The following document is from the PRIVACY Forum Archive at Vortex Technology, Woodland Hills, California, U.S.A. For direct web access to the PRIVACY Forum and PRIVACY Forum Radio, including detailed information, archives, keyword searching, and related facilities, please visit the PRIVACY Forum via the web URL: http://www.vortex.com

-----------------------------------------------------------------------

PRIVACY Forum Digest      Sunday, 7 February 1993      Volume 02 : Issue 05

Moderated by Lauren Weinstein (lauren@cv.vortex.com)
Vortex Technology, Topanga, CA, U.S.A.

===== PRIVACY FORUM =====

The PRIVACY Forum digest is supported in part by the ACM Committee on Computers and Public Policy.

CONTENTS
    New Law appealed (Rafael Fernandez Calvo)
    Revised Computer Crime Sent (Dave Banisar)
    Program for 1993 Security and Privacy Symposium (Ira Greenberg)

*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------

The PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@cv.vortex.com" and must have RELEVANT "Subject:" lines. Submissions without appropriate and relevant "Subject:" lines may be ignored. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@cv.vortex.com". Mailing list problems should be reported to "list-maint@cv.vortex.com".
All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "cv.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive.

For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX to (310) 455-2364.

-----------------------------------------------------------------------------

VOLUME 02, ISSUE 05

Quote for the day:

    "Don't let them turn back the clock! Save Standard Time!"

        --- From a Daylight Savings Time protest promo shown in Ohio theaters in the late 1950's.

----------------------------------------------------------------------

Date: Sun, 07 Feb 1993 21:19:15 EST
From: "Rafael Fernandez Calvo"
Subject: New Law appealed

CLI -- N E W S FROM S P A I N --- Feb. 7, 93
COMMISSION for LIBERTIES and INFORMATICS (*)

NEW PERSONAL DATA PROTECTION LAW APPEALED BY OMBUDSMAN
-----------------------------------------------------

Since Jan. 31, the Data Protection Law is in force in Spain. The law receives the official name of "Organic Law on Regulation of Automated Processing of Personal Data" and it's also known as LORTAD, according to its Spanish initials. The law had been approved by the Senate in October '92.

On Jan. 28, an appeal on several articles of the law was individually addressed to the Constitutional Court by the Ombudsman, the People's Party (the main opposition party, with a center-right orientation) and the Regional Parliament of Catalonia. All of them had received a request from CLI in that sense, along with a solid juridic report. CLI's request had also received strong support of other entities, such as other two major political parties and the two main trade unions.

Although, according to the Spanish legislation, an appeal does not prevent a law awaiting for a decision of the Constitutional Court to be applied (the Court takes usually a couple of years to settle an appeal), media have underlined that it is the first time an Organic Law is appealed by three entitled entities and have highlighted the role played by CLI in promoting the appeal and in increasing the awareness of the people about this sensitive topic.

The appeals regard articles that have to do with the two following weak points of the law, that CLI had been pointing out since the very beginning:

a) The bill gives excessive and uncontrolled power to Policy Forces over collection and computerization of highly sensitive data: ideology, religion, beliefs, racial origin, health and sexual orientation.

b) Computerized personal data records in the hands of all branches of Public Administrations are in many cases excluded from the rights (access, modification, cancellation) given to citizens with regard to the same kind of data in the hands of private companies.

In a Press Conference held in Madrid last week, CLI voiced its position about the law. It can be summarized as follows:

- The law does not fulfill the expectations arisen, although it is a step forward in comparison with the current situation of "allegality" that has been source of severe abuse against privacy for years.

- The best side of the law is the regulation of personal data files in the hands of companies and private entities. Citizens will have wide rights to access, modification and cancellation of this kind of records. Companies can be punished with fines up to 1 million dollars and blocking of the files involved.

- The Data Protection Agency that will watch over proper observance of the law will have scarce autonomy from the Government, that will nominate and dismiss its Director. CLI has advanced proposals for a Statute of the Agency in order to overcome, even partially, this danger.

- The new Penal Code being presently discussed by the Parliament should properly complement the Personal Data law when highly sensitive data are involved. CLI has advanced proposals in this sense to all the political parties represented in the Spanish Parliament.

Since (1) the Data Protection Agency has not been created yet, (2) the Regions will have to implement their own legislation --following the same approach as in Germany-- and (3) both Public Administrations and companies will have a period of a year to adapt themselves to the provisions of the law, CLI and its regional branches will closely monitor this interim period and, in conjunction with the Ombudsman, will try to respond to the requests of the citizens in the meanwhile.

