Computer Privacy Digest V2#040

Date:       Fri, 07 May 93 16:22:34 EST
Errors-To:  Comp-privacy Error Handler <comp-privacy-request@PICA.ARMY.MIL>
From:       Computer Privacy Digest Moderator  <comp-privacy@PICA.ARMY.MIL>
To:         Comp-privacy@PICA.ARMY.MIL
Subject:    Computer Privacy Digest V2#040

Computer Privacy Digest Fri, 07 May 93              Volume 2 : Issue: 040

Today's Topics: Moderator: Dennis G. Rears

                        Virginia Voters and SSNs
                               I won one!
               driver's license for jurors (was: Re: SSN)
                 privacy vs banks (was: Re: I won one!)
                 stories about SSN misuse (e-mail only)
                       New NIST/NSA Revelations
                               DMV Records

   The Computer Privacy Digest is a forum for discussion on the
  effect of technology on privacy.  The digest is moderated and
  gatewayed into the USENET newsgroup comp.society.privacy
  (Moderated).  Submissions should be sent to
  comp-privacy@pica.army.mil and administrative requests to
  comp-privacy-request@pica.army.mil.
   Back issues are available via anonymous ftp on ftp.pica.army.mil
  [129.139.160.133].
----------------------------------------------------------------------

From: Craig Wagner <Craig.Wagner@p2.f120.n109.z1.fidonet.org>
Date: Wed, 28 Apr 1993 12:00:38 -0500
Subject: Virginia Voters and SSNs

A while back, some interest was shown in a court ruling against the
Commonwealth of Virginia's combined constitutional (if I recall
correctly) requirement of the use of a SSN to register to vote and
legislated policy of making such lists, along with the SSN, available
to the general public.

A week or two ago, while voting in a special election in Arlington,
Virginia, I noticed a list of voters, with their SSNs, posted on a wall
in the polling place.  I wrote to the Board of Voter Registration the
next day to express my concern.  Their reply, which may be of interest
to others here, was as follows:


"Thank you for your letter of April 21.  The list you saw on the wall
was the list of those purged for not voting in a four year period.  The
Code of Virginia requires that this list be posted in each precinct at
each election.

"The Fourth Circuit Court recently reversed the Federal District Court
with its unanimous decision in the social security case of Greidinger
v. Davis, and remanded the case to the District Court in order to give
the Commonwealth the responsibility to either delete their requirement
that a social security number be provided for voter registration or to
eliminate the use of the social security number in records open to
public inspection and those provided to eligible recipients pursuant to
Section 24.1-23 (8) of the Code of Virginia.

"The State Board of Elections has advised all electoral boards and
registrars that this does not have the effect of changing the
procedures we are mandated to follow at this time.*  The State Board of
Elections, the Court, and the Attorney General are reviewing our
current registration and election procedures to eliminate the public
display of social security numbers.  They will notify us as soon as
possible as to any action and decisions they make.

"Therefore, you may be assured that your number will not appear on such
a list in future elections.

"If you have any questions, please give me a call.

"Sincerely yours,

(name omitted)
General Registrar"

* the three words preceding this asterisk were in Bold typeface.

------------------------------

From: Henry Mensch <henry@ads.com>
Date: Fri, 30 Apr 93 13:47:14 -0700
Subject: I won one!

   Date: Thu, 29 Apr 93 00:08:23 GMT
   From: Bear Giles <bear@eagle.fsl.noaa.gov>

   1. The _very_ first thing the rep did was call a telephone number to
      "verify" my SSN.  Said verification was nothing more than verifying
      that SSN had actually been assigned to a person (I don't recall if
      she read my name or not), but a completely bogus SSN will _not_ work.

not true.  the number she calls connects to a service which banks
subscribe to ... they report all their "bad" banking relationships to
the service, and if your number turns up bad then they give you a slip
which tells you why they will decline your business.

# henry mensch / booz, allen & hamilton, inc.  / <henry@ads.com>
# "fight the real enemy."  -- sinead o'connor, and many others.

