Back to the Cyberculture Archive


(c) Copyright 1993 L. Detweiler.  Not for commercial use except by
  permission from author, otherwise may be freely copied.  Not to be
  altered.  Please credit if quoted.


Information on email and account privacy, anonymous mailing and
posting, encryption, and other privacy and rights issues associated
with use of the Internet and global networks in general.

(Search for <#.#> for exact section. Search for '_' (underline) for
next section.)

====== (this file)

<1.1> What is `identity' on the internet?
<1.2> Why is identity (un)important on the internet?
<1.3> How does my email address (not) identify me and my background?
<1.4> How can I find out more about somebody from their email address?
<1.5> Why is identification (un)stable on the internet?
<1.6> What is the future of identification on the internet?

<2.1> What is `privacy' on the internet?
<2.2> Why is privacy (un)important on the internet?
<2.3> How (in)secure are internet networks?
<2.4> How (in)secure is my account?
<2.5> How (in)secure are my files and directories?
<2.6> How (in)secure is X Windows?
<2.7> How (in)secure is my email?
<2.8> How am I (not) liable for my email and postings?
<2.9> How do I provide more/less information to others on my identity?
<2.10> Who is my sysadmin?  What does s/he know about me?
<2.11> Why is privacy (un)stable on the internet?
<2.12> What is the future of privacy on the internet?

<3.1> What is `anonymity' on the internet?
<3.2> Why is `anonymity' (un)important on the internet?
<3.3> How can anonymity be protected on the internet?
<3.4> What is `anonymous mail'?
<3.5> What is `anonymous posting'?
<3.6> Why is anonymity (un)stable on the internet?
<3.7> What is the future of anonymity on the internet?

====== (next file)


<4.1> What is the Electronic Frontier Foundation (EFF)?
<4.2> Who are Computer Professionals for Social Responsibility (CPSR)?
<4.3> What was `Operation Sundevil' and the Steve Jackson Game case?
<4.4> What is Integrated Services Digital Network (ISDN)?
<4.5> What is the National Research and Education Network (NREN)?
<4.6> What is the FBI's proposed Digital Telephony Act?
<4.7> What is U.S. policy on freedom/restriction of strong encryption?
<4.8> What other U.S. legislation is related to privacy?
<4.9> What are references on rights in cyberspace?
<4.10> What is the Computers and Academic Freedom (CAF) archive?


<5.1> What is the Clipper Chip Initiative?
<5.2> How does Clipper blunt `cryptography's dual-edge sword'?
<5.3> Why are technical details of the Clipper chip being kept secret?
<5.4> Who was consulted in the development of the Clipper chip?
<5.5> How is commerical use/export of Clipper chips regulated?
<5.6> What are references on the Clipper Chip?
<5.7> What are compliments/criticisms of the Clipper chip?
<5.8> What are compliments/criticisms of the Clipper Initiative?
<5.9> What are compliments/criticisms of the Clipper announcement?
<5.10> Where does Clipper fit in U.S. cryptographic technology policy?

====== (last file)


<6.1> What UNIX programs are related to privacy?
<6.2> How can I learn about or use cryptography?
<6.3> What is the cypherpunks mailing list?
<6.4> What are some privacy-related newsgroups?  FAQs?
<6.5> What is internet Privacy Enhanced Mail (PEM)?
<6.6> What are other Request For Comments (RFCs) related to privacy?
<6.7> How can I run an anonymous remailer?
<6.8> What are references on privacy in email?
<6.9> What are some email, Usenet, and internet use policies?


<7.1> What is ``digital cash''?
<7.2> What is a ``hacker'' or ``cracker''?
<7.3> What is a ``cypherpunk''?
<7.4> What is `steganography' and anonymous pools?
<7.5> What is `security through obscurity'?
<7.6> What are `identity daemons'?
<7.7> What standards are needed to guard electronic privacy?


<8.1> What is the background behind the Internet?
<8.2> How is Internet `anarchy' like the English language?
<8.3> Most Wanted list
<8.4> Change history

* * *


<1.1> What is `identity' on the internet?

  Generally, today people's `identity' on the internet is primarily
  determined by their email address in the sense that this is their
  most unchanging 'face' in the electronic realm.   This is your
  login name qualified by the complete address domain information,
  for example ``''.  People see
  this address when receiving mail or reading USENET posts from you
  and in other situations where programs record usage.  Some obsolete
  forms of addresses (such as BITNET) still persist.

  In email messages, additional information on the path that a message
  takes is prepended to the message received by the recipient.  This
  information identifies the chain of hosts involved in the
  transmission and is a very accurate trace of its origination.  This
  type of identify-and-forward protocol is also used in the USENET
  protocol to a lesser extent.  Forging these fields requires
  corrupted mailing software at sites involved in the forwarding and
  is very uncommon.  Not so uncommon is forging the chain at the
  origination point, so that all initial sites in the list are faked
  at the time the message is created.  Tracing these messages can be
  difficult or impossible when the initial faked fields are names of
  real machines and represent real transfer routes.

<1.2> Why is identity (un)important on the internet?

  The concept of identity is closely intertwined with communication,
  privacy, and security, which in turn are all critical aspects of
  computer networks. For example, the convenience of communication
  afforded by email would be impossible without conventions for
  identification.  But there are many potential abuses of identity
  possible that can have very severe consequences, with massive
  computer networks at the forefront of the issue, which can
  potentially either exacerbate or solve these problems.

  Verifying that an identity is correct is called `authentication',
  and one classic example of the problems associated with it is
  H.G. Well's ``War of the Worlds'' science fiction story adapted to a
radio broadcast that fooled
  segments of the population into thinking that an alien invasion was
  in progress.  Hoaxes of this order are not uncommon on Usenet and
  forged identities makes them more insidious.  People and their
  reputations can be assaulted by forgery.

  However, the fluidity of identity on the internet is for some one of
  its most attractive features. Identity is just as useful as it is
  harmful.  A professor might carefully explain a topic until he
  finds he is talking to an undergraduate. A person of a particular
  occupation may be able to converse with others who might normally
  shun him.  Some prejudices are erased, but, on the other hand, many
  prejudices are useful!  A scientist might argue he can better
  evaluate the findings of a paper as a reviewer if he knows more
  about the authors.  Likewise, he may be more likely to reject it
  based on unfair or irrelevant criteria.  On the other side of the
  connection,  the author may find identities of reviewers useful in
  exerting pressure for acceptance.

  Identity is especially crucial in establishing and regulating
  `credit' (not necessarily financial) and `ownership' and `usage'.
  Many functions in society demand reliable and accurate techniques
  for identification. Heavy reliance will be placed on digital
  authentication as global economies become increasingly electronic.
  Many government functions and services are based on identification,
  and law enforcement frequently hinges on it.  Hence, employees of
  many government organizations push toward stronger identification
  structures.  But when does identification invade privacy?

  The growth of the internet is provoking social forces of massive
  proportions. Decisions made now on issues of identity will affect
  many future users, especially as the network becomes increasingly
  global, universal, widespread, and entrenched; and the positive or
  adverse affects of these actions, intended and inadvertent,  will
  literally be magnified exponentially.

<1.3> How does my email address (not) identify me and my background?

  Your email address may contain information that influences people's
  perceptions of your background.  The address may `identify' you as
  from a department at a particular university, an employee at a
  company, or a government worker.  It may contain your last name,
  initials, or cryptic identification codes independent of both.  In
  the US some are based on parts of social security numbers.  Others
  are in the form 'u2338' where the number is incremented in the
  order that new users are added to the system.

  Standard internet addresses  also can contain information  on your
  broad geographical location or nationhood.  However, none of this
  information is guaranteed to be correct or be there at all.  The
  fields in the domain qualification of the username are based on
  rather arbitrary organization, such as (mostly invisible) network
  cabling distributions.  The only point to make is that early fields
  in the address are more specific (such as specific computer names
  or local networks) and the later ones the most general (such as
  continental domains).  Typically the first field is the name of the
  computer receiving mail.

  Gleaning information from the email address alone is sometimes an
  inspired art or an inconsistent and futile exercise.  (For more
  information, see the FAQs on email  addresses and known
  geographical distributions below.)  However, UNIX utilities exist
  to aid in the quest (see the question on this).

  Common Suffixes

  .us    United States
  .uk    United Kingdom
  .ca    Canada
  .fi    Finland
  .au    Australia

  .edu   university or college
  .com   commercial organization
  .org   'other' (e.g. nonprofit organization)
  .gov   government
  .mil   military site

<1.4> How can I find out more about somebody with a given email address?

