TUCoPS :: Privacy :: priv_223.txt

Privacy Digest 2.23 7/2/93

PRIVACY Forum Digest        Friday, 2 July 1993        Volume 02 : Issue 23

          Moderated by Lauren Weinstein (lauren@vortex.com)
                Vortex Technology, Topanga, CA, U.S.A.
	
                     ===== PRIVACY FORUM =====

   	  The PRIVACY Forum digest is supported in part by the 
	      ACM Committee on Computers and Public Policy.


CONTENTS
	Clinton Admin Information Policy (Press Release and Info)
	   (Lauren Weinstein; PRIVACY Forum Moderator)
	Using just last four digits of SSN (Avi Gross)
	Re: using Soc. Security number in passwords (Paul E. Black)
	The other side of Clipper (A. Padgett Peterson)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com".  All submissions included in this digest represent
the views of the individual authors and all submissions will be considered
to be distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  All PRIVACY Forum materials are also
available through the Internet Gopher system via a gopher server on
site "gopher.vortex.com".

For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@vortex.com, call (310) 455-9300, or FAX
to (310) 455-2364.
-----------------------------------------------------------------------------

VOLUME 02, ISSUE 23

   Quote for the day:

	"Whatever Lola wants, Lola gets."

			-- Lola (Gwen Verdon)
		           "Damn Yankees" (1958)

----------------------------------------------------------------------

Date:    Fri, 2 Jul 93 13:03 PDT
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Clinton Admin Information Policy (Press Release and Info)

Greetings.  The following press release arrived here a few days ago.
Another copy of the release itself, as well as the entire document
referred to by the release, have been placed into the PRIVACY Forum
archive.  Note that it is a fairly long file (~140K bytes uncompressed).

To access:

Via Anon FTP: From site "ftp.vortex.com": /privacy/omb-a-130.Z
				          or: /privacy/omb-a-130

Via e-mail: Send mail to "listserv@vortex.com" with the line:

  get privacy omb-a-130

as the first text in the BODY of your message.

Via gopher: From the gopher server on site "gopher.vortex.com"
in the "*** PRIVACY Forum ***" area under "omb-a-130".

--Lauren--

		      	     --------------------


Title:OMB Announces New A-130 Circular  6.28.93
Date:28 Jun 93 21:44:26 UT
Almanac-Area:

FOR IMMEDIATE RELEASE                        Contact: Barry Toiv
June 28, 1993                                     (202) 395-3080  
                                                                 


     CLINTON ADMINISTRATION AIMS FOR OPEN INFORMATION POLICY


     The Clinton Administration has taken a major step to improve
the Federal government's policies and capabilities for making
information available to the American people.

     Office of Management and Budget (OMB) Director Leon E.
Panetta issued new policies on June 25 for managing government
information that encourage agencies to utilize new technologies
to improve public access.

     Sally Katzen, Administrator of OMB's Office of Information
and Regulatory Affairs (OIRA), which is charged with developing
and implementing the government's information policies, said that
the revisions of OMB Circular A-130 "will help bring the Federal
government into the information age.  This is a major step toward
realizing the vision of a government that uses technology better
to communicate with the American people."  

     OMB Circular A-130, entitled "Management of Federal
Information Resources," establishes policy that Federal agencies
will follow when acquiring, using, and distributing government
information.

     "These long-awaited revisions to Circular A-130 are an
integral part of the President and Vice-President's technology
initiative, announced February 22, 1993," said Katzen.  "We will
use information technology to make government information
available to the public in a timely and equitable manner, via a
diverse array of sources, both public and private.  We will also
ensure that privacy and security interests are protected." 

     The new circular emphasizes integrated management of
information dissemination products.  Agency electronic
information products, whether computer tapes, CD-ROMs, or on-line
services, will fall under the same policy umbrella as printed
publications or audiovisual materials.  The circular asks
agencies to develop and maintain indexes and other tools to make
it easier for the public to locate government information. 