------------------------------

From: Jonathan Thornburg <jonathan@hermes.chpc.utexas.edu>
Subject: driver's license for jurors (was: Re: SSN)
Organization: U of Texas at Austin / Physics Dept / Center for Relativity
Date: Sat, 1 May 93 05:03:57 GMT

In article <comp-privacy2.39.6@pica.army.mil> Charles Mattair <mattair@synercom.hounix.org> writes:
| Texas has just started using DLs instead of voter registration rolls (there
| was a perception many people were not registering to avoid jury duty :-( ).
|
| The result has been, shall we say, a very mixed success.  On the positive
| side, the pool of potential jurors is definitely up.  Other positives
| include - actually, the courts and the DA say that's it.  Negatives are:
| much higher rate of no-shows; lower average level of educational attainment;
| lower socio-economic status (that is, much higher percentage of un/under
| employed); much higher percentage of undocumented workers and non-English
| speakers; jurors who serve but really don't participate in the process; in
| general, a lower quality juror pool.

I was under the impression that few of these "negatives" were
constitutional grounds for disqualifying prospective jurors.  Let's
see... perhaps we should only allow prison inmates to serve as jurors,
since that way we could really cut the rate of no-shows?  Other than
not being a US citizen, it seems to me that *none* of the other
"negatives" you mention are relevant -- not being poor, not being less
educated, not not speaking English, and not being unenthusiastic.
Indeed, in order for a jury system to be in any sense fair, it *must*
include a representative fraction of people who *are* poor, less
educated, don't speak English, etc.

It must also include a representative fraction of people who don't have
driver's licenses, but the Texas "motor voter" law merely *adds* the
driver's license list to the other existing lists they already use, so
that's not a problem.


- Jonathan Thornburg (temporarily living in Texas, but not a USA citizen)
  <jonathan@einstein.ph.utexas.edu> or <jonathan@hermes.chpc.utexas.edu>
  [until 31/Aug/93] U of Texas at Austin / Physics Dept / Center for Relativity
  [thereafter] U of British Columbia / {Astronomy,Physics}
  "One million Americans have two homes; four million Americans have no homes."

------------------------------

From: Jonathan Thornburg <jonathan@hermes.chpc.utexas.edu>
Subject: privacy vs banks (was: Re: I won one!)
Organization: U of Texas at Austin / Physics Dept / Center for Relativity
Date: Sat, 1 May 93 05:13:03 GMT

In article <comp-privacy2.39.7@pica.army.mil> Bear Giles <bear@eagle.fsl.noaa.gov> writes:
>I just opened a new checking and savings account (since my former bank
>forgot who hired whom) and several interesting things happened:
>
>The bad news:
>
>1. The _very_ first thing the rep did was call a telephone number to
>   "verify" my SSN.  Said verification was nothing more than verifying
>   that SSN had actually been assigned to a person (I don't recall if
>   she read my name or not), but a completely bogus SSN will _not_ work.
>
>   (I hadn't been paying attention because I thought she was verifying
>   my driver's license).
>
>2. I asked about this and she said the bank _requires_ SSNs for any
>   account.  If I went in with $1000 in cash and tried to open a
>   savings account, agreeing that 33% of all interest will be paid
>   to the IRS (and 5% to Colorado) to cover any possible income tax,
>   _they would refuse my business_.

Indeed, they're required by law to get an SSN any time they pay interest.
This is so they can report the interest to the IRS, who can in turn
cross-match this with your tax return to make sure you report that
interest as income.

Note, however, that most financial institutions will, if you ask them,
agree to use something other than your SSN for your account number,
so it's at least not printed on all your cheques...


>3. After providing my legal name, I asked if the records could be marked
>   a/k/a for my use-name.  After a bit of hemming and hawing (since I
>   don't have court documents to force them to do this) they agreed to
>   accept both names _and_ to print my use-name on the checks.  My previous
>   bank insisted on court papers, but it was an existing account when
>   I inquired.

You're under no obligation to get your cheques through your financial
institution.  In particular, I don't believe there's any law against
your obtaining cheques printed with your account number and the name
"Bill Clinton".  Whether or not your financial institution will honor
them, of course, is up to them...


