PRIVACY Forum Archive Document

PRIVACY Forum Home Page

PFIR - "People For Internet Responsibility" Home Page

Vortex Technology Home Page


PRIVACY Forum Digest      Monday, 8 September 1997      Volume 06 : Issue 12

            Moderated by Lauren Weinstein (lauren@vortex.com)         
              Vortex Technology, Woodland Hills, CA, U.S.A.
        
                       ===== PRIVACY FORUM =====              

    -------------------------------------------------------------------
                 The PRIVACY Forum is supported in part by
               the ACM (Association for Computing Machinery)     
                 Committee on Computers and Public Policy,      
          "internetMCI" (a service of the Data Services Division         
      of MCI Telecommunications Corporation), and Cisco Systems, Inc.
                                 - - -
             These organizations do not operate or control the     
          PRIVACY Forum in any manner, and their support does not
           imply agreement on their part with nor responsibility   
        for any materials posted on or related to the PRIVACY Forum.
    -------------------------------------------------------------------


CONTENTS 
        Backlash to the Death of Princess Diana?
           (Lauren Weinstein; PRIVACY Forum Moderator)
        U-Haul/Credit Cards/Social Security Numbers (M. L. Sproul)
        EPIC Opposes EHI / Experian (Dave Banisar)
        Electronic National ID card project in South Korea (Ko Youngkyong)
        Chip-Based ID: Promise and Peril (Roger Clarke)
        Amended Complaint Filed in Cleveland Crypto Suit (Peter D. Junger)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic list handling system;
for subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com". 

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the list handling system.  Please follow the instructions above
for getting the "help" information, which includes details regarding the 
"index" and "get" commands, which are used to access the PRIVACY Forum 
archive via the list handling system.

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com/".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via
WWW access.
-----------------------------------------------------------------------------

VOLUME 06, ISSUE 12

   Quote for the day:

        "And remember my sentimental friend, that a heart is not
         judged by how much you love, but by how much you
         are loved by others."

                -- The Wizard (Frank Morgan)
                   "The Wizard of Oz" (MGM; 1939)

----------------------------------------------------------------------

Date:    Sun, 7 Sep 97 22:10 PDT
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Backlash to the Death of Princess Diana?

Greetings.  First, my personal condolences to our British readers
and the rest of the readership, over the untimely death of
Diana, Princess of Wales.  Sometimes horrible events like this
tend to highlight problems in society of which we're all aware, but
that we usually ignore in our everyday lives.

In this case, within hours of the accident, politicians and others in
Britain, and elsewhere, were publicly calling for new "privacy" laws to help
protect public figures from "overenthusiastic" photographers.  The 
behavior of the hardcore "paparazzi" is often deplorable, to be sure.
The extent to which they might have contributed to this accident,
as opposed to other causative factors, is decidedly unclear at this time, so
rushes to judgement from any point of view must be considered unwise.

And the same holds true for rushes to new laws inspired by this event that
sound to be more "press restriction" legislation than real "privacy" laws.
The risks of such legislation interfering with the legitimate investigative
needs of journalists, particularly when dealing with political figures, seems
very great, unless such laws are extremely carefully crafted.

In the U.S. (including right here in Los Angeles), legislators are also
now calling for such new laws.  Whether such legislation will be able to pass
constitutional muster is an open question.  But one thing seems very
clear--legislation hurriedly introduced in a "kneejerk" reaction to dramatic
events is almost always highly problematical, and often does more harm than
good.

This points up a serious risk for the future.  Those in this country who
feel that the "Freedom of Speech" 1st Amendment to the U.S. Constitution
provides inviolate protection should consider that even the original
Constitution and its amendments can be (and have been) changed--that's
exactly what the amendments do, of course.  The 1st Amendment could
potentially be altered with a set of "special circumstances" where it would
no longer be applicable.  Such a move might not be as unlikely as some
might think.  Imagine the political climate that could result after an event
of the sort which just occurred in Britain, or some mass disaster or
terrorist action, where the press, other media, or even the Internet were
implicated as being in the communications path that led to the event.

The desire to "shoot the messenger" in such a case could be overwhelming,
and combined with public emotion, all manner of unwise legislation, up to
and including kneejerk modifications of the Constitution, could be
conceivable.

