home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Handbook of Infosec Terms 2.0
/
Handbook_of_Infosec_Terms_Version_2.0_ISSO.iso
/
text
/
privacy
/
p02_005.txt
< prev
next >
Wrap
Text File
|
1996-09-03
|
42KB
|
949 lines
PRIVACY Forum Digest Sunday, 7 February 1993 Volume 02 : Issue 05
Moderated by Lauren Weinstein (lauren@cv.vortex.com)
Vortex Technology, Topanga, CA, U.S.A.
===== PRIVACY FORUM =====
The PRIVACY Forum digest is supported in part by the
ACM Committee on Computers and Public Policy.
CONTENTS
Caller-ID a danger ? Not by itself. (A. Padgett Peterson)
The REAL problem with Caller ID (Larry Seiler)
Re: SSN and new baby, Schools and SSNs (Ed Tripp)
OECD Guidelines cont'd (Marc Rotenberg)
New Law appealed (Rafael Fernandez Calvo)
Revised Computer Crime Sent (Dave Banisar)
IEEE conference (Dr. William J. Kelly)
Program for 1993 Security and Privacy Symposium (Ira Greenberg)
*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***
-----------------------------------------------------------------------------
The PRIVACY Forum is a moderated digest for the discussion and analysis of
issues relating to the general topic of privacy (both personal and
collective) in the "information age" of the 1990's and beyond. The
moderator will choose submissions for inclusion based on their relevance and
content. Submissions will not be routinely acknowledged.
ALL submissions should be addressed to "privacy@cv.vortex.com" and must have
RELEVANT "Subject:" lines. Submissions without appropriate and relevant
"Subject:" lines may be ignored. Subscriptions are by an automatic
"listserv" system; for subscription information, please send a message
consisting of the word "help" (quotes not included) in the BODY of a message
to: "privacy-request@cv.vortex.com". Mailing list problems should be
reported to "list-maint@cv.vortex.com". All submissions included in this
digest represent the views of the individual authors and all submissions
will be considered to be distributable without limitations.
The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "cv.vortex.com",
in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password. The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access. PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system. Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.
For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX
to (310) 455-2364.
-----------------------------------------------------------------------------
VOLUME 02, ISSUE 05
Quote for the day:
"Don't let them turn back the clock!
Save Standard Time!"
--- From a Daylight Savings Time protest
promo shown in Ohio theaters in the
late 1950's.
----------------------------------------------------------------------
Date: Sat, 16 Jan 93 21:12:42 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Caller-ID a danger ? Not by itself.
>From: scott@cs.rochester.edu
>Subject: Op-ed piece on telephone Calling Number ID
> Unless you act immediately, your name, address, and telephone number are
>about to be added to the marketing lists of a whole new set of telephone soli-
>citors and direct-mail advertisers. How? Through the "Call ID" facility
>recently introduced by Rochester Telephone.
First, let me say that I am a firm believer in the potential of Caller-ID
to be an invisible layer of access control to computer systems.
Given that, my feeling is that the controversy centers around two, not one,
situations.
1) Captured CNID information can be stored electronically.
2) Once stored, the CNID can be used to extract information from public
databases that the caller might prefer not to be disclosed.
What is not commonly appreciated is that element (1) is available in the
form of ANI on any number of common business calls to anyone with the
proper service (e.g. 800 and 900 area code calls). The difference between
this and Caller-ID (CNID) is the cost threshold.
Given that the information is already available for (1), the answer would
to be the amount of information derived in (2). True, reverse phone books
provide additional information, but all is based on the information provided
by the telco. There are many areas/exchanges which, by the virue of being
small, do not have reverse directories available (I used to live in one in
Texas).
Further, even where reverse directories are available, they are based on
the information provided electronically (for a fee) by the telco. There
are any number of ways to prevent dissemination of this.
The two best known are touted as extra cost "features" by the Telco -
unpublished and unlisted numbers. There is a third means that may be
used at no cost however. Simply specify that only the name of the person
having that number be listed (e.g. direct that no address or only the
city be listed). There is nothing in the tarrifs that requires
street addresses to be listed in the phone book and several compelling
reasons why individual safety would dictate not - but few people ever take
advantage of this.
The important thing to remember is that the subscriber does have some
control over *what* is listed, and this is what is reported to outside
parties.