To obtain more information about the law you can contact CLI (*)

* SOME WORDS ABOUT CLI

The --Commission for Liberties and Informatics, CLI-- is an independent and pluralistic organization that was officially constituted in April '91.

Its mission is to "promote the development and protection of citizens' rights, with special regards to privacy, against misuse of Information Technologies".

As of January '93, CLI is composed by ten organizations, with a joint membership of about 3,000,000 people. They cover a very wide spectrum of social interest groups: associations of computer professionals, judges, civil rights leagues, trade unions, consumers groups, the main association of direct marketing companies, etc.
CLI is confederated with similar bodies created in some other Spanish Regions such as Valencia, Basque Country and Catalonia, and has fluid working relationships with many public and private Data Protection bodies and entities all over the world, including CPSR, and Privacy International.

CLI has its headquarters in:

    Padilla 66, 3 dcha.
    E-28006 Madrid, Spain

    Phone: (34-1) 402 9391
    Fax: (34-1) 309 3685
    E-mail: rfcalvo@guest2.atimdr.es

------------------------------

Date: Sat, 30 Jan 1993 15:12:11 EST
From: Dave Banisar
Subject: Revised Computer Crime Sent

From Jack King (gjk@well.sf.ca.us)

The U.S. Dept. of Justice has asked the U.S. Sentencing Commission to promulgate a new federal sentencing guideline, Sec. 2F2.1, specifically addressing the Computer Fraud and Abuse Act of 1988 (18 USC 1030), with a base offense level of 6 and enhancements of 4 to 6 levels for violations of specific provisions of the statute. The new guideline practically guarantees some period of confinement, even for first offenders who plead guilty.

For example, the guideline would provide that if the defendant obtained ``protected'' information (defined as ``private information, non-public government information, or proprietary commercial information), the offense level would be increased by two; if the defendant disclosed protected information to any person, the offense level would be increased by four levels, and if the defendant distributed the information by means of ``a general distribution system,'' the offense level would go up six levels.
The proposed commentary explains that a ``general distribution system'' includes ``electronic bulletin board and voice mail systems, newsletters and other publications, and any other form of group dissemination, by any means.''

So, in effect, a person who obtains information from the computer of another, and gives that information to another gets a base offense level of 10; if he used a 'zine or BBS to disseminate it, he would get a base offense level of 12. The federal guidelines prescribe 6-12 months in jail for a first offender with an offense level of 10, and 10-16 months for same with an offense level of 12. Pleading guilty can get the base offense level down by two levels; probation would then be an option for the first offender with an offense level of 10 (reduced to 8). But remember: there is no more federal parole. The time a defendant gets is the time s/he serves (minus a couple days a month "good time").

If, however, the offense caused an economic loss, the offense level would be increased according to the general fraud table (Sec. 2F1.1). The proposed commentary explains that computer offenses often cause intangible harms, such as individual privacy rights or by impairing computer operations, property values not readily translatable to the general fraud table.

The proposed commentary also suggests that if the defendant has a prior conviction for ``similar misconduct that is not adequately reflected in the criminal history score, an upward departure may be warranted.'' An upward departure may also be warranted, DOJ suggests, if ``the defendant's conduct has affected or was likely to affect public service or confidence'' in ``public interests'' such as common carriers, utilities, and institutions.

Based on the way U.S. Attorneys and their computer experts have guesstimated economic "losses" in a few prior cases, a convicted tamperer can get whacked with a couple of years in the slammer, a whopping fine, full "restitution" and one to two years of supervised release (which is like going to a parole officer). (Actually, it *is* going to a parole officer, because although there is no more federal parole, they didn't get rid of all those parole officers. They have them supervise convicts' return to society.)

This, and other proposed sentencing guidelines, can be found at 57 Fed Reg 62832-62857 (Dec. 31, 1992).

The U.S. Sentencing Commission wants to hear from YOU. Write: U.S. Sentencing Commission, One Columbus Circle, N.E., Suite 2-500, Washington DC 20002-8002, Attention: Public Information. Comments must be received by March 15, 1993.

* * *

Actual text of relevant amendments:

UNITED STATES SENTENCING COMMISSION

AGENCY: United States Sentencing Commission.

