PRIVACY Forum Digest Wednesday, 28 September 1994 Volume 03 : Issue 18
Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.
===== PRIVACY FORUM =====
The PRIVACY Forum digest is supported in part by the
ACM Committee on Computers and Public Policy.
CONTENTS
No responses in favor of Wiretap Bill received
(Lauren Weinstein; PRIVACY Forum Moderator)
Digitizing signatures (Bob Rahe)
Electronic Signatures (Terrence P. Maher)
More Electronic Signatures (John French)
Looking for Help (Mary Zahn Hanin)
FBI Wiretap Bill (Marc Rotenberg)
Another Civil Liberty Group Opposes Wiretap Bill (Dave Banisar)
ACLU release and letter on FBI wiretap bill (ACLU Information)
Privacy & American Business conference in DC next week
(Lance J. Hoffman)
*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***
-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond. The
moderator will choose submissions for inclusion based on their relevance and
content. Submissions will not be routinely acknowledged.
ALL submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored. Excessive "signatures" on submissions are
subject to editing. Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com". Mailing list problems should be reported to
"list-maint@vortex.com". All submissions included in this digest represent
the views of the individual authors and all submissions will be considered
to be distributable without limitations.
The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password. The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access. PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system. Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive. All PRIVACY Forum materials are available
through the Internet Gopher system via a gopher server on site
"gopher.vortex.com". Access to PRIVACY Forum materials is also available
through the Internet World Wide Web (WWW) via the Vortex Technology WWW home
page at the URL: "http://www.vortex.com/".
For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@vortex.com, call (818) 225-2800, or FAX
to (818) 225-7203.
-----------------------------------------------------------------------------
VOLUME 03, ISSUE 18
Quote for the day:
"If anything should happen to me, you must go to Gort.
You must say these words: Klaatu, Barada, Nickto.
Please repeat that."
-- Klaatu (Michael Rennie)
"The Day the Earth Stood Still" (1951)
----------------------------------------------------------------------
Date: Wed, 28 Sep 94 20:45 PDT
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: No responses in favor of Wiretap Bill received
Greetings. As you'll see, the PRIVACY Forum received a number of items
opposed to the current "FBI Wiretap Bill" in the current cycle. Though I
recently suggested here in the digest that persons in favor of the bill
(I know you're out there) send in their thoughts so that all sides of the
issues can be discussed, no articles in favor of the bill were received.
I'd like to emphasize again that it is important that different points of
view be presented, even where particular views might be perceived to be
minority ones amongst the readership. However, if proponents don't submit
items, only the points of views of those who do send in articles can be seen.
Regardless of how we feel as individuals about this and other controversial
topics, a well-rounded discussion would be to everyone's advantage.
--Lauren--
------------------------------
Date: Wed, 21 Sep 1994 10:08:31 EDT
From: bob@hobbes.dtcc.edu (Bob Rahe)
Subject: Digitizing signatures
In Digest Volume 03, Issue 17 Bill Hensley worries about a local store
apparently getting his signature electronically when he signed a credit card
slip on a 'funny' pad.
Altho there may be risks to privacy with the storing of someone's signature
like that, it would not seem that this is raising that risk by a significant
amount. It merely means the store doesn't have to take the slip to a scanner
to get it digitized. Makes it only marginally easier to get.
And UPS around here doesn't use paper at all when you sign for packages.
They have an electronic clipboard with a plastic stylus and a window where
you sign and an LCD display that shows what you are scratching.
------------------------------
Date: Wed, 21 Sep 1994 11:05:34 -0500 (CDT)
From: Terrence P Maher <mahert@creighton.edu>
Subject: Electronic Signatures
As I practice credit card and debit card law, I thought a short note on
why VISA/MC/AMEX ("interchange systems") are moving to electronic signatures
was necessary.
Back in the old days, prior to electronic draft capture, in order to get
paid on these tickets, the merchant had to mail them to its bank (or
the bank's processor). These tickets would then be manually keyed into
the interchange systems for payment. The paper stayed with the merchant's
bank, and everything done after that was handled electronically.
Under the interchange rules, if a cardholder disputed a transaction
(a "chargeback" in credit card lingo), the cardholder's bank,
prior to making the chargeback to the merchant's bank, had to request the
merchant's bank to send a copy of the transaction ticket (a "retrieval
request" in credit card lingo). Under the rules, the merchant's bank had a
few days to send a copy of the actual ticket to the cardholder's bank, to
avoid the chargeback. So banks paid people to sift through paper
tickets to identify a ticket that was subject to a retrieval request.
