PRIVACY Forum Digest      Wednesday, 22 July 1992      Volume 01 : Issue 09

Moderated by Lauren Weinstein (lauren@cv.vortex.com)
Vortex Technology, Topanga, CA, U.S.A.

===== PRIVACY FORUM =====

The PRIVACY Forum digest is supported in part by the ACM Committee on Computers and Public Policy.

CONTENTS
    PRIVACY Brief (Moderator--Lauren Weinstein)
    Knowing Better (Phil Karn)
    911 privacy concern (Mel Beckman)
    U.S. encryption export control policy softens somewhat (Peter G. Neumann)
    Emerging Privacy Issues: Libraries (Peter Marshall)
    Telephone wiretapping (Erling Kristiansen)

*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------

The PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@cv.vortex.com" and must have RELEVANT "Subject:" lines. Submissions without appropriate and relevant "Subject:" lines may be ignored. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@cv.vortex.com". Mailing list problems should be reported to "list-maint@cv.vortex.com". All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "cv.vortex.com", in the "/privacy" directory.
Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive.

For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX to (310) 455-2364.

-----------------------------------------------------------------------------

VOLUME 01, ISSUE 09

Quote for the day:

    "It's such a comfort having a machine to do our thinking for us."

        -- Morticia Addams (referring to "Whizzo" the computer)
           "The Addams Family" (1964-1966)

----------------------------------------------------------------------

PRIVACY Brief (from the Moderator)

---

The California State Supreme Court recently reversed the conviction of a wife and her lover for the murder of the wife's husband. The prosecution's primary evidence in the case was tapes of telephone conversations between the wife and her lover that the husband had been secretly making, which the prosecution had obtained. The court ruled unanimously that federal law bars family members from tapping the family phone, and that the tape was not admissible. The prosecution had argued that "domestic" taping of that sort was not illegal, and that even if the taping was illegal it was still admissible since the government had played no role in the making of the tapes (i.e. they acquired evidence made by a citizen). The court rejected both of these arguments, but reversed the conviction reluctantly.
The court also suggested that perhaps it was unfortunate that Congress had adopted laws allowing such a broad-based suppression of evidence in such cases.

------------------------------

Date: Sat, 18 Jul 92 00:20:14 -0700
From: karn@chicago.Qualcomm.COM (Phil Karn)
Subject: Knowing Better

Okay, here's a personal anecdote for you.

The other day I made an offer on a house. Sitting with my realtor in a Carl's Jr, I'm signing a large stack of forms when her transportable cell phone rings. It's a mortgage broker who wants to prequalify me for a loan. She hands the phone to me and before I know it, I'm telling him where I work, how much I make, how much I have in the bank, what other loans I have outstanding, etc.

Unlike most people who can at least plead ignorance, I know all too well how easily these things are monitored. But in the excitement of the moment I did it anyway.

That's why meaningful encryption ought to be a standard feature of any cellular telephone system.

Phil

------------------------------

Date: Sat, 18 Jul 92 11:41:26 PST
From: mbeckman@mbeckman.mbeckman.com (Mel Beckman)
Subject: 911 privacy concern

In this morning's Ventura County Star/Free Press newspaper (Sat 92jul17) appears an article headlined "Woman calls for help, lands in jail." Here is my own summary of their story:

Oxnard, CA resident Helene Golemon called 911 to report (twice) a loud teenage street party in the wee hours. Later, at 6:00am, an officer arrived and arrested her on a (subsequently learned-to-be) erroneous misdemeanor traffic warrant. Golemon expressed outrage at the 911 records check, and that the warrant even existed at all. "Those kids were out there drinking and driving drunk. Nothing happened to them and I got arrested." After booking, including fingerprints and mug shots, she was detained in a holding cell until her husband posted $188 bond later that morning.

Assistant police chief William Cady claimed that dispatchers often check available records, even on a reporting person, to know as much as possible about the people involved when responding to 911 calls. "Procedurally, our people did nothing wrong," he said.

The arrest warrant dated from an illegal left turn from May, 1988. Golemon fought the ticket and lost, then attended state-sponsored driver's education (a CA alternative to fines available for first-time offenders) in August 1988. The court has a copy of Golemon's driver education certificate on file, and Linda Finn, deputy executive officer for Ventura County Superior and Municipal Courts, couldn't explain why a warrant was later issued in 1989. Golemon was never notified of the warrant.

Golemon felt the incident was vindictive, because the dispatcher was annoyed with her. "When I tried to explain the continuing problems we're having, she was very short with me," she said. Golemon then asked for the dispatcher's name, and the dispatcher in turn demanded Golemon's full name. After Golemon complied, the dispatcher only told Golemon her badge number. The dispatcher remains unidentified in the news report, and an Oxnard police sergeant who reviewed the tape said the dispatcher was "absolutely professional."

The privacy and computer risk concerns here seem to me threefold. First, the police often act with inappropriate gravity on erroneous, and apparently unverifiable, data. Under what circumstances does a misdemeanor warrant demand a 6:00am public arrest? Certainly more time could have been expended verifying the data, as an at-large illegal left-turner hardly threatens public safety.

Second, apparently innocuous -- even beneficial -- contacts with government can result in record searches for unrelated information. Not only can this result in egregious seizures, as in this case, such an atmosphere can only stultify public/government relations. Crime and corruption thrive in such an environment.

