Computer Privacy Digest Tue, 18 May 93
Date: Tue, 18 May 93 16:34:21 EST
Errors-To: Comp-privacy Error Handler <comp-privacy-request@PICA.ARMY.MIL>
From: Computer Privacy Digest Moderator <comp-privacy@PICA.ARMY.MIL>
To: Comp-privacy@PICA.ARMY.MIL
Subject: Computer Privacy Digest V2#043
Computer Privacy Digest Tue, 18 May 93 Volume 2 : Issue: 043
Moderator: Dennis G. Rears
Today's Topics:
    Re: [Newsbytes Editorial] Caller Line ID
    DMV rcds
    Re: Credit Card without SSN
    Re: privacy vs banks (was: Re: I won one!)
    NIST Privacy Conf. - Clipper Chip and Public Key Crypto
The Computer Privacy Digest is a forum for discussion on the
effect of technology on privacy. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy
(Moderated). Submissions should be sent to
comp-privacy@pica.army.mil and administrative requests to
comp-privacy-request@pica.army.mil.
Back issues are available via anonymous ftp on ftp.pica.army.mil
[129.139.160.133].
----------------------------------------------------------------------
Date: Sat, 15 May 93 22:52 PDT
From: John Higdon <john@zygot.ati.com>
Organization: Green Hills and Cows
Subject: Re: [Newsbytes Editorial] Caller Line ID
Carl M Kadie <kadie@cs.uiuc.edu> quotes Robert Jacobson:
> What killed Caller ID, ultimately, wasn't the restrictions imposed
> by state regulators but business's lack of interest. Caller ID relied
> upon a high "take" by telemarketers, direct marketers, and other
> commercial institutions who wanted access to telephone numbers. They
> already get enough information from 800 and 900 numbers, since those
> calls are self-screened by customers who want to conduct some sort of
> business transaction. Caller ID promised a deluge of information that
> only the very biggest organizations could sift through and employ.
> And the bad press surrounding Caller ID discouraged those institutions
> from getting in too deep.
This is the most ignorant nonsense that I have ever heard from someone
parading around a Ph.D and purporting to know how to even dial a phone.
Big business has its own "Caller ID". It has had it for years. It could
not care less about the CLASS offering which is limited to SS7-equipped
offices and is frequently subject to blocking. 800 and 900 ANI is not
blockable, is virtually universal, works everywhere (including
California), and does not depend upon SS7 connectivity. It is
essentially perfect.
Also, Jacobson talks as though California is the be-all and end-all of
everything. His references to the "death" of Caller ID ring somewhat
hollow in light of the fact that the service is offered in more than
two-thirds of the United States. It is not going away. It offers to
Everyman what the big boys have enjoyed for many years; and Everyman
will eventually demand it and get it.
Yes, this is a personal issue with me. We patiently waited for Caller
ID to be approved in California so that we could offer a specialized
service that performs the automatic establishment of open accounts. The
transaction requires the recording of the caller's number. When the
decision came down, it required us to install direct trunks to a long
distance carrier, install (and pay for usage on) an 800 number, and use
the ANI instead of the much easier and cheaper Caller ID. Consequently
our service must cost more to recover the costs of the carrier trunks
and the 800 service.
What I see here is an interesting irony. People of Jacobson's ilk who
would deny the common man the ability to see who is calling him are in
reality advocating a class (no pun intended) separation. People in
California who want Caller ID badly enough (and can, like big
corporations, pay for it) have it via 800 and 900 service. Ordinary
individuals cannot have it. It is a classic case of "haves" vs
"have-nots". So you fellow Californians who order "pay-per-view" with
an 800 number should realize that you are paying for the fact that your
cable company cannot simply use ordinary POTS lines.
> But the demise of Caller ID has a larger, ironic outcome:
Jacobson, get a grip. To paraphrase Mark Twain, reports of the death of
Caller ID have been highly exaggerated.
> Editor's Note: Robert Jacobson, Ph.D., is former principal
> consultant/staff director of the Assembly Utilities and
> Commerce Committee, California Legislature, 1982-1989.
If Robert Jacobson, Ph.D is an example of the caliber of people in and
around our state government, it is no wonder California is rapidly
going down the drain. His fact-poor irrelevant emotionalism serves no
one, particularly the citizens of this state who are in desperate need
of new technologies and the tools to remain competitive.