So from a societal standpoint, it might be wise to look upon the events of
the last week, and the public reactions to them, as a reminder of the great
extent that our legislative systems, and our lives which are so intertwined
with them, can be impacted by singular events of tragic intensity.

--Lauren--
Moderator, PRIVACY Forum
www.vortex.com

------------------------------

Date:    Wed, 13 Aug 1997 21:38:55 -0500
From:    MSproul <msproul@arnet.arn.net>
Subject: U-Haul/Credit Cards/Social Security Numbers

Today I went to the local U-Haul to rent a small trailer to move a lawn
tractor. In the course of filling out the rental agreement I was asked for
my drivers license then asked for my social security number which I refused
to give. (Texas does not have SSN on the driver's license) The agent then
asked for a credit card, which I was planning to use to charge the rental.
During the subsequent discussion the agent told me that since the Oklahoma
bombing if they don't get a SSN they are required to to get a credit card
number as a second form of identification. They can then get the SSN from
the credit card issuer.

Questions: Is this for real?  How wide spread is this?  What does U-Haul do
with your SSN? How difficult is it for someone (company) to get your SSN
when you use your credit card?

M. L. Sproul
Amarillo, TX

                [ Under current law, your SSN is part of what's called
                  "credit header" data, and is (no longer) protected
                  under the FCRA (Fair Credit Reporting Act).  

                  This means that for all intents and purposes, your
                  SSN is public information.

                                -- MODERATOR ]

------------------------------

Date:    Fri, 29 Aug 1997 16:30:13 -0400
From:    Dave Banisar <banisar@epic.org>
Subject: EPIC Opposes EHI / Experian

Press Release
August 29, 1997

The Electronic Privacy Information Center said today that
Experian has misled consumers and ISPs about a new on-line
service that will likely increase the amount of SPAM that
Internet users receive.

In an August 21, 1997 press release Experian claims that "EHI's
program as been reviewed by the Electronic Privacy Information
Center (EPIC) and the Center for Democracy and Technology
(CDT). Both organizations approve of the program's respect
for consumer privacy."

Contrary to Experian claims, EPIC conducted no formal review of
the program, did not approve of the program's practices, and did
not consent to the use of EPIC's name in Experian's promotional
statements.

At a metting in Washington earlier this year, Experian's
Ian Oxman was told repeatedely that EPIC would not and
could not endorse this program. When word got out that
Experian intended to include EPIC's name in the EHI
press release, Mr. Oxman was instructed by an email
to remove EPIC's name.

Marc Rotenberg, director of EPIC, said that "the EHI program
fails to uphold basic fair information practices. There is
no opportunity for users to correct or inspect their
data, nor is there any effort to control secondary use.
EHI offers one model for controlling SPAM, but it is
hardly ideal."

"We are particularly concerned that ISP's would get into the
business tracking preferences and sending SPAM to their own
customers. The privacy implications are staggering."

"We are also less than overwhelmed by Experian's recent
success with on-line database management."

"We urge ISPs that are want to maintain user trust and show
support for consumer privacy not to back the EHI effort,"
Rotenberg said.

                     - END -

------------------------------

Date:    Thu, 04 Sep 1997 05:28:36 +0900
From:    Ko Youngkyong <frontist@member.sing-kr.org>
Subject: Electronic National ID card project in South Korea

Electronic National ID Card Project
               and
Privacy of People in South Korea

The era of electronic surveillance system is coming to Korea.

Korean government is planning to adopt electronic id system (electronic
citizen card system).  With this plan, all the information of people would
be processed through a huge computer network and the government would have a
full access to those information.  This privilege would enable the
government to censor and to restrict every bit of people's lives. Big
Brother may appear in Korea first time in the world.  And this depressing
scenario may come true just in one year. Many social organizations are
actively working to stop this system which dangerously threatens privacy of
people.  Your interest and active participation in this effort is needed.

What is electronic citizen card?

Electronic Citizen Card (official name- Citizen Card) is an IC type
electronic id card.  The card will function as driver's license, medical
card, and social security card. On its IC chip, about 40 different kinds of
information will be recorded.  In the future, the government is planning to
combine it with credit cards and other all IC type cards such as key cards
and traffic cards.  In addition, a huge computer network will be built as
well. All the private information, which used to be taken care by different
sources, will be combined and taken care by the government. 