Meanwhile, I have Caller-ID at home and my personal dislike is that finding
out before installation what numbers you can receive and which will
report "out-of-area" is like pulling teeth. Fully a third of the local
calls received report this including those that originate from a subdivision
less than five miles from my home (and I have been assured that the callers
did not block CNID), yet there is no discount for such "partial" service
(*all* of the calls received today were "out-of-area"). IMHO, until it is
nationwide, it will not be really effective (expect it in under two years).
Warmly,
Padgett
------------------------------
Date: Tue, 19 Jan 93 15:53:57 EST
From: "Larry Seiler, x223-0588, MLO5-2 19-Jan-1993 1515"
<seiler@rgb.enet.dec.com>
Subject: The REAL problem with Caller ID
As noted by Michael Scott in digest #03, Caller ID is almost exclusively
a marketing tool. At one time I thought it had value for finding the
identity of nuiscance callers, but that can now be easily accomplished by
the phone company at their offices -- CNID isn't necessary.
However, I feel that it is important understand that the real privacy
problem of CNID is NOT the fact that businesses can know who is calling them.
In most cases, I don't think people expect to be anonymous to the companies
they do business with. I do think that most people feel it is nobody else's
business who they choose to do business with.
So the privacy problem comes from the compilation and sale of databases
of that information -- plus inferences drawn from the caller information.
CNID facilitates invasions of privacy on a broader scale than before,
because it makes it easier to gather the data. But it is what is done
with the data that violates privacy -- not (usually) its collection.
This is an important distinction. CNID is just a tool. We should fight to
limit CNID on privacy grounds, since it is such an effective tool. But the
real fight is to outlaw the distribution of personal data except with the
permission of the people about whom the data was collected.
Enjoy,
Larry
------------------------------
Date: Sun, 17 Jan 93 00:18 EST
From: et@tdslab.cmhnet.org (Ed Tripp)
Subject: Re: SSN and new baby, Schools and SSNs
I have to respond to the assumption being made that the IRS can finally
force the registration of all children in this country or deny the valid
tax exemptions for them.
My three children were all born at home, in the same bed, with the assistance
of midwives. I filed the birth certificates and at least one of them has me
as the only witness to the birth. My children have no SSNs and they will not
have them until they are working and registered for Social Security tax
purposes. The original law requiring registration of children of ages 5 and
up was put through as a way to control AFDC fraud. A rider on a bill two
years (I think) later changed the age to 2 and was written so as to be
essentially invisible to the reader. The whole statement was one line
amending "5" to "2" in a referenced paragraph in another document (the
original bill).
I first encountered these laws when the bank demanded SSNs to avoid backup
withholding from my children's bank accounts. I opened an account with $100
for each one at birth the same way my parents had done for me. The idea was
to encourage saving. Since the amount involved was so small, I let the bank
take the tax as a necessary expense of freedom. The next demand came in the
form of a statement that a $50 penalty could be assessed for not having the
numbers. I closed the accounts, bought savings bonds for the kids, and made
sure the the bank knew exactly why. This kind of nonsense only survives when
people don't care enough to do anything about it.
About that time, the tax forms started requiring the numbers for dependents
or a statement that they had been requested. I wrote numerous letters to
Congress and the ACLU on the issue. The ACLU is actively pursuing this issue
with respect to privacy concerns. I got a letter from Jesse Helms stating
that he had never realized what the Congress had passed when the registration
requirement was passed and he "would look into it". As for the tax returns,
every year I file with "no numbers - see attachment" written across the area
reserved for the SSNs. Each year, I give the government a new set of copies
of my childrens' birth certificates. Those are public record and I don't
mind them having them or having to deal with them.
Given the incredible abuse of the SSN by American businesses and government
agencies at all levels I can clearly state that it will be a cold day in hell
before I give in on this issue. I should also note that my two oldest
children are in the public school system here (Upper Arlington, Ohio). As
far as I know, they are the only two in the entire system who do not have
SSNs. When the school office called me about the missing number on my
daughter's registration and I replied that she did not have one and would
not have one, the reply was "Oh yes, you're the one". They remembered the
encounter when my oldest son was enrolled. This time there was no further
discussion. In fact, the only thing the woman I was talking to could think
of that required a number for the schools was requests for copies of high
school transcripts. I assume my children will have them legitimately by then.