Not only was the system slow (the merchant did not get paid on
these tickets until approximately a week after they were mailed), but
many keypunch errors occurred. The paper ticket volume just got to be
too much. It was becoming impossible to store and index all of these
paper tickets. To get rid of the paper, the interchange systems instituted
"electronic draft capture" ("EDC"). Under EDC, all of the information
that the interchange system needs to process a transaction was captured by
those little POS terminals sitting by the register. This included the
merchant's I.D. number, the authorization number, the cardholder's account
number, the total amount of the sale, and the date and time of the sale.
At the end of each shift (or the end of the day), the merchant "closed
the batch" and the electronic "tickets" in that batch were electronically
summarized and transmitted to the merchant's bank for direct submission
to the interchange systems. No mailing of paper tickets or keypunching
was necessary!
Those little paper tickets that the printers on the POS devices kick out
are really only for the cardholder's benefit, the yellow copy never
leaves the merchant's place of business. Under the agreement between the
merchant's bank and the merchant for credit card processing services, the
merchant has to store them for up to 7 years, and has to present a copy
within 5-10 days in case one of those dreaded retrieval requests comes
through.
There's the problem - if a retrieval request comes in, the merchant
doesn't want to have to pay an employee to search through six months of
tickets in order to send one copy back to the bank within this short
period. Picture a major retailer that might take hundreds of card
transactions a day. It was a mess, and both the merchant's bank (who has
to fund chargebacks if the retrieval request was not timely honored) and
the merchant could suffer unnecessary losses.
The interchange systems' solution? Why not capture the signatures and
transaction information digitally and store them, so the bank can
directly access the files to get a "copy" of the ticket in the event of a
cardholder dispute? With the new data compression systems, these digital
images can be shrunk down to relatively small data files and easily
stored on electronic media or CD-ROM.
That is the rationale, but I agree the materials can be used for other
less honorable purposes.
Terrence (Terry) P. Maher, Esq.
------------------------------
Date: 22 Sep 94 16:02:29 EDT
From: John French <73554.271@compuserve.com>
Subject: More Electronic Signatures
Another example of electronic signatures:
At least some Sears stores have already instituted these systems, and the
national consumer relations department cannot tell me whether the sales
clerk at one store was correct when she told me they are intending to
implement it in all Sears stores. The clerk said it was for the convenience
of the clerks when comparing signatures on the card - they can now compare
it to a signature on their screen as opposed to the receipt just signed by
the customer. Apparently she did not know what Consumer Relations later
admitted to me, that graphics of the signatures are being stored.
I for one will not use the "special pens" when signing my credit
card receipts in the future.
------------------------------
Date: Thu, 22 Sep 1994 09:51:06 -0500
From: mzhanin@omnifest.uwm.edu (Mary Zahn Hanin)
Subject: Looking for Help
Greetings! I am a reporter for the Milwaukee Sentinel (Milwaukee's morning
newspaper) and have been assigned to put together a comprehensive series of
articles on personal privacy in the age of computers. We are specifically
interested in showing people how much information can be gathered about them
without their knowledge. We are hopeful that someone on this list will have
some ideas on how we can go about this; or, in the alternative, have some
stories of their own to share. This is a major issue which few newspapers have
looked at closely. We hope to educate the public and policy makers so that
informed decisions about privacy issues can be made in the future. If you can
help, please send your responses to my E-Mail address.
One word of caution. The university which handles my Internet account is
changing computers on Monday and Tuesday and will not be functioning. Please
send me responses on or before Sunday or after next Tuesday (Sept 27).
Thanks for the help. Mary Zahn Hanin.
------------------------------
Date: Fri, 23 Sep 1994 10:15:12 EST
From: Marc Rotenberg <rotenberg@washofc.epic.org>
Subject: FBI Wiretap Bill
The Electronic Privacy Information Center has begun a campaign to stop the
FBI wiretap bill that is now pending in Congress. EPIC has compiled 100
Reasons to oppose the legislation. The Reasons cover a range of issues from
the history of wiretap law to examples of recent abuse. Some of the Reasons
explore specific ramifications of the wiretap legislation, others look more
broadly on the possible impact on network development.
Reason 32 and Reason 36 listed below look at the possible impact on network
security and innovation. The views are based on documents obtained from
federal agencies under the Freedom of Information Act.
To maximize public awareness of the issue while minimizing the flow of
duplicate messages, EPIC is posting the Reasons to different news groups.
The postings are unique, the same Reasons are not posted to more than one
list.
There is less than two weeks left in this session of Congress. If you are
interested in this issue and would like to express your views, look at the
posting for more information.
