PRIVACY Forum Digest        Tuesday, 15 April 1997        Volume 06 : Issue 05

            Moderated by Lauren Weinstein (lauren@vortex.com)
              Vortex Technology, Woodland Hills, CA, U.S.A.

                       ===== PRIVACY FORUM =====

-------------------------------------------------------------------
The PRIVACY Forum is supported in part by the ACM (Association for Computing) Committee on Computers and Public Policy, "internetMCI" (a service of the Data Services Division of MCI Telecommunications Corporation), and Cisco Systems, Inc.
                                 - - -
These organizations do not operate or control the PRIVACY Forum in any manner, and their support does not imply agreement on their part with nor responsibility for any materials posted on or related to the PRIVACY Forum.
-------------------------------------------------------------------

CONTENTS
        Privacy and Remote Sensing Ethics (Terry Slonecker)
        Article on new encryption bills (David J. Loundy)
        Privacy [Going?] Down Under (Roger Clarke)
        OECD Crypto Guidelines (Marc Rotenberg)
        FCC Releases staff Working Paper on Internet policy (Kevin Werbach)
        Social Insecurity (Simson L. Garfinkel)
        Criminals' names&addrs on WWW (also privacy vs. criminals) (Mark Seecof)
        Iris scanning (Phil Agre)

 *** Please include a RELEVANT "Subject:" line on all submissions! ***
 ***          Submissions without them may be ignored!           ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing.
Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com".

All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive.

All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com"; full keyword searching of all PRIVACY Forum files is available via WWW access.
-----------------------------------------------------------------------------

VOLUME 06, ISSUE 05

   Quote for the day:

        "I never forget a face."

                -- Khan (Ricardo Montalban)
                   "Star Trek II: The Wrath of Khan" (Paramount; 1982)

----------------------------------------------------------------------

Date: Thu, 27 Feb 1997 16:25:09 -0500
From: Terry Slonecker
Subject: Privacy and Remote Sensing Ethics

Privacy And Remote Sensing Ethics

Terrence Slonecker
Environmental Scientist
U.S. Environmental Protection Agency

The science of remote sensing is defined as methods that employ electromagnetic energy to detect, record and measure characteristics of a target, such as the earth's surface (Sabins, 1986). Aerial photography and satellite imaging, two of the more traditional forms of remote sensing, have been frequently employed for purposes such as weather forecasting, mapping, intelligence gathering, global process research, land use planning, conservation, and drug interdiction and control. Additionally, a new generation of increasingly sophisticated remote sensing techniques are likely to play an increasingly significant role in the future of an information-driven society. Of particular significance is the expanding use of remote sensing technology as related to personal privacy, constitutional guarantees against unreasonable search, and law enforcement.

Remote sensing techniques offer inherent advantages to the practice of monitoring through the efficiency of areal perspective, temporal definition, change detection, and accurate mensuration capabilities. Aerial photographs dating back to the 1930s and satellite images from the 1960s and 1970s are routinely available and have long played a key, albeit subtle, role in public programs and policy development. Aerial photographs and data from satellite systems have been successfully used for a variety of litigation purposes (Brennan and Macauley, 1995).

Remote sensing is currently undergoing a dramatic revolution in terms of technical monitoring capabilities. Advances in spectral and spatial resolutions, new sensors, new platforms, and continually improving digital analysis and communications techniques are changing and expanding the level and types of detail that may be extracted from raw imagery. Previously fundamental imaging restrictions on scale, resolution, availability, location and cost are becoming largely irrelevant.
Also, the growing number of orbital and airborne sensors and the subsequent volume of available imaging data is dramatically changing the overall global capability for overhead monitoring. There is also an evolving and dramatic change in terms of remote sensing information management, data control and communication. The current economic restructuring of the remote sensing community has resulted in a clear trend of foreign governments and multi-national corporations entering the remote sensing market. This diversification, coupled with the development of a global information infrastructure, has created a fundamentally different world in the distribution and analysis of high resolution spatial and spectral data. These developing changes in spatial and spectral monitoring capabilities, coupled with emerging global information management systems, have created a significant potential for the misuse of remotely sensed data (Slonecker and Shaw, 1996).