I would be interested in feedback from anyone who knows whether the material
I am including below is still relevant to this issue. When I read it, it
appeared that I had actually been exceeding what was necessary to keep the
IRS off my back. However, that may have changed recently given the efforts
of a number of people to establish a "New World Order" for everyone inside
and outside of this country. This is excerpted from a file available at
eff.org and I assume a number of other sites:
-----------------------------------------------------------------------
Archive-Name: ssn-privacy
What to do when they ask for your Social Security Number
by Chris Hibbert
Computer Professionals
for Social Responsibility
--------- much deleted material ---------
Children
The Family Support Act of 1988 (42 USC 1305, 607, and 602) apparently
requires states to require parents to give their Social Security Numbers in
order to get a birth certificate issued for a newborn. The law allows the
requirement to be waived for "good cause", but there's no indication of what
may qualify.
The IRS requires taxpayers to report SSNs for dependents over one year of
age, but the requirement can be avoided if you're prepared to document the
existence of the child by other means if challenged. The law on this can be
found at 26 USC 6109.
-----------------------------------------------------------------------
By the way, I am a computer "professional" if that term means that I make
my living teaching about, designing, building, programming, and otherwise
being obsessed with computers. Computers are tools. They can be used for
great good and great evil. My determination to fight the use of the SSN
as a universal identifier has to do with avoiding the latter. And no, I
do not trust my government on this issue since abuses of intelligence
and police powers are commonplace events and commercial use of the SSN
is totally uncontrolled in spite of the often repeated desire of Congress
to avoid the creation of a "national identity number".
Ed Tripp (et@tdslab.cmhnet.org)
------------------------------
Date: Mon, 18 Jan 1993 15:16:10 EST
From: Marc Rotenberg <Marc_Rotenberg@washofc.cpsr.org>
Subject: OECD Guidelines cont'd
Padget Peterson makes a good point in Privacy Forum Vol. 2, Issue 3. The
character of vulnerabilies has changed. Failure is more difficult to
localize in networked environments. Look at the recent problems with the
phone network or the Cornell Worm.
It is important to point out that the words Padget quotes
("Society has become very dependent on technologies that are not yet
sufficiently dependable") are from the OECD press release and not from
CPSR. We are generally more skeptical about the prospects for absolute
dependability.
Still, openness in design in important. The OECD expert group tried to
address this concern with the "Awareness Principle" which states
"In order to foster confidence in information systems, owners,
providers and users of information systems and other parties should readily
be able, consistent with maintaining security, to gain appropriate knowledge
of and be informed about the existence and general extent of measures,
practices and procedures for the security of information systems. However,
I disagree with one point in Padgett's note. Openness in design does not
come at a cost in privacy. In some circumstances, just the opposite is
true."
The principle could have been stated less ambiguously, but the idea is there.
I disagree with one point in Padget's note. Openness does not necessarily
lead to a trade off with personal privacy. In many circumstances, the
opposite is true.
Consider the FBI's digital telephony proposal which would facilitate
wiretapping of the communications network. CPSR has pushed the FBI through
the Freedom of Information Act to be more forthcoming about the technical
issues surrounding wire surveillance. The FBI is reluctant to provide the
information, even though the General Service Administration has now sent us
a document which said that the proposal would "make it easier for criminals,
terrorists, foreign intelligence and computer hackers to electronically
penetrate the phone network and pry into areas not previously open to
snooping."
Privacy is not secrecy.
Marc Rotenberg
CPSR Washington office
------------------------------
Date: Sun, 07 Feb 1993 21:19:15 EST
From: " Rafael Fernandez Calvo" <rfcalvo@guest2.atimdr.es>
Subject: New Law appealed
LL II
CCCC LL II
CC LL II -- N E W S FROM S P A I N --- Feb. 7, 93
CCCC LLLLLL II
COMMISSION for LIBERTIES
and INFORMATICS (*)
NEW PERSONAL DATA PROTECTION LAW APPEALED BY OMBUDSMAN
-----------------------------------------------------
Since Jan. 31, the Data Protection Law is in force in Spain. The law
receives the official name of "Organic Law on Regulation of Automated
Processing of Personal Data" and its also known as LORTAD, according to
its Spanish initials. The law had been approved by the Senate in October
'92.
On Jan. 28, an appeal on several articles of the law was individually
addressed to the Constitutional Court by the Ombusdman, the Peoples's
Party (the main opposition party, with a center-right orientation) and
the Regional Parliament of Catalonia. All of them had received a request
from CLI in that sense, along with a solid juridic report. CLI's request
had also received strong support of other entities, such as other two
major political parties the two main trade unions.
