PRIVACY Forum Digest Tuesday, 5 December 1995 Volume 04 : Issue 25 Moderated by Lauren Weinstein (lauren@vortex.com) Vortex Technology, Woodland Hills, CA, U.S.A. ===== PRIVACY FORUM ===== ------------------------------------------------------------------- The PRIVACY Forum is supported in part by the ACM Committee on Computers and Public Policy, "internetMCI" (a service of the Data Services Division of MCI Telecommunications Corporation), and Cisco Systems, Inc. - - - These organizations do not operate or control the PRIVACY Forum in any manner, and their support does not imply agreement on their part with nor responsibility for any materials posted on or related to the PRIVACY Forum. ------------------------------------------------------------------- CONTENTS PRIVACY Forum on "NBC Nightly News" (Lauren Weinstein; PRIVACY Forum Moderator) National Caller ID Debuts--Almost (Lauren Weinstein; PRIVACY Forum Moderator) Re: Businesses monitoring employee e-mail (Nick Avery) Applied Cryptography case filings on the Web (Phil Karn) Re: Getting your clearance on the net (David M. Kennedy) Re: S. 1360 - Medical Privacy - CPT statement for today's hearing (Jim Warren) Privacy Watchdog Outs Big Brother Companies (Dave Banisar) Senate Holds Hearings on Medical Privacy (Marc Rotenberg) *** Please include a RELEVANT "Subject:" line on all submissions! *** *** Submissions without them may be ignored! *** ----------------------------------------------------------------------------- The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged. All submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com". All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations. The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com". ----------------------------------------------------------------------------- VOLUME 04, ISSUE 25 Quote for the day: "Mr. President, we must not allow a mine shaft gap!" -- General "Buck" Turgidson (George C. Scott) "Dr. Strangelove: Or, How I Learned to Stop Worrying and Love the Bomb" (1964) ---------------------------------------------------------------------- Date: Tue, 5 Dec 95 14:28 PST From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: PRIVACY Forum on "NBC Nightly News" Greetings. I'd like to thank everyone who has commented on the appearance of the PRIVACY Forum (and your loyal moderator) during a segment regarding privacy issues on "NBC Nightly News" (and some NBC-affiliated venues, such as CNBC) a week ago. While obviously the amount of time available during a thirty minute national newscast for such pieces is quite limited, I feel that NBC did a great job of calling to people's attention the fact that the technologies of computers and computer networks can bring great benefits but also need to be managed with care to avoid creating new privacy intrusions. Thanks again! --Lauren-- ------------------------------ Date: Tue, 5 Dec 95 14:23 PST From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: National Caller ID Debuts--Almost Another milestone (millstone?) in the ongoing saga of Calling Number ID (CNID) services passed on Dec. 1, when national CNID theoretically began to function. What this really meant is that with some notable exceptions, telcos and long distance companies are now required (as per an FCC order) to pass calling party numbers on interstate calls, for display on caller ID units. This follows a long chain of events which ultimately resulted in the mandated universal provision of per-call ID blocking on interstate calls (and in most areas, on intrastate calls as well) and the permitting of per-line ID blocking of both interstate and intrastate calls (where mandated in individual states) with per-call unblocking. The exceptions to the universal national availability of CNID information are delays granted to some smaller telcos whose equipment is not yet capable of passing the information; delays for technical reasons involving payphones, PBX systems, hotel phones, and the like; and the entire state of California. Since no California telcos have met the state PUC mandated public education requirements regarding CNID services and ID blocking options (e.g., *67 for per-call blocking, how to order per-line blocking, etc.) the FCC has granted California telcos a six month extension. Theoretically, this means that California telcos should *not* be sending out calling party numbers on interstate calls at this time, and CNID itself will not be made available in California until the education requirements are met. It's worth noting, however, that there are reports that some California caller numbers have been creeping across state lines anyway, probably due to switch misconfigurations by some local telcos. It might be wise for everyone to start getting into the habit of dialing *67 at the start of all calls (if their local switch will accept it yet) if they wish to protect their numbers, at least until such a time (if any) that per-line ID blocking options become available. Remember also that calls to 800 and 900 numbers have caller number information delivered via a different (ANI) system, and are not subject to ID blocking. --Lauren-- ------------------------------ Date: Sun, 19 Nov 1995 00:25:27 From: Nick Avery Subject: Re: Businesses monitoring employee e-mail Surely the issue here is that the computers and all data on it are the property of the company. This includes e-mail. My recommendation to employers is that a Security policy should exist and be publicised to staff which makes this clear. If there is no expectation or implied promise of privacy, then nobody's rights are affected. Nick Avery, Liverpool - <> ------------------------------ Date: Mon, 20 Nov 1995 21:00:06 -0800 From: Phil Karn Subject: Applied Cryptography case filings on the Web The government has filed its Motion to Dismiss, or In The Alternative, For Summary Judgment in the case of Karn vs State Dept. This case challenges the arbitrary Commodity Jurisdiction Request rulings made for the book Applied Cryptography and for a floppy disk containing the same source code