Date: Mon, 22 May 95 13:07:49 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V6#048

Computer Privacy Digest Mon, 22 May 95              Volume 6 : Issue: 048

Today's Topics:                         Moderator: Leonard P. Levine

    Re: Health Privacy
    Re: What are the VISA Codes?
    Re: Nautilus, PLEASE....
    Re: Nautilus, PLEASE. [long]
    Info on CPD [unchanged since 12/29/94]

----------------------------------------------------------------------

From: Robert Gellman
Date: 21 May 1995 22:54:09 -0400 (EDT)
Subject: Re: Health Privacy

Peter Marshall posted a very interesting message about the consequences of consenting to the disclosure of medical records that are part of standard auto policies. The problem is even worse than he (and the author of the posted message) suggested.

By consenting to the disclosure of your medical record in this (coerced) fashion, you may also have waived any physician-patient privilege that may have been available to protect your privacy. Since you have consented to a disclosure in some way, you have also waived your interest in confidentiality and therefore waived the privilege. The standard consent forms for submitting payment claims to health insurers are also typically very broadly written to favor the rights of the insurance company.

That is the bad news. The perverse good news is that the privilege isn't really worth much of anything so you are not losing much. The privilege offers NO protection against routine disclosures of medical records to public health officials, law enforcement agencies, employers, inspectors general, auditors, health database organizations, researchers, cost containers, outcomes researchers, computer service companies, and other major institutions that make regular use of identifiable health records.

For whatever it is worth, a proposed federal bill (Fair Health Information Practices Act -- H.R. 435) would make many consents to disclosure only valid for 30 days.

Bob Gellman
Privacy and Information Policy Consultant
Washington, DC
rgellman@cais.com

------------------------------

From: gmcdouga@arn.net (Gerald)
Date: 22 May 1995 03:39:31 GMT
Subject: Re: What are the VISA Codes?
Organization: ARNet, Inc.

bo774@freenet.carleton.ca says:

    The caller said my friend had won (at least) $2500 worth of prizes... The grand prize was a car and she was one of only 5 finalists. All that was required was a small ($750) purchase made with her (my friend's) visa card.

And I'll bet she hadn't even entered any contest.

There is an unbelievable number of gullible people out there. I truly feel sorry for them, yet they DO ask for it. On one of the night-time news shows last week they had a con\verave on various phone scams of this nature. A couple of the victims were scammed 2 or 3 times.

Remember the glorious line in "The Magnificent Seven" (Eli Wallach) "If God didn't want them shorn, why did He make them sheep."

Too often these poor suckers forget that "If it sounds too good to be true, it probably IS." They let "something for nothing" blank out the only true slogan in this area: "There ain't no such thing as a free lunch."

This seems like a classic scam - newer but nonetheless classic. But people still bite for the "Pigeon Drop" and the "Gypsy Switch" every day.

------------------------------

From: banisar@epic.org (Dave Banisar)
Date: 22 May 1995 08:37:53 -0400
Subject: Re: Nautilus, PLEASE....
Organization: EPIC

Tsled@aol.com wrote:

    About a week and a half ago I read an article about a program called NAUTILUS. I am trying to find where it can be found, can you help me P-L-E-A-S-E !!! I thank you ahead of time for your help in this matter.

Nautilus and several other popular encryption programs are available from ftp://FTP.CSN.ORG/mpj/README or http://epic.org/privacy/tools.html.

--
Dave Banisar
EPIC

------------------------------

From: "Prof. L. P. Levine"
Date: 22 May 1995 08:39:38 -0500 (CDT)
Subject: Re: Nautilus, PLEASE. [long]
Organization: University of Wisconsin-Milwaukee

Taken from RISKS-LIST: Risks-Forum Digest Saturday 13 May 1995 Volume 17 : Issue 12
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Date: 11 May 1995 15:43:02 -0400
From: simsong@acm.org (Simson L. Garfinkel)
Subject: Nautilus foils wiretaps

PC SOFTWARE FOILS WIRETAPS
5/10/95
By SIMSON L. GARFINKEL
Special to the Mercury News

As the U.S. Senate debates granting the Federal Bureau of Investigation new powers to wiretap personal communications, three West Coast computer programmers have planned their own preemptive strike: a free program, distributed on the Internet, that renders legal and illegal wiretaps useless.

