PRIVACY Forum Digest Sunday, 27 June 1993 Volume 02 : Issue 21 Moderated by Lauren Weinstein (lauren@vortex.com) Vortex Technology, Topanga, CA, U.S.A. ===== PRIVACY FORUM ===== The PRIVACY Forum digest is supported in part by the ACM Committee on Computers and Public Policy. CONTENTS Summer Doldrums (Lauren Weinstein; PRIVACY Forum Moderator) Re: The other side of Clipper (Barry Jaspan) The other side of Clipper (Bob Leone) Questions for the Privacy Forum (Ohringer@DOCKMASTER.NCSC.MIL) Re: USPS NCOA request results (Phil Karn) USPS NCOA request results (Alan Wexelblat) *** Please include a RELEVANT "Subject:" line on all submissions! *** *** Submissions without them may be ignored! *** ----------------------------------------------------------------------------- The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged. ALL submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com". All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations. The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are also available through the Internet Gopher system via a gopher server on site "gopher.vortex.com". For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@vortex.com, call (310) 455-9300, or FAX to (310) 455-2364. ----------------------------------------------------------------------------- VOLUME 02, ISSUE 21 Quote for the day: "All you of Earth are idiots." -- Eros (Dudley Manlove) "Plan 9 From Outer Space" (1959) ---------------------------------------------------------------------- Date: Sun, 27 Jun 93 16:12 PDT From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: Summer Doldrums Greetings. We've now entered the "summer doldrums" period for Internet Digests, where submissions and volume tend to drop to minimums for the year. So, this is a good time to submit your own privacy concerns, concepts, horror stories, or other relevant materials. Remember, privacy is *you*. --Lauren-- ------------------------------ Date: Sun, 13 Jun 93 11:35:08 EDT From: "Barry Jaspan" Subject: Re: The other side of Clipper (padgett@tccslr.dnet.mmc.com) First, I believe that the tapping capability of Clipper/Capstone will prevent its ever replacing STU-IIIs and other complex algoritms for dedicated point-point connections that require absolute privacy. Undeniably. The question is who will be able to using STU-IIIs without causing themselves potential problems. The answer is "the government, and no one else." Legislation from the government banning "any other cryptography" would be impossible to enforce and akin to trying to stuff knowlege back into Pandora's box. It is just not going to be happen and the government is intelligent enough not to take on a losing battle that could just flood the legal system (and there would be pleanty of floodees). Since when has a law being impossible to enfoce prevented the government from enacting it? Consider: speed limits, drug use, Prohibition. Each of these *is* (was) a losing battle, and each *is* flooding (did flood) the legal system. And yet the governemnt continues to stand behind impossible laws. Why? The NSA is not stupid. They *know* they will be unable to prevent dedicated people from using strong cryptography. So why bother mandating Clipper? Because then anyone using strong cryto will be labelling themself as a criminal, giving law enforcement authority to arrest them (or just seize their assets) should the desire ever arise. Barry Jaspan, bjaspan@gza.com ------------------------------ Date: Wed, 16 Jun 1993 11:28:24 -0400 From: Bob Leone Subject: The other side of Clipper > Legislation from the government banning "any other cryptography" would > be impossible to enforce and akin to trying to stuff knowlege back into > Pandora's box. It is just not going to be happen and the government is > intelligent enough not to take on a losing battle that could just > flood the legal system (and there would be pleanty of floodees). False. There would not be a flood. What would happen, if the govt made non-Capstone encryption illegal, is that it would be considered prima-facie evidence of criminal conspiracy (since only a criminal would want his comm secure against monitoring by law-enforcement agents, right? Sure). What would then happen is: if the govt wants to monitor you, and you use non-Capstone, then they nail you. Make the penalties heavy enough, and they don't really need to prove any of the charges they wanted to monitor you for. After a few well-publicized cases, not too many people will use non-Capstone encryption. Bob Leone (leone@gandalf.ssw.com) (The opinions expressed are my own.) ------------------------------ Date: Fri, 18 Jun 93 22:27 EDT From: Ohringer@DOCKMASTER.NCSC.MIL Subject: Questions for the Privacy Forum An organization is planning to use the last four digits of employees Social Security Numbers as part of a scheme for assigning computer passwords. I am not asking about the security aspects of this, but am wondering about the privacy implications. Is there anything particular that needs to be considered about the last four digits as apposed to four other digits? Is this an acceptable use of (part of) social security numbers? Would it matter if the last nine digits (all of) or the last one digit were used? What precedents exist for allowing or prohibiting such use? What precedent is set by this proposed use? I look forward to reading how readers would react if they faced such a proposal. ------------------------------ Date: Mon, 21 Jun 93 13:20:08 -0700 From: Phil Karn Subject: Re: USPS NCOA request results I can personally attest to the popularity of the USPS change of address database. Having moved twice in the past two years (first from New Jersey to a rented house in San Diego, and again a year later within San Diego when I bought a house), I had a chance to try out a trick suggested by a local friend. Whenever I gave my new mailing address to someone, I added a unique, bogus "apartment number" to keep track of how far that particular copy of my address propagated. It was hardly worth the effort. The *vast* majority of junk mail I began to receive at each new address came with "#P", the code I had added to the USPS change-of-address form. It even appears on my address in the ham radio ARRL Repeater Directory listing for members of the ARRL Future Systems Committee, of which I am a member. The information you put on those harmless-looking little cards goes *everywhere*. And since I bought a house last August, another major source of junk mail without a code has appeared that clearly uses the public real estate records at the county clerk's office. It seems to go in cycles. First were all the solicitations from burglar alarm, carpet and drapery companies. Then it was "let us help you file your homestead exemption". Now it's mortgage insurance and mortgage refinancing. The moral is clear: if you want to disappear, don't file a change of address form with the USPS, and don't buy a house. :-) Phil ------------------------------ Date: Thu, 24 Jun 93 11:29:04 -0400 From: "Alan (Gesture Man) Wexelblat" Subject: USPS NCOA request results I, like Steve Peterson, received a thick bundle of dead trees from the USPS asserting that any and all of the companies listed (several thousand names) might have received my change-of-address. Interestingly, the USPS also claims that only those companies that "already had my address" could have gotten the new one. I don't see how they could assert this unless they're denying that they ever sold the list of people-who-changed-addresses. Just another data point... --Alan Wexelblat, Reality Hacker and Cyberspace Bard Media Lab - Advanced Human Interface Group wex@media.mit.edu Voice: 617-258-9168, Pager: 617-945-1842 wexelblat.chi@xerox.com ------------------------------ End of PRIVACY Forum Digest 02.21 ************************