PRIVACY Forum Digest      Wednesday, 28 September 1994      Volume 03 : Issue 18

Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.

===== PRIVACY FORUM =====

The PRIVACY Forum digest is supported in part by the ACM Committee on Computers and Public Policy.

CONTENTS
    No responses in favor of Wiretap Bill received (Lauren Weinstein; PRIVACY Forum Moderator)
    Digitizing signatures (Bob Rahe)
    Electronic Signatures (Terrence P. Maher)
    More Electronic Signatures (John French)
    Looking for Help (Mary Zahn Hanin)
    FBI Wiretap Bill (Marc Rotenberg)
    Another Civil Liberty Group Opposes Wiretap Bill (Dave Banisar)
    ACLU release and letter on FBI wiretap bill (ACLU Information)
    Privacy & American Business conference in DC next week (Lance J. Hoffman)

*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------

The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com".
All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW home page at the URL: "http://www.vortex.com/".

For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@vortex.com, call (818) 225-2800, or FAX to (818) 225-7203.

-----------------------------------------------------------------------------

VOLUME 03, ISSUE 18

Quote for the day:

    "If anything should happen to me, you must go to Gort. You must say these words: Klaatu, Barada, Nickto. Please repeat that."

        -- Klaatu (Michael Rennie)
           "The Day the Earth Stood Still" (1951)

----------------------------------------------------------------------

Date: Wed, 28 Sep 94 20:45 PDT
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: No responses in favor of Wiretap Bill received

Greetings. As you'll see, the PRIVACY Forum received a number of items opposed to the current "FBI Wiretap Bill" in the current cycle.
Though I recently suggested here in the digest that persons in favor of the bill (I know you're out there) send in their thoughts so that all sides of the issues can be discussed, no articles in favor of the bill were received.

I'd like to emphasize again that it is important that different points of view be presented, even where particular views might be perceived to be minority ones amongst the readership. However, if proponents don't submit items, only the points of views of those who do send in articles can be seen. Regardless of how we feel as individuals about this and other controversial topics, a well-rounded discussion would be to everyone's advantage.

--Lauren--

------------------------------

Date: Wed, 21 Sep 1994 10:08:31 EDT
From: bob@hobbes.dtcc.edu (Bob Rahe)
Subject: Digitizing signatures

In Digest Volume 03, Issue 17 Bill Hensley worries about a local store apparently getting his signature electronically when he signed a credit card slip on a 'funny' pad.

Although there may be risks to privacy with the storing of someone's signature like that, it would not seem that this is raising that risk by a significant amount. It merely means the store doesn't have to take the slip to a scanner to get it digitized. Makes it only marginally easier to get.

And UPS around here doesn't use paper at all when you sign for packages. They have an electronic clipboard with a plastic stylus and a window where you sign and an LCD display that shows what you are scratching.

------------------------------

Date: Wed, 21 Sep 1994 11:05:34 -0500 (CDT)
From: Terrence P Maher
Subject: Electronic Signatures

As I practice credit card and debit card law, I thought a short note on why VISA/MC/AMEX ("interchange systems") are moving to electronic signatures was necessary.

Back in the old days, prior to electronic draft capture, in order to get paid on these tickets, the merchant had to mail them to its bank (or the bank's processor).
These tickets would then be manually keyed into the interchange systems for payment. The paper stayed with the merchant's bank, and everything done after that was handled electronically. Under the interchange rules, if a cardholder disputed a transaction (a "chargeback" in credit card lingo), the cardholder's bank, prior to making the chargeback to the merchant's bank, had to request the merchant's bank to send a copy of the transaction ticket (a "retrieval request" in credit card lingo). Under the rules, the merchant's bank had a few days to send a copy of the actual ticket to the cardholder's bank, to avoid the chargeback. So banks paid people to sift through paper tickets to identify a ticket that was subject to a retrieval request. Not only was the system slow (the merchant did not get paid on these tickets until approximately a week after they were mailed), but many keypunch errors occurred. The paper ticket volume just got to be too much. It was becoming impossible to store and index all of these paper tickets.

