Date: Tue, 18 May 93 16:34:21 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@PICA.ARMY.MIL
Subject: Computer Privacy Digest V2#043

Computer Privacy Digest Tue, 18 May 93              Volume 2 : Issue: 043

Today's Topics:
Moderator: Dennis G. Rears

    Re: [Newsbytes Editorial] Caller Line ID
    DMV rcds
    Re: Credit Card without SSN
    Re: privacy vs banks (was: Re: I won one!)
    NIST Privacy Conf. - Clipper Chip and Public Key Crypto

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@pica.army.mil and administrative requests to comp-privacy-request@pica.army.mil. Back issues are available via anonymous ftp on ftp.pica.army.mil [129.139.160.133].

----------------------------------------------------------------------

Date: Sat, 15 May 93 22:52 PDT
From: John Higdon
Organization: Green Hills and Cows
Subject: Re: [Newsbytes Editorial] Caller Line ID

Carl M Kadie quotes Robert Jacobson:

> What killed Caller ID, ultimately, wasn't the restrictions imposed
> by state regulators but business's lack of interest. Caller ID relied
> upon a high "take" by telemarketers, direct marketers, and other
> commercial institutions who wanted access to telephone numbers. They
> already get enough information from 800 and 900 numbers, since those
> calls are self-screened by customers who want to conduct some sort of
> business transaction. Caller ID promised a deluge of information that
> only the very biggest organizations could sift through and employ.
> And the bad press surrounding Caller ID discouraged those institutions
> from getting in too deep.

This is the most ignorant nonsense that I have ever heard from someone parading around a Ph.D and purporting to know how to even dial a phone. Big business has its own "Caller ID". It has had it for years.
It could not care less about the CLASS offering which is limited to SS7-equipped offices and is frequently subject to blocking. 800 and 900 ANI is not blockable, is virtually universal, works everywhere (including California), and does not depend upon SS7 connectivity. It is essentially perfect.

Also, Jacobson talks as though California is the be-all and end-all of everything. His references to the "death" of Caller ID ring somewhat hollow in light of the fact that the service is offered in more than two-thirds of the United States. It is not going away. It offers to Everyman what the big boys have enjoyed for many years; and Everyman will eventually demand it and get it.

Yes, this is a personal issue with me. We patiently waited for Caller ID to be approved in California so that we could offer a specialized service that performs the automatic establishment of open accounts. The transaction requires the recording of the caller's number. When the decision came down, it required us to install direct trunks to a long distance carrier, install (and pay for usage on) an 800 number, and use the ANI instead of the much easier and cheaper Caller ID. Consequently our service must cost more to recover the costs of the carrier trunks and the 800 service.

What I see here is an interesting irony. People of Jacobson's ilk who would deny the common man the ability to see who is calling him are in reality advocating a class (no pun intended) separation. People in California who want Caller ID badly enough (and can, like big corporations, pay for it) have it via 800 and 900 service. Ordinary individuals cannot have it. It is a classic case of "haves" vs "have-nots".

So you fellow Californians who order "pay-per-view" with an 800 number should realize that you are paying for the fact that your cable company cannot simply use ordinary POTS lines.

> But the demise of Caller ID has a larger, ironic outcome:

Jacobson, get a grip.
To paraphrase Mark Twain, reports of the death of Caller ID have been highly exaggerated.

> Editor's Note: Robert Jacobson, Ph.D., is former principal
> consultant/staff director of the Assembly Utilities and
> Commerce Committee, California Legislature, 1982-1989.

If Robert Jacobson, Ph.D is an example of the caliber of people in and around our state government, it is no wonder California is rapidly going down the drain. His fact-poor irrelevant emotionalism serves no one, particularly the citizens of this state who are in desperate need of new technologies and the tools to remain competitive. Hopefully what can only be described as "ignorant elitism" will give way to rational thinking on the part of those in power.