57 FR 62832
December 31, 1992

Sentencing Guidelines for United States Courts

ACTION: Notice of proposed amendments to sentencing guidelines, policy statements, and commentary. Request for public comment. Notice of hearing.

SUMMARY: The Commission is considering promulgating certain amendments to the sentencing guidelines, policy statements, and commentary. The proposed amendments and a synopsis of issues to be addressed are set forth below. The Commission may report amendments to the Congress on or before May 1, 1993. Comment is sought on all proposals, alternative proposals, and any other aspect of the sentencing guidelines, policy statements, and commentary.

DATES: The Commission has scheduled a public hearing on these proposed amendments for March 22, 1993, at 9:30 a.m. at the Ceremonial Courtroom, United States Courthouse, 3d and Constitution Avenue, NW., Washington, DC 20001. Anyone wishing to testify at this public hearing should notify Michael Courlander, Public Information Specialist, at (202) 273-4590 by March 1, 1993.
Public comment, as well as written testimony for the hearing, should be received by the Commission no later than March 15, 1993, in order to be considered by the Commission in the promulgation of amendments due to the Congress by May 1, 1993.

ADDRESSES: Public comment should be sent to: United States Sentencing Commission, One Columbus Circle, NE., suite 2-500, South Lobby, Washington, DC 20002-8002, Attention: Public Information.

FOR FURTHER INFORMATION CONTACT: Michael Courlander, Public Information Specialist, Telephone: (202) 273-4590.

* * *

59. Synopsis of Amendment: This amendment creates a new guideline applicable to violations of the Computer Fraud and Abuse Act of 1988 (18 U.S.C. 1030). Violations of this statute are currently subject to the fraud guidelines at S. 2F1.1, which rely heavily on the dollar amount of loss caused to the victim. Computer offenses, however, commonly protect against harms that cannot be adequately quantified by examining dollar losses. Illegal access to consumer credit reports, for example, which may have little monetary value, nevertheless can represent a serious intrusion into privacy interests. Illegal intrusions in the computers which control telephone systems may disrupt normal telephone service and present hazards to emergency systems, neither of which are readily quantifiable. This amendment proposes a new Section 2F2.1, which provides sentencing guidelines particularly designed for this unique and rapidly developing area of the law.

Proposed Amendment: Part F is amended by inserting the following section, numbered S. 2F2.1, and captioned "Computer Fraud and Abuse," immediately following Section 2F1.2:

"S. 2F2.1. Computer Fraud and Abuse

(a) Base Offense Level: 6

(b) Specific Offense Characteristics

    (1) Reliability of data. If the defendant altered information, increase by 2 levels; if the defendant altered protected information, or public records filed or maintained under law or regulation, increase by 6 levels.
    (2) Confidentiality of data. If the defendant obtained protected information, increase by 2 levels; if the defendant disclosed protected information to any person, increase by 4 levels; if the defendant disclosed protected information to the public by means of a general distribution system, increase by 6 levels.

    Provided that the cumulative adjustments from (1) and (2), shall not exceed 8.

    (3) If the offense caused or was likely to cause
        (A) interference with the administration of justice (civil or criminal) or harm to any person's health or safety, or
        (B) interference with any facility (public or private) or communications network that serves the public health or safety,
    increase by 6 levels.

    (4) If the offense caused economic loss, increase the offense level according to the tables in S. 2F1.1 (Fraud and Deceit). In using those tables, include the following:
        (A) Costs of system recovery, and
        (B) Consequential losses from trafficking in passwords.

    (5) If an offense was committed for the purpose of malicious destruction or damage, increase by 4 levels.

(c) Cross References

    (1) If the offense is also covered by another offense guideline section, apply that offense guideline section if the resulting level is greater. Other guidelines that may cover the same conduct include, for example:

        for 18 U.S.C. 1030(a)(1), S. 2M3.2 (Gathering National Defense Information);

        for 18 U.S.C. 1030(a)(3), S. 2B1.1 (Larceny, Embezzlement, and Other Forms of Theft), S. 2B1.2 (Receiving, Transporting, Transferring, Transmitting, or Possessing Stolen Property), and S. 2H3.1 (Interception of Communications or Eavesdropping);

        for 18 U.S.C. 1030(a)(4), S. 2F1.1 (Fraud and Deceit), and S. 2B1.1 (Larceny, Embezzlement, and Other Forms of Theft);

        for 18 U.S.C. S. 1030(a)(5), S. 2H2.1 (Obstructing an Election or Registration), S. 2J1.2 (Obstruction of Justice), and S. 2B3.2 (Extortion); and

        for 18 U.S.C. S. 1030(a)(6), S. 2F1.1 (Fraud and Deceit) and S. 2B1.1 (Larceny, Embezzlement, and Other Forms of Theft).