Although, according to the Spanish legislation, an appeal does not
prevent a law awaiting for a decision of the Constitutional Court to be
applied (the Court takes usually a couple of years to settle an appeal),
media have underlined that is the first time an Organic Law is appealed
by three entitled entities and have highlighted the role played by CLI in
promoting the appeal and in increasing the awareness of the people about
this sensitive topic.
The appeals regard articles that have to do with the two following
weak points of the law, that CLI had been ponting out to since the very
begining:
a) The bill gives excessive and uncontrolled power to Policy Forces
over collection and computerization of highly sensitive data: ideology,
religion, beliefs, racial origin, health and sexual orientation.
b) Computerized personal data records in the hands of all branches
of Public Administrations are in many cases excluded from the rights
(access, modification, cancellation) given to citizens with regard to
the same kind of data in the hands of private companies.
In a Press Conference held in Madrid last week, CLI voiced its position
about the law. It can be summarized as follows:
- The law does not fulfill the expectations arisen, although it is a step
forward in comparison with the current situation of "allegality" that has
been source of severe abuse against privacy for years.
- The best side of the law is the regulation of personal data files
in the hands of companies and private entities. Citizens will have
wide rights to access, modification and cancellation of this kind of
records. Companies can be punished with fines upto 1 million dollar
and blocking of the files involved.
- The Data Protection Agency that will watch over proper observance of
the law will have scarce autonomy from the Government, that will
nominate and dismiss its Director. CLI has advanced proposals for
a Statute of the Agency in order to overcome, even partially, this
danger.
- The new Penal Code being presently discussed by the Parliament should
properly complement the Personal Data law when highly sensitive data are
involved. CLI has advanced proposals in this sense to all the political
parties represented in the Spanish Parliament.
Since (1) the Data Protecion Agency has not been created yet, (2)
the Regions will have to implement their own legislation --following the
same approach as in Germany-- and (3) both Public Administrations and
companies will have a period of a year to adapt themselves to the
provisions of the law, CLI and its regional branches will closely monitor
this interim period and, in conjunction with the Ombudsman, will try to
respond to the requests of the citizens in the meanwhile.
To obtain more information about the law you can contact CLI (*)
* SOME WORDS ABOUT CLI
The --Commission for Liberties and Informatics, CLI-- is an independent
and pluralistic organization that was officially constituted in April
'91.
Its mission is to "promote the development and protection of citizens'
rights, with special regards to privacy, against misuse of Information
Technologies".
As of January '93, CLI is composed by ten organizations, with
a joint membership of about 3,000,000 people. They cover a very
wide spectrum of social interest groups: associations of computer
professionals, judges, civil rights leagues, trade unions, consumers
groups, the main association of direct marketing companies, etc.
CLI is confederated with similar bodies created in some other Spanish
Regions such as Valencia, Basque Country and Catalonia, and has fluid
working relationships with many public and private Data Protection bodies
and entities all over the world, including CPSR, and Privacy
International.
CLI has its headquarters in:
Padilla 66, 3 dcha.
E-28006 Madrid, Spain
Phone: (34-1) 402 9391
Fax: (34-1) 309 3685
E-mail: rfcalvo@guest2.atimdr.es
------------------------------
Date: Sat, 30 Jan 1993 15:12:11 EST
From: Dave Banisar <banisar@washofc.cpsr.org>
Subject: Revised Computer Crime Sent
>From Jack King (gjk@well.sf.ca.us)
The U.S. Dept. of Justice has asked the U.S. Sentencing Commission to
promulgate a new federal sentencing guideline, Sec. 2F2.1, specifically
addressing the Computer Fraud and Abuse Act of 1988 (18 USC 1030), with a
base offense level of 6 and enhancements of 4 to 6 levels for violations of
specific provisions of the statute. The new guideline practically
guarantees some period of confinement, even for first offenders who plead
guilty.
For example, the guideline would provide that if the defendant obtained
``protected'' information (defined as ``private information, non-public
government information, or proprietary commercial information), the offense
level would be increased by two; if the defendant disclosed protected
information to any person, the offense level would be increased by four
levels, and if the defendant distributed the information by means of ``a
general distribution system,'' the offense level would go up six levels.
The proposed commentary explains that a ``general distribution system''
includes ``electronic bulletin board and voice mail systems, newsletters and
other publications, and any other form of group dissemination, by any
means.''