--
John Higdon | P. O. Box 7648 | +1 408 264 4115 | FAX:
john@ati.com | San Jose, CA 95150 | 10288 0 700 FOR-A-MOO | +1 408 264 4407

------------------------------

Date: Sun, 16 May 93 11:50:51 PDT
From: Jim Warren
Subject: DMV rcds

Hi,

Just noticed your post in Computer Privacy Digest V2 #040.

> I know that California makes it illegal to have such records.

Absolutely not so. Any private investigator can get them (but has to keep records of why they are requesting them, and those records are audited). Also any organization with a "legitimate business interest" (I think that's how the statute is phrased) can get 'em. All for a fee, of course -- this is a significant profit center, uh, "revenue" center for the State DMV.

--jim

------------------------------

From: Penio Penev
Subject: Re: Credit Card without SSN
Reply-To: penev@venezia.rockefeller.edu
Organization: Rockefeller University
Date: Sun, 16 May 1993 18:50:48 GMT

On Fri, 14 May 1993 14:08:42 GMT Cristy (cristy@eplrx7.es.dupont.com) wrote:

| I just received my first VISA card without submitting my SSN. I applied
| to over 10 different offers I got in the mail. They all turned me down
| because I did not submit my SSN except for one.

I am in the situation of seeking a (secured with a long-term CD) credit card, without specifying my SSN. I've tried only two times and my third one is under way, with a greater possibility for not getting the card. My situation is even worse, because I do not have a credit history yet. I'm ready to secure my credit card line with a long term CD, though.

I was determined to try out all banks before I surrender, but this message is encouraging. Will you direct me to the right bank and/or procedure?

--
Penio Penev x7423 (212)327-7423 (w)
Internet: penev@venezia.rockefeller.edu
Disclaimer: All opinions are mine.

------------------------------

From: "Wm. L. Ranck"
Subject: Re: privacy vs banks (was: Re: I won one!)
Date: 17 May 1993 14:38:27 GMT
Organization: Virginia Tech, Blacksburg, Virginia

Jonathan Thornburg (jonathan@hermes.chpc.utexas.edu) wrote:

: Indeed, they're required by law to get an SSN any time they pay interest.
: This is so they can report the interest to the IRS, who can in turn
: cross-match this with your tax return to make sure you report that
: interest as income.

I believe that banks are still required to report interest that you pay them. In other words the IRS still gets some form telling them how much interest I paid on my Visa card even though that is no longer deductible.

--
********************************************************************************
* Bill Ranck              (703) 231-9503                     Bill.Ranck@vt.edu *
* Computing Center, Virginia Polytechnic Inst. & State Univ., Blacksburg, Va.  *
********************************************************************************

------------------------------

From: "Curtis D. Frye"
Subject: NIST Privacy Conf. - Clipper Chip and Public Key Crypto
Organization: The MITRE Corporation, McLean, VA
Date: Mon, 17 May 1993 15:59:11 GMT

Folks-

I came across this announcement through email with a colleague and post it for your information.
NIST will be hosting a public forum on the Clipper Chip and public key encryption / privacy issues from 2-4 June 1993 in Bethesda, MD. I believe all the relevant information is included in the post, but if you have any questions mail or call NIST as I don't represent them or any other part of the US government.

-----Begin included file-----

From: Clipper-Capstone Chip Info
Organization: National Institute of Standards and Technology (NIST)
Subject: NIST Advisory Board Seeks Comments on Crypto

This file will be made available for anonymous ftp from csrc.ncsl.nist.gov, filename pub/nistgen/cryptmtg.txt and for download from the NIST Computer Security BBS, 301-948-5717, filename cryptmtg.txt.

Note: The following notice is scheduled to appear in the Federal Register this week. The notice announces a meeting of the Computer System Security and Privacy Advisory Board (established by the Computer Security Act of 1987) and solicits public and industry comments on a wide range of cryptographic issues. Please note that submissions due by 4:00 p.m. May 27, 1993.