printed in the book. I've begun scanning in and HTMLizing the various government documents, some of which are sizeable. As I finish them I'm putting them up on my web page. Please feel free to pass around this URL: http://www.qualcomm.com/people/pkarn/export/index.html --Phil ------------------------------ Date: Wed, 22 Nov 1995 13:22:21 -0500 From: David M Kennedy Subject: Re: Getting your clearance on the net Name withheld on request (Risks 17.41) discusses a relatively new system used by the Defense Investigative Service for submission of Personnel Security Questionnaires (PSQ) called, not surprisingly, the EPSQ. The current version is 1.2. >You obviously don't sign the form (no digital signature capability); at > some point in the future they said I'll be asked to sign a hardcopy. I have applicants sign the form prior to transmission. We terminate any applicant who lies on their forms. >The risks of sending any sort of confidential information over the net > have been described to death, so there's nothing new. It just amazes > me that the U.S. government office responsible for handing out > clearances could be so unaware of the risks as to allow it. ....yadda, yadda, yadda. The data is encrypted by the EPSQ program as it creates the disk file. The program uses FUNCky a product of dLESKO, Inc of Jersey City, NJ. Before the encrypted file is transmitted, it's zipped using PKWARE and the program requires the user to use PKZIP's encryption feature. FUNCky has not been evaluated to meet FIPS 140-1 requirements for cryptographic modules and the DIS recognizes it is not equal to DES. Most security-aware professionals know of the plethora of PKZip crackers available. So Name Withheld's data was double encrypted before being sent over the net, and it's stored in a file that can't easily be read. This begs the question of how much security is necessary to protect Name Withheld's data? After all, we're not talking launch codes here. DIS recognizes the need to use FIPS 140-1 compliant encryption and is moving in that direction. In the mean time they've put something in the hands of security managers in the field that provides adequate safeguards considering the value of the data and the risks associated with it's compromise. Version 2.0 of the EPSQ will have more robust encryption. Among the products under consideration are RSA's BE SAFE and AT&T's SURITY. Both Name Withheld and DavidG3276@aol.com demonstrate the RISKS of posting without checking the facts beforehand. For PRIVACY Forum Digest readers: DavidG whined about the risks of the US Army's use of computers to assist in field artillery fire control, something we've done since Vietnam. Dave Kennedy [US Army MP] [CISSP] (husband of a former Artillery Officer) a.k.a. 76703.2557@compuserve.com volunteer SysOp National Computer Security Association forum on CompuServe GO NCSAFORUM ------------------------------ Date: Wed, 15 Nov 1995 08:24:26 -0800 From: jwarren@well.com (Jim Warren) Subject: Re: S. 1360 - Medical Privacy - CPT statement for today's hearing Jamie Love from Ralph Nader's group just posted a lengthy comment/analysis of the privacy problems re Senate Bill 1360. This excerpts his lead, plus ending pointers to where full information can be obtained. --jim Jim Warren, GovAccess list-owner/editor (jwarren@well.com) Advocate & columnist, MicroTimes, Government Technology, BoardWatch, etc. === >These were our comments at today's hearing on S. 1360. We did not >testify. (only one opponent of the bill was permitted to testify today). >jamie > > > Comments of Consumer Project on technology > on > S. 1360 - the Medical Records Confidentiality Act of 1995 > submitted to the Senate Committee on Labor and Human Resources* > > James P. Love > November 14, 1995 > >Introduction > > The following comments of the Consumer Project on Technology >(CPT) outline our suggestions for improvements in S. 1360, the >Medical Records Confidentiality Act. While we join others in >applauding the sponsors of S. 1360 for focusing attention on the >important issue of privacy of medical records, we cannot support >the bill as introduced. ... > > ... > > The Consumer Project on Technology has created an Internet >discussion list for this issue, called med-privacy, which >available for subscriptions from listproc@essential.org. Send a >note to listproc@tap.org, with the message: > > subscribe med-privacy yourfirstname yourlastname > > Our World Wide Web page has additional information, and is >located at: > > http://www.essential.org/cpt/privacy/privacy.htm. > > The Consumer Project on Technology (CPT) is a project of the >Center for Study of Responsive Law. The CPT was created by Ralph >Nader this year to study a number of issues related to new >technologies, including telecommunications regulation, pricing of >pharmaceutical drugs, intellectual property rights, and the >impact of computers on privacy. The URL for CPT is >http://www.essential.org/cpt/cpt.html. > >---------------------------------------------------------------------- >James Love, love@tap.org >P.O. Box 19367, Washington, DC 20036; v. 202/387-8030; f. 202/234-5176 >Consumer Project on Technology; http://www.essential.org/cpt/cpt.html >Taxpayer Assets Project; http://www.essential.org/tap/tap.html ------------------------------ Date: 4 Dec 1995 10:32:25 -0500 From: "Dave Banisar" Subject: Privacy Watchdog Outs Big Brother Companies MEDIA RELEASE Contact: Simon Davies, Privacy International Davies@privint.demon.co.uk PRIVACY WATCHDOG OUTS BIG BROTHER COMPANIES New report uncovers a massive international surveillance trade funded by the arms industry and led by the UK On Monday 4 December, Privacy International will publish Big Brother Incorporated, a 150 page report which investigates the global trade in repressive surveillance technologies. The report, to be published on several Web sites on the Internet, shows how technology companies in Europe and North America provide the surveillance infrastructure for the secret police and military authorities in such countries as China, Indonesia, Nigeria, Angola, Rwanda