     The circular provides that, generally, the Federal
government should recoup only those costs associated with the
dissemination of information, and not those associated with its
creation or collection.  Similarly, it provides that agencies
should not attempt to restrict the secondary uses of their
information products.  

     "These policies build on the tradition of open information
flow reflected in the Freedom of Information Act," Katzen
observed.

     "This revision of Circular A-130 marks the beginning, not
the end, of our efforts to improve access by and service to the
citizen," she added.  

     She noted that OMB will take other steps to improve the
management of information, as part of the Administration's
efforts to "reinvent government" and the National Performance
Review's mandate to improve all areas of Federal management.  In
cooperation with the other agencies in the Information
Infrastructure Task Force called for in the President's
technology initiative, OMB will:

     o    sponsor a coordinated initiative to improve electronic
          mail among agencies; 

     o    promote the establishment of an agency-based Government
          Information/Inventory Locator System (GIILS) to help
          the public locate and access public information; and,

     o    use the Paperwork Reduction Act to encourage agencies
          to convert paper documents such as purchase orders,
          invoices, health insurance claims, environmental
          reports, customs declarations and other regulatory
          filings to electronic form.

     In addition, the Administration will work with Congress to
update the Freedom of Information Act with respect to electronic
records.

     OMB first issued Circular A-130 in 1985.  OMB is revising
the Circular in two phases.  The first phase, issued today,
focuses on information policy.  An earlier version was the
subject of extensive public comment, and the final document
reflects those comments.  The second phase, to be proposed
shortly, will revise the way the government manages its
information technology resources.

     The revised Circular will be published in the Federal
Register on July 2.  It is available from the OMB Publications
Office (202-395-7332).  

     The Circular is also available in electronic form.  On the
Internet use anonymous File Transfer Protocol (FTP) from
nis.nsf.net as /omb/omb.a130.rev2 (do not use any capital letters
in the file name).  For those who do not have FTP capability, the
document can be retrieved via mail query by sending an electronic
mail message to nis-info@nis.nsf.net with no subject, and with
send omb.a130.rev2 as the first line of the body of the message. 
It is also available on the Commerce Department's FEDWORLD
bulletin board.  (Dial 703-321-8020 (N-8-1).  New users should
register as "NEW".)

------------------------------

Date:    Mon Jun 28 11:51:12 EDT 1993
From:    avi@pegasus.att.com
Subject: Using just last four digits of SSN

I am following up on a message by Ohringer@DOCKMASTER.NCSC.MIL regarding the 
use of the last four digits of the social (in)security number as part of a 
password scheme. (S)he expressed concern about privacy issues.

I am not happy with having any part of my social security number used in any 
way. In my organization, we have a similar setup where we have group logins 
for access to a major resource and we protect it with a secondary prompt for 
your username/password. Unfortunately, the password is the last 4 digits of 
the SS and can not be changed. Since I, and many others, have access to a 
database of hundreds of thousands of users that includes their entire social 
security number, this means that it is easy to log in as someone else. During 
a recent crisis, I needed to allow people to get in this way that have not 
been set up in our database. I had to let them log in as "me" by giving them 
my number. Unlike a standard choosable password, this has leaked my number 
permanently.

I note that once people start using the same thing, it becomes dangerous. I 
can picture banks, etc, starting to use the last digits as PIN numbers, and 
then anyone having access to this information (or the full SS#) can get in to 
other accounts of yours.

While on this topic, I recently was on a Federal Jury and I noticed sign-in 
sheets for prospective (and actual) jurors sitting in public and containing 
full names, addresses AND social security numbers! They neglected to include 
phone numbers. I complained about this and was told that people were "too 
busy" to read your social security number. They refused to change the system. 
Every day they print a new printout and then use the signed entries to set you
up to be reimbursed for your time and transportation. My guess is that they 
key in your SS# rather than name.