The concentration and centralization of all private information are the core
purposes of this new system. The government is pushing the plan through
Congress rather fiercely. The cards will be issued starting next April in
selected areas and the rest of Koreans will be required to have one by 1999.
And no one will be able to decide whether he/she will have the card or not
because, without it, no one would be able to drive, get medical service, or
identify oneself when approached by police.  The government is asserting
that this new system is to adopt to the information era of 21st century. But
there is a lot of doubts why the Korean government wants to start with
digitalization of private information.

Possible Problems

Violating Privacy Due to leakage of private information

Dispersed information system is the most ideal in protecting private
information. With the new system, all different networks will be connected
to each other and thus will increase the chance of information leakage when
the private information get concentrated and centralized under one system.
Especially, the concentration of information on wealth, credit, and military
will drastically increase danger of leakage.  There is no one who believes
that such system is safe from possible cracking. It is impossible to avoid a
chance of information leakage caused by mishandling or conspiracy of
government workers. And if such leakage happens, the possible damage would
be detrimental. The Korean government is gambling with the privacy of its
people.

Censorship and Restriction by the Government

With the system, a chance of possible censorship and restriction by the
government will increase. Since the government will take care of the personal
information, KCIA, police, and other government agencies will have easier
access to the people. It is already a known fact that KCIA has secret files
on personal information and this new system will facilitate their
information gathering process even more.  The Korean government is known for
its past history of violation on human rights.  The electronic citizen card
system will enforce the power of governement over its people.

Privacy in Korea

In protecting privacy of people, Korea is one of the worst places in the
world. There are many factors which puts people's privacy in danger.  First,
everyone is currently required to acquire and to carry citizen cards. If one
is approached by a police and asked for the card, one must be able to show
it to him/her, otherwise, the police has a right to arrest the person.
Second, each individual is issued an id number and being treated as a number
by the government. This number is a combination of birthdate, birthplace, and
sex.(i.e.  720309-********) The number works as an important access code for
one's private information since all the information is reported and gathered
under this number. 

There is no real difference between this id number system and the bar code
system of merchandise items.  It is known in the first world countries that
finger prints are used only to identify criminals or foreigners. But in
Korea, everyone over 17 is required to get and to report the finger prints.
The government is making excuses that this system is essential in protecting
people from crimes and identifying victims in accidents. 

Nonetheless, this citizen registration system was started to sort out spies
and gives impression that the government is treating every citizen as a
possible criminal on the first place.  The Korean government already has a
great deal of private information its hands. The government tend to open up
little public information, but on the other hand, the people are required to
report 141 different information to the government periodically.  In
addition, more private information is being gathered by the police and
KCIA. 

The current citizen registration system is extremely powerful and dangerous
system violating many aspects of human rights.  Citizen Registration Cards,
ID number, and finger print system must be revised.  Nevertheless, the
government is going to enforce the system with this electronic system which
will combine and concentrate the private information. There is no doubt that
the new system will worsen the human rights conditions in Korea.  Electronic
Citizen Cards system will transform Korea into an electronic prison. Many
Korean organizations are leading a harsh fight to stop this injustice.  We
request your participation and support in our efforts.

Korean NGO Task Force against Electronic National ID Card
Tel : +82-02-879-0871
FAX : +82-02-874-2935
E-mail: frontist@member.sing-kr.org
WWW: http://kpd.sing-kr.org/idcard/main-e.html

------------------------------

Date:    Sat, 6 Sep 1997 11:38:22 +1000
From:    Roger Clarke <Roger.Clarke@anu.edu.au>
Subject: Chip-Based ID: Promise and Peril

                   Chip-Based ID: Promise and Peril
                             Roger Clarke

    Invited Address to a Workshop on 'Identity cards, with or without
       microprocessors: Efficiency versus confidentiality', at the
   International Conference on Privacy, Montreal, 23-26 September 1997

       http://www.anu.edu.au/people/Roger.Clarke/DV/IDCards97.html


                               Abstract

Multi-purpose identification schemes in general, and national
identification schemes in particular, represent the most substantial of
information technologies' threats to individual liberties.