So, in effect, a person who obtains information from the computer of
another, and gives that information to another gets a base offense level of
10; if he used a 'zine or BBS to disseminate it, he would get a base offense
level of 12. The federal guidelines prescribe 6-12 months in jail for a
first offender with an offense level of 10, and 10-16 months for same with
an offense level of 12. Pleading guilty can get the base offense level down
by two levels; probation would then be an option for the first offender with
an offense level of 10 (reduced to 8). But remember: there is no more
federal parole. The time a defendant gets is the time s/he serves (minus a
couple days a month "good time").
If, however, the offense caused an economic loss, the offense level would be
increased according to the general fraud table (Sec. 2F1.1). The proposed
commentary explains that computer offenses often cause intangible harms,
such as individual privacy rights or by impairing computer operations,
property values not readily translatable to the general fraud table. The
proposed commentary also suggests that if the defendant has a prior
conviction for ``similar misconduct that is not adequately reflected in the
criminal history score, an upward departure may be warranted.'' An upward
departure may also be warranted, DOJ suggests, if ``the defendant's conduct
has affected or was likely to affect public service or confidence'' in
``public interests'' such as common carriers, utilities, and institutions.
Based on the way U.S. Attorneys and their computer experts have guesstimated
economic "losses" in a few prior cases, a convicted tamperer can get whacked
with a couple of years in the slammer, a whopping fine, full "restitution"
and one to two years of supervised release (which is like going to a parole
officer). (Actually, it *is* going to a parole officer, because although
there is no more federal parole, they didn't get rid of all those parole
officers. They have them supervise convicts' return to society.)
This, and other proposed sentencing guidelines, can be found at 57 Fed Reg
62832-62857 (Dec. 31, 1992).
The U.S. Sentencing Commission wants to hear from YOU. Write: U.S.
Sentencing Commission, One Columbus Circle, N.E., Suite 2-500, Washington DC
20002-8002, Attention: Public Information. Comments must be received by
March 15, 1993.
* * *
Actual text of relevant ammendments:
UNITED STATES SENTENCING COMMISSION
AGENCY: United States Sentencing Commission.
57 FR 62832
December 31, 1992
Sentencing Guidelines for United States Courts
ACTION: Notice of proposed amendments to sentencing guidelines,
policy statements, and commentary. Request for public comment.
Notice of hearing.
SUMMARY: The Commission is considering promulgating certain
amendments to the sentencing guidelines, policy statements, and
commentary. The proposed amendments and a synopsis of issues to be
addressed are set forth below. The Commission may report amendments
to the Congress on or before May 1, 1993. Comment is sought on all
proposals, alternative proposals, and any other aspect of the
sentencing guidelines, policy statements, and commentary.
DATES: The Commission has scheduled a public hearing on these
proposed amendments for March 22, 1993, at 9:30 a.m. at the
Ceremonial Courtroom, United States Courthouse, 3d and Constitution
Avenue, NW., Washington, DC 20001.
Anyone wishing to testify at this public hearing should notify
Michael Courlander, Public Information Specialist, at (202) 273-4590
by March 1, 1993.
Public comment, as well as written testimony for the hearing,
should be received by the Commission no later than March 15, 1993,
in order to be considered by the Commission in the promulgation of
amendments due to the Congress by May 1, 1993.
ADDRESSES: Public comment should be sent to: United States
Sentencing Commission, One Columbus Circle, NE., suite 2-500, South
Lobby, Washington, DC 20002-8002, Attention: Public Information.
FOR FURTHER INFORMATION CONTACT: Michael Courlander, Public
Information Specialist, Telephone: (202) 273-4590.
* * *
59. Synopsis of Amendment: This amendment creates a new guideline
applicable to violations of the Computer Fraud and Abuse Act of 1988
(18 U.S.C. 1030). Violations of this statute are currently subject
to the fraud guidelines at S. 2F1.1, which rely heavily on the
dollar amount of loss caused to the victim. Computer offenses,
however, commonly protect against harms that cannot be adequately
quantified by examining dollar losses. Illegal access to consumer
credit reports, for example, which may have little monetary value,
nevertheless can represent a serious intrusion into privacy
interests. Illegal intrusions in the computers which control
telephone systems may disrupt normal telephone service and present
hazards to emergency systems, neither of which are readily
quantifiable. This amendment proposes a new Section 2F2.1, which
provides sentencing guidelines particularly designed for this unique
and rapidly developing area of the law.