  One simple way is to send email to that address, asking.  Another
  way is to send mail to the postmaster at that address (i.e.
  postmaster@address), although the postmaster's job is more to help
  find user ID's of particular people given their real name and solve
  mail routing problems.  The sysadmin (i.e. `root@address') may also
  be able to supply information.  Users with related email address
  may have information.  However, all of these methods rely on the
  time and patience of others so use them minimally.

  One of the most basic tools for determining identity over the
  internet is the UNIX utility 'finger'.  The basic syntax is:

    finger user@here.there.everywhere

  This utility uses communication protocols to query the computer
  named in the address for information on the user named.  The
  response is generated completely by the receiving computer and may
  be in any format.  Possible responses are as follows:

  - A message `unknown host' meaning some aspect of the address is
    incorrect, two lines with no information and '???'.

  - A message 'In real life: ???' in which case the receiving computer
    could not find any kind of a match on the username. The finger
    utility may return this response in other situations.

  - A listing of information associated with multiple users. Some
    computers will search only for matching user IDs, others will
    attempt to find the username you specified as a substring of all
    actual full names of users kept in a local database.

  At some sites 'finger' can be used to get a list of all users on the
  system with a `finger @address'.  In general this is often
  considered weak security, however, because `attackers' know valid
  user ID's to `crack' passwords.

        More information on the fields returned by `finger' is given below.
        More information on `finger' and locating people's email addresses
        is given in the email FAQ (such as the WHOIS lookup utility).  Just
        as you can use these means to find out about others, they can use
        them to find out about you.  You can `finger' yourself to find out
        what is publicly reported by your UNIX system about you.  Be
        careful when modifying `finger' data; virtually anyone with
        internet access worldwide can query this information.  In one
        famous case, the New York Times writer J. Markoff uncovered the
        identity of R. Morris, author of the Internet Worm,  through the
        use of `finger' after an anonymous caller slipped by revealing his
        initials which were also his login ID.  See the book Cyberpunk by
        K. Hafner and J. Markoff.

<1.5> Why is identification (un)stable on the internet?

  Generally, identity is an amorphous and almost nonexistent concept
  on the Internet for a variety of reasons.  One is the inherent
  fluidity of `cyberspace' where people emerge and submerge
  frequently, and absences are not readily noted in the `community'.
  Most people remember faces and voices, the primary means of casual
  identification in the 'real world'.  The arbitary and cryptic
  sequences of letters and digits comprising most email addresses are
  not particularly noticeable or memorable and far from a unique
  identification of an individual, who may use multiple accounts on
  multiple machines anywhere in the world.

  Currently internet users do not really have any great assurances
  that the messages in email and USENET are from who they appear to
  be. A person's mailing address is far from an identification of an

  - Anyone with access to the account, e.g. they know the password,
    either legitimately or otherwise, can send mail with that address
    in the From: line.

  - Email addresses for an individual tend to change frequently as
    they switch jobs or make moves inside their organizations.

  - As part of current mailing protocol standards, forging the From:
    line in mail messages is a fairly trivial operation for many

  The status and path information prepended to messages by
  intermediate hosts is generally unforgeable. In general, while
  possible, forgeries are fairly rare on most newsgroups and in
  email.  Besides these pathological cases abve there are many basic
  problems with today's internet protocols affecting identification
  on the internet:

  - Internet mail standards, described in RFC-822, are still evolving
    rapidly and not entirely orderly.  For example, standards for
    mail address `munging' or `parsing' tend to vary slightly between
    sites and frequently mean the difference between finding
    addresses and bouncing mail.

  - Domain names and computer names are frequently changed at sites,
    and there are delays in the propagation of this data.

  - Addresses cannot be resolved when certain critical computers
    crash, such as the receiving computer or other computers involved
    in resolving names into addresses called `nameservers'.

  - A whole slew of problems is associated with  `nameservers'; if
    they are not updated they will not find name addresses, and even
    the operation of what constitutes `updating' has different
    interpretations at different sites.

  The current internet mailing and addressing protocols are slightly
  anachronistic in that they were created when the network was
  somewhat obscure and not widespread, with only a fraction of the
  traffic it now sees.  Today a large proportion of internet traffic
  is email, comprising  millions of messages.

<1.6> What is the future of identification on the internet?

  Some new technologies and standards are introducing facial images
  and voice messages  into mail and these will improve the sense of
  community that comes from the familiarity of identification.
  However, they are not currently widespread, require large amounts
  of data transfer, standardized software, and make some compromises
  in privacy.

  Promising new cryptographic techniques may make 'digital signatures'
  and 'digital authentication' common (see below).  Also, the trend
  in USENET standards is toward greater authentication of posted
  information.  On the other hand, advances in ensuring anonymity
  (such as remailers) are forthcoming.  See below.


<2.1> What is `privacy' on the internet?

  Generally, while `privacy' has multiple connotations in society and
  perhaps even more on the internet, in cyberspace most take it to
  mean that you have exclusive use and access to your account and the
  data stored on and and directed to it (such as email), and you do
  not encounter arbitrary restrictions or searches.  In other words,
  others may obtain data associated with your account, but not
  without your permission.  These ideas are probably both fairly
  limiting and liberal in their scope in what most internet users
  consider their private domains.  Some users don't expect or want
  any privacy, some expect and demand it.

<2.2> Why is privacy (un)important on the internet?

  This is a somewhat debatable and inflammatory topic, arousing
  passionate opinions.  On the internet, some take privacy for
  granted and are rudely surprised to find it tenuous or nonexistent.
  Most governments have rules that protect privacy (such as the
  illegal search and seizure clause of the U.S. constitution, adopted
  by others) but have many that are antithetical to it (such as laws
  prohibiting secret communications or allowing wiretapping). These
  rules generally carry over to the internet with few specific rules
  governing it.  However, the legal repercussions of the global
  internet are still largely unknown and untested (i.e. no strong
  legal precedents and court cases).  The fact that internet traffic
  frequently passes past international boundaries, and is not
  centrally managed, significantly complicates and strongly
  discourages its regulation.

<2.3> How (in)secure are internet networks?

  - `Theoretically' people at any site in the chain of sites with
    access to hardware and network media that transmits data over the
    Internet  could potentially monitor or archive it. However, the
    sheer volume and general 'noise' inherent to this data makes
    these scenarios highly improbable, even by government agencies
    with supposedly vast funding and resources.

  - Technologies exist to `tap' magnetic fields given off by
    electrical wires without detection.  Less obscurely, any machine
    with a network connection is a potential station for traffic
    detection, but this scenario requires knowledge and access to
    very low-level hardware (the network card) to pursue, if even

  - A company Network General Inc. is one of many that manufactures
    and markets sophisticated network monitoring tools that can
    'filter' and read packets by arbitrary criteria for
    troubleshooting purposes, but the cost of this type of device is
    prohibitive for casual use.

  Known instances of the above types of security  breaches at a major
  scale (such as at network hubs) are very rare. The greatest risks
  tend to emerge locally.  Note that all these approaches are almost
  completely defused with the use of cryptography.

<2.4> How (in)secure is my account?

  By default, not very.  There are a multitude of factors that may
  reinforce or compromise aspects of your privacy on the internet.
  First, your account must be secure from other users. The universal
  system is to use a password, but if it is `weak' (i.e. easy to
  guess) this security is significantly diminished.  Somewhat
  surprisingly and frighteningly to some, certain  users of the
  system, particularly the administrator, generally have unlimited
  access regardless of passwords, and may grant that access to
  others.  This means that they may read any file in your account
  without detection.

  Furthermore, not universally known, most UNIX systems keep fairly
  extensive accounting records of when and where you logged in, what
  commands you execute, and when they are executed (in fact, login
  information is usually public). Most features of this `auditing' or
   `process accounting' information are enabled by default after the
  initial installation and the system administrator may customize it
  to strengthen or weaken it to satisfy performance or privacy aims.
  This information is frequently consulted for troubleshooting
  purposes and may otherwise be ignored.  This data tracks
  unsuccessful login attempts and other 'suspicious' activities on
  the system. A traditional part of the UNIX system that tracks user
  commands is easily circumvented by the user with the use of
  symbolic links (described  in 'man ln').

        UNIX implementations vary widely particularly in tracking features
        and new sophisticated mechanisms are introduced by companies
        regularly. Typically system adminstrators augment the basic UNIX
        functionality with public-domain programs and locally-developed
        tools for monitoring, and use them only to isolate `suspicious'
        activity as it arises (e.g. remote accesses to the 'passwd' file,
        incorrect login attempts, remote connection attempts, etc.).

  Generally, you should expect little privacy on your account for
  various reasons:

  - Potentially, every keystroke you type could be intercepted by
    someone else.

  - System administrators make extensive backups that are completely
    invisible to users which may record the states of an account over
    many weeks.

  - Erased files can, under many operating systems, be undeleted.

