Date: Mon, 24 Oct 94 15:15:39 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V5#052

Computer Privacy Digest      Mon, 24 Oct 94      Volume 5 : Issue: 052

Today's Topics:                      Moderator: Leonard P. Levine

    Logging Entry and Exit.
    Re: TEMPEST Source
    Re: TEMPEST Source
    Re: How to Verify Your Phone Number
    Re: How to Verify Your Phone Number
    Cellular Phone Fraud Revisited
    Re: Question: Post Office Package Inspection
    Current Legislation on Information Policy
    Re: Calling Number ID Debate
    The Mother of All Utility Bills
    Re: AOL Sells its Subscriber List
    FBI Dir. to seek Banning of all Non-clipper Crypto?
    O.J. Simpson Trial Jury Questionnaires
    Info on CPD, Contributions, Subscriptions, FTP, etc.

----------------------------------------------------------------------

From: ttw@beta.lanl.gov (Tony Warnock)
Date: 21 Oct 1994 17:17:46 GMT
Subject: Logging Entry and Exit.
Organization: Los Alamos National Laboratory

There is a legitimate use for logging legal comings and goings.  If an
intruder can bypass the usual logging stuff, then the uncertainty in the
time of a break-in may be narrowed.  This is the same idea as having a
night watchman log his rounds.

The applicability of such a log depends on circumstances (as though other
things didn't).  Your own home - not useful.  Office - not very useful.
Jewel vault - useful.  Level 4 virus containment - very useful.  Office
building during working hours - not useful.  Office building during
off-hours - useful.  Etc.

There is a trade-off between privacy and the necessity of logging times.
The individual should be allowed to make the choice.  Employers may make
logging a condition of employment but the employee can walk if not
satisfied.

-- 
Tony Warnock
ttw@lanl.gov
505-667-2225

------------------------------

From: Dave Moore
Date: 21 Oct 1994 14:57:50 -0400 (EDT)
Subject: Re: TEMPEST Source

Joel McNamara said:

    I just finished Winn Schwartau's "Information Warfare."
    In the van Eck chapter, a source makes the following statement, "In
    the United States, it is illegal for an individual to take effective
    countermeasures against Tempest surveillance."

I would be interested in finding such a reference because it sounds
ludicrous to me.  FCC class specifications set maximum limits on RF
emanation.  Tempest simply shields to a much higher level (lower
emanation) than normal commercial standards.  It's inconceivable that
anyone could claim it illegal to suppress RF noise too well.  This sounds
like BS to me.

------------------------------

From: cntrspy@ix.netcom.com (Chris Hall)
Date: 24 Oct 1994 01:51:40 GMT
Subject: Re: TEMPEST Source
Organization: Netcom

joelm@eskimo.com (Joel McNamara) writes:

    I just finished Winn Schwartau's "Information Warfare."  In the van
    Eck chapter, a source makes the following statement, "In the United
    States, it is illegal for an individual to take effective
    countermeasures against Tempest surveillance."  This is attributed to
    a privately circulated document by Christopher Seline, titled
    "Eavesdropping on the Electromagnetic Emanations of Digital
    Equipment: The Laws of Canada, England, and the United States" (June
    7, 1990).

This strikes me as VERY interesting since many "ham" radio operators find
surplus tempest cases complete with rf chokes and cables in which to
mount their computers.  There are two surplus companies in California
that sell tempest resistant cases for PC's.  Is there any statute or case
law listed in the book?  I met Winn, and while he is a nice guy, some of
his facts and reality base are a little off.

-- 
===============================================================
Chris Hall, Chief Operating Officer
Executive Protection Associates, Inc.
Worldwide Investigations, Privacy Protection Strategies,
Second Passport Agents, Off-shore Banking and Trust Agents.
e-mail: cntrspy@ix.netcom.com, PGP key available.
Opinions Expressed are those of the Author and not of EPAI.
===============================================================

------------------------------

From: dwinfrey@cpcug.digex.net (David Winfrey)
Date: 22 Oct 1994 01:41:52 GMT
Subject: Re: How to Verify Your Phone Number
Organization: Capital PC User Group, Inc., Rockville, Maryland, USA

1 800 MY-ANI-IS yields the correct number from here in 301-land.

*67 1 800 MY-ANI-IS also yields the correct number.  Apparently *67
blocks only local Caller ID.