========================================================================
100 Reasons to Oppose the FBI Wiretap Bill
Reason 32: The FBI wiretap bill is likely to slow and to distort the
development of communications technology
A confidential memorandum obtained from the Department of Commerce under
the Freedom of Information Act had this to say about the FBI
wiretap bill: "The proposed bill could obstruct or distort
telecommunications technology development by limiting fiber optic
transmission, ISDN, cellular services and other technologies until they are
modified to avoid impeding lawful government access."
----------------------
Reason 36: The FBI wiretap bill is likely to jeopardize the
security of electronic communications.
A confidential memorandum obtained from the Department of Commerce under
the Freedom of Information Act had this to say about the FBI wiretap bill:
"The proposal could impair the security of business communications by
requiring system modifications that could facilitate not only lawful
government interception, but unlawful interception by others. For certain
industries, such as banking and financial services, communications security
is critical."
-> 9/28 NEWS UPDATE: Senate Judiciary Committee approves wiretap
-> plan, but opposition from individual Senators still likely. Rep. Brooks
-> to consider bill.
------------------------------------------------------------------------
What To Do: Contact your Senator. Urge a no vote on S. 2375, the FBI
Wiretap proposal. Fax Rep. Jack Brooks 202/225-1584. Express your
concerns. Staff in both the House and Senate report that these
messages are making a difference.
------------------------------------------------------------------------
100 Reasons is a project of the Electronic Privacy Information Center
(EPIC) in Washington, DC. For more information: 100.Reasons@epic.org.
------------------------------
Date: Fri, 23 Sep 1994 20:07:10 EST
From: Dave Banisar <banisar@washofc.epic.org>
Subject: Another Civil Liberty Group Opposes Wiretap Bill
The American Civil Liberties Union (ACLU) today wrote to Rep. Jack Brooks,
Chairman of the House Judiciary Committee, "to express the ACLU's opposition
to the FBI Wiretap Access Bill, H.R. 4922." The organization's position is
the latest indication that the legislation is running into serious trouble
in Congress for several reasons, including strong opposition from civil
liberties and privacy advocates. The bill's proponents had initially hoped
to bring it to a vote on the floors of the House and Senate by
mid-September. Instead, the bill remains in committees of both houses and
is the object of a grassroots campaign to prevent its enactment.
Excerpts from the ACLU letter:
"The principal problem remains that any digital telephone bill
which mandates that communications providers make technological
changes for the sole purpose of making their systems wiretap-
ready creates a dangerous and unprecedented presumption that
government not only has the power, subject to warrant to
intercept private communications, but that it can require private
parties to create special access. It is as if the government had
required all builders to construct new housing with an internal
surveillance camera for government use. ...
"Moreover, the FBI has not borne the burden of proving why such
an extraordinary requirement is necessary. ...
"H.R. 4922 proposes a radical and expensive change in our
telecommunications structure. The threats it poses, now and
prospectively, are real, but the need for it is far less than
evident or proven. We urge that your Committee not rush into
consideration of this far reaching measure with so little time
left in the session."
The Electronic Privacy Information Center (EPIC) is urging all
concerned individuals and organizations to contact the following
members of Congress immediately:
Rep. Jack Brooks: (202) 225-6565 (voice), (202) 225-1584 (fax)
Sen. Howard Metzenbaum: (202) 224-7494 (voice), (202) 224-5474 (fax)
For more information about the FBI Wiretap Bill, check the Voters
Telecomm Watch (VTW) gopher site (gopher.panix.com) or send
e-mail to <info@epic.org>.
------------------------------
Date: Mon, 26 Sep 1994 17:52:45 -0400
From: ACLU Information <infoaclu@aclu.org>
Subject: ACLU release and letter on FBI wiretap bill
ACLU * ACLU * ACLU * ACLU * ACLU * ACLU * ACLU * ACLU * ACLU
NEWS RELEASE * NEWS RELEASE * NEWS RELEASE * NEWS RELEASE
ACLU Opposes FBI Wiretap Access Bill;
Legislation Would Create Dangerous Precedent
For IMMEDIATE RELEASE
September 26, 1994
Contact: Barry Steinhardt
BarryS @ aclu.org
or Kathy Parrent, 212-944-9800, ext. 424
The American Civil Liberties Union today called on the House
Judiciary Committee to reject the FBI Wiretap Access Bill, H.R. 4922,
which would require private electronics manufacturers to insure that the
FBI can wiretap using developing telecommunications technologies.