DEPARTMENT OF COMMERCE
National Institute of Standards and Technology

Announcing a Meeting of the
COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD

AGENCY: National Institute of Standards and Technology

ACTION: Notice of Open Meeting

SUMMARY: Pursuant to the Federal Advisory Committee Act, 5 U.S.C. App., notice is hereby given that the Computer System Security and Privacy Advisory Board will meet Wednesday, June 2, 1993, from 9:00 a.m. to 5:00 p.m., Thursday, June 3, 1993, from 9:00 a.m. to 5:00 p.m., and Friday, June 4, 1993 from 9:00 a.m. to 1:00 p.m. The Advisory Board was established by the Computer Security Act of 1987 (P.L.
100-235) to advise the Secretary of Commerce and the Director of NIST on security and privacy issues pertaining to Federal computer systems and report its findings to the Secretary of Commerce, the Director of the Office of Management and Budget, the Director of the National Security Agency, and the appropriate committees of the Congress. All sessions will be open to the public.

DATES: The meeting will be held on June 2-4 1993. On June 2 and 3, 1993 the meeting will take place from 9:00 a.m. to 5:00 p.m. and on June 4, 1993 from 9:00 a.m. to 1:00 p.m.

Public submissions (as described below) are due by 4:00 p.m. (EDT) May 27, 1993 to allow for sufficient time for distribution to and review by Board members.

ADDRESS: The meeting will take place at the National Institute of Standards and Technology, Gaithersburg, MD. On June 2, 1993, the meeting will be held in the Administration Building, "Red Auditorium," on June 3 the meeting will be held in the Administration Building, "Green Auditorium," and on June 4, 1993 in the Administration Building, Lecture Room "B."

Submissions (as described below), including copyright waiver if required, should be addressed to: Cryptographic Issue Statements, Computer System Security and Privacy Advisory Board, Technology Building, Room B-154, National Institute of Standards and Technology, Gaithersburg, MD, 20899 or via FAX to 301/948-1784. Submissions, including copyright waiver if required, may also be sent electronically to "crypto@csrc.ncsl.nist.gov".

AGENDA:

- Welcome and Review of Meeting Agenda
- Government-developed "Key Escrow" Chip Announcement Review
- Discussion of Escrowed Cryptographic Key Technologies
- Review of Submitted Issue Papers
- Position Presentations & Discussion
- Public Participation
- Annual Report and Pending Business
- Close

PUBLIC PARTICIPATION:

This Advisory Board meeting will be devoted to the issue of the Administration's recently announced government-developed "key escrow" chip cryptographic technology and, more broadly, to public use of cryptography and government cryptographic policies and regulations. The Board has been asked by NIST to obtain public comments on this matter for submission to NIST for the national review that the Administration has announced it will conduct of cryptographic-related issues. Therefore, the Board is interested in: 1) obtaining public views and reactions to the government-developed "key escrow" chip technology announcement, "key escrow" technology generally, and government cryptographic policies and regulations; 2) hearing selected summaries of written views that have been submitted, and 3) conducting a general discussion of these issues in public.

The Board solicits all interested parties to submit well-written, concise issue papers, position statements, and background materials on areas such as those listed below. Industry input is particularly encouraged in addressing the questions below.

Because of the volume of responses expected, submittors are asked to identify the issues above to which their submission(s) are responsive. Submittors should be aware that copyrighted documents cannot be accepted unless a written waiver is included concurrently with the submission to allow NIST to reproduce the material. Also, company proprietary information should not be included, since submissions will be made publicly available.

This meeting specifically will not be a tutorial or briefing on technical details of the government-developed "key escrow" chip or escrowed cryptographic key technologies. Those wishing to address the Board and/or submit written position statements are requested to be thoroughly familiar with the topic and to have concise, well-formulated opinions on its societal ramifications.

Issues on which comments are sought include the following:

1. CRYPTOGRAPHIC POLICIES AND SOCIAL/PUBLIC POLICY ISSUES

Public and Social policy aspects of the government-developed "key escrow" chip and, more generally, escrowed key technology and government cryptographic policies.

Issues involved in balancing various interests affected by government cryptographic policies.

2. LEGAL AND CONSTITUTIONAL ISSUES

Consequences of the government-developed "key escrow" chip technology and, more generally, key escrow technology and government cryptographic policies.