------------------------------

From: Jim Cooper
Date: 22 Oct 1994 12:50:34 -0400
Subject: Re: How to Verify Your Phone Number
Organization: Mordor International BBS

dwn@dwn.ccd.bnl.gov (Dave Niebuhr) wrote:

    It worked from 516 (Long Island) and when I called it from my job's
    PBX, it gave a number on the outgoing trunk which is what I
    suspected.

And in the 201 area (Bergen County, at least!)

In many areas, simply dialing 958 will get you a readback of the number
of the phone you are using.

I wonder if they record the numbers of everyone who called?  and then
maybe sell them on a list of 'those who are curious'!!

------------------------------

From: vin@shore.net (Vin McLellan)
Date: 22 Oct 1994 02:18:04 -0500
Subject: Cellular Phone Fraud Revisited

Paul Robinson made some thoughtful comments (20 Oct 1994) on the
technical options for protecting cellular phone calls against fraud and
eavesdropping.  He also said, however, that:

    ...Cellular Companies have been notorious for evading security
    problems in their phones.  Rather than spend the money to add
    encryption in their switch software, they got a law passed to make
    it illegal to listen to cellular frequencies and to build equipment
    that can monitor cellular bands.

I think Mr. Robinson aims at the wrong target when he blames the
cellular phone companies (either the hardware or the service vendors)
for the lack of simple protection (encryption) on the "air" link
(phone-to-cell) of a cellular call.
I'm a real fan of one-time password technologies, but simple encryption
here is much more straightforward, easy, and cost-effective.  I would
argue -- and I'm certain that a thorough inquiry into the
standards-making process would confirm -- that the phone and service
vendors not only could, but *would* have added encryption to that open
phone link if they could.  The technology is trivial; the chip-cost in
volume, pennies; and the marketing advantages apparent to all.

To understand the lack of this privacy technology in cellular air links,
I brashly suggest we must turn to the same federal agencies which have
so consistently refused to support stronger-than-DES and "public key"
encryption.  When an industry acts against its own interest (as the
cellular industry did in leaving the air links unprotected) and there
are no substantive technical or financial issues involved, we must look
to the government's fingers in the standard-making process that defined
the market.

It's important to note that even if the cellular air link was encrypted,
the cops could always have access to the actual conversation with a
court order, since a "common carrier" firm has to have the key to manage
their end of the link.  The fact that this was not enough -- the fact
that someone wants these conversations utterly accessible, wholly
unprotected -- says a great deal about the politics of privacy in the
US.

In Europe, it has been reported that various European intelligence
agencies were much more open in acknowledging their interest, as they
too blocked the use of encryption in cellular air links.  In the US,
unfortunately, public policy is shaped in the shadows, debated only
among informed insiders -- because, thus far, the government has not
dared to acknowledge its interests in the face of public skepticism and
concern.

Was there any logic for why we got legislation outlawing simple radio
sets which can listen to these unprotected calls, rather than protecting
those calls with cheap encryption?
There was (and is) no financial, technical, or marketing logic -- and by
outlawing common technology it stood traditional communications law on
its head.  This situation is patently the result of an unacknowledged
public policy initiative by someone who had an interest in leaving
citizens' communications unprotected and available.  Yet, it seems to
flirt with images of paranoia and extremism to ask, "Who did this to
us, and why?"

The apparent illogic with which a major privacy issue was resolved
insults our intelligence.  Such is often the case.  Privacy is the
historic "wild card" among our constitutional rights -- the only "right"
which was defined first by John Q. Public's interpretation of how the
Constitution's inherent individualism was to be protected in an era of
mass communications.  Congress and the Courts only belatedly caught up
with the popular understanding of this Americanism -- and the cops and
spooks, on the front lines in their battles to protect us all, have
never seen privacy as a matter of principle, only a question of
procedures.  And, as any bureaucrat knows, procedures exist to define
ways to evade them.

I believe the impassioned claims about FBI/police restraint on
(perfectly legal) wiretapping and the unprotected gaps (like the
cellular air link) in our info/communications systems are intertwined.
The public's worries about privacy have forced the FBI and other
agencies to minimize their apparent involvement with electronic
eavesdropping and wiretapping.  These agencies and their advocates have
addressed their intelligence needs by using their influence to maintain
unprotected public communication links which they can listen to, or pay
others to listen to... without bothering with any permissions.  The
issue is fudged because the reality cannot (yet) withstand public
scrutiny, but we are still left whispering our secrets on a party line.
"Insiders" make fundamental decisions for us all, and US public policy
debates about privacy issues echo of Alice and the Red Queen over tea.