Hopefully what can only be described as "ignorant elitism" will give way
to rational thinking on the part of those in power.
--
John Higdon | P. O. Box 7648 | +1 408 264 4115 | FAX:
john@ati.com | San Jose, CA 95150 | 10288 0 700 FOR-A-MOO | +1 408 264 4407
------------------------------
Date: Sun, 16 May 93 11:50:51 PDT
From: Jim Warren <jwarren@autodesk.com>
Subject: DMV rcds
Hi,
Just noticed your post in Computer Privacy Digest V2 #040.
> I know that California makes it illegal to have such records.
Absolutely not so. Any private investigator can get them (but has to keep
records of why they are requesting them, and those records are audited). Also
any organization with a "legitimate business interest" (I think that's how
the statute is phrased) can get 'em. All for a fee, of course -- this is a
significant profit center, uh, "revenue" center for the State DMV.
--jim
------------------------------
From: Penio Penev <penev%rockefeller.edu@PICA.ARMY.MIL>
Subject: Re: Credit Card without SSN
Reply-To: penev@venezia.rockefeller.edu
Organization: Rockefeller University
Date: Sun, 16 May 1993 18:50:48 GMT
On Fri, 14 May 1993 14:08:42 GMT Cristy (cristy@eplrx7.es.dupont.com) wrote:
| I just received my first VISA card without submitting my SSN. I applied
| to over 10 different offers I got in the mail. They all turned me down
| because I did not submit my SSN except for one.
I am in the situation of seeking a (secured with a long-term CD)
credit card, without specifying my SSN. I've tried only two times and
my third one is under way, with a greater possibility for not getting
the card. My situation is even worse, because I do not have a credit
history yet. I'm ready to secure my credit card line with a long term
CD, though.
I was determined to try out all banks before I surrender, but this
message is encouraging. Will you direct me to the right bank and/or
procedure?
--
Penio Penev x7423 (212)327-7423 (w) Internet: penev@venezia.rockefeller.edu
Disclaimer: All opinions are mine.
------------------------------
From: "Wm. L. Ranck" <ranck@joesbar.cc.vt.edu>
Subject: Re: privacy vs banks (was: Re: I won one!)
Date: 17 May 1993 14:38:27 GMT
Organization: Virginia Tech, Blacksburg, Virginia
Jonathan Thornburg (jonathan@hermes.chpc.utexas.edu) wrote:
: Indeed, they're required by law to get an SSN any time they pay interest.
: This is so they can report the interest to the IRS, who can in turn
: cross-match this with your tax return to make sure you report that
: interest as income.
I believe that banks are still required to report interest that you pay
them. In other words the IRS still gets some form telling them how much
interest I paid on my Visa card even though that is no longer deductible.
--
*******************************************************************************
* Bill Ranck (703) 231-9503 Bill.Ranck@vt.edu *
* Computing Center, Virginia Polytechnic Inst. & State Univ., Blacksburg, Va. *
*******************************************************************************
------------------------------
From: "Curtis D. Frye" <cfrye@ciis.mitre.org>
Subject: NIST Privacy Conf. - Clipper Chip and Public Key Crypto
Organization: The MITRE Corporation, McLean, VA
Date: Mon, 17 May 1993 15:59:11 GMT
Folks-
I came across this announcement through email with a colleague and post
it for your information.
NIST will be hosting a public forum on the Clipper Chip and public key
encryption / privacy issues from 2-4 June 1993 in Bethesda, MD. I
believe all the relevant information is included in the post, but if you
have any questions mail or call NIST as I don't represent them or any
other part of the US government.
-----Begin included file-----
From: Clipper-Capstone Chip Info <clipper@csrc.ncsl.nist.gov>
Organization: National Institute of Standards and Technology (NIST)
Subject: NIST Advisory Board Seeks Comments on Crypto
This file will be made available for anonymous ftp from
csrc.ncsl.nist.gov, filename pub/nistgen/cryptmtg.txt and for download
from the NIST Computer Security BBS, 301-948-5717, filename
cryptmtg.txt.
Note: The following notice is scheduled to appear in the Federal
Register this week. The notice announces a meeting of the Computer
System Security and Privacy Advisory Board (established by the
Computer Security Act of 1987) and solicits public and industry
comments on a wide range of cryptographic issues. Please note that
submissions are due by 4:00 p.m. May 27, 1993.