3. INDIVIDUAL PRIVACY

Issues and impacts of cryptographic-related statutes, regulations, and standards, both national and international, upon individual privacy.

Issues related to the privacy impacts of the government-developed "key escrow" chip and "key escrow" technology generally.

4. QUESTIONS DIRECTED TO AMERICAN INDUSTRY

4.A Industry Questions: U.S. Export Controls

4.A.1 Exports - General

What has been the impact on industry of past export controls on products with password and data security features for voice or data?

Can such an impact, if any, be quantified in terms of lost export sales or market share? If yes, please provide that impact.

How many exports involving cryptographic products did you attempt over the last five years? How many were denied? What reason was given for denial?

Can you provide documentation of sales of cryptographic equipment which were lost to a foreign competitor, due solely to U.S. Export Regulations.

What are the current market trends for the export sales of information security devices implemented in hardware solutions? For software solutions?

4.A.2 Exports - Software

If the U.S. software producers of mass market or general purpose software (word processing, spreadsheets, operating environments, accounting, graphics, etc.) are prohibited from exporting such packages with file encryption capabilities, what foreign competitors in what countries are able and willing to take foreign market share from U.S. producers by supplying file encryption capabilities?

What is the impact on the export market share and dollar sales of the U.S. software industry if a relatively inexpensive hardware solution for voice or data encryption is available such as the government-developed "key escrow" chip?

What has been the impact of U.S. export controls on COMPUTER UTILITIES software packages such as Norton Utilities and PCTools?

What has been the impact of U.S. export controls on exporters of OTHER SOFTWARE PACKAGES (e.g., word processing) containing file encryption capabilities?

What information does industry have that Data Encryption Standard (DES) based software programs are widely available abroad in software applications programs?

4.A.3 Exports - Hardware

Measured in dollar sales, units, and transactions, what have been the historic exports for:

    Standard telephone sets
    Cellular telephone sets
    Personal computers and work stations
    FAX machines
    Modems
    Telephone switches

What are the projected export sales of these products if there is no change in export control policy and if the government-developed "key escrow" chip is not made available to industry?

What are the projected export sales of these products if the government-developed "key escrow" chip is installed in the above products, the above products are freely available at an additional price of no more than $25.00, and the above products are exported WITHOUT ADDITIONAL LICENSING REQUIREMENTS?

What are the projected export sales of these products if the government-developed "key escrow" chip is installed in the above products, the above products are freely available at an additional price of no more than $25.00, and the above products are to be exported WITH AN ITAR MUNITIONS LICENSING REQUIREMENT for all destinations?

What are the projected export sales of these products if the government-developed "key escrow" chip is installed in the above products, the above products are freely available at an additional price of no more than $25.00, and the above products are to be exported WITH A DEPARTMENT OF COMMERCE LICENSING REQUIREMENT for all destinations?

4.A.4 Exports - Advanced Telecommunications

What has been the impact on industry of past export controls on other advanced telecommunications products?

Can such an impact on the export of other advanced telecommunications products, if any, be quantified in terms of lost export sales or market share? If yes, provide that impact.

4.B Industry Questions: Foreign Import/Export Regulations

How do regulations of foreign countries affect the import and export of products containing cryptographic functions? Specific examples of countries and regulations will prove useful.

4.C Industry Questions: Customer Requirements for Cryptography

What are current and future customer requirements for information security by function and industry? For example, what are current and future customer requirements for domestic banking, international banking, funds transfer systems, automatic teller systems, payroll records, financial information, business plans, competitive strategy plans, cost analyses, research and development records, technology trade secrets, personal privacy for voice communications, and so forth? What might be good sources of such data?

What impact do U.S.
Government mandated information security standards for defense contracts have upon demands by other commercial users for information security systems in the U.S.? In foreign markets?

What threats are your product designed to protect against? What threats do you consider unaddressed?

What demand do you foresee for a) cryptographic only products, and b) products incorporating cryptography in: 1) the domestic market, 2) in the foreign-only market, and 3) in the global market?