Proposed Amendment: Part F is amended by inserting the following
section, numbered S. 2F2.1, and captioned "Computer Fraud and
Abuse," immediately following Section 2F1.2:
"S. 2F2.1. Computer Fraud and Abuse
(a) Base Offense Level: 6
(b) Specific Offense Characteristics
(1) Reliability of data. If the defendant altered information,
increase by 2 levels; if the defendant altered protected
information, or public records filed or maintained under law or
regulation, increase by 6 levels.
(2) Confidentiality of data. If the defendant obtained protected
information, increase by 2 levels; if the defendant disclosed
protected information to any person, increase by 4 levels; if the
defendant disclosed protected information to the public by means of
a general distribution system, increase by 6 levels.
Provided that the cumulative adjustments from (1) and (2), shall
not exceed 8.
(3) If the offense caused or was likely to cause
(A) interference with the administration of justice (civil or
criminal) or harm to any person's health or safety, or
(B) interference with any facility (public or private) or
communications network that serves the public health or safety,
increase by 6 levels.
(4) If the offense caused economic loss, increase the offense
level according to the tables in S. 2F1.1 (Fraud and Deceit). In
using those tables, include the following:
(A) Costs of system recovery, and
(B) Consequential losses from trafficking in passwords.
(5) If an offense was committed for the purpose of malicious
destruction or damage, increase by 4 levels.
(c) Cross References
(1) If the offense is also covered by another offense guideline
section, apply that offense guideline section if the resulting level
is greater. Other guidelines that may cover the same conduct
include, for example: for 18 U.S.C. 1030(a)(1), S. 2M3.2 (Gathering
National Defense Information); for 18 U.S.C. 1030(a)(3), S. 2B1.1
(Larceny, Embezzlement, and Other Forms of Theft), S. 2B1.2
(Receiving, Transporting, Transferring, Transmitting, or Possessing
Stolen
Property), and S. 2H3.1 (Interception of Communications or
Eavesdropping); for 18 U.S.C. 1030(a)(4), S. 2F1.1 (Fraud and
Deceit), and S. 2B1.1 (Larceny, Embezzlement, and Other Forms of
Theft); for 18 U.S.C. S. 1030(a)(5), S. 2H2.1 (Obstructing an
Election or Registration), S. 2J1.2 (Obstruction of Justice), and
S. 2B3.2 (Extortion); and for 18 U.S.C. S. 1030(a)(6), S. 2F1.1
(Fraud and Deceit) and S. 2B1.1 (Larceny, Embezzlement, and Other
Forms of Theft).
Commentary
Statutory Provisions: 18 U.S.C. 1030(a)(1)-(a)(6)
Application Notes:
1. This guideline is necessary because computer offenses often
harm intangible values, such as privacy rights or the unimpaired
operation of networks, more than the kinds of property values which
the general fraud table measures. See S. 2F1.1, Note 10. If the
defendant was previously convicted of similar misconduct that is not
adequately reflected in the criminal history score, an upward
departure may be warranted.
2. The harms expressed in paragraph (b)(1) pertain to the
reliability and integrity of data; those in (b)(2) concern the
confidentiality and privacy of data. Although some crimes will cause
both harms, it is possible to cause either one alone. Clearly a
defendant can obtain or distribute protected information without
altering it. And by launching a virus, a defendant may alter or
destroy data without ever obtaining it. For this reason, the harms
are listed separately and are meant to be cumulative.
3. The terms "information," "records," and "data" are
interchangeable.
4. The term "protected information" means private information,
non-public government information, or proprietary commercial
information.
5. The term "private information" means confidential information
(including medical, financial, educational, employment, legal, and
tax information) maintained under law, regulation, or other duty
(whether held by public agencies or privately) regarding the history
or status of any person, business, corporation, or other
organization.
6. The term "non-public government information" means
unclassified information which was maintained by any government
agency, contractor or agent; which had not been released to the
public; and which was related to military operations or readiness,
foreign relations or intelligence, or law enforcement investigations
or operations.
7. The term "proprietary commercial information" means non-public
business information, including information which is sensitive,
confidential, restricted, trade secret, or otherwise not meant for
public distribution. If the proprietary information has an
ascertainable value, apply paragraph (b) (4) to the economic loss
rather than (b) (1) and (2), if the resulting offense level is
greater.