  - Most automated services keep logs of use for troubleshooting or
    otherwise; for example FTP sites usually log the commands and
    record the domain originations of users, including anonymous

  - Some software exacerbates these problems.  See the section on
    ``X Windows (in)security''.

  Indepedent of malevolent administrators are fellow users, a much
  more commonly harmful threat. There are multiple ways to help
  ensure that your account will not be accessed by others, and
  compromises can often be traced to failures in these guidelines:

  - Choose a secure password.  Change it periodically.
  - Make sure to logout always.
  - Do not leave a machine unattended for long.
  - Make sure no one watches you when you type your password.
  - Avoid password references in email.
  - Be conservative in the use of the .rhost file.
  - Use utilities like `xlock' to protect a station, but be

  Be wary of situations where you think you should supply your
  password.  There are only several basic situations where UNIX
  prompts you for a password: when you are logging in to a system or
  changing your password.  Situations can arise in which prompts for
  passwords are forged by other users, especially in cases where you
  are talking to them (such as Internet Relay Chat).  Also, be  aware
  that forged login screens are one method to illegitimately obtain

  (Thanks to Jim Mattson  for contributions

<2.5> How (in)secure are my files and directories?

  The most important privacy considerations are related to file
  rights, and many lapses can be traced to their misunderstood nature
  or haphazard maintenance. Be aware of the rights associated with
  your files and directories in UNIX. If the `x' (`execute') right on
  your parent directory is off for users, groups, and other, these
  users cannot gain information on anything in your directories.
  Anything less may allow others to read, change, or even delete
  files in your home directory. The rights on a directory supersede
  the rights associated with files in that directory. For a
  directory, 'x' means that access to the files (or subdirectories)
  in the directory is possible -- if you know their names.  To list
  the contents of the directory, however, requires the 'r' right.

  By default most accounts are accessable only to the owner, but the
  initial configuration varies between sites based on administrator
  preference.  The default file mode specifies the initial rights
  associated with newly created files, and can be set in the shell
  with `umask'.  The details of rights implementations tend to vary
  between versions of UNIX.  Consult man pages on `chmod' and `ls'.


    traver.lance % ls -ld ~
    drwx------ 15 ld231782     1536 Jan 31 21:22 /users/ld231782/

  Here is a listing of the rights associated with a user's home
  directory, denoted by `~'.  The columns at the left identify what
  rights are available. The first column identifies the entry as a
  directory, and the next three columns mean that read, write, and
  execute rights, respectively, are permitted for that user.  For
  directories, the `x' right means that contents (file and
  subdirectory names) within that directory can be listed. The
  subsequent columns indicate that no other users have any rights to
  anything in the directory tree originating at that point.  They
  can't even `see' any lower files or subdirectories; the hierarchy
  is completely invisible to them.

    traver.lance % ls -l msg
    -rw-r--r--  1 ld231782   35661 Jan 29 23:13 msg
    traver.lance % chmod u=rw,g=,o= msg
    traver.lance % ls -l msg
    -rw-------  1 ld231782   35661 Jan 29 23:13 msg

  Here the modes on the file `msg' were changed to take away rights
  from `group' and `other'.

  Note that `ls -l ' requires both the 'r' right to get the list
  of files and subdirectories, and the 'x' right to access the files
  and subdirectories in order to get their size, etc. For example,
  suppose the directory `foo' has rights dr--r--r--,  the following
  is possible:

    ls foo

  These commands would fail independent of file rights:

    ls -l foo
    ls -l foo/file
    cat foo/file
    cd foo

  If the directory `foo' has rights d--x--x--x, the following are
  possible if it is known beforehand that `foo' contains an 'r'
  readable file named `file':

    ls -l foo/file
    cat foo/file
    cd foo

  The following commands fail:

    ls foo
    ls -l foo

  (Thanks to Uwe Waldmann  for contributions here.)

<2.6> How (in)secure is X Windows?

  X Windows is the primary software developed by the MIT Athena
  project (1983-1991) which was funded by commercial grants
  primarily from DEC and IBM to develop
  applications to harness the power of networks in enhancing
  computational tasks, particularly the human-computer interface.
  The software implements a client-server interface to a computer via
  graphical windows. In this case the `client' is the application
  requesting or utilizing  graphical resources (such as windows or a
  mouse) and the `server' is the machine that provides them.  In many
  situations the client is an application program running on the same
  machine as the server.

  The great utility of X Windows comes from its complete dissociation
  of the client and server so that windows may be `broadcast' to a
  server at a remote location from the  client. Unfortunately this
  dynamic power also introduces many deep, intricate, and complicated
  security considerations.  The primary security and privacy issue
  associated with X Windows is that much more sensitive data may be
  sent over a network, and over wider regions, than in the case where
  the human is situated near the host computer.  Currently there is
  no encryption of data such as screen updates and keystrokes in X

        Due to either intentional design decisions or unintentional design
        flaws,  early versions of the X Window system are extremely
        insecure (the decision may have been made not to attempt to
        overcome existing vulnerabiliies in the Unix system). Anyone with
        an account on the server machine can disrupt that display or read
        it electronically based on access to the device unix:0.0 by any
        regular user.   There are no protections from this type of access
        in these versions.   The problem arises because the security is
        completely based on machine addresses rather than users, such that
        any user at a `trusted' machine is himself trusted. Quoting from X
        documentation (man Xsecurity):

  > Any client on a host in the host access control list is allowed
  > access to the X server. This system can work reasonably well in
  > an environment where everyone trusts everyone, or when only a
  > single person can log into a given machine...This system does not
  > work well when multiple people can log in to a single machine and
  > mutual trust does not exist.

  With the access control list, the `xhost' command may prevent some
  naive attempts (i.e. those other than the direct-access unix:0.0
  evasion); the syntax as typed on the host machine is  ``xhost
  +[name]'' where [name] is the domain name or internet address of an
  authorized client machine. By default clients running nonlocal to
  the host are disabled.  Public domain programs to disrupt a display
  momentarily (such as 'flip' or slowly mirror the screen image, or
  cause pixels to 'melt' down to the bottom) have been circulating on
  the internet among hackers for several years and played as pranks
  on unsuspecting or inexperienced users.  Much more serious security
  breaches are conceivable from similar mechanisms exploiting this
  inherent weaknesses.  (The minimal, easily-bypassed `trusted'
  security mode of `xhost' has been jokingly referred to as ``X
  Hanging Open, Security Terrible.'').

  New versions of the X Window system (X11R5 and higher) by default
  make server access as secure as the file system using a .Xauthority
  file and 'magic cookies'.  Remote machines must have a code in the
  .Xauthority file in the home directory that matches the code
  allowed by the server.  Many older programs and even new
  vendor-supplied code does not support or is incompatible with
  `magic cookies'. The basic magic cookie mechanism is vulnerable to
  monitoring techniques described earlier because no encryption of
  keys occurs in transmission.  X11R5 also includes other
  sophisticated encryption mechanisms.  Try `man Xsecurity' to find
  out what is supported at your site.  Even though improved security
  mechanisms have been available in X Windows since ~1990, local
  sites often update this software infrequently because installation
  is extremely complex.

  (Thanks to Marc Vanheyningen ,
  Jim Mattson , and Bill Marshall
   for contributions here.)

<2.7> How (in)secure is my email?

  By default, not very.  The characters that you are reading are
  almost certainly encoded in ASCII, the American Standard Code for
  Information Interchange that maps alphabetic and symbolic
  characters onto numeric codes and vice versa.  Virtually every
  computer system uses this code, and if not, has ways of converting
  to and from it.  When you write a mail message, by default it is
  being sent in ASCII,  and since the standard is virtually
  universal, there is no intrinsic privacy.  Despite milleniums worth
  of accumulated cryptographic knowledge, cryptographic technologies
  are only recently being established that afford high priority to
  privacy as a primary criteria in computer and network design.  Some
  potential pitfalls in privacy are as follows:

  - The most serious threats are instances of immature or unscrupulous
    system operators reading private mail in the `spool files' at a
    local site (i.e. at the source or destination of the message),
    such as a university.

  - System administrators may also release files to law enforcement
    agencies, but conventions and protocols for warrants involving
    computer searches have still not been strongly established and
    tested legally.

  - Note that bounced messages go to postmasters at a given site in
    their entirety.  This means that if you address mail with an
    incorrect address it has a good chance of being seen by a human
    other than the recipient.

  - Typically new user accounts are always set up such that the local
    mail directory is private, but this is not guaranteed and can be

  - Finally, be aware that some mailing lists (email addresses of
    everyone on a list) are actually publicly accessable via mail
    routing software mechanisms.  This `feature' can be disabled.

  Most potential compromises in email privacy can be thoroughly
  avoided with the use of strong end-to-end cryptography, which has
  its own set of caveats (for example, unscrupulous administrators
  may still be a threat if the encryption site is shared or
  nonlocal).  See the sections on ``email privacy'' and ``email

<2.8> How am I (not) liable for my email and postings?