-- 
Vin McLellan
The Privacy Guild

------------------------------

From: Jim Cooper
Date: 22 Oct 1994 12:50:40 -0400
Subject: Re: Question: Post Office Package Inspection
Organization: Mordor International BBS

"Houston, James A." wrote:

    I was wondering if any of the computer-privacy subscribers can
    enlighten me on the U.S. Post Office's policy on mail/package
    inspection.  Do they inspect packages randomly?

It is my understanding that FIRST CLASS mail is not inspected, unless
they have a search warrant for some reason.

4th class mail has always carried the caveat "may be opened for postal
inspection if necessary" -- though I'm not sure that is still true for
the 'quasi government' present postal 'service'..

------------------------------

From: ghodur@netcom.com (Gayle Hodur)
Date: 23 Oct 1994 01:07:52 GMT
Subject: Current Legislation on Information Policy
Organization: NETCOM On-line Communication Services (408 261-4700 guest)

A friend and I are graduate students writing a paper on information
policy.  We need information, preferably a list of some sort, on the
current status of legislation in the area of information policy.  We are
especially interested in legislation regarding:

    Copyright Act
    Freedom of Information Act
    Paperwork Reduction Act
    Intellectual property
    Privacy
    Telecommunications
    Fair Credit Reporting Act

We would like to be able to track the changes over the past few years,
how amendments have been added and any new legislation proposed in these
areas.  If you have info. or know where we can get it, please email to:

    Gayle Hodur and Mary Gale at ghodur@netcom.com

THANKS!
-- 
ghodur@netcom.com

------------------------------

From: goudreau@dg-rtp.dg.com (Bob Goudreau)
Date: 24 Oct 1994 09:23:46 -0400
Subject: Re: Calling Number ID Debate

Phil Agre writes:

    But in order for CNID to avoid inadvertently giving away the phone
    number of someone who is being stalked, or who otherwise needs to
    keep their number a secret, it needs a few simple features:

    * per-line blocking -- a simple, no-cost way to declare that this
      telephone should not send out its number when dialling

    * per-line unblocking -- a simple, no-cost way to declare that this
      telephone now *should* send out its number when dialling

    * per-call blocking -- a simple, no-cost way to declare that,
      regardless of whether this line is blocked, this particular call
      should not include the calling number

    * per-call unblocking -- a simple, no-cost way to declare that,
      regardless of whether this line is blocked, this particular call
      *should* include the calling number

    In order for people to get the benefit of these commands, some
    further rules are needed:

    * All four of these commands should be entered with *different*
      codes.

    ....

I'm confused.  While I agree about the need for distinct codes for
per-call blocking and unblocking, why do we need dynamic codes to change
the per-*line* setting?  This could actually be dangerous to someone who
zealously guards his number, as a guest or other casual caller from his
home could turn off the per-line blocking without the owner knowing
about it.  If the guest forgot to turn blocking back on and forgot to
inform his host of the change, the host will thenceforth be under the
mistaken impression that his calls will be unidentified, even though
this is no longer the case.
However, I still feel that your feature set should include four distinct
commands:

* per-call blocking (as above)

* per-call unblocking (as above)

* per-line Anonymous Call Rejection -- declares that all subsequent
  incoming calls whose CLID information is marked "PRIVATE" will be
  rejected without actually ringing this line.  The would-be caller will
  hear a telco message instructing him to unblock his number and redial
  if he wants the call to go through.  Note that calls from places that
  don't support Caller ID would be marked "OUT OF AREA", not "PRIVATE",
  and will thus go through.

* per-line Anonymous Call Acceptance -- declares that all subsequent
  incoming calls will cause the line to ring, regardless of the amount
  of CLID information they divulge.

As you advocate above, all these commands should have separate,
nationally standardized command codes, with no toggle interfaces.

-- 
Bob Goudreau                            Data General Corporation
goudreau@dg-rtp.dg.com                  62 Alexander Drive
+1 919 248 6231                         Research Triangle Park, NC 27709, USA

------------------------------

From: "Prof. L. P. Levine"
Date: 24 Oct 1994 12:38:11 -0500 (CDT)
Subject: The Mother of All Utility Bills
Organization: University of Wisconsin-Milwaukee

Taken from RISKS-LIST: RISKS-FORUM Digest  Friday 21 October 1994
Volume 16 : Issue 48
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Date: 21 Oct 1994 13:08:57 -0500 (CDT)
From: "F. Barry Mulligan"
Subject: "The Mother of All Utility Bills."

from The Atlanta Constitution, Tues 18 Oct 1994, p.1, by Christopher C.
Warren

Imagine a single monthly statement listing all utility charges,
including phone, cable, gas, electricity, water, garbage collection and
sewerage charges.  It could be the mother of all utility bills and would
allow consumers to write only a single check for all their services.
One Check, as the proposal is being touted, would ease consumers'
household management by reducing utility bills to one monthly payment,
said Maureen Bailey, vice president of public affairs with American
Express, the company proposing the service.

