Privacy Digest 1.27 12/8/92

PRIVACY Forum Digest     Tuesday, 8 December 1992     Volume 01 : Issue 27

         Moderated by Lauren Weinstein (lauren@cv.vortex.com)
                Vortex Technology, Topanga, CA, U.S.A.
	
                     ===== PRIVACY FORUM =====

   	  The PRIVACY Forum digest is supported in part by the 
	      ACM Committee on Computers and Public Policy.


CONTENTS
	PRIVACY Brief (Lauren Weinstein; PRIVACY Forum Moderator)
	Reminder: Privacy is YOU! (Lauren Weinstein; PRIVACY Forum Moderator)
	DOJ Authorizes Keystroke Monitoring (Dave Banisar)
	Errors in Large Databases and their Social Implications
           (Bob Anderson)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The PRIVACY Forum is a moderated digest for the discussion and analysis of
issues relating to the general topic of privacy (both personal and
collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@cv.vortex.com" and must have
RELEVANT "Subject:" lines.  Submissions without appropriate and relevant
"Subject:" lines may be ignored.  Subscriptions are by an automatic
"listserv" system; for subscription information, please send a message
consisting of the word "help" (quotes not included) in the BODY of a message
to: "privacy-request@cv.vortex.com".  Mailing list problems should be
reported to "list-maint@cv.vortex.com".  All submissions included in this
digest represent the views of the individual authors and all submissions
will be considered to be distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "cv.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.

For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX
to (310) 455-2364.
-----------------------------------------------------------------------------

VOLUME 01, ISSUE 27

   Quote for the day:

	"Never trust a rich spy!"

		-- Vesper Lynd "007" (Ursula Andress)
		   "Casino Royale" (1967)
		   
----------------------------------------------------------------------

PRIVACY Brief (from the Moderator)

---

In a unanimous decision today, the Supreme Court ruled that the U.S.
Constitution's protection against unreasonable police searches and seizures
can apply to the taking of property, even when the owner's specific privacy
rights were not violated.

The decision reinstated a civil rights lawsuit that had been brought by an
Elk Grove, Illinois family after their mobile home was hauled away from a
trailer park (by trailer park employees accompanied by Cook County
sheriff's deputies) before the required eviction notice had been obtained.

Lower courts had ruled that since the trailer had not been searched prior to
removal, the deputies had not interfered with either the privacy rights
or liberties of the family, saying that "a pure deprivation of property"
doesn't trigger the Fourth Amendment's unreasonable seizures provisions.

"As a result of the state action in this case, the Soldals' domicile was not
only seized, it literally was carried away, giving new meaning to the term
`mobile home,"' Justice Byron R. White wrote for the Supreme Court.

The Supreme Court decision leaves it to a federal trial judge to make
further rulings on the merits of the reinstated suit itself.

------------------------------

Date:	 Mon, 7 Dec 92 21:10 PST
From:    lauren@cv.vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Reminder: Privacy is YOU!

Greetings.  The PRIVACY Forum digest readership has been growing by leaps
and bounds lately, and now includes subscribers in nearly every corner of
the planet (and judging from the complexity of some e-mail addresses,
possibly on some other planets as well...)

However, *input* to the digest has been running quite slow--apparently
everyone wants to be a reader, but few want to actually submit items.

This is a gentle reminder that *you* make the digest by what you
contribute.  Don't feel that a submission must be of a grammatic quality to
get an "A" from your old "English 1" professor!  Nor must it be a stylistic
gem that will call down praises from the ether.  If it's thoughtful, edited
properly, and appropriate for presentation to a very large audience of
persons interested in privacy-related topics, it has a high probability
of appearing in the digest.  Questions, concerns, personal anecdotes--
any of these formats, and many more, can form the basis of an excellent
digest submission.

The digest really is YOU.