To this end, the American Society for Photogrammetry and Remote Sensing (ASPRS), one of the leading professional societies in the field of remote sensing, has recently agreed to review and possibly revise its professional code of ethics. At the Denver GIS/LIS meeting in November 1996, the ASPRS Executive Committee and Board of Directors agreed in principle to revising the Society's Code of Ethics. Especially important to the privacy concept is the wording of Item 7 of the current ASPRS Code of Ethics:

   "Recognize the proprietary interests and rights of others." (ASPRS 1996)

Potential New Wording of Item 7:

   "Recognize the proprietary interests and rights of others. This not only refers to adoption of these principles in the general conduct of business and professional activities, but also as they relate specifically to the appropriate and honest application of photogrammetry, remote sensing, geographic information systems and related technologies. Subscribers to this Code shall not condone, promote, advocate, or tolerate any organization's or individual's use of these technologies in a manner that knowingly contributes to:

      a. Deception through data alteration;
      b. Circumvention of the law;
      c. Transgression of reasonable and legitimate expectation of privacy;
      d. Deterioration of environmental quality or deleterious exploitation of natural resources;
      e. Exacerbation of human conflict, injustice, or suffering." (Lillesand 1996)

In an age where the gradual erosion of individual privacy rights seems to be commonplace, the ASPRS should be commended for its vision and initiative in dealing with potential privacy problems that its members may soon face with the explosion of remote sensing data and technology. Additional background information may be found in Brennan and Macauley (1995) and Slonecker and Shaw (1996).

REFERENCES

ASPRS, 1996. Code Of Ethics Of The American Society For Photogrammetry And Remote Sensing. Photogrammetric Engineering and Remote Sensing, 62(5):548.

Brennan, T.J. and M.K. Macauley, 1995. Remote Sensing Satellites and Privacy: A Framework For Policy Assessment. Resources For The Future. Washington D.C.

Lillesand, T. 1996. Electronic Communication.

Sabins, Floyd F. Jr., 1986. Remote Sensing: Principles and Interpretation. W. H. Freeman and Company, New York.

Slonecker, E.T. and D.M. Shaw. 1996. Emerging Legal Issues In Advanced Remote Sensing Technology. IN PROCEEDINGS: PECORA XIII, Sioux Falls, South Dakota, August 20-22, 1996. (In Press)

NOTICE: The U.S. Environmental Protection Agency (EPA), through its Office of Research and Development (ORD), funded and performed the work described here. It has been subjected to the Agency's peer review and approved by EPA for publication. Mention of trade names or commercial products does not constitute endorsement or recommendation for use.

------------------------------

Date: Tue, 25 Mar 1997 15:02:01 -0500
From: "David J. Loundy"
Subject: Article on new encryption bills

Published in the Chicago Daily Law Bulletin, March 13, 1997 at page 5. Reprinted with permission.

Congress scrambles to address encryption issues.
Copyright 1997 by David Loundy
Past columns archived at http://www.Loundy.com/

Once again, Congress is being faced with a crucial though somewhat esoteric issue-- U.S. encryption policy. Three bills have recently been introduced in Congress that would liberalize current export restrictions and derail some of the Clinton administration's attempts to guarantee access to encrypted communications. The results of the debate will have profound implications on electronic commerce, communications, and law enforcement. At the heart of the issue is how the law should be updated to account for changes in technology and the political environment.

Electronic commerce and the security of electronic messages rely on encryption. Traditionally, encryption was used by spies and governments during the Cold War to keep secret plans to sink submarines and blow up embassies and the like. With this in mind, encryption hardware and software, certain technical data, and discussions of the higher math that forms the basis of cryptography have been treated by the U.S. as munitions. Nowadays, however, much stronger forms of encryption than those which were used during the last few world wars are used to protect the $5 smart-card you may use to buy a Slurpee at the local 7-11. Nonetheless, the law has not changed to match the evolving role of the technology, or the environment in which that technology is used.

The Clinton administration has been broadly criticized over its policies concerning data security and privacy. The Clinton administration's initial "Clipper Chip" data standard would require use, in some situations, of a secret encryption standard which would necessitate that the government have access to the content of your secret messages when proper conditions are met.
The Clipper Chip plan started to unravel not so much due to the popular outcry against the government's standard, but as a result of scientists demonstrating that the standard was flawed and would not work as promised. The initial Clipper Chip proposal was followed by "Clipper II" and "Clipper III." All the while, the Clinton administration has maintained its need for access to encrypted communications in order to thwart the four horsemen of the Internet apocalypse-- the money launderer, the drug dealer, the child pornographer and the international terrorist.