To get rid of the paper, the interchange systems instituted "electronic draft capture" ("EDC"). Under EDC, all of the information that the interchange system needs to process a transaction was captured by those little POS terminals sitting by the register. This included the merchant's I.D. number, the authorization number, the cardholder's account number, the total amount of the sale, and the date and time of the sale. At the end of each shift (or the end of the day), the merchant "closed the batch" and the electronic "tickets" in that batch were electronically summarized and transmitted to the merchant's bank for direct submission to the interchange systems. No mailing of paper tickets or keypunching was necessary!

Those little paper tickets that the printers on the POS devices kick out are really only for the cardholder's benefit, the yellow copy never leaves the merchant's place of business.
Under the agreement between the merchant's bank and the merchant for credit card processing services, the merchant has to store them for up to 7 years, and has to present a copy within 5-10 days in case one of those dreaded retrieval requests comes through. There's the problem - if a retrieval request comes in, the merchant doesn't want to have to pay an employee to search through six months of tickets in order to send one copy back to the bank within this short period. Picture a major retailer that might take hundreds of card transactions a day. It was a mess, and both the merchant's bank (who has to fund chargebacks if the retrieval request was not timely honored) and the merchant could suffer unnecessary losses.

The interchange systems' solution? Why not capture the signatures and transaction information digitally and store them, so the bank can directly access the files to get a "copy" of the ticket in the event of a cardholder dispute? With the new data compression systems, these digital images can be shrunk down to relatively small data files and easily stored on electronic media or CD-ROM.

That is the rationale, but I agree the materials can be used for other less honorable purposes.

Terrence (Terry) P. Maher, Esq.

------------------------------

Date: 22 Sep 94 16:02:29 EDT
From: John French <73554.271@compuserve.com>
Subject: More Electronic Signatures

Another example of electronic signatures: At least some Sears stores have already instituted these systems, and the national consumer relations department cannot tell me whether the sales clerk at one store was correct when she told me they are intending to implement it in all Sears stores. The clerk said it was for the convenience of the clerks when comparing signatures on the card - they can now compare it to a signature on their screen as opposed to the receipt just signed by the customer.
Apparently she did not know what Consumer Relations later admitted to me, that graphics of the signatures are being stored. I for one will not use the "special pens" when signing my credit card receipts in the future.

------------------------------

Date: Thu, 22 Sep 1994 09:51:06 -0500
From: mzhanin@omnifest.uwm.edu (Mary Zahn Hanin)
Subject: Looking for Help

Greetings! I am a reporter for the Milwaukee Sentinel (Milwaukee's morning newspaper) and have been assigned to put together a comprehensive series of articles on personal privacy in the age of computers. We are specifically interested in showing people how much information can be gathered about them without their knowledge. We are hopeful that someone on this list will have some ideas on how we can go about this; or, in the alternative, have some stories of their own to share.

This is a major issue which few newspapers have looked at closely. We hope to educate the public and policy makers so that informed decisions about privacy issues can be made in the future. If you can help, please send your responses to my E-Mail address.

One word of caution. The university which handles my Internet account is changing computers on Monday and Tuesday and will not be functioning. Please send me responses on or before Sunday or after next Tuesday (Sept 27). Thanks for the help.

Mary Zahn Hanin.

------------------------------

Date: Fri, 23 Sep 1994 10:15:12 EST
From: Marc Rotenberg
Subject: FBI Wiretap Bill

The Electronic Privacy Information Center has begun a campaign to stop the FBI wiretap bill that is now pending in Congress. EPIC has compiled 100 Reasons to oppose the legislation. The Reasons cover a range of issues from the history of wiretap law to examples of recent abuse. Some of the Reasons explore specific ramifications of the wiretap legislation, others look more broadly on the possible impact on network development.
Reason 32 and Reason 36 listed below look at the possible impact on network security and innovation. The views are based on documents obtained from federal agencies under the Freedom of Information Act.

To maximize public awareness of the issue while minimizing the flow of duplicate messages, EPIC is posting the Reasons to different news groups. The postings are unique, the same Reasons are not posted to more than one list.

There is less than two weeks left in this session of Congress. If you are interested in this issue and would like to express your views, look at the posting for more information.

========================================================================

100 Reasons to Oppose the FBI Wiretap Bill

Reason 32: The FBI wiretap bill is likely to slow and to distort the development of communications technology

A confidential memorandum obtained from the Department of Commerce under the Freedom of Information Act had this to say about the FBI wiretap bill:

    "The proposed bill could obstruct or distort telecommunications technology development by limiting fiber optic transmission, ISDN, cellular services and other technologies until they are modified to avoid impeding lawful government access."