This was in marked contrast to what happens in the courtroom. After making you
publicly announce your name, home town (but not address) and even your choice 
of newspapers, they tell the chosen jury to avoid talking to any lawyers, 
defendants, etc, while the trial is in progress. However, should they want to 
annoy you, or even cause you problems, they can just walk up and get all this 
information by flipping through the pages.

Avi Gross, avi@pegasus.att.com, XXX-XX-1234

------------------------------

Date:    Mon, 28 Jun 93 09:41:31 PDT
From:    pblack@kangaroo.Berkeley.EDU (Paul E. Black)
Subject: re: using Soc. Security number in passwords

On Fri, 18 Jun 93 22:27 EDT, Ohringer@DOCKMASTER.NCSC.MIL writes:
> An organization is planning to use the last four digits of employees
> Social Security Numbers as part of a scheme for assigning computer
> passwords.  I am not asking about the security aspects of this, but am
> wondering about the privacy implications.  Is there anything particular
> that needs to be considered about the last four digits as opposed to
> four other digits?  Is this an acceptable use of (part of) social
> security numbers?  Would it matter if the last nine digits (all of) or
> the last one digit were used?

I believe this is the wrong thing to do.  Using Social Security
numbers in passwords makes the passwords easier to guess when
something is known about the user (similar to the user having first
name, spouse's name, or birthdate in the password).  So the passwords
will be weaker.  In addition the password may go places where the
Social Security number might not have, thus spreading some information
about the number even farther.  Thus there are distinct disadvantages.
The number of digits merely strengthens or weakens the above
arguments.

Since the last four digits of numbers are not unique, making passwords
unique must be done another way.

The only advantage I can see, making the password easier to remember,
can be achieved other ways: make passwords a combination of two words,
e.g. doverCel (Dover is a city in the state of DELaware), creating
words which *sound* real, but are not, e.g. phondate (a syllable
generator hooked to a dictionary filter), etc.

In short, I see no advantage to using *any* digits of a social
security number, and several disadvantages.

Paul E. Black			CS Division, 571 Evans Hall
School: pblack@cs.berkeley.edu	University of California at Berkeley
Home: paul@beehive.cirrus.com	Berkeley, California   94720
Voice: +1 510 643 6261		USA

------------------------------

Date:    Mon, 28 Jun 93 12:27:14 -0400
From:    padgett@tccslr.dnet.mmc.com 
	 (A. Padgett Peterson, P.E. Information Security)
Subject: The other side of Clipper

   From:    "Barry Jaspan" <bjaspan@gza.com>
   Subject: Re: The other side of Clipper (padgett@tccslr.dnet.mmc.com)

   >Undeniably.  The question is who will be able to using STU-IIIs
   >without causing themselves potential problems.  The answer is "the
   >government, and no one else."

   From:    Bob Leone <leone@gandalf.ssw.com>
   Subject: The other side of Clipper

   >False. There would not be a flood. What would happen, if the govt made
   >non-Capstone encryption illegal, is that it would be considered prima-facie
   >evidence of criminal conspiracy (since only a criminal would want his
   >comm secure against monitoring by law-enforcement agents, right? Sure).

I respectfully disagree. While this is possible, what the criminals will
do is to first encrypt using a secure mechanism and *then* feed it to the
Clipper chip. In this manner, Clipper will actually slow down the process
since the gov will need a wiretap authorization *first* before they will
be able to accuse anyone of malfeasence. 

Further IMHO the current furor over seizures where no criminal charges are 
is indicative that the pendulum is swinging away from easy court orders. The
gov may still tap communications as a matter of course, but prosecution may
become more difficult. Besides, as I have said, the real target audience for
Clipper/Capstone will not *care* if the gov listens.

				Warm & muggy today, tuggy tomorrow,
						Padgett

------------------------------

End of PRIVACY Forum Digest 02.23
************************

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH