The following document is from the PRIVACY Forum Archive at Vortex Technology, Woodland Hills, California, U.S.A. For direct web access to the PRIVACY Forum and PRIVACY Forum Radio, including detailed information, archives, keyword searching, and related facilities, please visit the PRIVACY Forum via the web URL: http://www.vortex.com ----------------------------------------------------------------------- PRIVACY Forum Digest Friday, 20 November 1992 Volume 01 : Issue 26 Moderated by Lauren Weinstein (lauren@cv.vortex.com) Vortex Technology, Topanga, CA, U.S.A. ===== PRIVACY FORUM ===== The PRIVACY Forum digest is supported in part by the ACM Committee on Computers and Public Policy. CONTENTS Re: Wire Taps, Key Management, and Privacy (Dorothy Denning) SURVEY RESULTS: Is Big Brother Watching You? (Lorrayne Schaefer) *** Please include a RELEVANT "Subject:" line on all submissions! *** *** Submissions without them may be ignored! *** ----------------------------------------------------------------------------- The PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged. ALL submissions should be addressed to "privacy@cv.vortex.com" and must have RELEVANT "Subject:" lines. Submissions without appropriate and relevant "Subject:" lines may be ignored. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@cv.vortex.com". Mailing list problems should be reported to "list-maint@cv.vortex.com". All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations. The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "cv.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX to (310) 455-2364. ----------------------------------------------------------------------------- VOLUME 01, ISSUE 26 Quote for the day: Psychiatrist: "Tell me Harold, what do you do for fun? What activity gives you a different sense of enjoyment from the others? What do you find fulfilling? What gives you that special satisfaction?" Harold: "I go to funerals." -- G. Wood and Bud Cort "Harold and Maude" (1972) ---------------------------------------------------------------------- Date: Thu, 19 Nov 92 17:57:01 EST From: denning@cs.georgetown.edu (Dorothy Denning ) Subject: Re: Wire Taps, Key Management, and Privacy In PRIVACY Forum Digest V01 #25, Brinton Cooper writes: In RISKS DIGEST 13.87, Dorothy Denning .. spoke of the high costs of lawful surveillance and asserted, "Much of this is related to organized crime," perhaps a scare tactic? Actually the majority of taps goes to narcotics investigations. After that comes racketeering and gambling. According to the FBI, the hierarchy of Organized Crime has been neutralized or destabilized through the use of electronic surveillance, and thirty odd years of successes would be reversed if the ability to conduct court-authorized electronic surveillance was lost. I believe this represents an honest assessment of what they see would happen. Her solution involves nongovernmental "key centers" which, presumably, would not give out keys to anyone without a properly executed court order. By way of context, I'm looking for a way to balance our national interests for privacy and security with those for effective law enforcement. This is one idea I proposed. I am not pushing it as "the solution". In any case, the idea was for users to register their keys with a trustee (key center). Or, using a technique invented by Silvio Micali, you could split your key into parts and register each part with a different trustee. Law enforcement would have to take a court order to each trustee in order to get the pieces and reconstruct the key. She cites that the "...phone companies are so fussy about court orders that they send them back if the semicolons aren't right...," apparently believing that the rights of the citizens are thereby protected. For the following reasons, this is a politically naive position. 1. It provides that our right to protection from illegal governmental search and seizure and/or illegal eavesdropping rests on the good will and integrity of a phone company! Your statement does not follow from what I said. I said the phone companies are fussy. I know of no cases where the phone companies assisted with unauthorized taps. If you do, please cite. They could go out of business if they didn't respect the rights of their customers. Even so, your right to protection does not rest entirely on the phone company. Title 18 makes tapping without a court order illegal. Crypto will make it much more difficult for anyone to tap illegally. If the keys are registered with a trustee other than the phone company, someone would have to subvert both the trustee and the phone company (to get the bits). 3. Court orders, search warrants, and the like protect citizens only when the information or evidence gathered is to be used in court against a suspect. If information is being gathered for political purposes, blackmail, or other subversion of law (Watergate, Iran-Contra, the Italian bank scandal, etc), the purloined information will never see a public forum but can still do great harm to innocent persons. Thus, the constraints of court orders are obviated. I expect that most of this information is not being obtained by wiretapping. It is popular to suggest it is and difficult to refute. If someone in law enforcement is found to be tapping without a court order, they could be convicted of violating Title 18. But in any case, it will be very difficult for LE to intercept without a court order with the new digital technologies and crypto. The FBI needs to fund its own R&D from its own budget, just as the rest of the government at all levels must do. There is talent that can "red team" modern telecommunications and find trapdoors when necessary. Are you suggesting that it would be better for the FBI to break the cryptosystems than go through a trustee with a court order? Dorothy Denning ------------------------------ Date: Fri, 13 Nov 92 09:16:56 EST From: lorrayne@smiley.mitre.org Subject: SURVEY RESULTS: Is Big Brother Watching You? [ These results refer to a survey originally seen here in the PRIVACY Forum on Monday, 6 July 1992 (Volume 01 : Issue 07). The survey size was reported as 100 people. The original survey introduction is included below. -- MODERATOR ] --- The purpose of this survey is to collect data for a presentation that I will give at this year's National Computer Security Conference in October. I would like to thank you for taking the time to fill out this survey. If you have any questions, you can call me at 703-883-5301 or send me email at lorrayne@smiley.mitre.org. Please send your completed survey to: Lorrayne Schaefer The MITRE Corporation M/S Z213 7525 Colshire Drive McLean, VA 22102 1. What is your title? Engineer 31% Manager 14% Computer Scientist 25% Systems Administrator 10% Administrator 4% Student 10% Not Provided 2% Professor 3% Author 1% 2. What type of work does your organization do? Education 24% Software Development 19% Hardware Development 15% Research 11% Not Provided 6% Other 8% Government 6% System Administration 2% Telephone 5% System Development 2% Network Development 2% 3. Does your organization currently monitor computer activity? (Yes/No) Yes 67% No 32% Unknown 1% If yes, what type of monitoring does your company do (e.g., electronic mail, bulletin boards, telephone, system activity, network activity)? All 16% System Activity 17% Bulletin Boards 4% Network Activity & Other 12% Other 3% Telephone Usage 7% E-mail 2% System & Network Activity 5% Unknown 1% N/A 1% 4. If you are considering (or are currently) using a monitoring tool, what exactly would you monitor? How would you protect this information? System Usage 17% N/A 43% Accounting 5% Nothing 11% Everything 4% Network Traffic 10% Don't Know 3% Other 2% Bulletin Board 1% Security 3% E-mail 1% 5. Are you for or against monitoring? Why/why not? Think in terms of whether it is ethical or unethical ("ethical" meaning that it is right and "unethical" meaning it is wrong) for an employer to monitor an employee's computer usage. In your response, consider that the employee is allowed by the company to use the computer and the company currently monitors computer activity. Against 52% For 47% N/A 1% 6. If your company monitors employees, is it clearly defined in your company policy? N/A 35% No 34% Yes 31% 7. In your opinion, does the employee have rights in terms of being monitored? Yes 90% No 8% Don't Know 2% 8. In your opinion, does the company have rights to protect its as sets by using a form of monitoring tool? Yes 91% No 6% Don't Know 3% 9. If you are being monitored, do you take offense? Managers: How do you handle situations in which the employee takes offense at being monitored? No 42% Yes 36% N/A 22% 10. What measures does your company use to prevent misuse of monitoring in the workplace? None 36% Don't Know 17% N/A 22% Policy 6% Control of Information 4% Security 6% Honor System 4% Warnings 3% Other 2% 11. If an employee is caught abusing the monitoring tool, what would happen to that individual? If your company is not using any form of monitoring, what do you think should happen to an individual who abused the tool? Reprimand 64% Don't Know 17% N/A 10% Termination 5% Nothing 4% 12. Is it unethical to monitor electronic mail to determine if the employee is not abusing this company resource (e.g., suppose the employee sends personal notes via a network to others that are not work related)? Why or why not? No 49% Yes 49% N/A 2% ------------------------------ End of PRIVACY Forum Digest 01.26 ************************