The following document is from the PRIVACY Forum Archive at Vortex Technology, Woodland Hills, California, U.S.A. For direct web access to the PRIVACY Forum and PRIVACY Forum Radio, including detailed information, archives, keyword searching, and related facilities, please visit the PRIVACY Forum via the web URL: http://www.vortex.com ----------------------------------------------------------------------- PRIVACY Forum Digest Friday, 1 May 1998 Volume 07 : Issue 08 Moderated by Lauren Weinstein (lauren@vortex.com) Vortex Technology, Woodland Hills, CA, U.S.A. http://www.vortex.com ===== PRIVACY FORUM ===== ------------------------------------------------------------------- The PRIVACY Forum is supported in part by the ACM (Association for Computing Machinery) Committee on Computers and Public Policy, "internetMCI" (a service of the Data Services Division of MCI Telecommunications Corporation), Cisco Systems, Inc., and Telos Systems. - - - These organizations do not operate or control the PRIVACY Forum in any manner, and their support does not imply agreement on their part with nor responsibility for any materials posted on or related to the PRIVACY Forum. ------------------------------------------------------------------- CONTENTS Privacy or Technology Questions / Concerns (Lauren Weinstein; PRIVACY Forum Moderator) Cell Phone Jamming (Lauren Weinstein; PRIVACY Forum Moderator) PacBell hard sell on CallerID (Paul Hoffman) Portable fingerprint scanner (Phil Agre) Direct mail (Phil Agre) UK Crypto Policy - govt statement - 27 April 1998 (Keith Parkins) EFC Press Release: Canada's Top Cryptographers Oppose Crypto Regulation (Jeffrey Shallit) *** Please include a RELEVANT "Subject:" line on all submissions! *** *** Submissions without them may be ignored! *** ----------------------------------------------------------------------------- The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged. All submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com". All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations. The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com"; full keyword searching of all PRIVACY Forum files is available via WWW access. ----------------------------------------------------------------------------- VOLUME 07, ISSUE 08 Quote for the day: "I guess I just have a good kisser." -- Audrey Fulquard (Jackie Joseph) "The Little Shop of Horrors" (Allied Artists; 1960) ---------------------------------------------------------------------- Date: Fri, 1 May 98 18:14 PDT From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: Privacy or Technology Questions / Concerns Greetings. In the ongoing course of moderating the PRIVACY Forum, I receive a large amount of e-mail from people who aren't submitting messages for possible inclusion in the digest, but rather who want to discuss or get advice regarding particular privacy and/or technology concerns. Within the limits of available time I do my best to help in such situations, though it is impossible to respond personally to every query. To make it somewhat easier for folks with privacy or "technology and society" questions or concerns to send "not for the digest" messages to me, I've created a specific web page with a form for such messages, which can be used instead of e-mail for such materials. The form should not be used for digest submissions. Again, I can't promise to respond to every query sent via the form, but I'm glad to try help where I can. The form can be accessed by following the links through the PRIVACY Forum to: http://www.vortex.com/privform.html --Lauren-- Lauren Weinstein Moderator, PRIVACY Forum http://www.vortex.com ------------------------------ Date: Fri, 1 May 98 17:14 PDT From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: Cell Phone Jamming Greetings. I recently viewed an announcement of the development by an Israeli firm of a system for, essentially, the jamming of cellular telephone systems. The proposed uses for the device are to ensure lack of interruption at theaters and other cultural events ("acoustic nuisances"), avoiding cell phone "interference" with medical devices, and various security-oriented applications where it was considered desirable to prevent use of any sort of cell phone (including analog, digital, PCS, etc.) A number of concerns immediately came to mind. Would such a device be legal? What would be the potential liability of an entity that used such a device if an important call or page were blocked? Would there be unscrupulous uses for such a system, perhaps by criminals wishing to prevent calls into or out of a "target" area? Would such a jamming device potentially represent its own interference problems to unrelated devices? The firm's web page states that appropriate licenses are required to use the equipment. Offhand, I don't know of a license in the U.S. that would permit the interfering with common carrier communications in such a manner. I contacted the firm via e-mail and received a rapid response. They suggested that since anyone was free to shield their building from radio signals, the use of an "active" device such as their's was analogous. They also suggested that their device would not affect pagers, only cell phones. As for possible criminal use, they seemed to feel that this was the same problem faced by much technology, including firearms and Internet access. I sent a follow-up message pointing out my concerns over their "shielding equals active jamming" concept. I also pointed out that stand-alone pagers are being rapidly replaced by integral paging systems built into digital cellular and PCS