Third, although individuals have the right to know most information the government retains on them (FOIA), that right becomes meaningless if the government can, at any time, decide to integrate facts from disjoint data bases and then act without notice on resulting conclusions. One cannot submit an FOI request on the union of multiple far-flung data sets!

-mel

 ___________________________________________________________________
| Mel beckman                  | Internet: mbeckman@mbeckman.com    |
| Beckman Software Engineering | Compuserve: 75226,2257             |
| 1201 Nilgai Place            | Voice: 805/647-1641                |
| Ventura, CA 93003            | Fax: 805/647-3125                  |
|______________________________|____________________________________|

------------------------------

Date: Sun, 19 Jul 92 11:39:44 PDT
From: "Peter G. Neumann"
Subject: U.S. encryption export control policy softens somewhat

In the ongoing struggle between NSA's desires to be able to intercept international communications and software vendors' desires to be able to compete in international markets, the Bush administration has agreed to ease export controls on encryption-based software somewhat. The decision transfers control of encryption software (albeit only on a case-by-case basis) to the Commerce Department (from the State Department, which enforces standards equivalent to those of weapons export).

An article by Don Clark in the San Francisco Chronicle, 18 July 1992, p.B1, suggests that systems with up to 40-digit RSA keys will now be considered for export. Clark's article notes that it is possible to get much better stuff on the streets of Europe -- and mentions "Cryptos", which uses both DES and RSA, which is available today in Moscow! In addition, the administration will now meet with industry representatives up to twice a year.

The privacy implications remain murky. If the government can compromise 40-bit RSA keys, then this "softening" is only cosmetic. If they cannot, then one wonders why the "softening" has taken place.
But the real irony is that RSA is almost trivial to implement anywhere, and is in some sense a better mousetrap. Perhaps we have here a case of the mousetrap that roared!

Peter

------------------------------

Date: Mon, 20 Jul 92 08:47:02 -0700
From: ole!rwing!peterm@nwnexus.wa.com (Peter Marshall)
Subject: Emerging Privacy Issues: Libraries

Public libraries, those traditional, universal information providers and heirs to a long tradition of defense of users' privacy interests, would appear to be in for an otherwise unexpected change in the nature and extent of the sort of privacy concerns they're accustomed to facing.

With increasing--and often, trendy--employment of a number of information technologies and services, coupled with an increase in the extent of library automation, and aided and abetted by a fashionable trend to implement fees for services often grounded on use of information technologies--sometimes referred to as the "entrepreneurial movement"; the horizon in the public library world would seem to carry a marked increase in the collection, processing, etc. of transaction-generated information.

This tendency, familiar enough in other areas of emerging privacy issues, seems to be occurring, as in some other areas, in an environment that shows signs of a broader tendency to information-as-commodity, and thus to concerns about commercialization and privatization. Although these latter concerns get attention in the professional library community, this group appears generally less tuned-in to privacy issues other than those that are traditional in the library setting; while at the same time, these same broader concerns appear to get less attention themselves from the broader community these perhaps all-too-familiar civic institutions serve.

Emerging privacy issues for public libraries would seem to call up the usual panoply of information-privacy and information-policy concerns; e.g., disclosure as the flip side of access, and those otherwise well-known reference-points, Principles of Fair Information Practices.

The public library as the good ol' bastion of privacy? Let's see.

Peter Marshall

------------------------------

Date: Wed, 22 Jul 92 09:16:03 CET
From: "E. Kristiansen - WMS"
Subject: Telephone wiretapping

NRC Handelsblad, a Dutch newspaper, of 20 July has two articles concerning telephone wiretapping.

The first article describes several cases of alleged unauthorized wiretaps performed by PTT Telecom, the Dutch telephone company. The PTT is accused of establishing wiretaps on telephone lines without the required court order, on request of the police and legal authorities (district attorney). In one case, a PTT employee has allegedly passed on information obtained from illegally bugging a phone line, to a criminal (drug dealer). The employee has been fired.

A PTT spokesperson says that "according to current procedure", the police cannot request a wiretap directly. The request is to be submitted through the proper legal channels.

From a technical point of view, the article suggests, without giving much detail, that it is very easy to establish a wiretap, and that the only control is through procedures, relying on "highly trusted personnel". Further, it is said that the PTT never performs wiretapping itself, it only establishes the tap to a line going to the police office. It is not said that the PTT CANNOT do wiretapping, and I would assume that they can, e.g. for technical monitoring of line quality.

The other article describes how an on-hook telephone set can be used for bugging the room in which it is installed. The trick can be performed by anybody who can gain access, legally or illegally, to any point of the wire pair connecting the telephone set to the exchange.
A high frequency signal is injected into the line. This signal bypasses the hook switch of the set (capacitive coupling, I suppose). The microphone modulates the signal (technical details not given), and the intruder can demodulate, and listen to the conversation in the room.

When this trick was published in the press, PTT says it will shortly be offering a telephone plug with a built-in capacitor to short the HF signal. The plug will sell for about Dfl.5 (USD 3). Consumer organizations urge that the plug should be available free of charge to anybody asking for it.

It is not said whether the trick will work on all current types of phones, or only on particular brands.

Erling Kristiansen

    [ This sort of bugging is definitely not new and has been described in various "popular" books concerning law enforcement and intelligence topics. -- MODERATOR ]

------------------------------

End of PRIVACY Forum Digest 01.09
************************