In a letter sent to Congressman Jack Brooks, Chair of the House
Judiciary Committee, the ACLU stated that the bill "... creates a
dangerous and unprecedented presumption that government not only has the
power, subject to warrant to intercept private communications, but that it
can require private parties to create special access. It is as if the
government had required all builders to construct new housing with an
internal surveillance camera for government use."
"Moreover, the FBI has not borne the burden of proving why such an
extraordinary requirement is necessary..." the letter said.
A copy of the full letter with the ACLU's detailed objections
follows.
___________________________________________________________________________
September 22, 1994
Honorable Jack Brooks
Congressman, State of Texas
2449 Rayburn House Office Building
Washington, D.C. 20515-4309
Dear Congressman Brooks:
We are writing to you to express the ACLU's opposition to the
FBI-Wiretap Access Bill, H.R. 4922. While we were not actively involved
in Subcommittee deliberations, we have reviewed the legislation and we
have several major concerns.
The principal problem remains that any digital telephone bill
which mandates that communications providers make technological changes
for the sole purpose of making their systems wiretap-ready creates a
dangerous and unprecedented presumption that government not only has the
power, subject to warrant, to intercept private communications, but that
it can require private parties to create special access. It is as if the
government had required all builders to construct new housing with an
internal surveillance camera for government use. Even if such use were
triggered only by a judicial warrant, such a requirement would be strongly
resisted by the American people. H.R. 4922 establishes a similar
requirement, and is without precedent.
Moreover, the FBI has not borne the burden of proving why such an
extraordinary requirement is necessary. In 1993, there were fewer than
1,000 wiretaps authorized and many of them failed to yield any substantive
evidence while intercepting many innocent conversations. It is far from
clear that digital telephones will substantially obstruct legitimate law
enforcement efforts. Without further public discussion and debate, the
public will not have a sufficient opportunity to weigh the loss of privacy
against the FBI's claims. There has been no opportunity to learn the full
extent of the types of investigations that the FBI claims were precluded
because of a restriction on their public dissemination. Yet, based on
these secret assertions, 91 such incidents were cited by the FBI. On
those slim assertions, the public's loss of privacy in digital
communications is all but assured and taxpayers will be asked to pay an
extraordinary price.
H.R. 4922 authorizes $500 million over the next four years to
reimburse telecommunications carriers for the costs that would be imposed
by the bill. Even if you accept these cost estimates -- the industry puts
the real cost in the billions -- we will be spending $125 million or $125,000
per wiretap, for the fewer than 1,000 taps that will be conducted each
year.
As you know, the ACLU has the greatest respect for Congressman
Edwards and Senator Leahy. Both have been tireless champions for civil
liberties. The Edwards/Leahy proposal is an improvement over earlier
versions offered by the FBI and we applaud their efforts to add new
privacy protections.
The proposed expansion of the Electronic Communications Privacy
Act to cordless phones and the requirement that a court order be obtained
for transactional data from electronic communication providers both are
steps forward and merit separate consideration by the Congress. But they
cannot and should not be traded for the unprecedented intrusion
represented by H.R. 4922.
In several respects, H.R. 4922 is still too broad in its
application.
For example, earlier versions of the bill would have applied
directly to on-line communication and information services such as
internet providers, America On Line, Compuserve, Prodigy etc. H.R. 4922
would apply directly only to "telecommunications carriers" such as the
Regional Bell Operating Companies.
But this provision does not narrow the scope of the bill as much
as it might seem. First, with the new presumption that the government is
entitled to require private manufacturers to insure its ability to
wiretap, law enforcement will undoubtedly be back in future years
insisting that this limitation thwarts its efforts and will seek to
broaden the coverage to other information providers. Once the basic
principle of H.R. 4922 is accepted, what arguments remain to resist its
expansion? The limited application of H.R. 4922 is surely temporary; what
matters is the basic requirement, not its immediate application.
More importantly, law enforcement will still have the opportunity
to intercept on-line communications over the internet or commercial
on-line networks, by tapping into the facilities of the telecommunications
companies. As critics of the earlier versions had noted the coverage of
the on-line providers was largely redundant. All these communications
still pass over telephone lines.
Law enforcement does not need access at every point in a
telecommunication in order to intercept it. Access at any one point is
sufficient and that would be readily available since ultimately on-line
communications must travel over the public switched telephone network
which the bill requires be wiretap ready.
Moreover, given the commingled nature of digital communication
lines, it is inevitable that more private information from third parties
will be intercepted than would be the case with analog phones, and the
minimization requirements in the bill will not prevent this.
