Date: Sun, 27 Mar 94 16:50:12 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V4#046

Computer Privacy Digest Sun, 27 Mar 94              Volume 4 : Issue: 046

Today's Topics:                         Moderator: Leonard P. Levine

    Funny Money article in THE SCIENCES
    Phone Book Pseudonyms
    SSNumbers for NY driver's licenses
    Groupware: is Privacy an Issue?
    Re: Time Magazine on Clipper
    Dutch legislators trying to pull a fast one?
    Re: video privacy
    Re: Time Magazine on Clipper

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy. The digest is moderated and gatewayed into the
USENET newsgroup comp.society.privacy (Moderated). Submissions should
be sent to comp-privacy@uwm.edu and administrative requests to
comp-privacy-request@uwm.edu. Back issues are available via anonymous
ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password
"yourid@yoursite". The archives are in the directory
"pub/comp-privacy". Archives are also held at ftp.pica.army.mil
[129.139.160.133].

----------------------------------------------------------------------

From: "Prof. L. P. Levine"
Date: 23 Mar 1994 08:40:19 -0600 (CST)
Subject: Funny Money article in THE SCIENCES
Organization: University of Wisconsin-Milwaukee

From: RISKS-LIST: RISKS-FORUM Digest Tuesday 22 March 1994 (15:68)

Mich Kabay [NCSA] <75300.3232@CompuServe.COM> writes:

In "Funny Money" (_THE SCIENCES_ 34(2):6, March/April 1994), Brian Mono
writes about counterfeiting using off-the-shelf hardware and software.
Nothing very new for RISKS readers, but it's a good one-page summary of
the problem for novices. In brief:

 o  A report published in the autumn of 1993 by the National Research
    Council warns that the U.S. government has not kept up with
    technology used by amateurs to print counterfeit money.
 o  Scanners, computers, colour printers and colour copiers [the
    distinctions among all of these devices are fading fast] tempt more
    people today to print small amounts of money.

 o  Traditionally, counterfeiters have been few and concentrated in a
    few areas such as New York City. Casual counterfeiters are the
    opposite: many people over an enormous area.

 o  In 1991, there were about $6-$8 million of counterfeit money
    detected by officials in the U.S. (only ~0.003% of the Federal
    Reserve System's yearly total of $265 billion in currency handled).

 o  "The dollar amount of scanned and color-copied fakes has doubled in
    each of the past three years...."

 o  All countermeasures contemplated by the government must include
    consideration of backward compatibility: money-changing machines
    and business people have to be able to use both the older bills and
    whatever new ones appear.

 o  Some recent countermeasures have had little effect; e.g., many
    bills have "so-called security threads, metallic polyester strips
    inscribed with USA and the denomination of the bill."
    Unfortunately, "hardly anyone outside the Treasury Department is
    aware of their existence."

 o  Proposed countermeasures include colour-shifting ink and aliasing
    (a technique that tricks photographic reproduction machines into
    printing a line along the intersections of sets of parallel lines
    which are offset from each other at a particular angle). Holograms
    are also a practical possibility to deter amateurs.

 o  One proposal from the NRC is that every copy machine print its
    serial numbers on every copy it produces. This technology is
    already in place in Xerox Corporation's "MajestiK" colour
    photocopiers. However, many observers are concerned about privacy
    issues. Norbert S. Baer, a member of the NRC committee, asked,
    "Would the Pentagon Papers have been leaked if identification
    numbers were implanted on them?"
[MK thinking out loud: AI pattern recognition algorithms coupled with a
library of currency images could permit a smart copier to blank out all
attempts to photocopy money. Such a technique would drive criminal
hackers wild with the uncontrollable urge to crack the protection codes
and actually make the poor machine _print_ the currency images. So the
currency images would have to be one-way encrypted. But then the
criminal hackers would try to decrypt the images. So there would have
to be a cryptographically-sound checksum that could permit
identification but not reproduction. Comments?]

------------------------------

From: Rob Aronson
Date: 23 Mar 1994 11:11:20 -0500
Subject: Phone Book Pseudonyms

poivre@netcom.com (poivre) writes:

    NYNEX/NYTel seems to be pretty cool about identities. When I signed
    up for phone service, I didn't have to give any SSN, drivers
    license number, etc etc. For all I could see, I could have made up
    a name like John Doe, Jane Smith, etc etc.

I had a phone line put in about six months ago and can't recall being
asked for any significant information to confirm my identity. A friend
of mine has his phone listed under a pseudonym. Apparently no effort is
made to ensure that the name which will be listed in the directory is a
real person. But New York Telephone seems to have a weakly enforced
(non-enforced??) policy that the listee must be real.