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
Announcing a Meeting of the
COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
AGENCY: National Institute of Standards and Technology
ACTION: Notice of Open Meeting
SUMMARY: Pursuant to the Federal Advisory Committee Act, 5 U.S.C.
App., notice is hereby given that the Computer System Security and
Privacy Advisory Board will meet Wednesday, June 2, 1993, from 9:00
a.m. to 5:00 p.m., Thursday, June 3, 1993, from 9:00 a.m. to 5:00
p.m., and Friday, June 4, 1993 from 9:00 a.m. to 1:00 p.m. The
Advisory Board was established by the Computer Security Act of 1987
(P.L. 100-235) to advise the Secretary of Commerce and the Director of
NIST on security and privacy issues pertaining to Federal computer
systems and report its findings to the Secretary of Commerce, the
Director of the Office of Management and Budget, the Director of the
National Security Agency, and the appropriate committees of the
Congress. All sessions will be open to the public.
DATES: The meeting will be held on June 2-4 1993. On June 2 and 3,
1993 the meeting will take place from 9:00 a.m. to 5:00 p.m. and on
June 4, 1993 from 9:00 a.m. to 1:00 p.m.
Public submissions (as described below) are due by 4:00 p.m. (EDT)
May 27, 1993 to allow for sufficient time for distribution to and
review by Board members.
ADDRESS: The meeting will take place at the National Institute of
Standards and Technology, Gaithersburg, MD. On June 2, 1993, the
meeting will be held in the Administration Building, "Red Auditorium,"
on June 3 the meeting will be held in the Administration Building,
"Green Auditorium," and on June 4, 1993 in the Administration
Building, Lecture Room "B."
Submissions (as described below), including copyright waiver if
required, should be addressed to: Cryptographic Issue Statements,
Computer System Security and Privacy Advisory Board, Technology
Building, Room B-154, National Institute of Standards and Technology,
Gaithersburg, MD, 20899 or via FAX to 301/948-1784. Submissions,
including copyright waiver if required, may also be sent
electronically to "crypto@csrc.ncsl.nist.gov".
AGENDA:
- Welcome and Review of Meeting Agenda
- Government-developed "Key Escrow" Chip Announcement Review
- Discussion of Escrowed Cryptographic Key Technologies
- Review of Submitted Issue Papers
- Position Presentations & Discussion
- Public Participation
- Annual Report and Pending Business
- Close
PUBLIC PARTICIPATION:
This Advisory Board meeting will be devoted to the issue of the
Administration's recently announced government-developed "key escrow"
chip cryptographic technology and, more broadly, to public use of
cryptography and government cryptographic policies and regulations.
The Board has been asked by NIST to obtain public comments on this
matter for submission to NIST for the national review that the
Administration has announced it will conduct of cryptographic-related
issues. Therefore, the Board is interested in:
1) obtaining public views and reactions to the government-developed
"key escrow" chip technology announcement, "key escrow" technology
generally, and government cryptographic policies and regulations;
2) hearing selected summaries of written views that have been submitted,
and
3) conducting a general discussion of these issues in public.
The Board solicits all interested parties to submit well-written,
concise issue papers, position statements, and background materials on
areas such as those listed below. Industry input is particularly
encouraged in addressing the questions below.
Because of the volume of responses expected, submittors are asked to
identify the issues above to which their submission(s) are responsive.
Submittors should be aware that copyrighted documents cannot be
accepted unless a written waiver is included concurrently with the
submission to allow NIST to reproduce the material. Also, company
proprietary information should not be included, since submissions will
be made publicly available.
This meeting specifically will not be a tutorial or briefing on
technical details of the government-developed "key escrow" chip or
escrowed cryptographic key technologies. Those wishing to address the
Board and/or submit written position statements are requested to be
thoroughly familiar with the topic and to have concise,
well-formulated opinions on its societal ramifications.
Issues on which comments are sought include the following:
1. CRYPTOGRAPHIC POLICIES AND SOCIAL/PUBLIC POLICY ISSUES
Public and Social policy aspects of the government-developed "key
escrow" chip and, more generally, escrowed key technology and
government cryptographic policies.
Issues involved in balancing various interests affected by government
cryptographic policies.