and Guatemala The reports primary concern is the flow of sophisticated computer-based technology from developed countries to developing countries - and particularly to non-democratic regimes. The report demonstrates how these companies have strengthened the lethal authority of the world's most dangerous regimes. The report lists the companies, their directors, products and exports. In each case, source material is meticulously cited. Privacy International is publishing the report in digital form in several sites on the Internet to ensure its accessability by interested parties anywhere in the world. Surveillance technologies are defined as technologies which can monitor, track and assess the movements, activities and communications of individuals. More than 80 British companies are involved, making the UK the world leader in this field. Other countries, in order of significance, are the United States, France, Israel, the Netherlands and Germany. _Big Brother Incorporated_ is the first investigation ever conducted into this trade. Privacy International intends to update the report from time to time using trade fair documents and leaked information from whistleblowers. The surveillance trade is almost indistinguishable from the arms trade. More than seventy per cent of companies manufacturing and exporting surveillance technology also export arms, chemical weapons, or military hardware. Surveillance is a crucial element for the maintenance of any non-democratic infrastructure, and is an important activity in the pursuit of intelligence and political control. Many countries in transition to democracy also rely heavily on surveillance to satisfy the demands of police and military. The technology described in the report makes possible mass surveillance of populations. In the past, regimes relied on targeted surveillance. Much of this technology is used to track the activities of dissidents, human rights activists, journalists, student leaders, minorities, trade union leaders, and political opponents. It is also useful for monitoring larger sectors of the population. With this technology, the financial transactions, communications activity and geographic movements of millions of people can be captured, analysed and transmitted cheaply and efficiently. Western surveillance technology is providing invaluable support to military and totalitarian authorities throughout the world. One British computer firm provided the technological infrastructure to establish the South African automated Passbook system, upon which much of the functioning of the Apartheid regime British surveillance cameras were used in Tianamen Square against the pro-democracy demonstrators. In the 1980s, an Israeli company developed and exported the technology for the computerised death list used by the Guatemalan police. Two British companies routinely provide the Chinese authorities with bugging equipment and telephone tapping devices. Privacy International was formed in 1990 as a non-government, non-profit organisation. It brings together privacy experts, human rights advocates and technology experts in more than 40 countries, and works toward the goal of promoting privacy issues worldwide. The organisation acts as an impartial watchdog on surveillance activities by governments and corporations. For further information or interview, contact Simon Davies in London at davies@privint.demon.co.uk. The address of the web site is http://www.privacy.org/pi/reports/big_bro/ David Banisar (Banisar@privacy.org) * 202-544-9240 (tel) Privacy International Washington Office * 202-547-5482 (fax) 666 Pennsylvania Ave, SE, Suite 301 * HTTP://www.privacy.org/pi/ Washington, DC 20003 ------------------------------ Date: Wed, 22 Nov 1995 00:54:06 -0800 From: "Marc Rotenberg" Subject: Senate Holds Hearings on Medical Privacy [ From EPIC Alert 2.15 -- MODERATOR ] On Tuesday, November 14, the Senate Committee on Labor and Human Resources held a hearing on the controversial Medical Record Confidentiality Act (S. 1360). The committee heard from the sponsors, several industry groups, an AIDS advocacy group supporting the bill and a patients rights group opposing the bill. The hearing was contentious and most witnesses and Senators in attendance agreed that substantial changes in the bill were necessary. Dr. Denise Nagel, a practicing psychiatrist and the President of the Coalition for Patient Rights of New England testified that the bill would "codify some of the most egregious breaches of ethics, morals and the Hippocratic oath that this country has ever seen." Dr. Nagel pointed to weaknesses in the consent provision: "Senate Bill 1360 not only permits some types of such extremely objectionable disclosures to third parties without notification or consent, but its procedures will mislead patients in this respect. The patient not only will be unaware of this further dispersion of his personally-identified information, but will be cruelly tricked by the initial assurance that the disclosure will be solely for treatment and payment." The Consumer Project on Technology (CPT) submitted a detailed statement to the Committee with comments on how to improve the bill. CPT Director James Love described the bill as "fundamentally flawed" and said it would "legitimize and contribute to the continued erosion of personal privacy." Evan Hendricks, chairman of the U.S. Privacy Council, wrote that "the current proposal will do more harm than good by legitimizing a large database surveillance system while leaving Americans without sufficient choices or remedies to retain a satisfactory level of privacy." Despite early predictions that the bill would be adopted by the Senate before Thanksgiving, quick action now appears unlikely. It is expected that the Senate will take up the bill again after the Christmas break. More information about medical privacy, including the testimony of Dr. Nagel and the text of S. 1360, is available at: http://www.epic.org/privacy/medical/ ------------------------------ End of PRIVACY Forum Digest 04.25 ************************