This is because they concentrate information, and hence power; and because
it is simply inevitable that, at some stage, even in the most apparently
stable and free nations, power will be exercised against the interests of
individuals, and of the public generally. 

Miniaturised computer processors (chips), mounted in such carriers as
'credit-cards', coins, rings and watches, are an important tool. They are
now entering widespread use as a means for identifying inert objects such
as goods on a production-line and in a logistics-chain, and living things
such as valuable animals.

Chips are being proposed as a means of identifying people as well. They
present an opportunity to devise and implement highly repressive
identification schemes; and many corporations and countries are in the
process of harnessing those potentials.

Chips also offer great scope for designing schemes that are
privacy-sensitive, and that balance privacy interests against other social
and economic interests and law and order concerns. Unfortunately, that
scope has to date been almost entirely overlooked or ignored. This paper
argues that the simplistic approaches being adopted by the proponents of
identification schemes are in the process of destroying public confidence,
and hence of undermining the intended return on investment.

This paper builds on the author's substantial prior research and
publications in the area. It reviews the social and political risks
involved in identification schemes. It then identifies ways in which
chip-cards may be applied to address those risks, and achieve balance
between the interests of individuals, on the one hand, and of the society
and State, on the other.

Privacy-sensitive design options include:
- -   'electronic signature cards' rather than 'id cards';
- -   no central storage of biometrics;
- -   two-way device authentication;
- -   less identity authentication, and more eligibility authentication;
- -   fewer identified transaction trails, and more anonymity and
      pseudonymity;
- -   multiple single-purpose ids, rather than multi-purpose ids;
- -   separation between zones within multi-function chips;  and
- -   role-ids as well as person-ids.

Public concerns about privacy-invasive and repressive applications of
information technology must be reflected not only in the designs
implemented by scheme operators, but also in policies implemented by
governments. It is argued that the focus on 'data protection' that has been
adopted during the period 1970-1995 needs to be rapidly matured into a new
orientation towards protection of the interests of people.

Insensitive application of intrusive information technologies (including
consumer and citizen profiling, matching and linkage among personal
databases, video-surveillance, intelligent highways, as well as chip-based
identification) is resulting in heightened public concern about the
exercise of control over individuals by governments and corporations.

Failure to appreciate the intensity of public concerns, to adapt to it, and
to apply chip technologies in privacy-enhancing ways, will result in
further cleavage between people and their institutions. This will result in
decreased compliance by people with schemes about which they are
justifiably suspicious, and failure of chip-based and related technologies
to deliver on their potential.


                                  Contents

Introduction

Human Identification

Identification, Anonymity and Pseudonymity

The Assault on Anonymity

Dataveillance Risks

Threats in Chip-Based Schemes

Threats in Multi-Purpose Identification Schemes

Threats in Chip-Based Multi-Purpose Identification Schemes

Public Policy Options for Chip-Based ID Schemes

Design Options for Chip-Based ID Schemes

Conclusions

References to Other People's Works

References to the Author's Own Works



Roger Clarke              http://www.anu.edu.au/people/Roger.Clarke/
                                        http://www.etc.com.au/Xamax/
Xamax Consultancy Pty Ltd, 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 6 288 1472, and 288 6916     mailto:Roger.Clarke@anu.edu.au

Visiting Fellow,   Faculty of Engineering and Information Technology
The Australian National University     Canberra  ACT  0200 AUSTRALIA
Information Sciences Building Room 211        Tel:  +61  6  249 3666

------------------------------

Date:    Wed, 03 Sep 1997 06:50:46 -0400
From:    "Peter D. Junger" <junger@samsara.LAW.CWRU.Edu>
Subject: Amended Complaint Filed in Cleveland Crypto Suit


                            Press Release


     New Complaint Filed in Suit Challenging Constitutionality of
      Regulations Forbidding Publication of Software on Internet

           Suit Seeks to Enjoin Enforcement of Regulations
                on ``Export'' of  Encryption Software

     Programmers Are Entitled to at Least as Much Constitutional
            Protection as Pornographers, Professor Claims

   ----------------------------------------------------------------

             Cleveland, Ohio, Tuesday, September 2, 1997
                        For Immediate Release

            

                    For More Information Contact:
 

                    Peter D. Junger (216) 368-2535
                    <junger@samsara.law.cwru.edu>

                    Gino Scarselli (216) 291-8601
                    <gscarsel@mail.multiverse.com>

                    Raymond Vasvari (216) 622-1780
                   <freespeech@mail.multiverse.com>

        Or see URL: http://samsara.law.cwru.edu/comp_law/jvc/
 

To be added to, or removed from, the list of those who were sent this
 press release, please send e-mail to <lawsuit@upaya.multiverse.com>.