--Lauren--

------------------------------

Date:    Mon,  7 Dec 1992 22:48:06 +0000
From:    Dave Banisar <banisar@washofc.cpsr.org>
Subject: DOJ Authorizes Keystroke Monitoring

 CA-92:19                         CERT Advisory
                                 December 7, 1992
                             Keystroke Logging Banner

 -----------------------------------------------------------------

 The CERT Coordination Center has received information from the United States
 Department of Justice, General Litigation and Legal Advice Section, Criminal
 Division, regarding keystroke monitoring by computer systems administrators,
 as a method of protecting computer systems from unauthorized access.

 The information that follows is based on the Justice Department's advice
 to all federal agencies.  CERT strongly suggests adding a notice banner
 such as the one included below to all systems.  Sites not covered by U.S.
 law should consult their legal counsel.

 ------------------------------------------------------------------

     The legality of such monitoring is governed by 18 U.S.C. section 2510
     et seq.  That statute was last amended in 1986, years before the words
     "virus" and "worm" became part of our everyday vocabulary.  Therefore,
     not surprisingly, the statute does not directly address the propriety
     of keystroke monitoring by system administrators.

     Attorneys for the Department have engaged in a review of the statute
     and its legislative history.  We believe that such keystroke monitoring
     of intruders may be defensible under the statute.  However, the statute
     does not expressly authorize such monitoring.  Moreover, no court has
     yet had an opportunity to rule on this issue.  If the courts were to
     decide that such monitoring is improper, it would potentially give rise
     to both criminal and civil liability for system administrators.
     Therefore, absent clear guidance from the courts, we believe it is
     advisable for system administrators who will be engaged in such
     monitoring to give notice to those who would be subject to monitoring
     that, by using the system, they are expressly consenting to such
     monitoring.  Since it is important that unauthorized intruders be given
     notice, some form of banner notice at the time of signing on to the
     system is required.  Simply providing written notice in advance to only
     authorized users will not be sufficient to place outside hackers on
     notice.

     An agency's banner should give clear and unequivocal notice to
     intruders that by signing onto the system they are expressly consenting
     to such monitoring.  The banner should also indicate to authorized
     users that they may be monitored during the effort to monitor the
     intruder (e.g., if a hacker is downloading a user's file, keystroke
     monitoring will intercept both the hacker's download command and the
     authorized user's file).  We also understand that system administrators
     may in some cases monitor authorized users in the course of routine
     system maintenance.  If this is the case, the banner should indicate
     this fact.  An example of an appropriate banner might be as follows:

        This system is for the use of authorized users only.
        Individuals using this computer system without authority, or in
        excess of their authority, are subject to having all of their
        activities on this system monitored and recorded by system
        personnel.

        In the course of monitoring individuals improperly using this
        system, or in the course of system maintenance, the activities
        of authorized users may also be monitored.

        Anyone using this system expressly consents to such monitoring
        and is advised that if such monitoring reveals possible
        evidence of criminal activity, system personnel may provide the
        evidence of such monitoring to law enforcement officials.

 -------------------------------------------------------------------
 Each site using this suggested banner should tailor it to their precise
 needs.  Any questions should be directed to your organization's legal
 counsel.

 --------------------------------------------------------------------
 The CERT Coordination Center wishes to thank Robert S. Mueller, III,
 Scott Charney and Marty Stansell-Gamm from the United States Department
 of Justice for their help in preparing this Advisory.

 ---------------------------------------------------------------------
 If you believe that your system has been compromised, contact the CERT
 Coordination Center or your representative in FIRST (Forum of Incident
 Response and Security Teams).

 Internet E-mail: cert@cert.org
 Telephone: 412-268-7090 (24-hour hotline)
            CERT personnel answer 7:30 a.m.-6:00 p.m. EST(GMT-5)/EDT(GMT-4),
            on call for emergencies during other hours.