Some legislators decided that this was entirely the wrong idea, and proposed legislation to liberalize controls on cryptography. The legislation was never passed. In the meantime, lawsuits were filed in two federal courts over export controls on encryption, and a third suit was filed over restrictions on teaching about encryption-- in the U.S.-- in classes with foreign students enrolled.

Finally, at the end of last year, the Clinton administration changed its policy again, loosening export controls if the government's "key recovery" plan is used to allow government decryption of any messages using the stronger means of encryption which would now be allowed for export. Needless to say, this plan was also not well received. Not only did the plan go against the findings of various security experts who have suggested substantially more secure forms of encryption and who oppose any "key-recovery" or "key escrow" plan, but the latest Clinton administration encryption plan also ignores studies commissioned by the same administration which recommended loosening of restrictions on cryptography and its export. Furthermore, one manufacturer of security software offered a reward to the first person who could crack the strongest level of encryption which would be readily allowed for export under the administration's liberalized policy-- it took a college student only three and a half hours to collect.

While U.S.
residents may use more robust encryption schemes (which use longer and therefore more secure encryption keys) these schemes may not be exported, as has been mentioned. What this means is that software companies must either use the weaker forms of encryption in products intended for international distribution, or they must create domestic and international versions of their software using different strengths of encryption in each version. At the same time, their foreign competitors do not have such restrictions-- they may create one version of their software for internal or foreign use, and they may use strong encryption. U.S. software companies argue that this has the effect of putting U.S. companies at a competitive disadvantage-- in essence, U.S. cryptographic policy amounts to 'export jobs, not cryptography.'

All of these concerns bring us to the current proposed federal legislation. On February 12, Congressman Bob Goodlatte, R-Va., re-introduced H.R. 695, the Security and Freedom Through Encryption (SAFE) Act, which is identical to legislation he had proposed last year. The broad bi-partisan support for the bill (55 initial co-sponsors) includes Representatives Tom Ewing and Don Manzullo, both Republicans from Illinois.

The SAFE bill begins by spelling out that any U.S. citizen shall have the right to use encryption, of any type, and of any strength or "key length" and in any medium. It also prohibits federal and state governments from requiring that users of encryption products turn over their keys to an escrow agent. The bill does, however, provide additional penalties for anyone who uses encryption in the furtherance of the commission of a criminal offense.
Furthermore, the legislation eases export restrictions on any "generally available" or public domain software with a cryptographic component unless there is "substantial evidence that such software will be (A) diverted to a military end-use or an end use supporting international terrorism; (B) modified for military or terrorist end-use; or (C) reexported [without any required authorization]."

The second bill is S376 IS, the Encrypted Communications Privacy Act of 1997, proposed on February 27, 1997 by Senators Patrick Leahy, Conrad Burns, Patty Murray, and Ron Wyden. This bill also guarantees the right to use encryption of any strength or form domestically. The bill also prohibits federal or state governments from mandating any form of key recovery or escrow of people's secret keys. As does the SAFE bill, this bill would provide similar loosening of export controls on readily accessible encryption software. The bill would also provide for additional penalties for persons caught using cryptography to impede law enforcement investigation of a felony.

This Encrypted Communication Privacy Act bill goes further than the SAFE bill in that it provides sections which address the responsibility of an escrow agent who is voluntarily entrusted with the responsibility of holding the secret key to an individual's encrypted data. The provision provides for civil and possibly criminal liability for an unauthorized disclosure, and it provides a procedure for law enforcement access to an escrowed key in certain circumstances.

The final bill entitled the Promotion of Commerce Online in the Digital Era (or Pro-CODE)-- S. 377, was also introduced on February 27, 1997 by Senators Burns and Leahy (and 16 other co-sponsors). This bill is similar to legislation with the same name that the senators introduced last year. While this bill shares many of the same traits as the other two, there are some noticeable differences.
The Pro-CODE bill would prohibit the Secretary of Commerce from establishing an encryption standard or policy for any group other than the government itself-- in other words, it prohibits a Clipper IV. Another difference that has resulted in this bill being more popular among civil liberties groups than some of the others is that it does not contain additional sanctions or punishments for those who use encryption in the course of committing acts that are already illegal and subject to punishment. The Pro-CODE bill also calls for the creation of an information security board to foster coordination between government and industry, and to collect and disseminate non-proprietary information about cryptography.