>4. When I handed over my standard "a condition of me doing business with
>   you is _no_ _mailing_ _lists_" letter she said that the Bank did not
>   release the names of its customers [ ... ]

And you *believed* her?


>I had also been told (when investigating banks) that I would be asked for
>a 4-digit identifying number -- they don't use readily available information
>like SSNs for checkcodes.  I wasn't asked today, but this may be because
>this rep had recently started.

I think you're thinking of a PIN for an ATM card.  You only specify
this if/when you apply for such a card.


- Jonathan Thornburg
  <jonathan@einstein.ph.utexas.edu> or <jonathan@hermes.chpc.utexas.edu>
  [until 31/Aug/93] U of Texas at Austin / Physics Dept / Center for Relativity
  [thereafter] U of British Columbia / {Astronomy,Physics}
  "One million Americans have two homes; four million Americans have no homes."

------------------------------

From: noah@cs.washington.edu (Rick Noah Zucker)
Subject: stories about SSN misuse (e-mail only)
Organization: Computer Science & Engineering, U. of Washington, Seattle
Date: Wed, 5 May 93 16:57:17 GMT

I just started a new job (not at the University of
Washington).  I recently received ID cards for the company's
medical plan and saw that my social security number was on these cards,
and they must be presented at places like doctor's offices and
pharmacies.  When I do try to explain to the company about why having
SSN on these cards is bad (group and employee number would be unique),
I would like to show them some examples of the dangers.  So, is there a
good source of stories about misuse of SSNs (book, easily found
magazine or on-line)?  You can send me your own too.  We all know about
these problems, so there is no need to post.

Rick Noah Zucker
noah@cs.washington.edu

------------------------------

Organization: CPSR Civil Liberties and Computing Project
From: Dave Banisar <banisar@washofc.cpsr.org>
Date: Thu, 6 May 1993 19:31:55 EST   
Subject: New NIST/NSA Revelations

  New NIST/NSA Revelations


        Less than three weeks after the White House announced a
controversial initiative to secure the nation's electronic
communications with government-approved cryptography, newly
released documents raise serious questions about the process that
gave rise to the administration's proposal.  The documents,
released by the National Institute of Standards and Technology
(NIST) in response to a Freedom of Information Act lawsuit,
suggest that the super-secret National Security Agency (NSA)
dominates the process of establishing security standards for
civilian computer systems in contravention of the intent of
legislation Congress enacted in 1987.

        The released material concerns the development of the
Digital Signature Standard (DSS), a cryptographic method for
authenticating the identity of the sender of an electronic
communication and for authenticating the integrity of the data in
that communication.  NIST publicly proposed the DSS in August 1991
and initially made no mention of any NSA role in developing the
standard, which was intended for use in unclassified, civilian
communications systems.  NIST finally conceded that NSA had, in
fact, developed the technology after Computer Professionals for
Social Responsibility (CPSR) filed suit against the agency for
withholding relevant documents.  The proposed DSS was widely
criticized within the computer industry for its perceived weak
security and inferiority to an existing authentication technology
known as the RSA algorithm.  Many observers have speculated that
the RSA technique was disfavored by NSA because it was, in fact,
more secure than the NSA-proposed algorithm and because the RSA
technique could also be used to encrypt data very securely.

        The newly-disclosed documents -- released in heavily censored
form at the insistence of NSA -- suggest that NSA was not merely
involved in the development process, but dominated it.  NIST and
NSA worked together on the DSS through an intra-agency Technical
Working Group (TWG).  The documents suggest that the NIST-NSA
relationship was contentious, with NSA insisting upon secrecy
throughout the deliberations.  A NIST report dated January 31,
1990, states that

     The members of the TWG acknowledged that the efforts
     expended to date in the determination of a public key
     algorithm which would be publicly known have not been
     successful.  It's increasingly evident that it is
     difficult, if not impossible, to reconcile the concerns
     and requirements of NSA, NIST and the general public
     through using this approach.