8. Public records protected under paragraph (b) (1) must be filed
or maintained under a law or regulation of the federal government, a
state or territory, or any of their political subdivisions.
9. The term "altered" covers all changes to data, whether the
defendant added, deleted, amended, or destroyed any or all of it.
10. A "general distribution system" includes electronic bulletin
board and voice mail systems, newsletters and other publications,
and any other form of group dissemination, by any means.
11. The term "malicious destruction or damage" includes injury to
business and personal reputations.
12. Costs of system recovery: Include the costs accrued by the
victim in identifying and tracking the defendant, ascertaining the
damage, and restoring the system or data to its original condition.
In computing these costs, include material and personnel costs, as
well as losses incurred from interruptions of service. If several
people obtained unauthorized access to any system during the same
period, each defendant is responsible for the full amount of
recovery or repair loss, minus any costs which are clearly
attributable only to acts of other individuals.
13. Consequential losses from trafficking in passwords: A
defendant who trafficked in passwords by using or maintaining a
general distribution system is responsible for all economic losses
that resulted from the use of the password after the date of his or
her first general distribution, minus any specific amounts which are
clearly attributable only to acts of other individuals. The term
"passwords" includes any form of personalized access identification,
such as user codes or names.
14. If the defendant's acts harmed public interests not
adequately reflected in these guidelines, an upward departure may be
warranted. Examples include interference with common carriers,
utilities, and institutions (such as educational, governmental, or
financial institutions), whenever the defendant's conduct has
affected or was likely to affect public service or confidence".
* * *
------------------------------
Date: Fri, 22 Jan 1993 14:23:20 EDT
From: "Dr. William J. Kelly" <m16805@mwvm.mitre.org>
Subject: ieee conference
CALL FOR PAPERS
THE IEEE SOCIAL IMPLICATIONS OF TECHNOLOGY SOCIETY
THE IEEE TECHNICAL POLICY CONFERENCE COMMITTEE
THE IEEE NATIONAL CAPITAL AREA COUNCIL
INVITE CONTRIBUTIONS FOR AN INTERDISCIPLINARY
International Symposium on Technology and Society 1993
(ISTAS '93)
Washington DC October 22-23, 1993
on the theme
TECHNOLOGY: WHOSE COSTS?..WHOSE BENEFITS?
Technology is constantly changing the our world. New ways of doing things
bring benefits undreamed-of just a few years ago. These technologies also
have their price. The costs can be financial, or increased risks, or a less
pleasant way of life.
How do we balance benefits and costs? Do those who enjoy the benefits bear
their fair share of the costs? How can we determine a fair share? If we
can, and don't like the results, what do we change? Is the Government
always the best way to change things? ISTAS '93 will explore these and
related questions, concentrating on three exemplary areas of
technology:
Computers and Communications
Health Care
Energy and the Environment
ISTAS '93 invites significant contributions on these issues from a wide
spectrum of scholarly and concerned individuals. The contributions can be
papers, proposals for a session or panel of invited experts, or proposals
for "poster" or discussion sessions. Please send an extended (two page)
abstract for papers or a two page proposal for sessions, to
the General Chair
Dr. William J. Kelly
Attn IEEE
MITRE Corporation
7525 Colshire Drive
McLean, VA 22102
DEADLINE FOR SUBMISSION: FEBRUARY 28, 1993
Notification of Acceptance: March 31, 1993
Camera Ready Copy: June 30, 1993
In the tradition of the Carnahan Conferences
"Technics: A Delicate Balance" in Los Angeles 1989
"Preparing for a Sustainable Society" in Toronto 1991
ISTAS '93 invites contributors from many disciplines
to illuminate the problems and choices that face us all.