4.D Industry Questions: Standards

If the European Community were to announce a non-DES, non-public key European Community Encryption Standard (ECES), how would your company react? Include the new standard in product line? Withdraw from the market? Wait and see?

What are the impacts of government cryptographic standards on U.S. industry (e.g., Federal Information Processing Standard 46-1 [the Data Encryption Standard] and the proposed Digital Signature Standard)?

5. QUESTIONS DIRECTED TO THE AMERICAN BUSINESS COMMUNITY

5.A American Business: Threats and Security Requirements

Describe, in detail, the threat(s), to which you are exposed and which you believe cryptographic solutions can address.

Please provide actual incidents of U.S. business experiences with economic espionage which could have been thwarted by applications of cryptographic technologies.

What are the relevant standards of care that businesses must apply to safeguard information and what are the sources of those standards other than Federal standards for government contractors?

What are U.S. business experiences with the use of cryptography to protect against economic espionage, (including current and projected investment levels in cryptographic products)?

5.B American Business: Use of Cryptography

Describe the types of cryptographic products now in use by your organization. Describe the protection they provide (e.g., data encryption or data integrity through digital signatures). Please indicate how these products are being used.

Describe any problems you have encountered in finding, installing, operating, importing, or exporting cryptographic devices.

Describe current and future uses of cryptographic technology to protect commercial information (including types of information being protected and against what threats).

Which factors in the list below inhibit your use of cryptographic products? Please rank:

    -- no need
    -- no appropriate product on market
    -- fear of interoperability problems
    -- regulatory concerns
        -- a) U.S. export laws
        -- b) foreign country regulations
        -- c) other
    -- cost of equipment
    -- cost of operation
    -- other

Please comment on any of these factors.

In your opinion, what is the one most important unaddressed need involving cryptographic technology?

Please provide your views on the adequacy of the government-developed "key escrow" chip technological approach for the protection of all your international voice and data communication requirements. Comments on other U.S. Government cryptographic standards?

6. OTHER

Please describe any other impacts arising from Federal government cryptographic policies and regulations.

Please describe any other impacts upon the Federal government in the protection of unclassified computer systems.

Are there any other comments you wish to share?

The Board agenda will include a period of time, not to exceed ten hours, for oral presentations of summaries of selected written statements submitted to the Board by May 27, 1993. As appropriate and to the extent possible, speakers addressing the same topic will be grouped together. Speakers, prescheduled by the Secretariat and notified in advance, will be allotted fifteen to thirty minutes to orally present their written statements. Individuals and organizations submitting written materials are requested to advise the Secretariat if they would be interested in orally summarizing their materials for the Board at the meeting.

Another period of time, not to exceed one hour, will be reserved for oral comments and questions from the public. Each speaker will be allotted up to five minutes; it will be necessary to strictly control the length of presentations to maximize public participation and the number of presentations.

Except as provided for above, participation in the Board's discussions during the meeting will be at the discretion of the Designated Federal Official.

Approximately thirty seats will be available for the public, including three seats reserved for the media. Seats will be available on a first-come, first-served basis.

FOR FURTHER INFORMATION CONTACT: Mr. Lynn McNulty, Executive Secretary and Associate Director for Computer Security, Computer Systems Laboratory, National Institute of Standards and Technology, Building 225, Room B154, Gaithersburg, Maryland 20899, telephone: (301) 975-3240.

SUPPLEMENTARY INFORMATION: Background information on the government-developed "key escrow" chip proposal is available from the Board Secretariat; see address in "for further information" section. Also, information on the government-developed "key escrow" chip is available electronically from the NIST computer security bulletin board, phone 301-948-5717.

The Board intends to stress the public and social policy aspects, the legal and Constitutional consequences of this technology, and the impacts upon American business and industry during its meeting.

It is the Board's intention to create, as a product of this meeting, a publicly available digest of the important points of discussion, conclusions (if any) that might be reached, and an inventory of the policy issues that need to be considered by the government. Within the procedures described above, public participation is encouraged and solicited.

/signed/
Raymond G. Kammer, Acting Director
May 10, 1993

------------------------------

End of Computer Privacy Digest V2 #043
******************************