2. LEGAL AND CONSTITUTIONAL ISSUES
Consequences of the government-developed "key escrow" chip technology
and, more generally, key escrow technology and government
cryptographic policies.
3. INDIVIDUAL PRIVACY
Issues and impacts of cryptographic-related statutes, regulations, and
standards, both national and international, upon individual privacy.
Issues related to the privacy impacts of the government-developed "key
escrow" chip and "key escrow" technology generally.
4. QUESTIONS DIRECTED TO AMERICAN INDUSTRY
4.A Industry Questions: U.S. Export Controls
4.A.1 Exports - General
What has been the impact on industry of past export controls on
products with password and data security features for voice or data?
Can such an impact, if any, be quantified in terms of lost export
sales or market share? If yes, please provide that impact.
How many exports involving cryptographic products did you attempt over
the last five years? How many were denied? What reason was given for
denial?
Can you provide documentation of sales of cryptographic equipment
which were lost to a foreign competitor, due solely to U.S. Export
Regulations?
What are the current market trends for the export sales of information
security devices implemented in hardware solutions? For software
solutions?
4.A.2 Exports - Software
If the U.S. software producers of mass market or general purpose
software (word processing, spreadsheets, operating environments,
accounting, graphics, etc.) are prohibited from exporting such
packages with file encryption capabilities, what foreign competitors
in what countries are able and willing to take foreign market share
from U.S. producers by supplying file encryption capabilities?
What is the impact on the export market share and dollar sales of the
U.S. software industry if a relatively inexpensive hardware solution
for voice or data encryption is available such as the
government-developed "key escrow" chip?
What has been the impact of U.S. export controls on COMPUTER UTILITIES
software packages such as Norton Utilities and PCTools?
What has been the impact of U.S. export controls on exporters of OTHER
SOFTWARE PACKAGES (e.g., word processing) containing file encryption
capabilities?
What information does industry have that Data Encryption Standard
(DES) based software programs are widely available abroad in software
applications programs?
4.A.3 Exports - Hardware
Measured in dollar sales, units, and transactions, what have been
the historic exports for:
Standard telephone sets
Cellular telephone sets
Personal computers and work stations
FAX machines
Modems
Telephone switches
What are the projected export sales of these products if there is no
change in export control policy and if the government-developed "key
escrow" chip is not made available to industry?
What are the projected export sales of these products if the
government-developed "key escrow" chip is installed in the above
products, the above products are freely available at an additional
price of no more than $25.00, and the above products are exported
WITHOUT ADDITIONAL LICENSING REQUIREMENTS?
What are the projected export sales of these products if the
government-developed "key escrow" chip is installed in the above
products, the above products are freely available at an additional
price of no more than $25.00, and the above products are to be
exported WITH AN ITAR MUNITIONS LICENSING REQUIREMENT for all
destinations?
What are the projected export sales of these products if the
government-developed "key escrow" chip is installed in the above
products, the above products are freely available at an additional
price of no more than $25.00, and the above products are to be
exported WITH A DEPARTMENT OF COMMERCE LICENSING REQUIREMENT for all
destinations?
4.A.4 Exports - Advanced Telecommunications
What has been the impact on industry of past export controls on other
advanced telecommunications products?
Can such an impact on the export of other advanced telecommunications
products, if any, be quantified in terms of lost export sales or
market share? If yes, provide that impact.
4.B Industry Questions: Foreign Import/Export Regulations
How do regulations of foreign countries affect the import and export
of products containing cryptographic functions? Specific examples of
countries and regulations will prove useful.
4.C Industry Questions: Customer Requirements for Cryptography
What are current and future customer requirements for information
security by function and industry? For example, what are current and
future customer requirements for domestic banking, international
banking, funds transfer systems, automatic teller systems, payroll
records, financial information, business plans, competitive strategy
plans, cost analyses, research and development records, technology
trade secrets, personal privacy for voice communications, and so
forth? What might be good sources of such data?
What impact do U.S. Government mandated information security standards
for defense contracts have upon demands by other commercial users for
information security systems in the U.S.? In foreign markets?
What threats are your product designed to protect against? What
threats do you consider unaddressed?
What demand do you foresee for a) cryptographic only products, and b)
products incorporating cryptography in: 1) the domestic market, 2) in
the foreign-only market, and 3) in the global market?