The Pro-CODE bill has created some controversy, however, as a result of one of the exceptions contained in the bill. In addition to the exceptions that the SAFE or Encrypted Communications Privacy Act bills contain preventing export of cryptography products if they are likely to be coopted for military or terrorist use, this bill would prohibit export of certain software or hardware to an individual, organization, or country if the Secretary of Commerce determines that there is substantial evidence that the software or hardware will be used intentionally "to evade enforcement of United States law or taxation by the United States or by any State or local government." Such a prohibition would actually constitute an extension of current law, and critics claim the bill could be used to outlaw untraceable electronic cash or anonymous remailers (which strip identifying information off of e-mail messages before passing them on to their destinations).

While all of these bills have certain strengths and weaknesses, what is important is what they represent-- an awareness that this is a foundational technology behind the future of commerce and business conducted in a networked environment.
The currently exportable standard of encryption does not provide adequate protection for particularly sensitive data. Harder math is more secure. An important element behind a good cryptographic system is not needing to trust others to preserve your privacy-- which is one reason why any sort of key-escrow or key-recovery is so antithetical to many users and designers of cryptographic products. Trust math, not the government. On the other hand, the government does have a legitimate concern in its desire to allow law enforcement to do its job. The Constitution, however, provides for a right to privacy-- not a right for the government to be able to read my mail. Thus, I believe these bills offer a promise to do more good than evil.

--
David J. Loundy | E-Mail: David@Loundy.com | WWW: http://www.Loundy.com/

------------------------------

Date: Thu, 27 Mar 1997 15:35:42 +1100 (EST)
From: Roger Clarke
Subject: Privacy [Going?] Down Under

During the mid-1990s, Australian industry and privacy advocates have been in agreement that the country's privacy legislation needed to be extended beyond government agencies, to cover the private sector. They were even agreed on the approach to be taken, namely industry codes of practice developed in consultation with the Privacy Commissioner and administered by the industry, supervised by the Privacy Commissioner, and subject to statutory backing. The term being used in Australia for that approach is 'co-regulatory'.

A series of government and parliamentary reports recommended action, and the approach was adopted in the platforms of both major parties. In September 1996, a Discussion Paper was issued by the Attorney-General, indicating the intended shape of the initiative. See: http://www.agps.gov.au/customer/agd/clrc/privacy.htm

It therefore appeared that action was imminent.
For a brief review, see: http://www.anu.edu.au/people/Roger.Clarke/DV/FedLeg.html

But, abruptly on 21 March 1997, the dry-as-a-bone Prime Minister issued a four-para. press release, announcing that "the Commonwealth will not be implementing privacy legislation for the private sector", and citing compliance costs as the justification for the decision. This announcement appears to have been made without consultation with the Cabinet, the Attorney-General or the Privacy Commissioner. It would appear that the Prime Minister was captured by a narrow and uninformed lobby group, most likely the major banks. [A review of the financial system by people from the right end of town is about to report ('the Wallis Enquiry'), and the finance sector lobbyists feel that they're on a roll].

A summit of privacy advocacy groups has been held, and plans are being formulated as to how to correct the Prime Minister's aberration, and get the process back on the right track. The summit's co-ordinators are:

   Chris Connolly
   Tim Dixon

Further details follow.
Some key facts are:

- the Liberal Party was elected on a platform that included the adoption of "a co-regulatory approach to privacy within the private sector, comparable with best international practice"

- the Attorney-General's Discussion Paper of late 1996 envisaged a scheme consistent with that platform, and held that line in speeches as late as 19 February and 12 March

- associations representing relevant parts of the private sector have been arguing for just such an approach, including formal submissions in response to the Discussion Paper

- privacy interest groups have been arguing for just such an approach

- successive reports by government and parliamentary committees have recommended that action of this kind be taken

- at least two State Governments are encouraging just such an approach, as a means of balancing privacy against other interests, and to ensure public confidence in applications of information technology generally, and of electronic services delivery in particular

- the European Union's Directive has the effect that Australia needs to enact privacy laws that satisfy international norms; otherwise Australian companies will be disadvantaged in international trade. This argument was run by The Australian Financial Review on 27 March.