Commentary

Statutory Provisions: 18 U.S.C. 1030(a)(1)-(a)(6)

Application Notes:

1. This guideline is necessary because computer offenses often harm intangible values, such as privacy rights or the unimpaired operation of networks, more than the kinds of property values which the general fraud table measures. See S. 2F1.1, Note 10. If the defendant was previously convicted of similar misconduct that is not adequately reflected in the criminal history score, an upward departure may be warranted.

2. The harms expressed in paragraph (b)(1) pertain to the reliability and integrity of data; those in (b)(2) concern the confidentiality and privacy of data. Although some crimes will cause both harms, it is possible to cause either one alone. Clearly a defendant can obtain or distribute protected information without altering it. And by launching a virus, a defendant may alter or destroy data without ever obtaining it. For this reason, the harms are listed separately and are meant to be cumulative.

3. The terms "information," "records," and "data" are interchangeable.

4. The term "protected information" means private information, non-public government information, or proprietary commercial information.

5. The term "private information" means confidential information (including medical, financial, educational, employment, legal, and tax information) maintained under law, regulation, or other duty (whether held by public agencies or privately) regarding the history or status of any person, business, corporation, or other organization.

6. The term "non-public government information" means unclassified information which was maintained by any government agency, contractor or agent; which had not been released to the public; and which was related to military operations or readiness, foreign relations or intelligence, or law enforcement investigations or operations.

7. The term "proprietary commercial information" means non-public business information, including information which is sensitive, confidential, restricted, trade secret, or otherwise not meant for public distribution. If the proprietary information has an ascertainable value, apply paragraph (b) (4) to the economic loss rather than (b) (1) and (2), if the resulting offense level is greater.

8. Public records protected under paragraph (b) (1) must be filed or maintained under a law or regulation of the federal government, a state or territory, or any of their political subdivisions.

9. The term "altered" covers all changes to data, whether the defendant added, deleted, amended, or destroyed any or all of it.

10. A "general distribution system" includes electronic bulletin board and voice mail systems, newsletters and other publications, and any other form of group dissemination, by any means.

11. The term "malicious destruction or damage" includes injury to business and personal reputations.

12. Costs of system recovery: Include the costs accrued by the victim in identifying and tracking the defendant, ascertaining the damage, and restoring the system or data to its original condition. In computing these costs, include material and personnel costs, as well as losses incurred from interruptions of service. If several people obtained unauthorized access to any system during the same period, each defendant is responsible for the full amount of recovery or repair loss, minus any costs which are clearly attributable only to acts of other individuals.

13. Consequential losses from trafficking in passwords: A defendant who trafficked in passwords by using or maintaining a general distribution system is responsible for all economic losses that resulted from the use of the password after the date of his or her first general distribution, minus any specific amounts which are clearly attributable only to acts of other individuals.
The term "passwords" includes any form of personalized access identification, such as user codes or names.

14. If the defendant's acts harmed public interests not adequately reflected in these guidelines, an upward departure may be warranted. Examples include interference with common carriers, utilities, and institutions (such as educational, governmental, or financial institutions), whenever the defendant's conduct has affected or was likely to affect public service or confidence".

* * *

------------------------------

Date: Wed, 3 Feb 93 13:30:02 -0800
From: Ira Greenberg
Subject: program for 1993 Security and Privacy Symposium

1993 IEEE SYMPOSIUM ON RESEARCH IN SECURITY AND PRIVACY

May 24-26, 1993
Claremont Resort, Oakland, California

Sponsored by the IEEE Technical Committee on Security and Privacy
In cooperation with the International Association of Cryptologic Research

Symposium Committee
    Teresa Lunt, General Chair
    Cristi Garvey, Vice Chair
    Richard A. Kemmerer, Program Co-Chair
    John Rushby, Program Co-Chair