The programmers, Bill Dorsey of Los Altos, Pat Mullarky of Bellevue, Wash., and Paul Rubin of Milpitas, plan to release today a program that turns ordinary IBM-compatible personal computers into an untappable secure telephone. It uses an encryption algorithm called ''triple-DES'' that is widely believed to be unbreakable.

''Electronic surveillance by the government is on the rise,'' says Dorsey, the group's lead programmer. ''There also exists an equally large threat from the private sector as well: industrial espionage. Foreign governments are interested in wiretapping and getting information out of our high-tech firms.''

Called Nautilus, the program is being released as an attack on the Clinton administration's national encryption standard, the Clipper chip. Civil rights groups have criticized the Clipper initiative, since the federal government holds a copy of every chip's master key and can use that key to decrypt -- or decode -- any Clipper-encrypted conversation. But since the keys used by Nautilus to encrypt conversations are created by users, the government does not have a copy.

A nod to Jules Verne

Nautilus has another advantage over Clipper: Whereas AT&T's Clipper-equipped Telephone Security Devices Model 3600 costs $1,100, Nautilus is a free program. ''You don't need any special expensive hardware for it. You just use ordinary PCs,'' says Rubin.

The name ''Nautilus'' was taken from Captain Nemo's submarine in the Jules Verne novel, ''20,000 Leagues Under the Sea.'' But whereas Nautilus the sub was used to sink Clipper ships, the programmers hope that their creation will sink Clipper chips.

To use Nautilus, both participants must have a copy of the program and an IBM PC-compatible computer equipped with a Sound Blaster card and a high-speed modem. The two participants must also agree upon a series of words called a ''pass phrase,'' which is used to encrypt the conversation.

Both participants run the program and type in the pass phrase; one person instructs their computer to place the telephone call, the other instructs their computer to answer. Once the call is in progress, either user must press a key on their computer in order to speak, similar to using a hand-held radio. But unlike walkie-talkies, the users can interrupt each other.

Could help criminals

Such innovations could lead to conversations that would be practically foolproof from eavesdropping, either by pranksters or the government. It could become invaluable in future years to financial institutions and other corporations involved in sensitive negotiations.

''It will certainly be beneficial to many citizens and many other users of it,'' says Jim Kallstrom, assistant director of the Federal Bureau of Investigation's New York field office. ''I suspect that it also will be beneficial, unfortunately, to criminals.

''I would hope the extremely enterprising and smart people that we have in this country would work toward solutions that would not only protect the communication of citizens . . . but would also allow the law enforcement objectives to be maintained.''

Rubin stressed that while Nautilus was a challenge to write, it ''isn't rocket science.'' Much of the program, in fact, was assembled from parts that already were available on the Internet, the worldwide network of computer networks. It will even be easier to construct programs similar to Nautilus once Microsoft releases its computer telephony system for Windows 95.

''It will be impossible to keep a program like Nautilus out of the hands of people who want it,'' Rubin said.

Gene Spafford, a professor of computer science at Purdue University who is an expert on computer security, said: ''It will be interesting to see what reaction this provokes from the government.'' Nevertheless, Spafford said, in order for encryption to be widely adopted, it will have to be ''built into the phones.''

Dorsey said that anybody in the United States who has Internet access can download the program. For the instructions, use the Internet FTP command to connect to the computer FTP.CSN.ORG. Change to the ''mpj'' directory and retrieve the file called README. Use a text editor to read the README file, which contains some fairly complex instructions on how to get the actual Nautilus file.

This computer has been set up so that the program cannot be downloaded by people located outside the United States. ''I intend to follow all laws regarding the release of cryptography,'' he said.

------------------------------

From: "Prof. L. P. Levine"
Date: 29 Dec 1994 10:50:22 -0600 (CST)
Subject: Info on CPD [unchanged since 12/29/94]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors.

Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the SUBJECT: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit or append to the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at gopher.cs.uwm.edu.

Mosaic users will find it at gopher://gopher.cs.uwm.edu.

Older archives are also held at ftp.pica.army.mil [129.139.160.133].

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     | and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Mosaic: gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V6 #048
******************************