When my friend had his line installed he asked that it be listed under
his "uncle's name" and he wasn't questioned about it. However, once
when he called the business office to resolve some billing issue he let
it slip that the pseudonym was not a real person, to which the rep
replied something like "Oh no, we don't allow that. We have to get this
situation resolved, please hold". The rep put him on hold but my friend
hung up and no one has ever bothered him about it since.
 -------------------------------+-------------------------------------------
| Rob Aronson                   | Phone:(212) 902-2207 Fax:(212) 346-3729   |
| Senior Programmer Analyst     | Email: rob@fw.gs.com                      |
|                               |        aronson@dockmaster.ncsc.mil        |
| Goldman, Sachs & Company      |        raronson@aol.com                   |
| 85 Broad Street 85/08         |                                           |
| New York, NY 10004            | "I am not a number, I am a free man!"     |
 -------------------------------+-------------------------------------------

------------------------------

From: Rob Aronson
Date: 24 Mar 1994 15:46:58 -0500
Subject: SSNumbers for NY driver's licenses

I know there has been prior discussion on the topic of Social Security
numbers and driver's licenses, but the issue seems to be coming closer
to home for New Yorkers. This is an excerpt of an article by David
Seifman in today's (3/24/94) New York Post.

For those of you unaware, the New York City Sheriff's Department is
charged with enforcing civil laws (not criminal laws) and the Sheriff
(Phil Crimaldi) tends to be very opinionated. He's probably going to
push hard for his proposal.

-------------------------

SHERIFF SEES A SOC. SEC. SOLUTION TO SCOFFLAWS

Gaps in the law that allow brazen parking scofflaws to register
vehicles without penalty can be corrected easily, city Sheriff Philip
Crimaldi said yesterday.

"If the Social Security number became the motorist ID, a lot of the
current loopholes would be closed," Crimaldi declared.

The Post reported yesterday that the city wrote off $1.4 million in
fines amassed by the 10 top scofflaws last year - and is unable to
collect $814,000 in tickets run up by new offenders on this year's
list.

City Transportation Department officials complain that their hands are
tied because it's the state Department of Motor Vehicles that controls
vehicle registrations. And the DMV's computer system is designed to
block the registration only of individual plates. That means that
scofflaws can simply sell a car with numerous tickets and register
another vehicle.
DMV spokesman George Filieau said his agency is committed to cracking
down on those who take advantage of the system, but it will take time
to revamp its computer database, which has 11 million entries.

He said adding drivers' Social Security numbers "may be one of the
possible solutions to the problem" of scofflaws who hide their identity
by switching plates, addresses and even names.

Other states already use Social Security numbers to track motorists.
But Filieau said when New York was considering the system years ago,
federal regulations barred their use on the grounds of confidentiality.

[The article goes on to talk about an individual who is being sought by
the city DOT for owing about $85k in fines on 96 different
registrations]

 -------------------------------+-------------------------------------------
| Rob Aronson                   | Phone:(212) 902-2207 Fax:(212) 346-3729   |
| Senior Programmer Analyst     | Email: rob@fw.gs.com                      |
|                               |        aronson@dockmaster.ncsc.mil        |
| Goldman, Sachs & Company      |        raronson@aol.com                   |
| 85 Broad Street 85/08         |                                           |
| New York, NY 10004            | "I am not a number, I am a free man!"     |
 -------------------------------+-------------------------------------------

------------------------------

From: Barbara Labier
Date: 25 Mar 1994 22:28:54 EST
Subject: Groupware: is Privacy an Issue?
Organization: The American University - University Computing Center

I'm doing research on the effects of Groupware on workers. Groupware is
an electronic conferencing software that allows team members to
communicate with each other via the computer. I am most interested in
the issues of privacy and power. I am interested in the way people in
the group respond to the new challenges of Groupware. With the new
openness, workers write their thoughts in an open form which will be
available to every level in the corporation. Instead of mistakes being
used as a reason to demote or degrade a person's performance, they will
now be seen as healthy and a sign of growth.
How does this work in the real world? Are workers comfortable with
this? What about the issues of power? Is the traditional dominance and
control hierarchy ready to turn the reins of power over to the group?
The group as a result of groupware now makes major decisions. The group
shares decision making duties, there is a new spirit of helpfulness and
sharing of ideas and responsibilities. All the competition between
people is now directed towards making a competitive product faster,
more creative, and with more quality than the competition in the market
place. Power is now defined as the successful development of a product
that is competitive created by a single group who then becomes
important. Instead of one person receiving all the prestige and glory
the group receives the accolades.

More money and more competitive products are the siren song for
corporations who will do most anything to stay competitive in the world
market. But what are the effects on workers who now create products
faster? Do they feel stressed out when worklife and homelife are
merged? Is Groupware just another manipulation by management to make
workers work harder promising them more equality in decision making and
participation in exchange for speeding up the development process?
Groupware hypothetically makes everyone available 24 hours a day. When
do we get to find peace of mind away from the office when the office
becomes kind of virtual reality and our cyberspace is leased by the
corporation. As Ice-Tea says "This is the real". But how do you feel
about these issues?