__
Roger Clarke              http://www.anu.edu.au/people/Roger.Clarke/
                          http://www.etc.com.au/Xamax/
Xamax Consultancy Pty Ltd, 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 6 288 1472, and 288 6916       mailto:Roger.Clarke@anu.edu.au
Visiting Fellow, Faculty of Engineering and Information Technology
The Australian National University   Canberra ACT 0200 AUSTRALIA
Information Sciences Building Room 211   Tel: +61 6 249 3666

------------------------------

Date: Thu, 27 Mar 1997 16:46:02 -0500
From: Marc Rotenberg
Subject: OECD Crypto Guidelines

The OECD Cryptography Policy Guidelines were formally announced today, following an intensive year-long negotiation.
EPIC will be posting a complete copy of the Guidelines at our web site [http://www.epic.org/] along with a detailed analysis. Journalists interested in a briefing should contact the Communications Division of the OECD.

For further information and inquiries, please contact the Information, Computer and Communications Policy Division (fax (33) 01 45 24 93 32). General information about the OECD may be found at the OECD web site [http://www.oecd.org]. Specific information about the work of the OECD in the areas of security, privacy, intellectual property, and cryptography is available at http://www.oecd.org/dsti/iccp/legal/top-page.html. The OECD Privacy Principles are online at http://www.oecd.org/dsti/iccp/legal/priv-en.html

Among the key outcomes:

-- Recognition of commercial importance of cryptography. The Guidelines recognize that cryptography is an effective tool for the secure use of information technology by ensuring confidentiality, integrity and availability of data and providing authentication and non-repudiation mechanisms.

-- Rejection of key escrow encryption. The US sought endorsement for government access to private keys. Initial drafts of the guidelines included this recommendation. The final draft does not. OECD countries rejected this approach.

-- Endorsement of voluntary, market-driven development of crypto products. The OECD emphasized open, competitive markets to promote trade and commerce in new cryptographic methods.

-- Endorsement of strong privacy safeguards. The OECD adopted one of the strongest privacy principles found in any international agreement, including the obligation to apply the OECD privacy principles to crypto products and services. The OECD also noted favorably the development of anonymous payment schemes which would minimize the collection of personal data.

-- Removal of Restriction on Cryptography. The OECD urged member countries to remove, and avoid creating, obstacles to trade based on cryptography policy.
This guideline should lead to further liberalization of export control policies among the OECD member countries.

EPIC will also provide briefings for organizations interested in the intent and application of the OECD Cryptography Guidelines.

Marc Rotenberg
Director, EPIC
Member, OECD ad hoc Expert Panel on Cryptography Policy

------------------------------

Date: Thu, 27 Mar 1997 12:44:40 -0600
From: Kevin Werbach
Subject: FCC Releases staff Working Paper on Internet policy

News Release -- March 27, 1997

DIGITAL TORNADO: THE INTERNET AND TELECOMMUNICATIONS POLICY
FCC Staff Working Paper on Internet Policy

The FCC's Office of Plans and Policy (OPP) today released a staff working paper analyzing the implications of the Internet for the FCC and telecommunications policy. OPP Working Paper No. 29, "Digital Tornado: The Internet and Telecommunications Policy," was written by Kevin Werbach, Counsel for New Technology Policy. OPP periodically issues working papers on emerging areas in communications; these papers represent individual views and are not an official statement by the FCC or any FCC commissioner.

"Digital Tornado" represents the first comprehensive assessment of the questions the Internet poses for traditional communications policy. A central theme running through the paper is that the FCC, and other government agencies, should seek to limit regulation of Internet services. In framing his approach, Werbach states:

"Because it is not tied to traditional models or regulatory environments, the Internet holds the potential to dramatically change the communications landscape. The Internet creates new forms of competition, valuable services for end users, and benefits to the economy. Government policy approaches toward the Internet should therefore start from two premises: avoid unnecessary regulation, and question the applicability of traditional rules."
After providing an analytical framework to understand the forces driving Internet growth, and describing the Internet's development and architecture, the paper addresses three primary areas:

CATEGORY DIFFICULTIES
Policy and legal questions arising from the fact that Internet-based services do not fit easily into the existing classifications for communications services under federal law or FCC regulations.

PRICING AND USAGE
Policy questions arising from the economics of Internet access, including assertions by local telephone companies that current Internet pricing structures result in network congestion, and arguments by Internet service providers that telephone companies have not upgraded their networks to facilitate efficient transport of data services.

AVAILABILITY OF BANDWIDTH
Regulatory and technical issues affecting the deployment of technologies promising to enable high-speed Internet access to the home and to businesses, including the implications for the Internet of the FCC's role in promoting universal service.