In the end, this proposal will make our telecommunications
structure more, not less vulnerable.
In its original form the FBI Digital Telephony proposal would have
given the power to the Attorney General to impose standards on
communication providers which would guarantee that their systems were
wiretap-ready.
Essentially, this would have created a centralized wiretapping
system that threatened the privacy of the entire nation and was dependent
for its security on a few select people.
This raised the real concern that if electronic communications
service providers must design their systems to allow and ensure FBI
access, then the resulting mandatory "back doors" may become known to and
be exploited by "criminals."
The new proposal contains the same risks. It would have the
technical standards developed by the industry, through trade associations
or standard-setting bodies, in consultation with the Attorney General.
But it contains a "safe harbor" provision, which protects a carrier from
sanction if it is in compliance with standards created by this approach.
The safe harbor provision virtually guarantees that the standards
developed through the industry-based process will be adopted by all.
Whether the standards are directly imposed by government or created by
concerted industry action, in consultation with the government, makes
little difference. The result is the same. A centralized wiretapping
capacity with all of its vulnerabilities will still be created.
Finally, we have grave concerns about the encryption provisions.
The Edwards/Leahy version has been described as "neutral" on encryption.
The bill provides that telecommunications providers do not need to decrypt
data, unless they hold the key.
In the short term, this is an improvement over the earlier
versions of the bill which would have created obligations to decrypt, but
there are at least two longer term problems.
First, is the new presumption that industry has the affirmative
responsibility to create special technical capacity for the government to
snoop. Can there be any real doubt that the FBI will be back in the years
to come asserting that its ability to intercept communications has been
thwarted by easily available encryption and that an industry obligation,
analogous to the new obligation to provide wiretap capacity, must be
created?
Secondly, in some cases the telecommunications providers may well
hold the key -- particularly as they expand the services they provide to
their customers.
H.R. 4922 proposes a radical and expensive change in our
telecommunications structure. The threats it poses, now and
prospectively, are real, but the need for it is far less than evident or
proven. We urge that your Committee not rush into consideration of this
far reaching measure with so little time left in the session.
We thank you for your consideration of our views and we would be
happy to sit down with you to discuss these issues.
Sincerely,
Ira Glasser                    Laura Murphy Lee
--endit--
The ACLU urges interested persons to contact the following members of
Congress immediately:
Rep. Jack Brooks: (202) 225-6565 (voice), (202) 225-1584 (fax)
Sen. Howard Metzenbaum: (202) 224-7494 (voice), (202) 224-5474 (fax)
------------------------------
Date: Wed, 28 Sep 1994 12:00:39 -0400 (EDT)
From: "Lance J. Hoffman" <hoffman@seas.gwu.edu>
Subject: Privacy & American Business conference in DC next week
"Managing the Privacy Revolution" Oct. 4-5, 1994 Features Top Privacy
Experts in Landmark Washington Conference
Fifty leading privacy experts from the administration, federal and state
government, the business community, public interest and advocacy groups,
corporate legal representatives, telecommunications, the academic and policy
community, national industry associations, the media, and survey research
will participate in "Managing the Privacy Revolution," the first annual
business/privacy conference sponsored by Privacy & American Business,
October 4-5, 1994 at Loews L'Enfant Plaza Hotel, Washington, D.C. (Program,
speakers, and P&AB information attached).
The conference will also offer the first look at a new P&AB/Louis Harris
survey on the Consumer, Interactive Services, and Privacy.
Geared to assist those who handle personal information about consumers,
clients and employees, the conference is expected to attract those who
manage information privacy issues and policy in consumer credit,
telecommunications, banking credit cards, employment, life/health/property
insurance, health care, telemessaging, direct marketing and medical
records.
The conference will lay out the sweeping political, legal, and technological
changes affecting the way every U.S. business will handle personal customer
and employee information in the future and will provide a forum for
addressing the changes.
The $595 registration fee for the two day conference includes all sessions,
private time with speakers, interaction with fellow conferees, cocktail
party and buffet reception, two banquet luncheons, two continental
breakfasts, three refreshment breaks. Also a Washington Legislative
Briefing Book, a Handbook of Company Privacy Codes, a specially prepared
35-page book of Highlights from 1994 Louis Harris Privacy Surveys and a
six-month trial subscription to Privacy & American Business (or a six month
renewal of an existing subscription). Special rates for nonprofit
organizations, multiple registrations, and a $100 Early Bird registration
discount are available.
For further conference information, call P&AB, 201-996-1154 or fax
201-996-1883.
------------------------------
End of PRIVACY Forum Digest 03.18
************************