phones. It is not technically possible (as far as I know) to interfere with the voice communications portion of these phones without blocking the paging functions as well. So far, I have not received any response to my follow-up message. Cellular systems, the Global Positioning Satellite system, and other complex radio-based networks have become critically intertwined into our lives. Needless to say, the implications of the availability of devices to jam communications systems, which we all expect to work when needed, are serious indeed. --Lauren-- Lauren Weinstein Moderator, PRIVACY Forum http://www.vortex.com ------------------------------ Date: Sun, 19 Apr 1998 17:52:57 -0700 From: Paul Hoffman Subject: PacBell hard sell on CallerID You may find the following conversation amusing. I called PacBell on Wednesday to have the automatic check payment on my phone numbers switched off because it wasn't working well with Quicken 98. No problem. At the end of the conversation, the PacBell employee asked the customary "is there anything else I can do for you", to which I said no. Thus follows: PacBell Employee: "I notice that you have maximum CallerID blocking on all these lines. Would you like me to change that to selective blocking?" Me: "No, why would I?" PBE: "Well, many customers report they have problems calling some people that do not allow calls from people with CallerID blocking on." Me: "That's only happened once to me, and I didn't care to talk to that person." PBE: "Well, that sounds like a good reason you would want to remove it on all your lines." Me: "Don't touch it. Really. I like having it on." PBE: "OK. We were told to inform customers like you of the problems that CallerID causes for some people." The term "hard sell" comes to mind. --Paul Hoffman ------------------------------ Date: Tue, 28 Apr 1998 14:06:06 -0700 (PDT) From: Phil Agre Subject: portable fingerprint scanner An article in the LA Times (Robert J. Manzano, Portable scanner will speed police fingerprint checks, Los Angeles Times, 17 April 1998, page B2) reports on a new "portable scanner that can read fingerprints [and] compar[e] the prints with a central file within five minutes", together with a system that maintains a database of palm prints. Both systems "are being used by San Francisco police as part of a testing period". Although the police suggest that the devices "make it less likely for innocent people to be arrested", evaluation of the test should determine whether significantly more people are being fingerprinted as a result of the easy availability of the scanner. Police use of such scanners may not pose a significant civil liberties concern in isolation, but it is part of a vastly larger pattern of new identification and tracking technologies that are being applied in a tremendous variety of niches. Phil Agre ------------------------------ Date: Tue, 28 Apr 1998 14:22:21 -0700 (PDT) From: Phil Agre Subject: direct mail The other day I was accosted at a conference by a representative of the direct mail industry who took issue with some statements I had made on this mailing list. He made several arguments that I found peculiar. I do not have a verbatim transcript of his remarks, so the phrases in quotes here are my (inevitably inaccurate) attempts to paraphrase what he said. (1) "It is unreasonable to require individuals to give consent before receiving direct mail because we cannot shut down commerce, and commerce cannot function unless people can hear about opportunities that they do not already know about." The problem with this argument is that people already have many such opportunities, including advertisements in dozens of media. Defenses of unsolicited advertisements through direct mail, therefore, require a more specific justification. Commerce would proceed perfectly well, in other words, if direct mail were outlawed tomorrow. (2) "You are curtailing freedom by preventing people from allowing themselves to receive direct mail." If I understand correctly, the point of this argument is that defenders of "opt-in" schemes would require a separate "opt-in" for every single mailing or mailing list, and would thus outlaw any mechanism by which a person could state to the world a generalized willingness to receive direct mail. This is, of course, absurd and false. The principle is informed consent. An organization that wishes to create a mechanism that allows people to solicit direct mail should be able to structure that mechanism however they like, so long as the solicitation requires an express, fully informed request by the individual, and so long as the data thereby collected is handled in accordance with generally accepted fair information practices. What is more, even *if* such generalized mechanisms were outlawed, "opt-in" schemes would still not curtail individuals' freedom to receive direct mail, inasmuch as everyone could easily check the "yes" box every time they surrender their personal information. Reasonable constraints on the traffic in personal information by direct mailers simply do not abridge the liberty of the people whose personal information is thereby being protected, and it is perverse to suggest otherwise. (3) "It would indeed be wrong if marketers were targeting people as individuals, but they must be able to send mail to people on account of their membership in particular demographic categories." Marketers often assert that they do not target people as individuals, but this statement is nearly meaningless. Marketers target people if they believe that doing so is likely to be profitable, and indeed nobody ever targets anybody else