The article goes on to describe the pilot test being proposed for the
Atlanta metro area.  The cost of the service would be shared by the
utilities and the consumer.

Risks?  A little late with one payment and you're instantly in arrears
with every company in town.  Billing disputes "still would be handled
through the individual utility companies", but what if the utility says
it didn't get a payment you sent to the service company?  If your
combined statement is mailed on the 15th and a utility transmits a new
charge to the service bureau on the 16th, what happens to the payment
grace period?  If you've ever had to rob Peter to pay Paul, how do you
deal with Peter & Paul, Amalgamated?

Perhaps the real question is 'Do I want to give a complete, itemized
description of all monthly utility consumption to American Express?'
(and pay for the privilege).

------------------------------

From: mdm@sugar.NeoSoft.COM (Michael Mondy)
Date: 24 Oct 1994 14:22:36 -0500
Subject: Re: AOL Sells its Subscriber List
Organization: NeoSoft Internet Services  +1 713 684 5969

Philip H. Smith III, (703) 506-0500 wrote:

    mea@intgp1.att.com (Mark E Anderson) said (re AOL selling or
    renting its subscriber list):

        What's the difference between selling and renting a customer
        list?

    There's a big difference.  Selling means "Hi, here's a tape with the
    info, give me a big check".  Renting means (at least, in my
    experience) "Hi, here's a set of mailing labels, give me a smaller
    check".  Yes, the renter could sit down and enter all the data on
    all the labels; but they're (a) expressly forbidden to do so, and
    (b) it's hardly cost-effective.

Several years ago, the company I worked for looked into getting some
mailing lists.
One option was tapes with various data upon them which you had the right
to use once.  Catching people who tried to make multiple mailouts
without paying is easy via a few bogus addresses which are fronts for
the mailing list company.  (I believe that encyclopedias used to (still
do?) have a few minor intentional 'mistakes' to help prove theft of
copyright.)

-- 
Mike Mondy
mdm@mondy.uucp

------------------------------

From: crf@access.digex.net (Clarke Ferber)
Date: 23 Oct 1994 01:44:57 GMT
Subject: FBI Dir. to seek Banning of all Non-clipper Crypto?
Organization: I'm not organized...

Original posting taken from Alt.Privacy.  We should start working our
Congress Critters now to head this off.

Washington, DC -- If private encryption schemes interfere with the FBI's
ability to wiretap, they could be outlawed, according to recent comments
made by the agency's Director Louis Freeh.

Freeh told attendees here at the recent conference on Global
Cryptography that if the Administration's Escrowed Encryption System,
otherwise known as the Clipper Chip, failed to gain acceptance, giving
way to private encryption technologies, he would have no choice but to
press Congress to pass legislation that provided law enforcement access
to *all* encrypted communications.

If, after having pushed Digital Telephony through Congress (which hadn't
yet happened when Freeh spoke at this conference), all the Bureau ended
up with during wiretaps were the scratchy hiss of digital ones and zeros
being hurled back and forth, Freeh made it clear that he would seek a
congressional mandate to solve the problem.

In other words: Roll your own coded communications; go to jail.

Freeh's comments, made during a question and answer session at the
conference, are the first public statements made by an Administration
official hinting at a future governmental policy that could result in
the banning of non-governmental, unbreakable encryption methods.
Freeh's remarks were first reported on the WELL by MacWorld writer and
author Steven Levy.  The FBI confirmed those statements to Dispatch.

The Administration, however, continues to state that it has no plans to
outlaw or place any restrictions on private encryption methods.  A White
House official said there are "absolutely no plans" on the table to
regulate domestic encryption "at the present time."  He wouldn't
comment, however, as to whether the Administration would back an FBI
attempt for such legislation.  "Freeh doesn't seem to need a lot of
White House support," to get things done, the official said.

FBI sources said any moves to approach Congress about regulating private
encryption are "so far out there" time wise, that the subject "doesn't
merit much ink," as one FBI source put it.  "We've got to make sure the
telcos rig up their current networks according to the new [digital
wiretap] law before we go worrying about private encryption stuff," he
said.

