
INLS310 Anonymity & Privacy Update for 10 Feb 1997





CONTENTS:

* Anonymity/Privacy in the News
* Hands-on Help
* Tools
* Policy

|:|:|:|:|:|:|:|:|:|:|:|:|:|:|:|:|:|:|::|:|:|:|:|:|:|:|:|:|:|:|:|:|:|:|:|:|:|

***
***ISSUE: A/P in the News
***

U.S. Envoy Outlines Foreign Encryption Policies

Foreign encryption policies, markets and legal access were among the
topics of a January 28 speech by Ambassador David Aaron, Special Envoy for
Cryptography, to the RSA Data Security Conference in San Francisco.

U.S. allies "support the concept of lawful access by governments" to
encrypted files and communications, reports Ambassador Aaron. He explained
that "many governments in the interest of public safety, want stronger
controls than we have."

"The international encryption market will not be a wide-open affair," he
said. Addressing the RSA Data Security Conference, Ambassador Aaron said
that as the encryption industry plans for the future, it should "take into
consideration the likelihood that lawful access and key recovery will be a
growing international requirement."

The Administration seeks to encourage the widespread use of encryption
where users, in an emergency, can recover access to their keys needed to
descramble their data. This would also enable law enforcement, under
judicial authority, to gain access to encrypted data, as they do now with
unscrambled evidence.

Despite our trading partners' misgivings about the decision last October to
relax U.S. export controls on encryption, Ambassador Aaron says that "all
are willing to cooperate with us to work out the needed international
arrangements" to make strong encryption work across international borders
"while ensuring that public safety is not jeopardized."

Ambassador Aaron cited several cases where encryption was used in
terrorist plots, drug dealing, child pornography and espionage. He
stressed that despite the risks, the Clinton Administration policy on
encryption "in no way seeks to expand the powers of law enforcement nor
reduce the privacy of individuals. The intent is to maintain, in the face
of technological change, the current legal instruments it has."

"Domestic use of key recovery will be voluntary," he emphasized. "All
Americans will remain free to use any encryption system in the United
States." Ambassador Aaron expressed appreciation for the contribution made
by private industry to this policy initiative and called for even more
dialogue and cooperation. He said that the result of such cooperation "can
be a level of privacy and confidentiality never before available to both
individuals and business."

[From the Bureau of Export Administration (Commerce Dept.) Read Aaron's
full speech at: http://www.bxa.doc.gov/aaron.htm  ]

 
*** 
***ISSUE: Hands-on Help 
***

Netscape's Navigator browser has a "feature" that allows web sites you
visit to create a file (called "cookies.txt") on your hard drive
containing information about your visits to the site. This can be
useful in some cases, but some people don't like having profiles
maintained about their surfing behavior. While you can set NetNav
to prompt you for confirmation for each cookie that is requested to
be set (Options|Network Preferences:Protocols), the default is "OK",
so there is the chance that you may set one by accident. You can 
automatically delete the cookie file that is created when this happens 
by putting the following lines in your autoexec.bat file, replacing
"c:\path" with the directory where your cookies.txt file is located (the
same directory where the rest of the netscape files are): 

	REM Removes Netscape cookie file
	IF EXIST c:\path\cookies.txt ECHO Eating cookies....
	IF EXIST c:\path\cookies.txt DEL c:\path\cookies.txt 
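
An added example, not part of the original update: before deleting
cookies.txt, this Python script lists which sites have stored cookies in
it and how long each site intends to keep them. It assumes the file uses
the Netscape layout of seven tab-separated fields per line; the sample
domains and values are constructed.

```python
from datetime import datetime, timezone

# Constructed sample in the Netscape cookies.txt layout (an assumption about
# your file): seven tab-separated fields per line: domain, subdomain flag,
# path, secure flag, expiry (Unix time), name, value. All values are invented.
SAMPLE = (
    "# Netscape HTTP Cookie File\n"
    "# This is a generated file!  Do not edit.\n"
    "\n"
    ".ads.example\tTRUE\t/\tFALSE\t946684799\tuid\tA1B2C3\n"
    "www.shop.example\tFALSE\t/cart\tFALSE\t855532800\tsession\t42\n"
    ".ads.example\tTRUE\t/\tFALSE\t946684799\tlast_seen\t19970210\n"
    "truncated line without tabs\n"
)

def parse_cookies(text):
    """Return one dict per cookie; skip comments, blanks and malformed lines."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7 or not fields[4].isdigit():
            continue  # not a well-formed cookie record
        domain, subdomains, path, secure, expires, name, value = fields
        cookies.append({
            "domain": domain,
            "all_subdomains": subdomains == "TRUE",
            "path": path,
            "secure_only": secure == "TRUE",
            "expires": datetime.fromtimestamp(int(expires), tz=timezone.utc),
            "name": name,
            "value": value,
        })
    return cookies

def summarise(cookies):
    """Map each domain to (cookie names, latest expiry) it has stored."""
    summary = {}
    for c in cookies:
        names, latest = summary.get(c["domain"], ([], c["expires"]))
        summary[c["domain"]] = (names + [c["name"]], max(latest, c["expires"]))
    return summary

if __name__ == "__main__":
    # To read a real file, replace SAMPLE with open(path).read()
    for domain, (names, latest) in sorted(summarise(parse_cookies(SAMPLE)).items()):
        print(f"{domain}: {', '.join(names)} (kept until {latest:%Y-%m-%d})")
```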


***
***ISSUE: Tools
***

Depending upon your threat model, you might find the Secure Shell program
useful.

"Ssh (Secure Shell) is a program to log into another computer over a
network, to execute commands in a remote machine, and to move files from
one machine to another. It provides strong authentication and secure
communications over insecure channels. Its features include the following: 

"Strong authentication. Closes several security holes (e.g., IP, routing,
DNS spoofing, and listening for passwords from the network). New
authentication methods: .rhosts together with RSA based host
authentication, and pure RSA authentication. 

"All communications are automatically and transparently encrypted.
Encryption is also used to protect against spoofed packets and hijacked
connections. 

"Client RSA-authenticates the server machine in the beginning of every
connection to prevent trojan horses (by routing or DNS spoofing) and
man-in-the-middle attacks. The server RSA-authenticates the client
machine before accepting .rhosts or /etc/hosts.equiv authentication (to
prevent DNS, routing, or IP spoofing)." 

See:
	http://escert.upc.es/others/ssh/
and
	http://www.uni-karlsruhe.de/~ig25/ssh-faq/


***
***ISSUE: Policy
***

CDT COMPARISON OF ISP PRIVACY POLICIES

The Center for Democracy and Technology has a nice comparison chart of the
privacy policies of four of the major ISPs: AOL, CompuServe, Prodigy, and
The Microsoft Network.

Some of the policies examined:

- Whether personal data is sold "downstream" to advertisers or others
- Whether email is archived after it has been downloaded/deleted
- To what extent transaction data is collected and used
- Whether the ISP monitors chatrooms and other messages

See: http://www.cdt.org/privacy/online_services/chart.html


|:|:|:|:|:|:|:|:|:|:|:|:|:|:|:|:|:|:|::|:|:|:|:|:|:|:|:|:|:|:|:|:|:|:|:|:|:|

Send comments or suggestions to:  macmw@ils.unc.edu
Previous A/P Updates are archived at: http://ils.unc.edu/bitbucks/310