PRELIMINARY PROGRAM

MONDAY

9:00--9:30: Welcoming Remarks: Teresa Lunt and Dick Kemmerer

9:30--10:30: VIRUSES AND INTRUSION DETECTION
    Doug McIlroy, Session Chair

    9:30--10:00: Measuring and Modeling Computer Virus Prevalence
        Jeffrey Kephart and Steve White
    10:00--10:30: USTAT: A Real-Time Intrusion Detection System for UNIX
        Koral Ilgun

10:30---11:00: BREAK

11:00--12:00: CAUSALITY AND INTEGRITY:
    George Dinolt, Session Chair

    11:00--11:30: Preventing Denial and Forgery of Causal Relationships in Distributed Systems
        Michael Reiter and Li Gong
    11:30--12:00: Message Integrity Design
        Stuart Stubblebine and Virgil Gligor

12:00--2:00: LUNCH

2:00--3:30: PANEL: Privacy Enhanced Mail
    Panelists: TO BE ANNOUNCED

3:30--4:00: BREAK

4:00--5:00: AUTHENTICATION PROTOCOLS:
    Teresa Lunt, Session Chair

    4:00--4:30 Authentication Method with Impersonal Token Cards
        Refik Molva and Gene Tsudik
    4:30--5:00: Interconnecting Domains with Heterogeneous Key Distribution and Authentication Protocols
        Frank Piessens, Bart DeDecker and Phil Janson

6:00: POSTER SESSIONS

TUESDAY

9:00--10:30: TIMING CHANNELS:
    John Rushby, Session Chair

    9:00-- 9:30: Modelling a Fuzzy Time System
        Jonathan Trostle
    9:30--10:00: On Introducing Noise into the Bus-Contention Channel
        James Gray
    10:00--10:15: Discussant: TO BE ANNOUNCED
    10:15--10:30: Open Discussion

10:30--11:00: BREAK

11:00--12:00: INFORMATION FLOW:
    John McLean, Session Chair

    11:00--11:30 A Logical Analysis of Authorized and Prohibited Information Flows
        Frederic Cuppens
    11:30--12:00 The Cascade Vulnerability Problem
        J. Horton, R. Harland, E. Ashby, R. Cooper, W. Hyslop, B. Nickerson, W. Stewart, and K. Ward

12:00--2:00: LUNCH

2:00--3:30: PANEL: The Federal Criteria
    Panelists: TO BE ANNOUNCED

3:30--4:00: BREAK

4:00--5:00: DATABASE SECURITY:
    Marv Schaefer, Session Chair

    4:00--4:30: A Model of Atomicity for Multilevel Transactions
        Barbara Blaustein, Sushil Jajodia, Catherine McCollum and LouAnna Notargiacomo
    4:30--5:00: Achieving Stricter Correctness Requirements in Multilevel Secure Database
        Vijayalakshmi Atluri, Elisa Bertino and Sushil Jajodia

5:00: TC MEETING

6:00: POSTER SESSIONS

WEDNESDAY

9:00--10:30: ANALYSIS OF CRYPTOGRAPHIC PROTOCOLS:
    Yacov Yacobi, Session Chair

    9:00-- 9:30: Trust Relationships in Secure Systems -- A Distributed Authentication Perspective
        Raphael Yahalom, Birgit Klein and Thomas Beth
    9:30--10:00: A Logical Language for Specifying Cryptographic Protocol Requirements
        Paul Syverson and Catherine Meadows
    10:00--10:30: A Semantic Model for Authentication Protocols
        Thomas Woo and Simon Lam

10:30--11:00: BREAK

11:00--12:00: SYSTEMS:
    Virgil Gligor, Session Chair

    11:00--11:30: Detection and Elimination of Inference Channels in Multilevel Relational Database Systems
        X. Qian, M. Stickel, P. Karp, T. Lunt and T. Garvey
    11:30---12:00 Assuring Distributed Trusted Mach
        Todd Fine

12:00: SYMPOSIUM ADJOURN

-------------------------------------------------------------------

Symposium Registration: Dates strictly enforced by postmark.

    Advance Member (to 4/12/93)      $240*
    Late Member (4/13/93-4/30/93)    $290*
    *Registration must include IEEE number to qualify.

    Advance Non-Member               $300
    Late Non-Member                  $370

    Advance Student                  $50
    Late Student                     $50

Mail registration to:

    Cristi Garvey
    R2/2104
    TRW Defense Systems Group
    One Space Park
    Redondo Beach, CA 90278
    (310) 812-0566

NO REGISTRATIONS BY EMAIL

------------------------------

End of PRIVACY Forum Digest 02.05
************************