 CERT Coordination Center
 Software Engineering Institute
 Carnegie Mellon University
 Pittsburgh, PA 15213-3890

------------------------------

From:    Bob Anderson <anderson@iris.rand.org>
Subject: ERRORS IN LARGE DATABASES AND THEIR SOCIAL IMPLICATIONS
Date:    Wed, 18 Nov 92 15:33:58 PST

   Dr. Stephen Lukasik has agreed to act as guest editor of a special
issue of "The Information Society" journal addressing errors in large
databases and their social implications.  Attached is a brief prospectus
for this special issue.

   If anyone receiving this message is unfamiliar with the journal and its
focus and interests, I would be happy to supply additional information.

        Bob Anderson

        - - - - - - - - - - - - - - - - - - - - - - - - - - -

                   ERRORS IN LARGE DATABASES AND THEIR
                           SOCIAL IMPLICATIONS

                      Prospectus for a special issue
                    of the Information Society Journal

With the growth of information technology over time, we are becoming
increasingly affected by data in electronic databases.  The social and
business premise is that electronic databases improve productivity and
quality of life.  The dark side of all this is that these databases
contain errors, most trivial but in some cases they contain errors that by
their nature impose a penalty on society.  The penalties can range from
minor annoyance and modest administrative cost in having a record
corrected, to more serious cases where more costly consequences ensue, to
conceivably, loss of life or major loss of property.

The consequences to society of errors in electronic databases can be
expected to increase, probably at an increasing rate.  Some factors
contributing to this expected increase are the increasing extent, in both
size and coverage, of existing databases; increasing capture of data by
automated transaction systems, from text and image scanners and the like;
greater coupling of databases, either by administrative agreements or by
more sophisticated search processes; more "amateur" database
administration with increasingly widespread use of information technology;
increasing use of heuristic search techniques that lack "commonsense;" and
probably other well-meaning but pernicious influences.

The purpose of the proposed issue is to accomplish the following: (a)
increase recognition of, and awareness of the growing nature of the
problem of errors in electronic databases that are increasingly becoming
regulators of modern life; (b) encourage greater attention to the
collection of error rate data and to quantitatively assessing the social
and economic costs deriving from those errors; (c) foster theoretical and
empirical studies of the propagation of errors through the coupling of, or
joint search of, multiple databases; and (d) encourage the formulation of
measures, in both technology and policy domains, designed to limit the
costs accruing from the inherent growth in size and connectivity of
electronic databases.

We seek papers for the issue that will focus on the following aspects of
the problem addressed here: (1) an enumeration of socially relevant
databases, whose errors can have important consequences, either from a
large number of small unit cost consequences or a small number of high
cost consequences; (2) quantitative data on errors in databases,
classified by the nature of the errors and their derivative costs; (3)
obstacles to a full and open discussion of the problem such as those
deriving from concern over legal liability and loss of business from
"owning up" to the problem; and (4) proposals for technical and policy
measures that can limit the growth of the problems addressed.

The premises of the journal issue are: (1) that the problems of errors in
databases can not be minimized until they are adequately recognized and
fixes explored by the professionals in the field; and (2) that we must
move from the anecdotal level, where horror stories abound, to a
quantitative level where the economics of fixes, either in quality control
at the point of data collection, or the quality control of the output of
database searches, can be sensibly analyzed.

Your interest in contributing to this special issue is invited.
Suggestions for possible topics, authors, or an interest in contributing
should be communicated to one of:

     guest editor:                      editor-in-chief:
         Dr. Stephen Lukasik                Dr. Robert H. Anderson
         1714 Stone Canyon Road             RAND, P.O. Box 2138
         Los Angeles CA  90077              Santa Monica CA  90407-2138
         net: lukasik@rand.org              net: anderson@rand.org
         tel: (310) 472-4387                tel: (310) 393-0411 x7597
         fax: (310) 472-0019                fax: (310) 393-4818

------------------------------

End of PRIVACY Forum Digest 01.27
 