4.D Industry Questions: Standards
If the European Community were to announce a non-DES, non-public key
European Community Encryption Standard (ECES), how would your company
react? Include the new standard in product line? Withdraw from the
market? Wait and see?
What are the impacts of government cryptographic standards on U.S.
industry (e.g., Federal Information Processing Standard 46-1 [the Data
Encryption Standard] and the proposed Digital Signature Standard)?
5. QUESTIONS DIRECTED TO THE AMERICAN BUSINESS COMMUNITY
5.A American Business: Threats and Security Requirements
Describe, in detail, the threat(s), to which you are exposed and which
you believe cryptographic solutions can address.
Please provide actual incidents of U.S. business experiences with
economic espionage which could have been thwarted by applications of
cryptographic technologies.
What are the relevant standards of care that businesses must apply to
safeguard information and what are the sources of those standards
other than Federal standards for government contractors?
What are U.S. business experiences with the use of cryptography to
protect against economic espionage, (including current and projected
investment levels in cryptographic products)?
5.B American Business: Use of Cryptography
Describe the types of cryptographic products now in use by your
organization. Describe the protection they provide (e.g., data
encryption or data integrity through digital signatures). Please
indicate how these products are being used.
Describe any problems you have encountered in finding, installing,
operating, importing, or exporting cryptographic devices.
Describe current and future uses of cryptographic technology to
protect commercial information (including types of information being
protected and against what threats).
Which factors in the list below inhibit your use of cryptographic
products?
Please rank:
-- no need
-- no appropriate product on market
-- fear of interoperability problems
-- regulatory concerns
-- a) U.S. export laws
-- b) foreign country regulations
-- c) other
-- cost of equipment
-- cost of operation
-- other
Please comment on any of these factors.
In your opinion, what is the one most important unaddressed need
involving cryptographic technology?
Please provide your views on the adequacy of the government-developed
"key escrow" chip technological approach for the protection of all
your international voice and data communication requirements.
Comments on other U.S. Government cryptographic standards?
6. OTHER
Please describe any other impacts arising from Federal government
cryptographic policies and regulations.
Please describe any other impacts upon the Federal government in the
protection of unclassified computer systems.
Are there any other comments you wish to share?
The Board agenda will include a period of time, not to exceed ten
hours, for oral presentations of summaries of selected written
statements submitted to the Board by May 27, 1993. As appropriate and
to the extent possible, speakers addressing the same topic will be
grouped together. Speakers, prescheduled by the Secretariat and
notified in advance, will be allotted fifteen to thirty minutes to
orally present their written statements. Individuals and
organizations submitting written materials are requested to advise the
Secretariat if they would be interested in orally summarizing their
materials for the Board at the meeting.
Another period of time, not to exceed one hour, will be reserved for
oral comments and questions from the public. Each speaker will be
allotted up to five minutes; it will be necessary to strictly control
the length of presentations to maximize public participation and the
number of presentations.
Except as provided for above, participation in the Board's discussions
during the meeting will be at the discretion of the Designated Federal
Official.
Approximately thirty seats will be available for the public, including
three seats reserved for the media. Seats will be available on a
first-come, first-served basis.
FOR FURTHER INFORMATION CONTACT: Mr. Lynn McNulty, Executive Secretary
and Associate Director for Computer Security, Computer Systems
Laboratory, National Institute of Standards and Technology, Building
225, Room B154, Gaithersburg, Maryland 20899, telephone: (301)
975-3240.
SUPPLEMENTARY INFORMATION: Background information on the
government-developed "key escrow" chip proposal is available from the
Board Secretariat; see address in "for further information" section.
Also, information on the government-developed "key escrow" chip is
available electronically from the NIST computer security bulletin
board, phone 301-948-5717.
The Board intends to stress the public and social policy aspects, the
legal and Constitutional consequences of this technology, and the
impacts upon American business and industry during its meeting.
It is the Board's intention to create, as a product of this meeting, a
publicly available digest of the important points of discussion,
conclusions (if any) that might be reached, and an inventory of the
policy issues that need to be considered by the government. Within
the procedures described above, public participation is encouraged and
solicited.
/signed/
Raymond G. Kammer, Acting Director
May 10, 1993
------------------------------
End of Computer Privacy Digest V2 #043
******************************