The paper is available on the FCC World Wide Web site, . The file is available for online viewing in PDF (Adobe Acrobat) format at , or for downloading in WordPerfect format at . Copies may also be purchased from International Transcription Services, Inc., 1919 M Street, NW, Room 246, Washington, DC 20554, (202) 857-3800.

-FCC-

News media contact: Meribeth McCarrick or David Fiske at 202/418-0500.
Office of Plans and Policy contact: Kevin Werbach at 202/418-1597.

------------------------------

Date: Mon, 7 Apr 1997 09:22:47 -0700
From: "Simson L. Garfinkel"
Subject: Social Insecurity

USA Today, 07 Apr 1997

[Reprinted by permission of the author. Simson's book on Web Security & Commerce will be published in June by O'Reilly & Associates.]

Few key bits of info open Social Security records

By Simson L.
Garfinkel

The Social Security Administration, trying to speed service and cut costs by using the Internet, inadvertently has compromised the financial privacy of tens of millions of Americans.

Social Security's month-old on-line service is handy for taxpayers looking for instant access to their financial records. But it also gives nosy neighbors, ex-spouses, prying relatives and just about anyone else the ability to view those same files if they have some very basic information.

What could they see? How much someone earned every year, going back to 1951. How much someone will get in Social Security benefits after retirement. How much their families would get now if they died.

Nearly 28,000 people requested the free information on-line in March at http://www.ssa.gov.

"As soon as crooks start exploiting this service to get other people's information, Social Security is going to have a real problem on its hands," warns Evan Hendricks, chairman of the U.S. Privacy Council, a Washington D.C.-based federation of privacy activists.

As use of the Internet expands, its lure of convenience is breaking promises of privacy. And as on-line exchanges become as accepted as faxes or automatic teller machines, critics say, the drive to provide new services will continue to outpace appropriate restraints.

In this instance, people familiar with the new Social Security system say, there is danger for abuse from many directions: a legal adversary, an employer seeking to learn about an employee's outside income, an ex-spouse contemplating adjustments in support.

"I like to see this sort of easy access to your own personal information," Hendricks says, "but we need something to discourage the wolves."

Social Security officials don't see a problem. "We have confidence that in the huge majority of cases, the people requesting these things are the right people," says John Sabo, the Social Security Administration's director of the Electronic Services Staff.
Last year, the Social Security Administration mailed some 4 million financial reports to taxpayers at a cost of $5.23 each, Sabo says. Delivering the same report over the Internet costs a fraction of a penny.

'Social Security numbers are easy' to get

But it's virtually impossible to know if the on-line version of the financial reports, called PEBES - Personal Earnings and Benefit Estimate Statement - is being abused. It's also just about impossible to track down an abuser.

The key to opening PEBES: a Social Security number, mother's maiden name and state in which a person was born. That information is not exactly a state secret.

"Social security numbers are easy" to get, says Beth Givens, manager of the Privacy Rights Clearinghouse in San Diego. Information vendors used by banks, credit agencies and private detectives can deliver a Social Security Number for a small fee. They also frequently are known by co-workers or spouses. And driver's license numbers in many states are the same as Social Security numbers.

A mother's maiden name and place of birth can show up in court papers, marriage licenses or divorce decrees. "Many states have a vital statistics department. You could get it that way. These documents are public record," she says.

Mark Welch, an engineer at Netscape Communications in California, makers of popular Internet software, says he's disturbed to see the information so readily available.

"I was just thinking of all the ways that people could misuse this information," Welch says. "A potential employer could use this to determine my salary history. My co-workers could use this to determine how much I was making relative to them. My landlord could use this report to decide if I'm making enough money to be able to rent an apartment. I could make a decision on whether or not to sue someone based on how much money I thought they had.