----------------------

Reason 36: The FBI wiretap bill is likely to jeopardize the security of electronic communications.

A confidential memorandum obtained from the Department of Commerce under the Freedom of Information Act had this to say about the FBI wiretap bill:

    "The proposal could impair the security of business communications by requiring system modifications that could facilitate not only lawful government interception, but unlawful interception by others. For certain industries, such as banking and financial services, communications security is critical."

-> 9/28 NEWS UPDATE: Senate Judiciary Committee approves wiretap
-> plan, but opposition from individual Senators still likely. Rep. Brooks
-> to consider bill.
------------------------------------------------------------------------

What To Do: Contact your Senator. Urge a no vote on S. 2375, the FBI Wiretap proposal. Fax Rep. Jack Brooks 202/225-1584. Express your concerns. Staff in both the House and Senate report that these messages are making a difference.

------------------------------------------------------------------------

100 Reasons is a project of the Electronic Privacy Information Center (EPIC) in Washington, DC. For more information: 100.Reasons@epic.org.

------------------------------

Date: Fri, 23 Sep 1994 20:07:10 EST
From: Dave Banisar
Subject: Another Civil Liberty Group Opposes Wiretap Bill

The American Civil Liberties Union (ACLU) today wrote to Rep. Jack Brooks, Chairman of the House Judiciary Committee, "to express the ACLU's opposition to the FBI Wiretap Access Bill, H.R. 4922." The organization's position is the latest indication that the legislation is running into serious trouble in Congress for several reasons, including strong opposition from civil liberties and privacy advocates.

The bill's proponents had initially hoped to bring it to a vote on the floors of the House and Senate by mid-September. Instead, the bill remains in committees of both houses and is the object of a grassroots campaign to prevent its enactment.

Excerpts from the ACLU letter:

"The principal problem remains that any digital telephone bill which mandates that communications providers make technological changes for the sole purpose of making their systems wiretap-ready creates a dangerous and unprecedented presumption that government not only has the power, subject to warrant to intercept private communications, but that it can require private parties to create special access. It is as if the government had required all builders to construct new housing with an internal surveillance camera for government use.

...

"Moreover, the FBI has not borne the burden of proving why such an extraordinary requirement is necessary.
...

"H.R. 4922 proposes a radical and expensive change in our telecommunications structure. The threats it poses, now and prospectively, are real, but the need for it is far less than evident or proven. We urge that your Committee not rush into consideration of this far reaching measure with so little time left in the session."

The Electronic Privacy Information Center (EPIC) is urging all concerned individuals and organizations to contact the following members of Congress immediately:

    Rep. Jack Brooks              Sen. Howard Metzenbaum
    (202) 225-6565 (voice)        (202) 224-7494 (voice)
    (202) 225-1584 (fax)          (202) 224-5474 (fax)

For more information about the FBI Wiretap Bill, check the Voters Telecomm Watch (VTW) gopher site (gopher.panix.com) or send e-mail to .

------------------------------

Date: Mon, 26 Sep 1994 17:52:45 -0400
From: ACLU Information
Subject: ACLU release and letter on FBI wiretap bill

ACLU * ACLU * ACLU * ACLU * ACLU * ACLU * ACLU * ACLU * ACLU
NEWS RELEASE * NEWS RELEASE * NEWS RELEASE * NEWS RELEASE

ACLU Opposes FBI Wiretap Access Bill;
Legislation Would Create Dangerous Precedent

For IMMEDIATE RELEASE
September 26, 1994

Contact: Barry Steinhardt BarryS @ aclu.org or Kathy Parrent, 212-944-9800, ext. 424

The American Civil Liberties Union today called on the House Judiciary Committee to reject the FBI Wiretap Access Bill, H.R. 4922, which would require private electronics manufacturers to insure that the FBI can wiretap using developing telecommunications technologies.

In a letter sent to Congressman Jack Brooks, Chair of the House Judiciary Committee, the ACLU stated that the bill "... creates a dangerous and unprecedented presumption that government not only has the power, subject to warrant to intercept private communications, but that it can require private parties to create special access. It is as if the government had required all builders to construct new housing with an internal surveillance camera for government use."