An FBI spokesman confirmed Freeh's position that the Bureau would
aggressively seek to maintain what the spokesman called "law and order
objectives."  If that meant getting laws passed so that the Bureau's
"authorized wiretap activities" couldn't be thwarted by "criminal
elements using non-governmental" encryption schemes, "then that's what
he [Freeh] would do," the spokesman said.

When the Administration went public with its Clipper Chip policy, it
stressed that the program would be mandatory.  Many civil liberties
groups wondered out loud how long it would be before private encryption
was banned altogether.  The White House, anxious for the public to buy
into its one-trick pony the Clipper Chip, said that wouldn't happen.

But the Administration hedged its bet.  Buried in the background
briefing papers of the original Clipper announcement is a statement that
the White House doesn't consider the public's right to use private
encryption methods to be protected anywhere in the Constitution.
------------------------------

From: "Prof. L. P. Levine"
Date: 24 Oct 1994 12:47:58 -0500 (CDT)
Subject: O.J. Simpson Trial Jury Questionnaires
Organization: University of Wisconsin-Milwaukee

Taken from PRIVACY Forum Digest  Saturday, 22 October 1994
Volume 03 : Issue 20
Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.

O.J. Simpson Trial Jury Questionnaires now in PRIVACY Forum Archive
(Lauren Weinstein; PRIVACY Forum Moderator)

Date: 22 Oct 94 11:47 PDT
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: O.J. Simpson Trial Jury Questionnaires now in PRIVACY Forum
         Archive

Greetings.  The PRIVACY Forum has been sent several copies of the
complete O.J. Simpson trial questionnaires, which have already been
widely circulated in the mainstream media.  These are the short
"hardship" and longer full versions (in original printed form with space
for answers, the longer version ran 75 pages).

After some consideration, I've decided that the detailed and personal
nature of the questions on these questionnaires (particularly the longer
one) makes them a valid topic for discussion in this forum.  Among the
topics for possible consideration:

-- How would you feel about answering these sorts of detailed, personal
   questions?  Would you consider them to be an invasion of your
   privacy?  An acceptable invasion?  Unacceptable?

-- If a potential juror was unwilling to answer any or all of these
   questions, would they or should they be subject to any sanctions?

-- Do these sorts of detailed personal questions truly yield useful
   information to the opposing sides in trials?  Can the answers be
   trusted to be honest?

-- Does the use of personal inquiry questionnaires of this sort have an
   overall positive or negative impact on the legal system?

-- And so on...
To access the questionnaires, which are both in a single file which runs
about 57K in length:

Via Anon FTP:
    From site "ftp.vortex.com":
        /privacy/simpson-jq.Z
    or:
        /privacy/simpson-jq

Via e-mail:
    Send mail to "listserv@vortex.com" with the line:
        get privacy simpson-jq
    as the first text in the BODY of your message.

Via gopher:
    From the gopher server on site "gopher.vortex.com" in the
    "*** PRIVACY Forum ***" area under "simpson-jq".

Via World Wide Web (WWW):
    Access the "PRIVACY Forum" archive via the Vortex Technology home
    page at URL:
        http://www.vortex.com/

--Lauren--

------------------------------

From: "Prof. L. P. Levine"
Date: 26 Sep 1994 12:45:51 -0500 (CDT)
Subject: Info on CPD, Contributions, Subscriptions, FTP, etc.
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution.  As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute.  If you do
so, it is best to modify the "Subject:" line of your mailing.

Contributions generally are acknowledged within 24 hours of submission.
An article is printed if it is relevant to the charter of the digest.
If selected, it is printed within two or three days.  The moderator
reserves the right to delete extraneous quoted material.  He may change
the subject line of an article in order to make it easier for the reader
to follow a discussion.
He will not, however, alter or edit or append to the text except for
purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite.  The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.  Mosaic users will find it at
gopher://gopher.cs.uwm.edu.

Older archives are also held at ftp.pica.army.mil [129.139.160.133].

---------------------------------+-----------------------------------------
Leonard P. Levine                | Moderator of:     Computer Privacy Digest
Professor of Computer Science    |                  and comp.society.privacy
University of Wisconsin-Milwaukee| Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201      | Information: comp-privacy-request@uwm.edu
                                 | Gopher:                gopher.cs.uwm.edu
levine@cs.uwm.edu                | Mosaic:        gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V5 #052
******************************