"Private investigators would love this kind of information."
"It would be a tremendous asset to people who know how to obtain this information," says Paddy Calabrese, owner of Inter-tel Detective Agency in Seattle. "If somebody calls me up and says they want to know somebody's income, I just pop into this thing, I charge them $2,000 and it costs me nothing." Where are the penalties for snooping? There are supposed to be penalties for snooping. A warning appears when someone enters the PEBES website: "I certify that I am asking for information about by my own Social Security record. I understand that if I deliberately request information under false pretenses, I may be guilty of a federal crime and could be fined and/or imprisoned." The warning is nearly identical to banners used on many government agency websites, permitting those entering wrongly to be prosecuted under the Computer Security Act. Prosecutions are exceedingly rare, in part because it is difficult to trace an on-line user, and there is little deterrent to outweigh great potential interest. Officials say they have no evidence that anyone has wrongly accessed a PEBES file. But they probably wouldn't know. With libraries, schools and even coffee shops now giving access to the Internet - as well as access available worldwide - it would be practically impossible to track down a person illegally requesting files. Still, not all privacy advocates are disturbed by PEBES. Marc Rotenberg, director of the Electronic Privacy Information Center, says the ability of people to easily obtain the information outweighs concerns about the few who abuse it. "Promoting first-party access to personal information is often times as important as . . . restricting access," says Rotenberg. "By making these systems more transparent, the government gives individuals greater control over information that has an important impact on retirement planning. I'd like to see more agencies set up these services, though I'd draw a line at tax records and medical information." 
Other organizations that hold sensitive financial information on Americans have decided against putting their files on the Internet - at least for now.

One of the problems in trying to make PEBES more secure is that the current state of technology and government restrictions on the use of encryption, or data scrambling, make it difficult to make the information any tougher to get at.

"Ideally, we would prefer if we could authenticate people through some sort of digital identity," says Bruce Carter, who runs the website for the Social Security Administration. "But there just isn't the infrastructure available for that yet."

SSA says complaints are of too tight security

Here's how a computer user can access PEBES: An Internet user goes to the Social Security Administration's website, clicks a button labeled "PEBES," wades through two pages of warnings and then responds to queries - full name, address, phone number, Social Security number, mother's maiden name and state of birth.

After the information is entered, the user clicks a button on the computer's screen and views the taxpayer's entire financial history - how much has been paid into Social Security, how much into Medicare, expected benefits, yearly income. The Internet user then can print the information or request that the report be sent through the mail.

Carter says that while the Social Security Administration has received some complaints about the privacy of the system, most of the complaints received have been that the security is too good: roughly 30% of the people who have attempted to view their reports failed because the information they provided did not exactly match the spelling stored in government computers. After eight failed attempts to view a report, the system locks out the user for 24 hours.

Eight attempts is far too many, says Hendricks of the Privacy Council. "I think that this is really a good case of three strikes and you're out," he says.

"When you step back, you see that the Social Security Administration has not thought through the privacy and security implications of this."

By Simson L. Garfinkel, Special for USA TODAY
http://www.packet.com/garfinkel

	[ Within a day of the large-scale publicity regarding this service, hit counts at the SSA site went through the roof. Within another day or so, the site was taken offline due to public concerns over the privacy issues. SSA announced a 60-day period of public hearings and study to determine how to provide the information online with more acceptable security and privacy.
	-- MODERATOR ]

------------------------------

Date: Thu, 10 Apr 1997 21:16:25 -0700
From: Mark Seecof
Subject: Criminals' names&addrs on WWW (also privacy vs. criminals)

The National Rifle Association's CRIMESTRIKE project's CrimeWatch Weekly v.3 no.14 (4/8/97) reports (citing Corrections Digest as the source) at http://www.nra.org/pub/ila/1997/97-04-09_crimestrike_killers_life_prison that the State of Florida will place the names and residence plans of more than 2000 about-to-be-released convicts on the WWW (the page will be under http://www.fdle.state.fl.us ).

A number of states (including Florida) have previously placed sex-offenders' names & addresses on the WWW and (since the U.S. gov't has pressed them to) the rest of the states will soon do likewise. (California plans to release a CD-ROM with 57,000 names, addresses, and digitized photos of sex offenders very soon. It will probably end up on the WWW.) "Wanted posters" too now appear on gov't and private web sites. However, Florida's plans represent a substantial broadening of exposure for those previously caught, convicted, and imprisoned for non-sexual crimes. (Mind you-all, I (Seecof) do not oppose this.)
In the past, mass-media coverage of momentarily infamous criminals (e.g., Jason Brooks in Orange County, California) conveyed such information in spurts, but it was difficult for people outside "law enforcement" who "missed that day's paper" to either track specific criminals or monitor the flux of known criminals in particular places. The ability to offer such data to everyone constitutes a computer RISK.

Such information will permit neighbors to shun convicted criminals (or even, unlawfully, to harass them) and some people (such as Elizabeth Schroeder of the So. Cal. ACLU, writing in the Los Angeles Times 1/28/1997, p.B7) do not approve of this. They suggest that publicity after imprisonment constitutes extra punishment, improperly imposed.