"Moreover, the FBI has not borne the burden of proving why such an extraordinary requirement is necessary..." the letter said.

A copy of the full letter with the ACLU's detailed objections follows.

___________________________________________________________________________

September 22, 1994

Honorable Jack Brooks
Congressman, State of Texas
2449 Rayburn House Office Building
Washington, D.C. 20515-4309

Dear Congressman Brooks:

We are writing to you to express the ACLU's opposition to the FBI-Wiretap Access Bill, H.R. 4922. While we were not actively involved in Subcommittee deliberations, we have reviewed the legislation and we have several major concerns.

The principal problem remains that any digital telephone bill which mandates that communications providers make technological changes for the sole purpose of making their systems wiretap-ready creates a dangerous and unprecedented presumption that government not only has the power, subject to warrant, to intercept private communications, but that it can require private parties to create special access. It is as if the government had required all builders to construct new housing with an internal surveillance camera for government use. Even if such use were triggered only by a judicial warrant, such a requirement would be strongly resisted by the American people. H.R. 4922 establishes a similar requirement, and is without precedent.

Moreover, the FBI has not borne the burden of proving why such an extraordinary requirement is necessary. In 1993, there were fewer than 1,000 wiretaps authorized and many of them failed to yield any substantive evidence while intercepting many innocent conversations. It is far from clear that digital telephones will substantially obstruct legitimate law enforcement efforts. Without further public discussion and debate, the public will not have a sufficient opportunity to weigh the loss of privacy against the FBI's claims.
There has been no opportunity to learn the full extent of the types of investigations that the FBI claims were precluded because of a restriction on their public dissemination. Yet, based on these secret assertions, 91 such incidents were cited by the FBI. On those slim assertions, the public's loss of privacy in digital communications is all but assured and taxpayers will be asked to pay an extraordinary price.

H.R. 4922 authorizes $500 million over the next four years to reimburse telecommunications carriers for the costs that would be imposed by the bill. Even if you accept these cost estimates -- the industry puts the real cost in the billions -- we will be spending $125 million or $125,000 per wiretap, for the fewer than 1,000 taps that will be conducted each year.

As you know, the ACLU has the greatest respect for Congressman Edwards and Senator Leahy. Both have been tireless champions for civil liberties. The Edwards/Leahy proposal is an improvement over earlier versions offered by the FBI and we applaud their efforts to add new privacy protections.

The proposed expansion of the Electronic Communications Privacy Act to cordless phones and the requirement that a court order be obtained for transactional data from electronic communication providers both are steps forward and merit separate consideration by the Congress. But they cannot and should not be traded for the unprecedented intrusion represented by H.R. 4922.

In several respects, H.R. 4922 is still too broad in its application. For example, earlier versions of the bill would have applied directly to on-line communication and information services such as internet providers, America On Line, Compuserve, Prodigy etc. H.R. 4922 would apply directly only to "telecommunications carriers" such as the Regional Bell Operating Companies. But this provision does not narrow the scope of the bill as much as it might seem.
First, with the new presumption that the government is entitled to require private manufacturers to insure its ability to wiretap, law enforcement will undoubtedly be back in future years insisting that this limitation thwarts its efforts and will seek to broaden the coverage to other information providers. Once the basic principle of H.R. 4922 is accepted, what arguments remain to resist its expansion? The limited application of H.R. 4922 is surely temporary; what matters is the basic requirement, not its immediate application.

More importantly, law enforcement will still have the opportunity to intercept on-line communications over the internet or commercial on-line networks, by tapping into the facilities of the telecommunications companies. As critics of the earlier versions had noted the coverage of the on-line providers was largely redundant. All these communications still pass over telephone lines. Law enforcement does not need access at every point in a telecommunication in order to intercept it. Access at any one point is sufficient and that would be readily available since ultimately on-line communications must travel over the public switched telephone network which the bill requires be wiretap ready.

Moreover, given the commingled nature of digital communication lines, it is inevitable that more private information from third parties will be intercepted than would be the case with analog phones, and the minimization requirements in the bill will not prevent this.

