PRIVACY Forum Digest Friday, 2 July 1993 Volume 02 : Issue 23 Moderated by Lauren Weinstein (lauren@vortex.com) Vortex Technology, Topanga, CA, U.S.A. ===== PRIVACY FORUM ===== The PRIVACY Forum digest is supported in part by the ACM Committee on Computers and Public Policy. CONTENTS Clinton Admin Information Policy (Press Release and Info) (Lauren Weinstein; PRIVACY Forum Moderator) Using just last four digits of SSN (Avi Gross) Re: using Soc. Security number in passwords (Paul E. Black) The other side of Clipper (A. Padgett Peterson) *** Please include a RELEVANT "Subject:" line on all submissions! *** *** Submissions without them may be ignored! *** ----------------------------------------------------------------------------- The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged. ALL submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com". All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations. The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are also available through the Internet Gopher system via a gopher server on site "gopher.vortex.com". For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@vortex.com, call (310) 455-9300, or FAX to (310) 455-2364. ----------------------------------------------------------------------------- VOLUME 02, ISSUE 23 Quote for the day: "Whatever Lola wants, Lola gets." -- Lola (Gwen Verdon) "Damn Yankees" (1958) ---------------------------------------------------------------------- Date: Fri, 2 Jul 93 13:03 PDT From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: Clinton Admin Information Policy (Press Release and Info) Greetings. The following press release arrived here a few days ago. Another copy of the release itself, as well as the entire document referred to by the release, have been placed into the PRIVACY Forum archive. Note that it is a fairly long file (~140K bytes uncompressed). To access: Via Anon FTP: From site "ftp.vortex.com": /privacy/omb-a-130.Z or: /privacy/omb-a-130 Via e-mail: Send mail to "listserv@vortex.com" with the line: get privacy omb-a-130 as the first text in the BODY of your message. Via gopher: From the gopher server on site "gopher.vortex.com" in the "*** PRIVACY Forum ***" area under "omb-a-130". --Lauren-- -------------------- Title:OMB Announces New A-130 Circular 6.28.93 Date:28 Jun 93 21:44:26 UT Almanac-Area: FOR IMMEDIATE RELEASE Contact: Barry Toiv June 28, 1993 (202) 395-3080 CLINTON ADMINISTRATION AIMS FOR OPEN INFORMATION POLICY The Clinton Administration has taken a major step to improve the Federal government's policies and capabilities for making information available to the American people. Office of Management and Budget (OMB) Director Leon E. Panetta issued new policies on June 25 for managing government information that encourage agencies to utilize new technologies to improve public access. Sally Katzen, Administrator of OMB's Office of Information and Regulatory Affairs (OIRA), which is charged with developing and implementing the government's information policies, said that the revisions of OMB Circular A-130 "will help bring the Federal government into the information age. This is a major step toward realizing the vision of a government that uses technology better to communicate with the American people." OMB Circular A-130, entitled "Management of Federal Information Resources," establishes policy that Federal agencies will follow when acquiring, using, and distributing government information. "These long-awaited revisions to Circular A-130 are an integral part of the President and Vice-President's technology initiative, announced February 22, 1993," said Katzen. "We will use information technology to make government information available to the public in a timely and equitable manner, via a diverse array of sources, both public and private. We will also ensure that privacy and security interests are protected." The new circular emphasizes integrated management of information dissemination products. Agency electronic information products, whether computer tapes, CD-ROMs, or on-line services, will fall under the same policy umbrella as printed publications or audiovisual materials. The circular asks agencies to develop and maintain indexes and other tools to make it easier for the public to locate government information. The circular provides that, generally, the Federal government should recoup only those costs associated with the dissemination of information, and not those associated with its creation or collection. Similarly, it provides that agencies should not attempt to restrict the secondary uses of their information products. "These policies build on the tradition of open information flow reflected in the Freedom of Information Act," Katzen observed. "This revision of Circular A-130 marks the beginning, not the end, of our efforts to improve access by and service to the citizen," she added. She noted that OMB will take other steps to improve the management of information, as part of the Administration's efforts to "reinvent government" and the National Performance Review's mandate to improve all areas of Federal management. In cooperation with the other agencies in the Information Infrastructure Task Force called for in the President's technology initiative, OMB will: o sponsor a coordinated initiative to improve electronic mail among agencies; o promote the establishment of an agency-based Government Information/Inventory Locator System (GIILS) to help the public locate and access public information; and, o use the Paperwork Reduction Act to encourage agencies to convert paper documents such as purchase orders, invoices, health insurance claims, environmental reports, customs declarations and other regulatory filings to electronic form. In addition, the Administration will work with Congress to update the Freedom of Information Act with respect to electronic records. OMB first issued Circular A-130 in 1985. OMB is revising the Circular in two phases. The first phase, issued today, focuses on information policy. An earlier version was the subject of extensive public comment, and the final document reflects those comments. The second phase, to be proposed shortly, will revise the way the government manages its information technology resources. The revised Circular will be published in the Federal Register on July 2. It is available from the OMB Publications Office (202-395-7332). The Circular is also available in electronic form. On the Internet use anonymous File Transfer