On the other hand, the "social control" which many analysts suspect (see James Q. Wilson or even Gertrude Himmelfarb) inhibits crime in less crowded and anonymized societies than our present large cities relies on the flow by informal means of just the information which the "publicity" advocates hope to disseminate via the WWW. It may be that this information will enable, albeit with some rough spots and some metamorphosis, a new and valuable form of "social control" to inhibit crime. Perhaps fear of ostracism will deter criminals more effectively than fear of prison. (Even if it does not, potential victims who use the information to avoid criminals gain and therefore society also gains.)

I think that the criminal publication movement ties in with the general diminution of privacy which seems to be the fallout from deployment of information-retrieval systems such as the WWW in the absence of any political consensus as to where we should draw the boundaries between "public" and "private" data. I consider myself a "hard core" privacy advocate.
I remain deeply opposed to the distribution of personal information (broadly defined, including address, medical, financial, and other data) without informed, positive, and generally revocable consent from the subject. However, I think we can properly consider criminals who prey on others to have waived their claim to privacy (or alternatively to be liable to punishment by deprivation of privacy). Criminal attacks are public acts by definition--the criminal imposes his selfish interests on unconsenting others, violating the rules of civilized society.

At the same time, I recognize the notion that "ex-criminals who have paid their debt to society" ought to enjoy thereafter the same privacy as other citizens. So long as we (everyone including marketeers and politicians) cannot agree on whether law-abiding citizens (~95% of population) hold/deserve privacy rights, we cannot really decide how much, if any, privacy we should afford criminals.

I think we ought to draw the line at crimes of serious violence or effects-like-violence (the latter to catch corporate polluters, those like Charles Keating who rob with pens rather than clubs, and sex-offenders). We should keep the felony/misdemeanor distinction (and stop promoting so many little crimes or offenses-against-bureaucratic-impositions like resisting EPA to felonies). Only serious felons should lose their privacy. But they should, indeed, lose it--to the extent that their names, addresses, likenesses, and criminal histories should be widely available. (I think that even criminals should be able to keep their medical records and chequing accounts private.)

Mark Seecof

------------------------------

Date: Fri, 11 Apr 1997 09:10:41 -0700 (PDT)
From: Phil Agre
Subject: Iris scanning

An article in the 4/11/97 San Francisco Chronicle (Peter Sinton, ATM Cash For Your Eyes Only: New Device IDs a Customer's Iris, page A1) discusses the use of iris scanning for identification of bank customers.
According to the article, the major selling point of the technology is that people can be identified without knowing it. The article quotes Kevin McQuade, whom it identifies as "vice president of Sensar, which first developed the technology to detect motion for the U.S. military", as saying, "The real sexiness of this technology is that it is unobtrusive; you don't have to say anything or do anything". Citicorp Chief Technology Officer James Zeanah is quoted as saying, "A lot of people who walk into banks feel we communicate distrust when we ask them for identification. This device could help banks be a lot friendlier". To this end, the article suggests, "Sophisticated iris scanners could spot customers in a crowd and tip off bank personnel to their identity without having to ask for identification". This is because the iris scanners can operate reliably at a distance, which the article reckons at 36 inches although it discusses applications that would require more.

The problem here is not the use of biometric identification. Biometric identification can protect privacy rather than eroding it, for example by indexing the individual's biometric signature to a cryptographic key rather than a social security number or other personal identifier. The problem, instead, is the idea of using iris scanning to deceive patrons. People who feel that a bank is expressing distrust by asking them for identification before disbursing their money are fools; organizations routinely draw attention to these people because they help portray all sorts of privacy invasions in warm fuzzy terms as responses to popular demand. It's fitting that this new technology of deception originated in a military context, which presupposes a grossly adversarial relationship between the owners of a system and the people whose persons and lives are represented in the system's records.
It would be much better, I think, to get beyond this mentality and design systems that are based on the well-known fair information principles of openness, clear notification, and collection of the minimal information needed to do the job.

It's also useful to imagine what could be accomplished by setting up an iris scanning machine on a street corner, or at the front door of a shop. Once databases of individual iris signatures become available, it would become possible to track people's movements surreptitiously. I can almost imagine the PR people explaining to us that participation in this service is perfectly voluntary, given that everyone has the option of wearing sunglasses.

Phil Agre, UCSD

------------------------------

End of PRIVACY Forum Digest 06.05
************************