Regards
Bill
------------------------------
Date: Wed, 3 Feb 93 13:30:02 -0800
From: Ira Greenberg <ira@csl.sri.com>
Subject: program for 1993 Security and Privacy Symposium
1993 IEEE SYMPOSIUM ON RESEARCH IN SECURITY AND PRIVACY
May 24-26, 1993
Claremont Resort,
Oakland, California
Sponsored by the
IEEE Technical Committee on Security and Privacy
In cooperation with the
International Association of Cryptologic Research
Symposium Committee
Teresa Lunt, General Chair
Cristi Garvey, Vice Chair
Richard A. Kemmerer, Program Co-Chair
John Rushby, Program Co-Chair
PRELIMINARY PROGRAM
MONDAY
9:00--9:30: Welcoming Remarks: Teresa Lunt and Dick Kemmerer
9:30--10:30: VIRUSES AND INTRUSION DETECTION Doug McIlroy, Session Chair
9:30--10:00: Measuring and Modeling Computer Virus Prevalence
Jeffrey Kephart and Steve White
10:00--10:30: USTAT: A Real-Time Intrusion Detection System for UNIX
Koral Ilgun
10:30---11:00: BREAK
11:00--12:00: CAUSALITY AND INTEGRITY: George Dinolt, Session Chair
11:00--11:30: Preventing Denial and Forgery of Causal Relationships
in Distributed Systems
Michael Reiter and Li Gong
11:30--12:00: Message Integrity Design
Stuart Stubblebine and Virgil Gligor
12:00--2:00: LUNCH
2:00--3:30: PANEL: Privacy Enhanced Mail
Panelists: TO BE ANNOUNCED
3:30--4:00: BREAK
4:00--5:00: AUTHENTICATION PROTOCOLS: Teresa Lunt, Session Chair
4:00--4:30 Authentication Method with Impersonal Token Cards
Refik Molva and Gene Tsudik
4:30--5:00: Interconnecting Domains with Heterogeneous Key
Distribution and Authentication Protocols
Frank Piessens, Bart DeDecker and Phil Janson
6:00: POSTER SESSIONS
TUESDAY
9:00--10:30: TIMING CHANNELS: John Rushby, Session Chair
9:00-- 9:30: Modelling a Fuzzy Time System
Jonathan Trostle
9:30--10:00: On Introducing Noise into the Bus-Contention Channel
James Gray
10:00--10:15: Discussant: TO BE ANNOUNCED
10:15--10:30: Open Discussion
10:30--11:00: BREAK
11:00--12:00: INFORMATION FLOW: John McLean, Session Chair
11:00--11:30 A Logical Analysis of Authorized and Prohibited
Information Flows
Frederic Cuppens
11:30--12:00 The Cascade Vulnerability Problem
J. Horton, R. Harland, E. Ashby, R. Cooper,
W. Hyslop, B. Nickerson, W. Stewart, and K. Ward
12:00--2:00: LUNCH
2:00--3:30: PANEL: The Federal Criteria
Panelists: TO BE ANNOUNCED
3:30--4:00: BREAK
4:00--5:00: DATABASE SECURITY: Marv Schaefer, Session Chair
4:00--4:30: A Model of Atomicity for Multilevel Transactions
Barbara Blaustein, Sushil Jajodia,
Catherine McCollum and LouAnna Notargiacomo
4:30--5:00: Achieving Stricter Correctness Requirements in
Multilevel Secure Database
Vijayalakshmi Atluri, Elisa Bertino and
Sushil Jajodia
5:00: TC MEETING
6:00: POSTER SESSIONS
WEDNESDAY
9:00--10:30: ANALYSIS OF CRYPTOGRAPHIC PROTOCOLS: Yacov Yacobi,
Session Chair
9:00-- 9:30: Trust Relationships in Secure Systems
-- A Distributed Authentication Perspective
Raphael Yahalom, Birgit Klein and Thomas Beth
9:30--10:00: A Logical Language for Specifying Cryptographic
Protocol Requirements
Paul Syverson and Catherine Meadows
10:00--10:30: A Semantic Model for Authentication Protocols
Thomas Woo and Simon Lam
10:30--11:00: BREAK
11:00--12:00: SYSTEMS: Virgil Gligor, Session Chair
11:00--11:30: Detection and Elimination of Inference Channels
in Multilevel Relational Database Systems
X. Qian, M. Stickel, P. Karp, T. Lunt and
T. Garvey
11:30---12:00 Assuring Distributed Trusted Mach
Todd Fine
12:00: SYMPOSIUM ADJOURN
- - -------------------------------------------------------------------
Symposium Registration: Dates strictly enforced by postmark.
Advance Member (to 4/12/93) $240*
Late Member (4/13/93-4/30/93) $290*
*Registration must include IEEE number to qualify.
Advance Non-Member $300
Late Non-Member $370
Advance Student $50
Late Student $50
Mail registration to:
Cristi Garvey
R2/2104
TRW Defense Systems Group
One Space Park
Redondo Beach, CA 90278
(310) 812-0566
NO REGISTRATIONS BY EMAIL
------------------------------
End of PRIVACY Forum Digest 02.05
************************