  As punishment or whatever, your system administrator can revoke
  certain `privileges' such as emailing, USENET posting or reading
  certain groups, file transferring, remote communications, or
  generally any subset of capabilities available from your account.
  This all is completely at the discretion of the local administrator
  and under the procedures followed at a particular site, which in
  many cases are haphazard and crisis-oriented.  Currently there are
  virtually no widespread, uniform guidelines or procedures  for
  restricting use to any internet services, and local administrators
  are free to make arbitrary decisions on access.

  Today punitive measures are regularly applied in various situations.
  In the typical scenario complaint(s) reach a system adminstrator
  regarding abuses by a user, usually but not necessarily preceded by
  complaints to the user in email, regarding that person's
  objectionable email or postings.  `abusive' posters to USENET are
  usually first given admonitions from their system administrators as
  urged by others on the `net'. (The debate persists endlessly on
  many newsgroups whether this is also used  as a questionable means
  of attacking or silencing `harmless crackpots' or censoring
  unpopular opinions.)

  System administrators at remote sites regularly cooperate to
  'squelch' severe cases of abuse.  In general, however, by tradition
  Usenet readers are remarkably tolerant of diverse views and uses of
  the system, but a colorful vocabularly of slang helps describe
  their alternatives when this patience is sapped: the options
  wielded by the individual user are to simply advance to the next
  message (referred to as ``hitting the `n' key''), or to `plonk'
  annoying posters (according to the Hacker's Dictionary, the sound a
  jerk makes at the end of a fall to the bottom of a kill file).

  In cases where punitive actions are applied, generally system
  administrators are least likely to restrict email.  USENET postings
  are much more commonly restricted, either to individual users or
  entire groups (such as a university campus).  Restrictions are most
  commonly associated with the following `abuses':

  - harassing or threatening notes, `email terrorism'
  - illegal uses, e.g. piracy or propagation of copyrighted material
  - `ad hominem' attacks, i.e. insulting the reputation of the
    poster instead of citing the content of the message
  - intentional or extreme vulgarity and offensiveness
  - inappropriate postings, esp. binary files in regular groups
    `mail-bombing': inundating mail boxes with numerous or massive

  Major problems originate from lack of distinctions in private and
  official email or postings.  Most users have internet access via
  accounts at businesses or universities and their activities on the
  internet can be construed as representative of their parent
  organizations. Many people put disclaimers in their `signatures' in
  an attempt dissociate their identity and activities from parent
  organizations as a precaution. A recent visible political case
  involves the privacy of electronic mail  written by White House
  staff members of the Bush administration.  Following are some

  - Acquaint yourself with your company or university policy.
  - If possible, avoid use of your company email address for private
  - Use a disclaimer.
  - Keep a low profile (avoid `flamewars' or simply don't post).
  - Avoid posting information that could be  construed to be
    proprietary or `internal'.

  The following references are available from
  (see also the section on ``internet use policies''):

    Computer material that was banned/challenged in academia in 1991
    and 1992 including USENET hierarchies.

    This is an on-line collection of information about specific
    computers and academic freedom cases. File README is a detailed
    description of the items in the directory.

    Notes on university liability for Usenet.

<2.9> How do I provide more/less information to others on my identity?

  The public information of your identity and account is mostly
  available though the UNIX utility `finger' described above.

  - You have control over most of this information with the utility
    `chfn', the specifics vary between sites (on some systems use
    `passwd -f').

  - You can provide unlimited information in the .plan file which is
    copied directly to the destination during the fingering.

  - A technique that works at some sites allows you to find out who is
    'finger'ing you and even to  vary the .plan file sent to them.

  - Your signature is determined by the environment variable SIGNATURE

  - USENET signatures are conventionally stored in the .signature file
    in your home directory.

  Providing less information on your online identity is more difficult
  and involved.  One approach is to ask your system adminstrator to
  change or delete information about you (such as your full name).
  You may be able to obtain access on a public account or one from
  someone unrelated to you personally.  You may be able to remotely
  login (via modem or otherwise) to computers that you are not
  physically near.  These are tactics for hiding or masking your
  online activities but nothing is foolproof.  Consult man pages on
  the 'chmod' command and the default file mode.  Generally, files on
  a shared system have good safeguards within the user pool but very
  little protection is possible from corrupt system administrators.

  To mask your identity in email or on USENET you can use different
  accounts. More untraceable are new `anonymous posting' and
  remailing services that are very recently being established.  See

<2.10> Who is my sysadmin?  What does s/he know about me?

  The requirements and screening for getting a system administration
  job (and thereby access to all information on a system) vary widely
  between sites and are sometimes frighteningly lax, especially at
  universities.  Many UNIX systems at universities are largely
  managed by undergraduates with a background in computing and often
  `hacking'.  In general, commercial and industrial sites are more
  strict on qualifications and background, and government sites are
  extremely strict.

  The system adminstrator (root user) can monitor what commands you
  used and at what times.  S/he may have a record (backups) of files
  on your account over a few weeks. S/he can monitor when  you send
  email or post USENET messages, and potentially read either.  S/he
  may have access to records indicating what hosts you are using,
  both locally and elsewhere.  Administrators sometimes employ
  specialized programs to  track `strange' or `unusual' activity,
  which can potentially be misused.

<2.11> Why is privacy (un)stable on the internet?

  For the numerous reasons listed above, privacy should not be an
  expectation with current use of the internet.  Furthermore, large
  parts of the internet are funded by the U.S. NSF (National Science
  Foundation) which places certain restrictions on its use (such as
  prohibiting commercial use).  Some high-level officials in this and
  other government agencies may be opposed to emerging techniques to
  guarantee privacy (such as encryption and anonymous services).

  Historically the major threats to privacy on the internet have been
  local. Perhaps the most common example of this are the widespread
  occurrences of university administrators refusing to carry some
  portion of USENET newsgroups labelled as `pornographic'. The
  `alternative' hierarchy in the USENET system, which has virtually
  no restrictions on propagation and new group creation, is
  frequently targeted (although this material may appear anywhere).

  From the global point of view traffic is generally completely
  unimpeded on the internet  and only the most egregious offenders
  are pursued.  For example,  verbatim transcriptions of copyrighted
  material (such as newspaper or magazine articles) are posted to
  USENET with regularity without major consequences (some email
  complaints may ensue).  More astonishing to some is that currently
  significant portions of USENET traffic, and less so internet
  traffic, is comprised of sexually-explicit digitized images almost
  entirely originating from copyrighted material (newsgroups such as
  `' regularly have the  highest traffic).

<2.12> What is the future of privacy on the internet?

  Some argue that the internet currently has an adequate or
  appropriate level of privacy.  Others will argue that as a
  prototype for future global networks it has woefully inadequate
  safeguards.  The internet is growing to become a completely global,
  international superhighway for data, and this traffic will
  inevitably entail data such as voice messages, postal mail, and
  many other items of extremely personal nature. Computer items that
  many people consider completely private (such as their local hard
  drives) will literally be inches from global network connections.
  Also, sensitive industrial and business information is exchanged
  over networks currently and this volume may conceivably merge with
  the internet.

  Most would agree that, for these basic but sensitive uses of the
  internet, no significant mechanisms are currently in place to
  ensure much privacy. New standards are calling for uniform
  introduction of `privacy enhanced mail' (PEM) which uses encryption
  technologies to ensure privacy, so that privacy protection is
  automatic, and may significantly improve safeguards.

  The same technology that can be extremely destructive to privacy
  (such as with  surreptitious surveilance) can be overwhelmingly
  effective in protecting  it (e.g. with encryption). Some government
  agencies are opposed to unlimited privacy in general, and believe
  that it should lawfully be forfeited in cases of criminal conduct
  (e.g. court-authorized wiretapping).  However, powerful new
  technologies to protect privacy on computers are becoming
  increasingly popular, provoking some to say that ``the cat is out
  of the bag'' and the ``genie can't be put back in the bottle''.  In
  less idiomatic terms, they believe that the spread of strong
  cryptography is already underway will be socially and technically

  To date, no feasible system that guarantees both secure
  communication and government oversight has been proposed (the two
  goals are largely incompatible). Proposals for ``registration'' of
  secret keys (by D. Denning on sci.crypt, for example) have been met
  with hot controversy at best and ridicule and derision at worst,
  mainly because of concerns for the right to privacy and objections
  of inherent feasibility.  Electronic privacy issues, and
  particularly the proper roles of networks and the internet, will
  foreseeably become highly visible and explosive over the next few


<3.1> What is `anonymity' on the internet?

