence: junk" (or some euphemism), with a credible expectation that non-complying advertisers will get a black eye. _________________________________________________________ Matt Crawford crawdad@fnal.gov Fermilab ------------------------------ From: pmacghee@motown.ge.com (Peter F. MacGhee, x 2266) Date: 5 Mar 1994 19:13:37 GMT Subject: Re: Unsolicited Advertising - A Proposal Organization: Martin Marietta Corp, Moorestown NJ As far as business, or sales proposals go, you could always try placing them under "alt.ads", or "alt.for_sale" ------------------------------ End of Computer Privacy Digest V4 #039 ****************************** .