for anything except in terms of their own goals. On the other hand, neither do marketers simply target people based on their demographic characteristics, unless the notion of demographics is expanded to include purchase histories and an increasingly wide variety of other information. It was on the basis of these arguments that this individual portrayed my views as utterly beyond the pale of reasonable discourse. It is distressing to think that such arguments continue to succeed, year in and year out, in postponing common-sense regulatory measures that overwhelming majorities of Americans support in polls. Phil Agre ------------------------------ Date: Fri, 01 May 1998 18:32:33 +0100 From: Keith Subject: UK Crypto Policy - govt statement - 27 April 1998 'In principle it's voluntary; but, de facto, it's compulsory. This is exactly what so many of us in the US have worked very hard to stop.' -- Phil Zimmermann, InfoSec98 In the early hours of Tuesday 28 April 1998 I tuned into the BBC World Service News to hear a detailed report on the UK Crypto Policy - strange no mention on UK news. The report started with an announcement that the British Government was growing increasingly concerned at the amount of encrypted traffic on the Internet, traffic that it could not read. >From the description of the policy that followed, it appeared to be the same tired, old, discredited policy that the government introduced a year ago (shelved by the slight inconvenience of an election). By coincidence, later in the day I attended a security conference InfoSec98 addressed by Nigel Hickson (UK, DTI). What he put forward appeared to be no different to the policies of a year ago. He dragged in the same old red herring of crime - this completely ignores the fact that it will be 'voluntary' to hand over keys, no criminal is going to voluntarily relinquish their keys. Hickson spoke of legislation within the next year - we are now on the fast track. The reception Hickson received was not welcoming, and his proposals were widely criticised by fellow speaker Phil Zimmermann. What was recognised was the need for standards, but as stated by Phil Zimmermann, these are best served by the Internet Task Forces. The only role for local legislation/regulation, would be to ensure that those signing keys, only do so on positive proof of ID (whatever that may be), and that those escrowing keys are subjected to heavy penalties if they release unauthorised keys. Phil concentrated on the human rights issues and 'voluntary'. He noted with some concern the level of CCTV monitoring on the streets of London, and the frittering away of civil rights. 'Voluntary' - yes it's voluntary, but don't expect government contracts, don't expect government grants. Don't expect government to recognise keys unless certified by their own approved agencies. In a couple of years time when the voluntary scheme fails it is likely to become mandatory. The reason for the sudden reawakening of interest is that proposals were laid before Parliament the previous day in response to a written question (ie Mon 27 April 1998). Secure Electronic Commerce Statement Summary of Responses Hickson did give some positive messages. The need for standards and interoperability. He highlighted, without naming names, Certifying Authorities, who, on receipt of an e-mail (and of course a suitable fee), will, with no ID, sign keys. From a quick survey of many of the bogus products at InfoSec over the last two years, most are peddling snake oil, I would add that there is a need to weed out much of this garbage. I had hoped to talk to Nigel Hickson, but unfortunately he had to immediately leave for another meeting. Wednesday 29 April 1998, I received a copy of the proposals, plus summary to previous proposals. Secure Electronic Commerce Statement Summary of Responses >From a quick scan, it appears little changed. The response, as much rumoured, was widespread rejection of the proposals. It is easy to take liberties with people. In this case people will be denied rights that they did not even realise they had. It is incumbent upon everyone who uses encryption, to encourage its widespread use, and to organise opposition to these plans. In particular encourage human rights groups, social reform groups, environmental groups and campaigning groups to use encryption. These are the groups who most need it, and are best placed to run effective campaigns. The proposals will by stealth introduce a Police State into the UK. More information http://www.heureka.clara.net/sunrise/spooks.htm http://www.heureka.clara.net/sunrise/ukdtittp.htm If the need arises, I will produce a new Web page to update current events. Anyone organising opposition, please let me know and I'll provide a free link. Copies of the UK proposals may be obtained direct from Nigel Hickson. Nigel Hickson Communication and Information Industries Directorate Department of Trade and Industry 151 Buckingham Palace Road LONDON SW1W 9SS tel +44 171 215 1315 ................... after reading both papers ................ Summary Well written, virtually what is contained within my own submission http://www.heureka.clara.net/sunrise/ukdtittp.htm Statement Poorly written waffle. TTPs are to go from mandatory to voluntary, handing over of keys to be voluntary (unless of course subjected to a warrant). The one ominous feature is the involvement of the Home Office. The driving force to date has been the DTI whose primary concern has been a secure environment for business, any involvement of the Home Office bodes ill for civil liberties. Further consultation and the issue of a White Paper later in the year. Duncan Campbell has an excellent article in The Guardian, OnLine section, 'Coded message', Thurs 30 April 1998. His comment 'It's a classic case of Neanderthal thinking - no safeguard at all' is an apt summing up. http://www.guardian.co.uk/online Keith Parkins ------------------------------ Date: Mon, 20 Apr 1998 11:04:55 -0400 (EDT) From: Jeffrey Shallit Subject: EFC Press Release: Canada's Top Cryptographers Oppose Crypto Regulation ELECTRONIC FRONTIER CANADA (EFC) --- PRESS RELEASE (For immediate release --- April 20, 1998) CANADA'S LEADING CRYPTOGRAPHERS OPPOSE CRYPTOGRAPHY REGULATION Fourteen of Canada's leading cryptographers -- experts in the coding and decoding of messages -- have signed letters opposing government regulation of cryptography. The letters were delivered to the Task Force on Electronic Commerce today at a roundtable meeting on cryptography hosted by Industry Canada. The letters were written in response to a February 1998 Industry Canada report entitled "A Cryptography Policy Framework for Electronic Commerce", which listed possible scenarios for government regulation of cryptographic hardware and software. Dr. David Jones, president of Electronic Frontier Canada, a non-profit civil liberties group, delivered the letters this morning in Ottawa. "Cryptography is essential for the transition to a wired society," said Jones. "It is the key enabling technology that will allow Canadians to keep our personal information and communications private without fear of eavesdropping, as well as safeguard the security of our online transactions, without fear of fraud. If the government places restrictions on the use of cryptography, it would likely do more harm than good." The Industry Canada report suggests that, in deference to law enforcement and national security concerns, one policy option might be to ban cryptographic products that do not allow the government to listen in. But Canada's leading cryptographers claim such a ban would be infeasible. Dr. Charles Rackoff, professor of computer science at the University of Toronto and author of several fundamental papers on cryptography, stated that prohibition of such products "would be unenforceable in practice, since the basic mathematical methods are published and well known and can be easily implemented in software by any bright high-school student." Indeed, three of the signers, Dr. Scott Vanstone and Dr. Alfred J. Menezes of the University of Waterloo, and Dr. Paul C. van Oorschot of Entrust Technologies, have written and published a book entitled _Handbook of Applied Cryptography_ (CRC Press, 1997) that describes the mathematics of encryption in great detail. Canada's cryptographers also expressed concern that export controls on cryptographic products would adversely affect the fledgling Canadian cryptography industry. Additional restriction would "severely handicap Canadian products and technology as they compete in the global market for information security products," said Dr. Menezes. Dr. Jeffrey Shallit, Vice-President of Electronic Frontier Canada agreed: "Cryptographic software and hardware has the potential to be a billion-dollar industry. If Canada is to take part, it must ease its export restrictions, not strengthen them." Electronic Frontier Canada is a non-profit educational organization devoted to ensuring the rights and freedoms enshrined in the Charter of Rights and Freedoms are preserved as new computing and communications technologies emerge. The list of signers of the the letters follows. AFFILIATIONS ARE FOR IDENTIFICATION PURPOSES ONLY. Signers do not speak for the institutions that employ them, and the opinions of the signers do not necessarily reflect those of the employing institution. === Scott Vanstone, Ph. D., University of Waterloo (co-author, Handbook of Applied Cryptography, CRC Press, 1997) Charles Rackoff, Ph. D., University of Toronto rackoff@cs.toronto.edu Carlisle M. Adams, Ph. D., Entrust Technologies cadams@entrust.com Sharon Boeyen, Senior Consultant, Advanced Security Technology Group, Entrust Technologies Helmut Jurgensen, Ph. D., University of Western Ontario helmut@uwo.ca Alfred Menezes, Ph. D., University of Waterloo (co-author, Handbook of Applied Cryptography, CRC Press, 1997) ajmeneze@math.uwaterloo.ca Robert J. Zuccherato, Ph. D., Entrust Technologies Paul C. van Oorschot, Ph. D., Entrust Technologies (co-author, Handbook of Applied Cryptography, CRC Press, 1997) paulv@entrust.com Michael J. Wiener, Ph. D., Senior Cryptologist, Entrust Technologies wiener@entrust.com Howard Heys, Ph. D., Memorial University of Newfoundland howard@engr.mun.ca Hugh C. Williams, Ph. D., University of Manitoba Hugh_Williams@macmail.cs.umanitoba.ca Gordon Agnew, Ph. D., University of Waterloo gbagnew@crypto1.uwaterloo.ca Ian Goldberg, Researcher, Internet Security, Authentication, Applications, and Cryptography Research Group, University of California, Berkeley iang@cs.berkeley.edu Rob Lambert, Certicom Corporation rlambert@certicom.com - 30 - EFC Contact Information: Electronic Frontier Canada Dr. David Jones phone: (905) 525-9140 x24689 fax: (905) 546-9995 email: djones@efc.ca [Dr. Jones will be in Ottawa on Monday, April 20, and hence unavailable for comment.] Dr. Jeff Shallit phone: (519) 888-4804 fax: (519) 885-1208 email: shallit@efc.ca Dr. Richard Rosenberg phone: (604) 822-4142 fax: (604) 822-5485 email: rosen@efc.ca Electronic Frontier Canada, online archives: URL: http://www.efc.ca/ EFC Fax: (519) 745-0941 (if busy, call (519) 743-8754) ------------------------------ End of PRIVACY Forum Digest 07.08 ************************