I'd appreciate comments especially from those of you who are using
Groupware and those people who have certain feelings about the prospect
of using it. So is Groupware Nirvana or Paranoia?

Thanks
Barb

------------------------------

From: Christopher Zguris <0004854540@mcimail.com>
Date: 22 Mar 94 17:02 EST
Subject: Re: Time Magazine on Clipper

How did the NSA suddenly move into the role of "helper" of the American
citizen?
When Cliff Stoll notified them about the computer "break-ins" he found,
the NSA wanted all the info he had but would offer no help whatsoever.
I've read several books on the NSA and I can't remember them ever
wanting to get involved in "protecting" anything except themselves and
other government communications. Now the NSA - an agency with the
greatest ability (if the rumors of their computing and surveillance
powers are to be believed) to crack codes - wants to "give" us a secure
code? Please. Nobody knows what sort of "bugs" Clipper has for their
benefit, but judging from what their charter and actions charges to do
it wouldn't be surprising if they could break the code. I think the
movement of the NSA into the "mainstream" (compared to where they used
to be) is amazing! Perhaps now that the cold war is over and they're
running out of evil enemies they have to look for new "markets"?

Christopher Zguris
CZGURIS@MCIMAIL.COM

------------------------------

From: "Prof. L. P. Levine"
Date: 23 Mar 1994 15:10:27 -0600 (CST)
Subject: Dutch legislators trying to pull a fast one?
Organization: University of Wisconsin-Milwaukee

From RISKS-LIST: RISKS-FORUM Digest Tuesday 22 March 1994 (15:68)

ralph@runner.knoware.nl (Ralph) writes:

Yesterday, leading Dutch newspaper 'De Volkskrant' reported that
included into a new bill that deals with telecommunication, is an
article that will outlaw cryptography in the Netherlands. One can apply
for a waiver but they will want to know why you want to use
cryptography, and they want your keys.

It looks like the Dutch government is trying to slip this one behind
the backs of the voters just before the elections in May. Most stunning
was that the Green party and others considered the issue 'a matter of
little importance' and were not willing to do anything about it.
Luckily the proposal is still in draft state, which means there is
still time to get something done about it, but only if people are made
aware of the consequences of such a law.

------------------------------

From: bcn@world.std.com (Barry C Nelson)
Date: 27 Mar 1994 01:31:38 GMT
Subject: Re: video privacy
Organization: The World Public Access UNIX, Brookline, MA

BETH GIVENS 619-260-4806 writes:

    Regarding the video rental privacy law: The law protects you from
    having the *titles* of videos that you rent released to others, but
    not the *subjects.* Here's the wording on the back of a receipt
    from the Wherehouse, a video rental and music store:

    [snip]

    The upshot is that our video rental records are not very well
    protected. Subject matter information can still be marketed.

Massachusetts legislators were so excited about this that they made it
a crime for video rental shops to keep records over 30 days, after a
transaction is "complete", and also made it a crime to give title,
category or subject records to any third party, except under 18 USC
2710 (b)(2)(c and f), if they contain the renter's name.

Mass. Acts of 1993, Chapt 388. (veto overridden, Jan 4, 1994)
(up to 60 days and $1,000 for violation of keeping or disclosing
records)

Yes, they can still market anonymous information.

-BCNelson
[new statute to be codified as MGL c.93 2.106]

------------------------------

From: laine@MorningStar.Com (Laine Stump)
Date: 27 Mar 1994 05:22:35 GMT
Subject: Re: Time Magazine on Clipper
Organization: Morning Star Technologies, Columbus, Ohio

laine@MorningStar.Com (Laine Stump) writes:

    It is very possible (some say likely) that the Clipper algorithm
    puts patterns into the encrypted text which the NSA can later use
    to aid them in breaking any encryption used "on top" of a
    Clipper-encrypted data stream.
wilhelm@lsesun6.epfl.ch (Uwe WILHELM) writes:

    So, the question is: if I put another layer of encryption before
    the Clipper encryption and after the Clipper decryption - is your
    point still valid?

    me -> (my_encryption) -> (Clipper_encryption) -> (wire through NSA)
       -> (Clipper_decryption) -> (my_decryption) -> her/him

    I can't see any chosen plaintext attack. All the NSA (or whoever)
    has, is an encrypted stream of data, which is as safe as the
    encryption I used.

Because of the order you've done it in, you're safe. It has been proven
that the security of a series of encryptions is at least as good as the
*first* encryption. It's when the order is reversed (the case I was
talking about) that the security of your encryption can be compromised.
I guess I should have used a different wording than "on top" (although
that was also the wording in the original post that I was replying to).

The April issue of Dr. Dobb's Journal has a few good articles on
encryption that can explain all this much better than I could ever hope
to, and point you in the right direction for sources related to the
topic.

Laine Stump
laine@morningstar.com

------------------------------

End of Computer Privacy Digest V4 #046
******************************