        The civilian agency's frustration is also apparent in a July
21, 1990, memo from the NIST members of the TWG to NIST director
John W. Lyons.  The memo suggests that "national security"
concerns hampered efforts to develop a standard:

     THE NIST/NSA Technical Working Group (TWG) has held 18
     meetings over the past 13 months.  A part of every
     meeting has focused on the NIST intent to develop a
     Public Key Standard Algorithm Standard.  We are
     convinced that the TWG process has reached a point where
     continuing discussions of the public key issue will
     yield only marginal results.  Simply stated, we believe
     that over the past 13 months we have explored the
     technical and national security equity issues to the
     point where a decision is required on the future
     direction of digital signature standards.

An October 19, 1990, NIST memo discussing possible patent issues
surrounding DSS noted that those questions would need to be
addressed "if we ever get our NSA problem settled."

        Although much of the material remains classified and withheld
from disclosure, the "NSA problem" was apparently the intelligence
agency's demand that perceived "national security" considerations
take precedence in the development of the DSS.  From the outset,
NSA cloaked the deliberations in secrecy.  For instance, at the
March 22, 1990, meeting of the TWG, NSA representatives presented
NIST with NSA's classified proposal for a DSS algorithm.  NIST's
report of the meeting notes that

     The second document, classified TOP SECRET CODEWORD, was
     a position paper which discussed reasons for the
     selection of the algorithms identified in the first
     document.  This document is available at NSA for review
     by properly cleared senior NIST officials.

In other words, NSA presented highly classified material to NIST
justifying NSA's selection of the proposed algorithm -- an
algorithm intended to protect and authenticate unclassified
information in civilian computer systems.  The material was so
highly classified that "properly cleared senior NIST officials"
were required to view the material at NSA's facilities.

        These disclosures are disturbing for two reasons.  First, the
process as revealed in the documents contravenes the intent of
Congress embodied in the Computer Security Act of 1987.  Through
that legislation, Congress intended to remove NSA from the process
of developing civilian computer security standards and to place
that responsibility with NIST, a civilian agency.  Congress
expressed a particular concern that NSA, a military intelligence
agency, would improperly limit public access to information in a
manner incompatible with civilian standard setting.  The House
Report on the legislation noted that NSA's

     natural tendency to restrict and even deny access to
     information that it deems important would disqualify
     that agency from being put in charge of the protection
     of non-national security information in the view of many
     officials in the civilian agencies and the private
     sector.

While the Computer Security Act contemplated that NSA would
provide NIST with "technical assistance" in the development of
civilian standards, the newly released documents demonstrate that
NSA has crossed that line and dominates the development process.

        The second reason why this material is significant is because
of what it reveals about the process that gave rise to the so-called
"Clipper" chip proposed by the administration earlier this
month.  Once again, NIST was identified as the agency actually
proposing the new encryption technology, with "technical
assistance" from NSA.  Once again, the underlying information
concerning the development process is classified.  DSS was the
first test of the Computer Security Act's division of labor
between NIST and NSA.  Clipper comes out of the same
"collaborative" process.  The newly released documents suggest
that NSA continues to dominate the government's work on computer
security and to cloak the process in secrecy, contrary to the
clear intent of Congress.

        On the day the Clipper initiative was announced, CPSR
submitted FOIA requests to key agencies -- including NIST and NSA
-- for information concerning the proposal.  CPSR will pursue
those requests, as well as the pending litigation concerning NSA
involvement in the development of the Digital Signature Standard.
Before any meaningful debate can occur on the direction of
cryptography policy, essential government information must be made
public -- as Congress intended when it passed the Computer
Security Act.  CPSR is committed to that goal.

***************************************************
David L. Sobel
CPSR Legal Counsel
(202) 544-9240
dsobel@washofc.cpsr.org



------------------------------

Date:  Fri, 7 May 93 09:55 EDT
From:  Rasch@dockmaster.ncsc.mil
Subject:  DMV Records

I am working on a project involving various State laws and regulations
of DMV records, and am interested in knowing which States regulate the
availability of DMV records.  I know that California makes it illegal to
have such records.  Does anybody know what other states do?  In how many
states is this information public, how many is it private, and how many
is it illegal?  Is there a difference between DMV records (i.e.  that
John Smith has DL 123-45-6789) and the actual licence itself with
photograph?  Information is appreciated.

------------------------------


End of Computer Privacy Digest V2 #040
******************************