In the end, this proposal will make our telecommunications structure more, not less vulnerable. In its original form the FBI Digital Telephony proposal would have given the power to the Attorney General to impose standards on communication providers which would guarantee that their systems were wiretap-ready. Essentially, this would have created a centralized wiretapping system that threatened the privacy of the entire nation and was dependent for its security on a few select people.
This raised the real concern that if electronic communications service providers must design their systems to allow and ensure FBI access, then the resulting mandatory "back doors" may become known to and be exploited by "criminals."

The new proposal contains the same risks. It would have the technical standards developed by the industry, through trade associations or standard-setting bodies, in consultation with the Attorney General. But it contains a "safe harbor" provision, which protects a carrier from sanction if it is in compliance with standards created by this approach. The safe harbor provision virtually guarantees that the standards developed through the industry-based process will be adopted by all. Whether the standards are directly imposed by government or created by concerted industry action, in consultation with the government, makes little difference. The result is the same. A centralized wiretapping capacity with all of its vulnerabilities will still be created.

Finally, we have grave concerns about the encryption provisions. The Edwards/Leahy version has been described as "neutral" on encryption. The bill provides that telecommunications providers do not need to decrypt data, unless they hold the key. In the short term, this is an improvement over the earlier versions of the bill which would have created obligations to decrypt, but there are at least two longer term problems.

First, is the new presumption that industry has the affirmative responsibility to create special technical capacity for the government to snoop. Can there be any real doubt that the FBI will be back in the years to come asserting that its ability to intercept communications has been thwarted by easily available encryption and that an industry obligation, analogous to the new obligation to provide wiretap capacity, must be created?
Secondly, in some cases the telecommunications providers may well hold the key -- particularly as they expand the services they provide to their customers.

H.R. 4922 proposes a radical and expensive change in our telecommunications structure. The threats it poses, now and prospectively, are real, but the need for it is far less than evident or proven. We urge that your Committee not rush into consideration of this far reaching measure with so little time left in the session.

We thank you for your consideration of our views and we would be happy to sit down with you to discuss these issues.

Sincerely,

Ira Glasser          Laura Murphy Lee

--endit--

The ACLU urges interested persons to contact the following members of Congress immediately:

    Rep. Jack Brooks              Sen. Howard Metzenbaum
    (202) 225-6565 (voice)        (202) 224-7494 (voice)
    (202) 225-1584 (fax)          (202) 224-5474 (fax)

------------------------------

Date: Wed, 28 Sep 1994 12:00:39 -0400 (EDT)
From: "Lance J. Hoffman"
Subject: Privacy & American Business conference in DC next week

"Managing the Privacy Revolution" Oct. 4-5, 1994
Features Top Privacy Experts in Landmark Washington Conference

Fifty leading privacy experts from the administration, federal and state government, the business community, public interest and advocacy groups, corporate legal representatives, telecommunications, the academic and policy community, national industry associations, the media, and survey research will participate in "Managing the Privacy Revolution," the first annual business/privacy conference sponsored by Privacy & American Business, October 4-5, 1994 at Loews L'Enfant Plaza Hotel, Washington, D.C. (Program, speakers, and P&AB information attached).

The conference will also offer the first look at a new P&AB/Louis Harris survey on the Consumer, Interactive Services, and Privacy.
Geared to assist those who handle personal information about consumers, clients and employees, the conference is expected to attract those who manage information privacy issues and policy in consumer credit, telecommunications, banking credit cards, employment, life/health/property insurance, health care, telemessaging, direct marketing and medical records.

The conference will lay out the sweeping political, legal, and technological changes affecting the way every U.S. business will handle personal customer and employee information in the future and will provide a forum for addressing the changes.

The $595 registration fee for the two day conference includes all sessions, private time with speakers, interaction with fellow conferees, cocktail party and buffet reception, two banquet luncheons, two continental breakfasts, three refreshment breaks. Also a Washington Legislative Briefing Book, a Handbook of Company Privacy Codes, a specially prepared 35-page book of Highlights from 1994 Louis Harris Privacy Surveys and a six-month trial subscription to Privacy & American Business (or a six month renewal of an existing subscription).

Special rates for nonprofit organizations, multiple registrations, and a $100 Early Bird registration discount are available. For further conference information, call P&AB, 201-996-1154 or fax 201-996-1883.

------------------------------

End of PRIVACY Forum Digest 03.18
************************