Protocol (FTP) from nis.nsf.net as /omb/omb.a130.rev2 (do not use any capital letters in the file name). For those who do not have FTP capability, the document can be retrieved via mail query by sending an electronic mail message to nis-info@nis.nsf.net with no subject, and with send omb.a130.rev2 as the first line of the body of the message. It is also available on the Commerce Department's FEDWORLD bulletin board. (Dial 703-321-8020 (N-8-1). New users should register as "NEW".) ------------------------------ Date: Mon Jun 28 11:51:12 EDT 1993 From: avi@pegasus.att.com Subject: Using just last four digits of SSN I am following up on a message by Ohringer@DOCKMASTER.NCSC.MIL regarding the use of the last four digits of the social (in)security number as part of a password scheme. (S)he expressed concern about privacy issues. I am not happy with having any part of my social security number used in any way. In my organization, we have a similar setup where we have group logins for access to a major resource and we protect it with a secondary prompt for your username/password. Unfortunately, the password is the last 4 digits of the SS and can not be changed. Since I, and many others, have access to a database of hundreds of thousands of users that includes their entire social security number, this means that it is easy to log in as someone else. During a recent crisis, I needed to allow people to get in this way that have not been set up in our database. I had to let them log in as "me" by giving them my number. Unlike a standard choosable password, this has leaked my number permanently. I note that once people start using the same thing, it becomes dangerous. I can picture banks, etc, starting to use the last digits as PIN numbers, and then anyone having access to this information (or the full SS#) can get in to other accounts of yours. While on this topic, I recently was on a Federal Jury and I noticed sign-in sheets for prospective (and actual) jurors sitting in public and containing full names, addresses AND social security numbers! They neglected to include phone numbers. I complained about this and was told that people were "too busy" to read your social security number. They refused to change the system. Every day they print a new printout and then use the signed entries to set you up to be reimbursed for your time and transportation. My guess is that they key in your SS# rather than name. This was in marked contrast to what happens in the courtroom. After making you publicly announce your name, home town (but not address) and even your choice of newspapers, they tell the chosen jury to avoid talking to any lawyers, defendants, etc, while the trial is in progress. However, should they want to annoy you, or even cause you problems, they can just walk up and get all this information by flipping through the pages. Avi Gross, avi@pegasus.att.com, XXX-XX-1234 ------------------------------ Date: Mon, 28 Jun 93 09:41:31 PDT From: pblack@kangaroo.Berkeley.EDU (Paul E. Black) Subject: re: using Soc. Security number in passwords On Fri, 18 Jun 93 22:27 EDT, Ohringer@DOCKMASTER.NCSC.MIL writes: > An organization is planning to use the last four digits of employees > Social Security Numbers as part of a scheme for assigning computer > passwords. I am not asking about the security aspects of this, but am > wondering about the privacy implications. Is there anything particular > that needs to be considered about the last four digits as opposed to > four other digits? Is this an acceptable use of (part of) social > security numbers? Would it matter if the last nine digits (all of) or > the last one digit were used? I believe this is the wrong thing to do. Using Social Security numbers in passwords makes the passwords easier to guess when something is known about the user (similar to the user having first name, spouse's name, or birthdate in the password). So the passwords will be weaker. In addition the password may go places where the Social Security number might not have, thus spreading some information about the number even farther. Thus there are distinct disadvantages. The number of digits merely strengthens or weakens the above arguments. Since the last four digits of numbers are not unique, making passwords unique must be done another way. The only advantage I can see, making the password easier to remember, can be achieved other ways: make passwords a combination of two words, e.g. doverCel (Dover is a city in the state of DELaware), creating words which *sound* real, but are not, e.g. phondate (a syllable generator hooked to a dictionary filter), etc. In short, I see no advantage to using *any* digits of a social security number, and several disadvantages. Paul E. Black CS Division, 571 Evans Hall School: pblack@cs.berkeley.edu University of California at Berkeley Home: paul@beehive.cirrus.com Berkeley, California 94720 Voice: +1 510 643 6261 USA ------------------------------ Date: Mon, 28 Jun 93 12:27:14 -0400 From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) Subject: The other side of Clipper From: "Barry Jaspan" Subject: Re: The other side of Clipper (padgett@tccslr.dnet.mmc.com) >Undeniably. The question is who will be able to using STU-IIIs >without causing themselves potential problems. The answer is "the >government, and no one else." From: Bob Leone Subject: The other side of Clipper >False. There would not be a flood. What would happen, if the govt made >non-Capstone encryption illegal, is that it would be considered prima-facie >evidence of criminal conspiracy (since only a criminal would want his >comm secure against monitoring by law-enforcement agents, right? Sure). I respectfully disagree. While this is possible, what the criminals will do is to first encrypt using a secure mechanism and *then* feed it to the Clipper chip. In this manner, Clipper will actually slow down the process since the gov will need a wiretap authorization *first* before they will be able to accuse anyone of malfeasence. Further IMHO the current furor over seizures where no criminal charges are is indicative that the pendulum is swinging away from easy court orders. The gov may still tap communications as a matter of course, but prosecution may become more difficult. Besides, as I have said, the real target audience for Clipper/Capstone will not *care* if the gov listens. Warm & muggy today, tuggy tomorrow, Padgett ------------------------------ End of PRIVACY Forum Digest 02.23 ************************