  Simply stated, anonymity is the absence of identity, the
  ultimate in privacy. However, there are several variations on
  this simple theme.  A person may wish to be consistently
  identified by a certain pseudonym or `handle' and establish a
  reputation under it in some area, providing pseudo-anonymity.
  A person may wish to be completely untraceable for a single
  one-way message (a sort of `hit-and-run'). Or, a person may
  wish to be openly anonymous but carry on a conversation with
  others (with either known or anonymous identities) via an
  `anonymous return address'.  A user may wish to appear as a
  `regular user' but actually be untraceable.  Sometimes a user
  wishes to hide who he is sending mail to (in addition to the
  message itself). The anonymous item itself may be directed at
  individuals or groups.  A user may wish to access some
  service and hide all  signs of the association.

  All of these uses are feasible on the internet but are currently
  tricky to carry out in practice, because of all the tracking
  mechanisms inherent to operating systems and network protocols.
  Officials of the NSF and other government agencies may be opposed
  to any of these uses because of the potential for abuse.
  Nevertheless, the inherent facelessness of large networks will
  always guarantee a certain element of anonymity.

<3.2> Why is `anonymity' (un)important on the internet?

  Anonymity is another powerful tool that can be beneficial or
  problematic depending on its use.  Arguably absence of
  identification is important as the presence of it.  It may be the
  case that many strong benefits from electronic anonymity will be
  discovered that were unforeseen and unpredicted, because true
  anonymity has been historically very difficult to establish.

        One can use anonymity to make personal statements to a colleague
        that would sabotage a relationship if stated openly (such as
        employer/employee scenarios).  One can use it to pass information
        and evade any threat of direct retribution.  For example,
        `whistleblowers' reporting on government abuses (economic, social,
        or  political) can bring issues to light without fear of stigma or
        retaliation. Sensitive, personal, potentially damaging information
        is often posted to some USENET groups, a risky situation where
        anonymity allows conversations to be carried on completely
        independent of the identities of the participants.  Some police
        departments run phone services that allow anonymous reporting of
        crimes; such uses would be straightforward on the network.
        Anonymity can be extremely important and potentially lifesaving
        diagnoses and discussions carried out on medical or theurapeutic
        newsgroups. Unfortunately, extortion and harassment become more
        insidious with assurances of anonymity.

<3.3> How can anonymity be protected on the internet?

  The chief means, as alluded to above, are masking identities in
  email and posting. However, anonymous accounts (public accounts as
  accessable and anonymous as e.g. public telephones) may be
  effective as well, but this use is generally not officially
  supported and even discouraged by some system adminstrators and NSF
  guidelines.  The nonuniformity in the requirements of obtaining
  accounts at different sites and institutions makes anonymous
  accounts generally difficult to obtain to the public at large.

  Many communications protocols are inherently detrimental to
  anonymity.  Virtually every protocol in existence currently
  contains information on both sender and receiver in every packet.
  New communications protocols will likely develop that guarantee
  much higher degrees of secure anonymous communication.

<3.4> What is `anonymous mail'?

  One approach to `anonymizing' mail has been to set up an `anonymous
  server' that, when activated by email to its address, responds by
  allocating and supplying an `anonymous ID' that is unique to the
  person requesting it (based on his email address).  This will vary
  for the same person for different machine address email
  originations. To send anonymous mail, the user sends email directed
  to the server containing the final destination. The server
  `anonymizes' the message by stripping of identification information
  and forwards the message, which appears to originate from the
  anonymous server only from the corresponding anonymous user id.
  This is the `interactive' use of anonymity or pseudonymity
  mentioned above.

  Another more `fringe' approach is to run a `cypherpunk' remailer
  from a regular user account (no root system privileges are
  required). These are currently being pioneered by  Eric Hughes and
  Hal Finney . The operator runs a process on
  a machine that anonymizes mail sent to him with certain
  characteristics that distinguish it from his regular incoming mail
  (typically fields in the header). One has been implemented as a
  PERL script running on UNIX.  Several of these are in existence
  currently but sites and software currently are highly unstable;
  they may be in operation outside of system administrator knowledge.
  The remailers don't generally support anonymous return addresses.
  Mail that is incorrectly addressed is received by the operator.
  Generally the user of the remailer has to disavow any
  responsibility for the messages forwarded through his system,
  although actually may be held liable regardless.

  These approaches have several serious disadvantages and weaknesses:

  - The anonymous server approach requires maintaining a mapping of
    anonymous ID's to real addresses that must be maintained
    indefinitely.  One alternative is to allow `deallocation' of
    aliases at the request of the user, but this has not been
    implemented yet.

  - Although an unlikely scenario, traffic to any of these sites could
    conceivably be monitored from the `outside', necessitating the
    use of cryptography for basic protection,.

  - Local administrators can shut them down either out of caprice or
    under pressure from local, network, or government agencies.

  - Unscrupulous providers of the services can monitor the traffic
    that goes through them.

  - Most remailers currently keep logs that may be inspected.

  - The cypherpunk approach tends to be highly unstable because these
    operators are basically  network users who do not own the
    equipment and are accountable  to their own system
    administrators, who may be unaware of the use and unsympathetic
    to the philosophy of anonymity when the operation is discovered,
    regarding it as illicit use.

  - In all cases, a high degree of trust is placed in the anonymous
    server operator by the user.

  Currently the most direct route to anonymity involves using SMTP
  protocols to submit a message directly to a server with arbitrary
  field information.  This practice, not uncommon to hackers, and the
  approach used by remailers, is generally viewed with hostility by
  most system administrators.  Information in the header routing data
  and logs of network port connection information may be retained
  that can be used to track the originating site.  In practice, this
  is generally infeasible and rarely carried out.  Some
  administrators on the network will contact local administrators to
  request a message be tracked and its writer admonished or punished
  more severely (such as revoking the account), all of this actually
  happening occasionally but infrequently.

  See the sections ``known anonymous mail and posting sites'' and
  ``responsibilities associated with anonymity''.

<3.5> What is `anonymous posting'?

  Anonymous servers have been established as well for anonymous Usenet
  posting with all the associated caveats above (monitored traffic,
  capricious or risky local circumstances, logging).  Make sure to
  test the system at least once by e.g. anonymous posting to
  misc.test (however some operators don't recommend this because many
  sites `autorespond' to test messages, possibly causing the
  anonymous server to allocate anonymous IDs for those machines).
  See the ``responsibilties associated with anonymous posting''
  before proceeding.

  Another direct route involves using NNTP protocols to submit a
  message directly to a newserver with arbitrary field information.
  This practice, not uncommon to hackers, is also generally viewed
  with hostility by most system administrators, and similar
  consequences can ensue.

  See the sections ``known anonymous mail and posting sites'' and
  ``responsibilities associated with anonymity''.

<3.6> Why is anonymity (un)stable on the internet?

  As noted, many factors compromise the anonymity currently available
  to the general internet community, and these services should be
  used with great caution.  To summarize, the technology is in its
  infancy and current approaches are unrefined, unreliable, and not
  completely trustworthy.  No standards have been established and
  troubling situations of loss of anonymity and bugs in the software
  are prevalent.  Here are some encountered and potential bugs:

  - One  anonymous remailer reallocated already allocated anonymous
    return addresses.
  - Others passed signature information embedded in messages
  - Address resolution problems resulting in anonymized mail bounced
    to a remailer are common.
  - Forgeries to the anonymous server itself are a problem,  possibly
    allowing unauthorized users to potentially glean anon ID - email
    address  mappings in the alias file.  This can be remedied with
    the use of passwords.
  - Infinite mail loops are possible with chaining remailers.

  Source code is being distributed, tested, and refined for these
  systems, but standards are progressing slowly and weakly.  The
  field is not likely to improve considerably without  official
  endorsement and action by network agencies.  The whole idea is
  essentially still in its infancy and viewed with suspicion and
  distrust by many on the internet, seen as illegitimate or favorable
  to criminality.  The major objection to anonymity over regular
  internet use  is the perceived lack of accountability to system
  operators, i.e. invulnerability to account restrictions resulting
  from outside complaints.  System adminstrators at some sites have
  threatened to filter anonymous news postings generated by the
  prominent servers from their redistribution flows.  This may only
  have the effect of encouraging server operators to create less
  characteristically detectable headers.  Probably the least
  problematic approach, and the most traditional to Usenet, is for
  individual users to deal with anonymous mail however they prefer,
  e.g. ignoring it or filtering it with kill files.

<3.7> What is the future of anonymity on the internet?

