PRIVACY Forum Digest      Friday, 19 November 1993      Volume 02 : Issue 35

          Moderated by Lauren Weinstein (lauren@vortex.com)
            Vortex Technology, Woodland Hills, CA, U.S.A.

                     ===== PRIVACY FORUM =====

        The PRIVACY Forum digest is supported in part by the
          ACM Committee on Computers and Public Policy.

CONTENTS
        Privacy of cellular phones (Cris Pedregal Martin)
        On the Road to Nosiness? (Les Earnest)
        Re: "On the Road to Nosiness?" (Joel A. Fine)
        Privacy of Card Readers (Brad Dolan)
        ID Cards & Campus Privacy (Willis H. Ware)
        Unresolved latent matching (faatzd2@rpi.edu)
        CPSR Alert 2.05 [Extracts re: FBI Digital Telephony Initiative,
          Crypto Policies, and Medical Privacy -- MODERATOR ] (Dave Banisar)
        TTGI/CPNI is Not Protected (David Gast)

  *** Please include a RELEVANT "Subject:" line on all submissions! ***
           *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com". All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations.
The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are also available through the Internet Gopher system via a gopher server on site "gopher.vortex.com".

For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@vortex.com, call (818) 225-2800, or FAX to (818) 225-7203.
-----------------------------------------------------------------------------

VOLUME 02, ISSUE 35

   Quote for the day:

        "And now, for something completely different..."

                -- Segment bumper line from
                   "Monty Python's Flying Circus" (1969-1974)

----------------------------------------------------------------------

Date: Sat, 6 Nov 1993 15:16:19 -0500 (EST)
From: pedregal@unreal.cs.umass.edu (Cris Pedregal Martin)
Subject: Privacy of cellular phones

        [Subject field chosen by MODERATOR]

(Of course, readers here know that using a cellphone broadcasts in the clear their conversations -- no need for more caveats on this.)

On the arrest made after cellular eavesdropping: the chutzpah (or naivete?) of the cop who openly admitted to illegally scanning cellular frequencies is a tip-off of something. Has this scanning become widespread in law enforcement? After all, one can always make up another probable cause if the fishing expedition yields something.
It is to be expected that the case will be thrown out on tainted evidence grounds. But if the practice is widespread, it'll just tell the cops eavesdropping is still one off-the-book method, so they don't write it down on their reports.

Law enforcers have plenty of incentive to bend laws in their work. But civil rights are for everyone, including suspected criminals -- the real test of whether we respect rights is when we have to protect those of persons we don't like (or whose actions we don't like). Not concerned with this since you are an honest citizen? Think again; since bad guys don't always wear black hats anymore, you might be mistaken for one any day. And then all those legal "technicalities" will matter.

And, in the same digest, a nitpick:

> > The state of Wisconsin recently appointed a Privacy Advocate.
> > Carol M. Doeppers, the wife of a UW Geology Professor begins in this
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

No, I am not with the PC police, but this kind of bio information is irrelevant, probably sexist, and arguably a violation of the Privacy Advocate's privacy! (most likely by the original newspaper story writer)

--
Cris Pedregal Martin                          pedregal@cs.umass.edu
Computer Science Department
UMass / Amherst, MA 01003

------------------------------

Date: Sat, 6 Nov 93 14:03:29 -0800
From: Les Earnest
Subject: On the Road to Nosiness? (Digest V02 #34)

In his Detroit Free Press article, Dan Gillmor describes prospective privacy intrusions in the form of vehicle tracking based on "intelligent vehicle highway systems." Some of these problems can be avoided through appropriate design decisions, but the fact is that many of us can be tracked today on a minute-by-minute basis. The article says:

    * Proposals for electronic tolls -- which economists and traffic planners generally agree would be an efficient way to reduce congestion and pay for upkeep. The reasoning, which makes sense, is that you should pay more to use the highway at rush hour than at 2 a.m.
    How would that be done? Highway and vehicle sensors, which wouldn't slow traffic like old-fashioned toll booths, would know when you use the road and bill you accordingly.

However, instead of basing toll payments on a credit/billing system, a debit card can be used that is purchased anonymously. This can be done in at least two ways: using a smart card that keeps track of how much of its value has been "spent" on tolls, or a card that simply gives its ID number when interrogated, so that a central toll computer can keep track of how much of its original value has been spent. A more elegant approach would be to use a Digicash card or equivalent coupled with a transceiver. Any of these schemes would do a reasonable job of preserving privacy.

California state officials originally proposed an automatic toll billing system in which the vehicle identification number could be read electronically, which would have been disastrous for privacy. However, they have apparently been talked into using the anonymous debit card approach by privacy advocates, principally Chris Hibbert.

However, those of us who use cellular phones can be, and perhaps are being, tracked already. A certain amount of tracking is essential in order to make the cellular phone system work. This includes measurement of signal strength from a given cellular phone at various transceiver sites and with various antennas -- each site typically has six or so directional antennas. Back-of-the-envelope calculations indicate that by comparing signal strengths from various sites and antennas the location of the phone often can be determined to less than a square mile and sometimes more accurately. Note that your phone can be tracked even when you are not talking -- if it is open to incoming calls it can be tracked without your being aware of it. Furthermore, there appear to be no legal constraints on the use of this information.
The cellular phone company can give it to a law enforcement agency without the latter having to get a court order. Alternatively, the company can sell this information to whoever is interested. Probably most cellular phone companies will not disclose tracking information based on ethical considerations, but I wouldn't want to count on it. I believe that this is a loophole that should be closed by appropriate legislation.

        -Les Earnest

------------------------------

Date: Mon, 08 Nov 1993 10:24:54 -0800
From: "Joel A. Fine"
Subject: Re: "On the Road to Nosiness?"

Dan Gillmor writes:

> ...suppose some future road officials decide to install new
> cameras and higher-capacity transmission lines, allowing the
> system to scan locations, license-plate numbers and drivers'
> faces into the computer.

A similar system is already in place in Campbell, California, and several nearby municipalities, for the purpose of enforcing speed limits. An unmanned radar-camera combination automatically photographs speeding motorists and records their speed at the time the picture was taken. Several days later, the driver receives a copy of the photo, along with a bill for the appropriate fine for the traffic violation. The driver never talks with, or sees, a traffic cop.

- Joel Fine
  joel@cs.berkeley.edu

------------------------------

Date: 08 Nov 93 10:43:32 EST
From: Brad Dolan <71431.2564@CompuServe.COM>
Subject: Privacy of Card Readers

Dave Millar, millar@pobox.upenn.edu, asks for info about alternate names for and uses of security card systems.

We called them "key cards" in the nuke plants where I used to work. You didn't have to be an atomic scientist ;-) to figure out that big brother would monitor the data closely. That's why I never felt too sorry for the people who were clobbered based on key card data. Of course, there is always the potential for bad data .....
About once a year, somewhere in the industry, a guy would get "disciplined"/canned for:

(1) Claiming he performed a task, when there was no key card record of his entry into the space where the work would be performed.

(2) Spending "too little" time in the space where the work would be performed.

(3) Spending "too much" time in an out-of-the-way space on a midnight shift.

& other variations on these themes.

        [ A key question which arises revolves around the issue of whether the same sorts of tracking records that it makes sense to keep in a nuclear or other secure facility are reasonable for the typical educational environment. See the next message below. -- MODERATOR ]

------------------------------

Date: Mon, 15 Nov 93 15:56:17 PST
From: "Willis H. Ware"
Subject: ID Cards & Campus Privacy

Dave Millar of the Univ of Pennsylvania wants to know:

> Can you help me find any information on the issues associated with
> information kept on security card scanner systems?  We have a large
> network of card readers scattered across campus tracking the comings
> and goings of several tens of thousands of people at several hundred
> points on campus - administrative buildings, dining halls, dorms,
> libraries, etc.  What, if anything, stops someone from collecting
> this data and using it in ways not known or intended by the people
> being monitored?

In a word, very little. Stop looking; you will find nothing.

The University of Pennsylvania is a private institution and hence can behave largely as any entity in the private sector does with personal information: do as it pleases. In the private sector there are very few legal restrictions on what may be done with personal information; credit information on an individual is one of the exceptions. The only thing going in favor of the individual is the morality and ethical behavior of the institution and concerned, well-informed leadership and administrators.
As a matter of proper behavior and sensible administration, the University should have in place a policy stipulating how such information will be protected and access to it controlled, how such information will be stored, how long it will be retained, who may be allowed access to it, with whom it will be shared, will law enforcement have access to it, is it subject to subpoena, are audit trails accumulated of any one individual, etc. Additionally, the campus population should also know what things are possible with the system; e.g., what is the information used for, how might it be used if some administrator has a bright idea for a new use, who makes policy on the use, does or should the campus population have a voice in such decisions.

In short there should be a privacy policy governing the operation of such a system and the policy should be made known to all campus users. If it does not, there is no law that will require it to do so. All you can do is to demonstrate, cajole, pressure, embarrass, threaten, publicize, persuade, etc. in an effort to get a proper response. In the end everyone on the Penn campus will depend on the ethics of the University administration.

I suggest that you contact my colleague and friend, Professor David Farber of the Computer Science Department. He is alert to computer security and privacy problems. He may be well informed on this system and can give you more detailed answers, or help you in rectifying any shortfalls.

                                        Willis H. Ware
                                        Santa Monica, CA

        [ Depressing, isn't it? -- MODERATOR ]

------------------------------

Date: Mon, 8 Nov 93 11:59:43 EST
From:
Subject: Unresolved latent matching

... I once worked for a startup company (now defunct) that wanted to develop fingerprint matching systems to sell to Governments. Our initial product would not have handled "unresolved latent matching" ... that is, matching outstanding crime scene prints against incoming prints for current crimes, job applications, etc.
We were unable to sell such a system ... state governments believe that the real BANG they get from automated fingerprint processing is NOT improved efficiency, lower cost, faster response times, or any of the normal business advantages. What they get is BIG PUBLICITY when someone submits his prints as part of a routine job application (say as a schoolbus driver ...) and it kicks out a match with an unresolved crime scene print for say an AXE murder 10 years ago. This kind of thing is the real payback law enforcement sees in such systems.

BTW - it has never been proven one way or another that fingerprints are unique identifiers ... only that no two individuals have yet been found to have the same prints ... it is possible in theory ...

------------------------------

Date: Fri, 12 Nov 1993 13:13:48 EST
From: Dave Banisar
Subject: CPSR Alert 2.05 [Extracts re: FBI Digital Telephony Initiative,
         Crypto Policies, and Medical Privacy -- MODERATOR ]

        [ I have extracted the following three numbered items from
          CPSR Alert 2.05 -- MODERATOR ]

[1] FBI's Operation "Root Canal" Documents Disclosed

In response to a CPSR Freedom of Information Act lawsuit, the FBI this week released 185 pages of documents concerning the Bureau's Digital Telephony Initiative, code-named Operation "Root Canal." The newly disclosed material raises serious doubts as to the accuracy of the FBI's claim that advances in telecommunications technology have hampered law enforcement efforts to execute court-authorized wiretaps.

The FBI documents reveal that the Bureau initiated a well-orchestrated public relations campaign in support of "proposed legislation to compel telecommunications industry cooperation in assuring our digital telephony intercept requirements are met." A May 26, 1992, memorandum from the Director of the FBI to the Attorney General lays out a "strategy ...
for gaining support for the bill once it reaches Congress," including the following:

     "Each FBI Special Agent in Charge's contacting key law enforcement and prosecutorial officials in his/her territory to stress the urgency of Congress's being sensitized to this critical issue;

     Field Office media representatives educating their contacts by explaining and documenting, in both local and national dimensions, the crisis facing law enforcement and the need for legislation; and

     Gaining the support of the professional associations representing law enforcement and prosecutors."

However, despite efforts to obtain documentation from the field in support of Bureau claims of a "crisis facing law enforcement," the response from FBI Field Offices was that they experienced *no* difficulty in conducting electronic surveillance. For example, a December 3, 1992, memorandum from Newark reported the following:

     The Newark office of the Drug Enforcement Administration "advised that as of this date, the DEA has not had any technical problems with advanced telephone technology."

     The New Jersey Attorney General's Office "has not experienced any problems with the telephone company since the last contact."

     An agent from the Newark office of the Internal Revenue Service "advised that since the last time he was contacted, his unit has not had any problems with advanced telephony matters."

     An official of the New Jersey State Police "advised that as of this date he has had no problems with the present technology hindering his investigations."

Likewise, a memorandum from the Philadelphia Field Office reported that the local offices of the IRS, Customs Service and the Secret Service were contacted and "experienced no difficulties with new technologies." Indeed, the newly-released documents contain no reports of *any* technical problems in the field.
The documents also reveal the FBI's critical role in the development of the Digital Signature Standard (DSS), a cryptographic means of authenticating electronic communications that the National Institute of Standards and Technology was expected to develop. The DSS was proposed in August 1991 by the National Institute of Standards and Technology. NIST later acknowledged that the National Security Agency developed the standard. The newly disclosed documents appear to confirm speculation that the FBI and the NSA worked to undermine the legal authority of the NIST to develop standards for the nation's communications infrastructure.

CPSR intends to pursue further FOIA litigation to establish the extent of the FBI involvement in the development of the DSS and also to obtain a "cost-benefit" study discussed in one of the FBI Director's memos and other documents the Bureau continues to withhold.

-------------------------------------------------------------

[2] GAO Report Criticizes Gov't Crypto Policy

A Government Accounting Office report has found that government policies are hindering the development of encryption technology at the same time the industry is threatened by economic espionage because of computer networks lacking adequate security. The report was requested by House Judiciary Chair Jack Brooks.

The report _Communications Privacy: Federal Policy and Actions_ (GAO/OSI-94-2) also found that NIST followed the NSA's lead in developing cryptographic standards for communications privacy and that there has been little public input in this process. NIST terminated a project in 1982 to develop a public key encryption system at the request of NSA and in 1991 introduced an NSA-developed standard for digital signatures. In addition, no public input was solicited for the Clipper Chip proposal until 1993, over three years after the initiation of its development.
The report also noted the wide range of software and hardware available outside the US and that the continued export controls are apparently more stringent than those in other countries. This is apparently hurting sales of U.S. software and hardware products worldwide.

Congressman Brooks said that "[I]t is deeply disturbing to find that some U.S. government agencies are undermining American corporations' efforts to protect themselves from state-sponsored theft of trade secrets and other proprietary information." Brooks also stated that "The plain truth is that encryption devices and software are available around the world. The barn door is open; the horses are out. It is high time for the government to accept this fact of life and stop hog-tying U.S. industry with overly restrictive export controls that damage this country's effort to compete in the global marketplace."

The GAO report is available at the CPSR Internet Library (see below). A paper copy is available from the GAO by calling 202-512-6000.

-------------------------------------------------------------

[3] Health Care Reform Plan Released Amidst Growing Concern About Medical Privacy

The Clinton health care reform plan was released the same week that a new Lou Harris poll found high levels of concern about privacy among the American public. The health care reform proposal includes important privacy safeguards, but the measures may not go far enough to address public concerns.

The Harris poll reveals that Americans are very much concerned about medical record privacy. The poll conducted by Prof. Alan Westin found that 49 percent of all Americans are very concerned and 30 percent are somewhat concerned by the threats to their personal privacy. An additional 56 percent believe that strong federal protection of medical records is necessary to accomplish health care reform.
The health care reform proposal includes a strong code of fair information practices, and an explicit prohibition on the use of medical record information for employment purposes. But the plan leaves open the question of whether the Social Security Number might be used as a patient identifier and also allows more than three years before full legislative safeguards are established.

At a conference organized by the US Office of Consumer Affairs, CPSR Washington Office Director Marc Rotenberg and ACLU Privacy and Technology Project Director Janlori Goldman said that the health care reform plan raises far-reaching privacy concerns that must be addressed at the outset.

The Office of Technology Assessment released a new report on medical records and privacy at a Congressional hearing held by Rep. Gary Condit (D-CA). "Protecting Privacy in Computerized Medical Information" explores the implications of the automation of health care information and recommends federal legislation to address patient confidentiality and privacy. An electronic copy is available at the CPSR Internet Library. (see below for location details).

Senator Patrick Leahy (D-VT) recently held a hearing to explore the privacy implications of medical smart cards. The Senator plans to hold a second hearing on medical record privacy later this year.

------------------------------

Date: Mon, 15 Nov 93 14:24:28 -0800
From: gast@CS.UCLA.EDU (David Gast)
Subject: TTGI/CPNI is Not Protected

> This puzzled me greatly when it appeared in the Telecom Digest, too.
> When I was at AT&T, the code of conduct that I signed asserted that
> call detail is Customer Proprietary Network Information (CPNI), and
> that it is illegal to disclose CPNI without the customer's consent.
> To do so also results in immediate dismissal.  So how can Scanners
> claim that it's legal for them to sell CPNI?  *SOMEBODY* had to break
> the law for them to get it.
Andy and I have had extensive e-mail and other electronic contact over the years regarding CPNI or TTGI as it is also called. (TTGI is Telephone Transaction Generated Information). Given the state of the law, I am somewhat surprised he still maintains that it is illegal to disclose CPNI without the customer's consent. (If that were true, then CNID and ANI would be illegal). Further info follows.

> I know that AT&T and the RBOCs have typically refused to disclose
> anything without papers signed by a judge.

I don't believe that the P&G scandal of a few years ago involved a judge.

[Material adapted from an article written by Marc Rotenberg that is in the telecom archives].

In the old days, as far as I know, his statement was true. As William Caming, the general counsel of AT&T for many years, wrote in a 1984 article "Protection of Personal Data in the United States," (The Information Society, pp. 117-119, vol. 3, no. 2 (1984)):

    "In testimony before the Privacy Commission, I said in behalf of AT&T that we unreservedly pledged ourselves to undertake promptly a thorough reexamination of our policies and practices impacting upon privacy to ensure that the Bell System's commitment to the spirit of "Fair information" principles was being fully realized. . . .

    "Over the years, the Bell System has staunchly supported the concept that the protection of its customers' communications and business records is of singular importance. Time and time again, we have stressed to the Congress and the Federal Communications Commission and on other public forums that the preservation of privacy is a basic concept in our business. . . . .

    ". . . toll billing records are corporate records maintained in the ordinary course of business as necessary substantiation for the charges billed to customers. These records are extremely sensitive since they, in essence, constitute a virtual log of one's daily communications.
    They are generally kept for a limited period of time to serve the needs of the business and to conform to statutory and regulatory requirements. They are normally destroyed as a matter of business routine at the conclusion of the prescribed retention period, usually six months.

    "Access to these records is rigorously restricted. They are not released except pursuant to subpoena, administrative summons, or court order valid on its face. . . . Exceptions to the foregoing policies are extremely few in number."

But just because something used to be true, does not mean that it is still true. I don't know the law back in 1974. There may have been a law against disclosure or it may have just been Bell policy. I do know that the current state of the law provides no such protection.

First, the ECPA permits the disclosure of anything except *content* to any person other than a governmental entity. (That may mean that posting something to the net, which is monitored by the government, could be illegal. :-) )

Second, the FCC has ruled that in the interests of competition (footnote 1), that unless you have more than 20 lines, your inter-lata dialing patterns must be disclosed to other inter-lata exchange carriers (IXCs). Note how the FCC recognizes a privacy interest by people/organizations with many phone lines, but denies people with only a few lines this privacy protection. They further pre-empted any state laws giving greater protection. This ruling was reported by the Privacy Journal and relayed by me to the telecom digest with the Federal Register reference back when it was promulgated.

Now if Mr. Sherman or anyone else would like to cite which law other than the apocryphal law was broken I would be interested in learning about it. I believe that Scanners broke no law. I hypothesize that they got the information pursuant to the FCC regulations. The result, of course, is that individuals such as myself make far fewer long distance calls than we used to.
David

Footnote 1: The idea that by providing more information consumers will get better prices is ludicrous on its very face. Information is power and money. And unless the IXCs have suddenly become charity institutions, they will use the information to increase profits, not lower prices.

        [ It's interesting to note the "oddities" in the way different sorts of personal data are subject to differing levels of privacy "protection." At least in certain situations, laws exist to provide some modest protections from the release of our video tape rental title selections. One might *hope* that similar protections (at the very least!) will be extended to viewer programming selections from advanced cable TV and satellite delivery systems (this is actually a whole area of privacy discussion unto itself, which I'll save for a future digest). But while you may be protected from your local video store exposing you as a renter of "Plan 9 From Outer Space," your detailed telephone records may perhaps be released as part of routine business in the name of fostering "competition." So much of this goes on because so *few* people seem to care, much less complain, about privacy matters. Either they don't think it's an issue, or they've taken the fatalistic "there's nothing to be done" approach. Either way, the end result is the same. -- MODERATOR ]

------------------------------

End of PRIVACY Forum Digest 02.35
************************
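Editor's worked example. Les Earnest's message in this issue makes a claim worth seeing in numbers: the signal-strength measurements a cellular network takes from an idle handset (one that merely answers paging or re-registers, with no call in progress) are enough to place it within a fraction of a square mile. The Python below is an added illustration written for this edit; it is not part of the digest and not Les Earnest's, a carrier's or anyone else's code. Everything in it is a constructed assumption: the three site positions in SITES, the handset position, and the constants TX_POWER_DBM, PL_D0_DB and PATH_LOSS_EXP of a simple log-distance path-loss model used in place of the real antenna-pattern data a carrier would hold. It inverts each site's reported RSSI into a range, trilaterates by grid search, and also reports the area of the region consistent with the measurements to within a 2 dB tolerance, which is the "square mile or better" figure in the message.

```python
import math

# Constructed example data (assumed, not from the digest): three cell sites
# with known positions on a local grid, in kilometres.
SITES = {
    "site_A": (0.0, 0.0),
    "site_B": (4.0, 0.0),
    "site_C": (2.0, 3.5),
}

# Log-distance path-loss model; the constants are illustrative assumptions.
TX_POWER_DBM = 30.0    # handset transmit power
PL_D0_DB = 100.0       # path loss at the 1 km reference distance
PATH_LOSS_EXP = 3.0    # environment exponent (2 in free space, 3-4 in cities)


def predicted_rssi(site_xy, phone_xy):
    """RSSI (dBm) a site would measure from a handset at phone_xy."""
    d_km = max(math.dist(site_xy, phone_xy), 0.01)
    return TX_POWER_DBM - (PL_D0_DB + 10 * PATH_LOSS_EXP * math.log10(d_km))


def rssi_to_distance(rssi_dbm):
    """Invert the path-loss model: measured RSSI -> range estimate in km."""
    return 10 ** ((TX_POWER_DBM - rssi_dbm - PL_D0_DB) / (10 * PATH_LOSS_EXP))


def registration_report(phone_xy):
    """What the network learns when an *idle* handset answers a page or
    re-registers: one RSSI per site, with no call in progress."""
    return {name: predicted_rssi(xy, phone_xy) for name, xy in SITES.items()}


def _grid(bounds, step):
    x0, x1, y0, y1 = bounds
    nx = int(round((x1 - x0) / step)) + 1
    ny = int(round((y1 - y0) / step)) + 1
    for i in range(nx):
        for j in range(ny):
            yield (x0 + i * step, y0 + j * step)


def locate(report, bounds=(-1.0, 6.0, -1.0, 5.0), step=0.05):
    """Point estimate: the grid cell whose distances to the sites best match
    the ranges implied by the reported RSSIs (least-squares trilateration)."""
    ranges = {name: rssi_to_distance(r) for name, r in report.items()}
    best, best_cost = None, float("inf")
    for pt in _grid(bounds, step):
        cost = sum((math.dist(SITES[n], pt) - ranges[n]) ** 2 for n in ranges)
        if cost < best_cost:
            best, best_cost = pt, cost
    return best


def consistent_area_km2(report, tol_db=2.0,
                        bounds=(-1.0, 6.0, -1.0, 5.0), step=0.05):
    """Size of the region the handset could be in: the area of all grid cells
    whose predicted RSSIs are within tol_db of every reported value."""
    cells = 0
    for pt in _grid(bounds, step):
        if all(abs(predicted_rssi(SITES[n], pt) - r) <= tol_db
               for n, r in report.items()):
            cells += 1
    return cells * step * step


if __name__ == "__main__":
    phone = (1.3, 1.2)                     # constructed true position (km)
    report = registration_report(phone)    # no call was made
    print("site reports (dBm):", {k: round(v, 1) for k, v in report.items()})
    print("estimated position (km):", tuple(round(c, 2) for c in locate(report)))
    print("region consistent within 2 dB: %.2f km^2" % consistent_area_km2(report))
```

With the constructed values the point estimate lands on the true position and the 2 dB-consistent region is well under one square kilometre. Two things are deliberately left out and would only make the picture tighter: the per-antenna sector information a real site has (Les Earnest's "six or so directional antennas"), which cuts each annulus down to a wedge, and timing-advance data. Nothing in the exchange requires the subscriber to do anything; the handset answers the network on its own, which is the point of the message.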