     _______________________________________________________________
   

Cleveland, Ohio, September 2. -- 


In the wake of last week's decision in Bernstein v. U.S. Department of
State, in which Judge Patel of the federal district court in San
Francisco held that the regulations that forbid the publication of
encryption software on the Internet or the World Wide Web without a
license from the Department of Commerce ``are an unconstitutional
prior restraint in violation of the First Amendment'', lawyers for
Professor Peter Junger of Case Western Reserve University Law School,
in Cleveland, Ohio, filed a an amended complaint in his suit to enjoin
the government from enforcing those same regulations.

The regulations, which were initially part of the International
Traffic in Arms Regulations (``ITAR'') administered by the Department
of State and which are now contained in the Export Administration
Regulations (``EAR'') administered by the Department of Commerce,
originally required one to apply for and obtain a license under the
ITAR before disclosing any cryptographic software in any way to
``foreign persons''.  Under the EAR, however, one is permitted to
export such software in books and other ``hard copy'', but is still
required to obtain a license before publishing the same software on
the Internet or the World Wide Web or in other electronic form or
media.

The amended complaint, which names Secretary of Commerce Daley as the
primary defendant, simplifies the issues by focusing only on the new
version of the regulations that are set out in the EAR.  In that
complaint Professor Junger, who wishes to publish a number of
encryption programs, written by himself and others, on his World Wide
Site as part of the materials used in his course in Computing and the
Law, seeks not only relief for himself but also a ``preliminary and
permanent injunction enjoining the defendants . . .  from
interpreting, applying and enforcing the encryption software and
technology provisions of EAR against any person who desires to
disclose or `export' . . . encryption software and technology.''  The
complaint alleges that those encryption regulation violate the freedom
of speech and of the press that are protected, particularly from prior
restraints such as licensing requirements, by the First Amendment
to the United States Constitution as has already been held by Judge
Patel in the Bernstein case.

The question of whether the export regulations on cryptography should
be relaxed is being hotly debated in Congress at the present time and
the software industry has expended considerable sums lobbying in favor
of weakening or abolishing those regulations, claiming that they cause
severe damage to the software industry in the United States and that
the restriction on the export of cryptographic software written in the
United States is leading to the export of programming jobs from the
United States to other countries without such regulations.

Professor Junger points out, however, that the case involves far more
than the effect of the EAR on the writing and publication of
cryptograpic programs by the software industry.  ``The government's
claim is not that the publication of encryption software is not
protected by the First Amendment,'' he says.  ``Rather its claim is
that no publication of software is protected, because software is
functional.  


``If the government can constitutionally require me to get a license,
which I probably can't get, before I publish encryption software, they
could require me to get a licencse before I publish any sort of
software.  And they just might do that it in order to standardize the
programs that are available and limit competition in favour of certain
selected large companies.  They already have provisions that allow IBM
or Microsoft to get a license to export fairly strong encryption
programs that are not available to me or to any other individual
programmer or small enterprise.''

``What tends to get overlooked,'' Junger adds, ``is that computer
programs are not a floppy disk that one sticks into a computer to make
it work.  Computer programs are written and published by human beings
just as, for example, pornography is.  The Supreme Court recently held
in Reno v. ACLU that the full protection of the First Amendment
extends to pornography in cyberspace.  I find it hard to believe that
programmers are not entitled to at least as much constitutional
protection as pornographers.''

Copies of the amended complaint will shortly be available at
<http://www.jya.com/>; and .

                                 -30-

--
Peter D. Junger--Case Western Reserve University Law School--Cleveland, OH
 EMAIL: junger@samsara.law.cwru.edu    URL:  http://samsara.law.cwru.edu   

------------------------------

End of PRIVACY Forum Digest 06.12
************************


PRIVACY Forum Home Page

Vortex Technology Home Page

Copyright © 2005 Vortex Technology. All Rights Reserved.