  New anonymous protocols effectively serve to significantly increase
  safeguards of anonymity.  For example, the same mechanism that
  routes email over multiple hosts, thereby threatening its privacy,
  can also be used to guarantee it. In a scheme called `chaining' an
  anonymous message is passed through multiple anonymous servers
  before reaching a destination.  In this way generally multiple
  links of the chain have to be `broken' for security to be
  compromised. Re-encryption at each link makes this scenario even
  more unlikely.  Even more significantly the anonymous remailers
  could be spread over the internet globally so that local weaknesses
  (such as corrupt governments or legal wiretapping within a nation)
  would be more unlikely to sacrifice overall security by message
  tracing. However, remailers run by corrupt operators are possible.

  The future of anonymous services on the internet is, at this time,
  highly uncertain and fraught with peril. While specific groups seem
  to benefit significantly from anonymous posting capabilities, many
  feel that unlimited newsgroup scope for anonymous posting is a
  disruptive and dangerous idea and detracts from discussions in
  `serious' groups.   The introduction of unlimited group anonymity
  may have fundamental repercussions on Usenet conventions and
  distribution mechanisms such as moderated and `alt' groups have had
  in the past. For example, as part of new group creation, the
  charter may specify whether `anonymous' posting is (un)welcome.

  Nevertheless, the widespread introduction and use of anonymity may
  be inevitable. Based on traffic statistics, anonymous services are
  in huge demand. Pervasive and readily available anonymity could
  carry significant and unforeseen social consequences.  However, if
  its use is continued to be generally regarded as subversive it may
  be confined to the underground.  The ramifications of the
  widespread introduction of anonymity to Usenet are still largely
  unknown. It is unclear whether it will provoke signficant amounts
  of new traffic or, instead of expansion, cause a shift where a
  greater portion of existing traffic is anonymized.  Conceivably the
  services could play a role in influencing future mainstream social
  acceptance of Usenet.


<4.1> What is the Electronic Frontier Foundation (EFF)?


  > A new world is arising in the vast web of digital, electronic
  > media which connect us.  Computer-based communication media like
  > electronic mail and computer conferencing are becoming the basis
  > of new forms of community.  These communities without a single,
  > fixed geographical location comprise the first settlements on an
  > electronic frontier.
  > While well-established legal principles and cultural norms give
  > structure and coherence to uses of conventional media like
  > newspapers, books, and telephones, the new digital media do not
  > so easily fit into existing frameworks.  Conflicts come about as
  > the law struggles to define its application in a context where
  > fundamental notions of speech, property, and place take
  > profoundly new forms. People sense both the promise and the
  > threat inherent in new computer and communications technologies,
  > even as they struggle to master or simply cope with them in the
  > workplace and the home.
  > The Electronic Frontier Foundation has been established to help
  > civilize the electronic frontier; to make it truly useful and
  > beneficial not just to a technical elite, but to everyone; and to
  > do this in a way which is in keeping with our society's highest
  > traditions of the free and open flow of information and
  > communication.

  EFF was started by the multimillionaire Mitchell Kapor, founder of
  Lotus software, and John Barlow, lyricist for the Grateful Dead
  rock band.  A highly publicized endeavor of the organization
  involved the legal defense of  Steve Jackson Games after an FBI
  raid and an accompanying civil suit  (see section on ``Steve
  Jackson Games'').  The foundation publishes EFF News (EFFector
  Online) electronically, send requests to

  In a letter to Mitchell Kapor from the Chairman of the Subcommittee
  with primary jurisdiction over telecommunications policy dated
  November 5, 1991,  Representative  Edward J. Markey complemented
  Mitchell Kapor on his ``insights on the development of a national
  public information infrastructure'' which ``were appreciated greatly
  by myself and the Members of the Subcommittee'' (complete text in

  > ...we need to pursue policies that encourage the Bell companies to
  > work with other sectors of the communications industry to create
  > a consumer-oriented, public information network. Please let me or
  > my staff know what policies you and others in the computer
  > industry believe would best serve the public interest in creating
  > a reasonably priced, widely available network in which
  > competition is open and innovation rewarded.  I also want to
  > learn what lessons from the computer industry over the past ten
  > to fifteen years should apply to the current debate on
  > structuring the information and communications networks of the
  > future....I ask your help in gaining input from the computer
  > industry so that the Subcommittee can shape policies that will
  > bring this spirit of innovation and entrepreneurship to the
  > information services industry.

    A file of basic information about EFF including goals, mission,
    achievements, and current projects. Contains a membership form.

    EFF mission statement.

    EFF founding press release.

    John Perry Barlow's ``Not Terribly Brief History of the EFF'' (July
    10, 1990).  How EFF was conceived and founded, major legal cases,
    and the organizational directions.

    EFF legal case summary.

<4.2> Who are Computer Professionals for Social Responsibility (CPSR)?

  The Computer Professionals for Social Responsibility have been
  working to protect and promote electronic civil liberties issues
  since ~1982.  The group has three offices (Palo Alto, Cambridge,
  Washington, DC) and 20 chapters. It is involved in  litigation
  against the FBI, The NSA, NIST, the Secret Service and other other
  U.S. government agencies  to declassify and provide documentation
  on issues such as Operation Sundevil, the FBI wiretap proposal,
  NSA's interference in crypography, the breakup of the 2600 raid in
  Arlington, Va in Nov 1992. Members speak frequently in front on
  Congress, state legislators and public utility commissions to
  testify on privacy, information policy, computer security, and
  caller identification.

  CPSR has created an extensive Internet Privacy library available
  via FTP, Gopher, WAIS, and email at, currently comprising
  the largest collection of privacy documents on the internet.  For
  more information, anonymous FTP

  (Thanks to Dave Banisar  for contributions

<4.3> What was `Operation Sundevil' and the Steve Jackson Game case?

  In the early 1990's a fear spread among U.S. law enforcement
  agencies on the illicit activities of `hackers' and
  `phreakers' involved in such activities as computer tampering
  via modem, credit card fraud, and long-distance call
  thievery.  (Descriptions of real `hacking' exploits can be
  found in the book Cyberpunk by J. Markoff and K. Hafner.)

  > `Operation Sundevil,' the Phoenix-inspired crackdown of May
  > 8,1990, concentrated on telephone code-fraud and credit-card
  > abuse, and followed this seizure plan with some success.
  > [Bulletin Board Systems] went down all over America, terrifying
  > the underground and swiftly depriving them of at least some of
  > their criminal instruments.  It also saddled analysts with some
  > 24,000 floppy disks, and confronted harried Justice Department
  > prosecutors with the daunting challenge of a gigantic nationwide
  > hacker show-trial involving highly technical issues in dozens of
  > jurisdictions.

  Massive `show-trials' never materialized, although isolated
  instances of prosecution were pursued.  The movement reached a
  crescendo in Texas with the highly publicized case of illegal
  search and seizure involving the Steve Jackson Games company of
  Austin Texas on March 1, 1990.  From the column GURPS' LABOUR LOST
  by Bruce Sterling  in Fantasy and Science
  Fiction Magazine:

  > In an early morning raid with an unlawful and unconstitutional
  > warrant, agents of the Secret Service conducted a search of the
  > SJG office.  When they left they took a manuscript being prepared
  > for publication, private electronic mail, and several computers,
  > including the hardware and software of the SJG Computer Bulletin
  > Board System.  Yet Jackson and his business were not only
  > innocent of any crime, but never suspects in the first place.
  > The raid had been staged on the unfounded suspicion that
  > somewhere in Jackson's office there `might be' a document
  > compromising the security of the 911 telephone system.

  (A detailed and vivid account of the seizure is documented in the
  book ``The Hacker Crackdown'' by Bruce Sterling.) FBI agents
  involved in the seizure were named in a civil suit filed on behalf
  of Steve Jackson Games by The Electronic Frontier Foundation.  See
  information on EFF below.  From an article by Joe Abernathy in the
  Houston Chronicle ~Feb 1, 1993:

  > AUSTIN -- An electronic civil rights case against the Secret
  > Service closed Thursday with a clear statement by federal
  > District Judge Sam Sparks that the Service failed to conduct a
  > proper investigation in a notorious computer crime crackdown,
  > and went too far in retaining  custody of seized equipment.
  > Secret Service Special Agent Timothy Foley of Chicago, who was in
  > charge of three Austin computer search-and-seizures on March 1,
  > 1990, that led to the lawsuit, stoically endured Spark's rebuke
  > over the Service's poor investigation and abusive computer
  > seizure policies.  While the Service has seized dozens of
  > computers since the crackdown began in 1990, this is the first
  > case to challenge the practice.
  > Sparks grew visibly angry when it was established that the Austin
  > science fiction magazine and game book publisher was never
  > suspected of a crime, and that agents did not do even marginal
  > research to establish a criminal connection between the firm and
  > the suspected illegal activities of an employee, or to determine
  > that the company was a publisher. Indeed, agents testified that
  > they were not even trained in the Privacy Protection Act at the
  > special Secret Service school on computer crime.
  > "How long would it have taken you, Mr. Foley, to find out what
  > Steve Jackson Games did, what it was?" asked Sparks. "An hour?
  > "Was there any reason why, on March 2, you could not return to
  > Steve Jackson Games a copy, in floppy disk form, of everything
  > taken?
  > "Did you read the article in Business Week magazine where it had
  > a picture of Steve Jackson -- a law-abiding, tax-paying citizen
  > -- saying he was a computer crime suspect?
  > "Did it ever occur to you, Mr. Foley, that seizing this material
  > could harm Steve Jackson economically?"
  > Foley replied, "No, sir," but the judge offered his own answer.
  > "You actually did, you just had no idea anybody would actually go
  > out and hire a lawyer and sue you."
  > More than $200,000 has been spent by the Electronic Frontier
  > Foundation in bringing the case to trial. The EFF was founded by
  > Mitchell Kapor amid a civil liberties movement sparked in large
  > part by the Secret Service computer crime crackdown.

  The trial is now recognized as a legal precedent explicitly
  guaranteeing  protection of electronically stored information under
  the Privacy Protection Act, and safeguarding bulletin boards and
  electronic mail by federal wiretap laws limiting government
  surveillance powers. See the Wall Street Journal, 3/18/93, p. B1,
  ``Ruling Gives Privacy a High-Tech Edge''

    A collection of information on Operation SunDevil by the Epic
    nonprofit publishing project. Everything you wanted to know but
    could never find.

    Steve Jackson's response to the charges against him.

<4.4> What is Integrated Services Digital Network (ISDN)?

  ISDN is a high-speed data communications standard that utilizes
  existing copper telephone lines, and is a possible inexpensive and
  intermediate alternative to laying fiber optic cable for phone
  networks.  The speeds involved may be sufficient for audio and
  video transmission applications.  G. V. der Leun in the file /pub/pub-infra/1991-11:

  > Telecommunications in the United States is at a crossroads.  With
  > the Regional Bell Operating Companies now free to provide
  > content, the shape of the information networking is about to be
  > irrevocably altered.  But will that network be the open,
  > accessible, affordable network that the American public needs?
  > You can help decide this question.
  > The Electronic Frontier Foundation recently presented a plan to
  > Congress calling for the immediate deployment of a national
  > network based on existing ISDN technology, accessible to anyone
  > with a telephone connection, and priced like local voice service.
  >  We believe deployment of such a platform will spur the
  > development of innovative new information services, and maximize
  > freedom, competitiveness, and civil liberties throughout the
  > nation.
  > The EFF is testifying before Congress and the FCC; making
  > presentations to public utility commisions from Massachusetts to
  > California; and meeting with representatives from telephone
  > companies, publishers, consumer advocates, and other stakeholders
  > in the telecommunications policy debate.
  > The EFF believes that participants on the Internet, as pioneers on
  > the electronic frontier, need to have their voices heard at this
  > critical moment.

  To automatically receive a description of the platform and details,
  send mail to, with the following line:

    send documents open-platform-overview

  or send mail to  See also the Introduction to the EFF
  Open Platform Proposal in


  ``Digital Data On Demand.'' MacWorld, 2/82 (page 224).
    56Kbps vs. ISDN services and products. See comments by J. Powers

  ``Telephone Service That Rings of the Future.'' By Joshua Quittner.
  Newsday, Tue, Jan 7 1992.
    Implications of ISDN for the masses, written in popular science
    style.   John Perry Barlow (cofounder EFF). Regional telephone
    companies (Ohio Bell).  ISDN as ``Technological Rorschach Test.''
     Anecdotes about McDonald's,  Barbara Bush teleconferencing. See
    complete text in
    Files 1991-11 through 1992-05 containing email from the EFF public
    infrastructure group organized by month.  Opinions and facts on
    the pros and cons of ISDN, Integrated Services Digital Network.
    Uses of ISDN (phone video, audio, etc.)  Japanese model.
    Alternatives to ISDN (HDSL, ADSL, fiber optics). Technical
    specifications of ISDN, implementation details, cost issues,
    political obstacles, (RBOC, Regional Bell Operating Companies or
    `Baby Bells', e.g. NET, New England Telephone).  Influencing
    development of future networks (e.g. ISDN and NREN, National
    Research and Education  Network), encouraging competition (cable
    TV systems). Press releases and news articles.  Letter from Rep.
    E. J. Markey to M. Kapor.

<4.5> What is the National Research and Education Network (NREN)?

  The Nation Research and Education Network was introduced in
  legislation cosponsored by Sen. A. Gore to promote high-speed data
  network infrastructure augmenting the internet with up to 50 times
  faster transmission rates.  The bill passed the House on November
  20, 1991, the Senate on November 22, 1991, and was signed by the
  President on December 9, 1991.

    The complete text of the House-Senate compromise version of S.
    272, the High-Performance Computing Act.

    102nd congress 1st Session. Text of high performance computing
    bill cosponsored by Sen. A. Gore.

    The text of S.2937, the Information Infrastructure and Technology
    Act of 1992 introduced by Senator Gore to expand Federal efforts
    to develop technologies for applications of high-performance
    computing and high-speed networking, and to provide for a
    coordinated Federal program to accelerate development and
    deployment of an advanced information infrastructure.

  By John Markoff, N.Y. Times (~18 Dec 91).
    President Bush's legislation for natiowide computer data
    `superhighway.'  IBM-MCI venture as monopoly destructive to fair
    competition and  innovation?  National Science Foundation NSFnet.
    complete text in  /pub/pub-infra/1991-12.


    ``Proposed Privacy Guidelines for the NREN'' -- Statement of Marc
    Rotenberg, Washington Director Computer Professionals for Social
    Responsibility (CPSR).

    The National Research and Education Network: Two meetings Steve
    Cisler, Senior Scientist Apple Computer Library December 17, 1990
    Summary of meetings exploring educational issues of NREN by
    diverse members of academia and industry.

    Feb. 14 1991 essay by M. Kapor advocating advantages of a private
    National Public  Network, and specific recommendations for open
    NREN policies encouraging  competition.

    An FYI about the proposed NREN setup.

<4.6> What is the FBI's proposed Digital Telephony Act?

  ``Providers of electronic communication services and private branch
  exchange operators shall provide within the United States
  capability and capacity for the government to intercept wire and
  electronic communications when authorized by law...''

  From `BBS Legislative Watch: FBIs Wiretapping Proposal Thwarted' by
  S. Steele in Boardwatch Magazine, Feb. 1993, p. 19-22:

  > In a move that worried privacy experts, software manufacturers and
  > telephone companies, the FBI proposed legislation to amend the
  > Communications Act of 1934 to make it easier for the Bureau to
  > perform electronic wiretapping. The proposed legislation,
  > entitled 'Digital Telephony,' would have required communications
  > service providers and hardware manufacturers to make their
  > systems 'tappable' by providing 'back doors' through which law
  > enforcement officers could intercept communications. Furthermore,
  > this capability would have been provided undetectably, while the
  > communications was in progress, exclusive of any communications
  > between other parties, regardless of the mobility of the target
  > of the FBI's investigation, and without degradation of service.
  > ...under the proposal, the Department of Justice (DOJ) can keep
  > communications products off the market if it determines that
  > these products do not meet the DOJ's own ... guidelines. This
  > [could] result in increased costs and reduced competitiveness for
  > service providers and equipment manufacturers, since they will be
  > unlikely to add any features that may result in a DOJ rejection
  > of their entire product. ...the FBI proposal suggests that the
  > cost of this wiretapping 'service' to the Bureau would have to be
  > borne by the service provider itself...
  > The Electronic Frontier Foundation organized a broad coalition of
  > public interest and industry groups, from Computer Professionals
  > for Social Responsibilty (CPSR) and the ACLU to AT&T and Sun
  > Microsystems, to oppose the legislation. A white paper produced
  > by the EFF and ratified by the coalition, entitled, `An Analysis
  > of the FBI Digital Telephony Proposal,' was widely distributed
  > throughout the Congress.  ... The Justice Department lobbied hard
  > in the final days to get Congress to take up the bill before
  > Congress adjourned, but the bill never ... found a Congressional
  > sponsor (and was therefore never officially introduced). The FBI
  > [may] reintroduce "Digital Telephony" when the 103rd Congress
  > convenes in January.

    A bill to ensure the continuing access of law enforcement to the
    content of wire and electronic communications when authorized by
    law and for other purposes. Version 2 of the bill after FBI
    changes in response to public response.

    House of Rep bill 3515, Telecommunications Law.


    The EFF-sponsored analysis of the FBI's Digital Telephony proposal.

    The Electronic Communications Privacy Act of 1986: A Layman's View.

    Transcript of ABC's Nightline of May 22, 1992, on the FBI,
    Privacy, and Proposed Wire-Tapping Legislation. Featured are Marc
    Rotenberg of the CPSR and William Sessions, Director of the FBI.

    A letter from the Director of the Secret Service to US Rep. Don
    Edwards, D-California, in response to questions raised by
    Edwards' Subcommittee. This copy came from Computer Professionals
    for Social Responsibility in Washington, D.C.

    A description of how information is stored on the FBI's computer

<4.7> What is U.S. policy on freedom/restriction of strong encryption?

  The Clipper announcement says ``we [the Clinton Administration]
  understand the importance of encryption technology in
  telecommunications and computing'' and specifically addresses the
  question,  ``would the Administration be willing to use legal
  remedies to restrict access to more powerful encryption devices?''
  It states that ``The U.S. [is not] saying that  `every American, as
  a matter of right, is entitled to an unbreakable commercial
  encryption product' '' although currently ``the Administration is
  not saying, `since [strong] encryption threatens the public safety
  and effective law enforcement, we will prohibit it outright' as
  some countries have effectively done.''  However, currently no
  U.S. laws regulate domestic cryptography use, although the U.S.
  International Traffic in Arms Regulations classify cryptographic
  devices as `munitions' and regulate export.

<4.8> What other U.S. legislation is related to privacy?

    State computer crime laws:
                                  AL, AK, AZ, CA, CO, CT, DE, FL, GA,
                                  HI, IA, ID, IL, IN, MD, MN, NC, NJ,
                                  NM, NY, OR, TX, VT, VA, WA, WI, WV.

    Current computer crime laws for: The United States (federal
    code), Canada, Ghana, and Great Britain.

    Senate bill 618, addressing registration of encryption keys with
    the government.

    Improvement of Information Access bill.

    Senate bill 516; concerning abuses of electronic monitoring in the

    Title 18, relating to computer crime & email privacy.

    The text of Simon's electronic privacy bill, S. 516. ``To prevent
    potential abuses of electronic monitoring in the workplace.''

<4.9> What are references on rights in cyberspace?

    Laurence Tribe's keynote address at the first Conference on
    Computers, Freedom, & Privacy. `The Constitution in Cyberspace'

    Paper presented to 13th Nat'l Comp Security Conf ``Concerning
    Hackers Who Break into Computer Systems'' by Dorothy E Denning.

    ``Computer Privacy vs First and Fourth Amendment Rights'' by
    Michael S. Borella

    Rights of Expression in Cyberspace by R. E. Baird

    Bill of Rights' meaning in the Electronic Frontier.

<4.10> What is the Computers and Academic Freedom (CAF) archive?

  The CAF Archive is an electronic library of information about
  computers and academic freedom. run by the Computers and Academic
  Freedom group on the Electronic Frontier Foundation FTP site.

  > If you have gopher, the archive is browsable with the command:
  >   gopher -p academic
  > It is available via anonymous ftp to ( in
  > directory `pub/academic'. It is also available via email. For
  > information on email access send email to
  > In the body of your note include the lines `help' and `index'.
  > For more information, to make contributions, or to report typos
  > contact J.S. Greenfield (

    Codifies the application of academic freedom to academic
    computers, reflecting seven months of on-line discussion about
    computers and academic freedom.  Covers free expression, due
    process, privacy, and user participation.

    Directory of book references related to Computers and Academic
    Freedom or mentioned in the CAF discussion. The file books/README
    is a bibliography.

    List of files available on the Computers and Academic Freedom

    Directory of all issues of the Computers and Academic Freedom
    News. A full list of abstracts is available in file `abstracts'.
    The special best-of-the-month issues are named with their month,
    for example, `June'.


<5.1> What is the Clipper Chip Initiative?

  On April 16, 1993 the Clinton Administration announced the Clipper
  Chip Directive in a saturated publicity effort (including postings
  to Usenet newsgroups by NIST) that introduced the  technology and
  `proposal' that had been developed in strict secrecy prior to that
  date.  The `initiative' introduced the Clipper Chip, a high-speed
  and `high-security' encryption device with applications in
  telephones and other network devices, and the government commitment
  to installing it in future select  government telephones with
  potentially much more widespread penetration (e.g. NREN, commercial
  telephones, computers, etc.). The voluntary program seeks to unite
  the federal government and private industry ``to improve the
  security and privacy of telephone communications while meeting the
  legitimate needs of law enforcement'' by use of the chip.  Critical
  aspects of the directive:

  - ``A state-of-the-art microcircuit called the `Clipper Chip' has
    been developed by government engineers'', for use in phones with
    more power than many commercial encryption devices currently
    available. ``The key escrow mechanism will provide Americans with
    an encryption product that is more secure, more convenient, and
    less expensive than others readily available today.''

  - The technology seeks to ``help companies protect proprietary
    information, protect the privacy of personal phone conversations
    and prevent unauthorized release of data transmitted
    electronically'' while preserving ``the ability of federal, state
    and local law enforcement agencies to intercept lawfully the
    phone conversations of criminals''.

  - ``A "key-escrow" system will be established to ensure that the
    "Clipper Chip" is used to protect the privacy of law-abiding
    Americans.''  Keys are released from the escrow agencies to
    ``government officials with legal authorization to conduct a

  - ``The two key-escrow data banks will be run by two independent
    entities.  At this point, the Department of Justice and the
    Administration have yet to determine which agencies will oversee
    the key-escrow data banks.''

  - ``The Attorney General will soon purchase several thousand of the
    new devices.'' to ``demonstrate the effectiveness of this new

  - `Clipper Chip' technology provides law enforcement with ``no new
    authorities to access the content of the private conversations of

  - The Clipper decision was developed and sanctioned by The National
    Security Council, the Justice Department, the Commerce
    Department, and ``other key agencies''.  ``This approach  has
    been endorsed by the President, the Vice President, and
    appropriate Cabinet officials.''

<5.2> How does Clipper blunt `cryptography's dual-edge sword'?

  The Clipper wiretapping initiative refers to  `tension between
  economic vitality and the real challenges of protecting Americans'
  and `previous policies [that] have pitted government against
  industry and the rights of privacy against law enforcement.' The
  Clipper Initiative attempts to find a compromise in encryption's
  ``dual-edge sword'' wherein it ``helps to protect the privacy of
  individuals and industry, but it also can shield criminals and
  terrorists.''   ``The Administration is committed to policies that
  protect all Americans' right to privacy while also protecting them
  from those who break the law.''

  The statement notes that sophisticated encryption technology is
  increasingly being used by Americans to ``protect business  secrets
  and the unauthorized release of personal information'' but also
  ``by terrorists,  drug dealers, and other criminals.'' and declares
  that ``We need the "Clipper Chip" and other approaches that can
  both provide law-abiding citizens with access to the encryption
  they need and prevent criminals from using it to hide their illegal

  Regarding privacy via encryption vs. wiretapping, the Clipper
  announces: ``There is a false `tension' created in the assessment
  that this issue is an "either-or" proposition.  Rather, both
  concerns can be, and in fact are, harmoniously balanced through a
  reasoned, balanced approach such as is proposed with the "Clipper
  Chip" and similar encryption techniques.''

<5.3> Why are technical details of the Clipper chip being kept secret?

  - The algorithm will ``remain classified'' to ``protect the
    security of the key escrow system.''
  - ``Respected experts from outside the government will be offered
    access to the confidential details of the algorithm to assess its
    capabilities and publicly report their findings.''
  - ``We are willing to invite an independent panel of cryptography
    experts to evaluate the algorithm to assure all potential users
    that there are no unrecognized vulnerabilities.''

<5.4> Who was consulted in the development of the Clipper chip?

  - ``The President has directed early  and frequent consultations
    with affected industries, the Congress and groups that advocate
    the privacy rights of individuals.''

  - ``We have briefed members of Congress and industry leaders on the
    decisions related to this initiative'' and ``expect those
    discussions to intensify''.

<5.5> How is commerical use/export of Clipper chips regulated?

  - ``Q. How do I buy one of these encryption devices?  A. We expect
    several manufacturers to consider incorporating the "Clipper
    Chip" into their devices.''

  - ``The government designed and developed the key access encryption
    microcircuits, but ... product manufacturers ... [buy] the
    microcircuits from the chip manufacturer [Mykotronx] that
    produces them.''

  - The chip's (unspecified) `programming function' ``could be
    licensed to other vendors in the future.'' Also, ``We plan to
    review the possibility of permitting wider exportability of these

  - ``Case-by-case review for each export is required to ensure
    appropriate use of these devices'' fitting in with the existing
    program for review of ``other encryption devices.'' ``We expect
    export licenses will be granted on a case-by-case basis for U.S.

<5.6> What are references on the Clipper Chip?

  - ``Government picks affordable chip to scramble phone calls.'' By
    Frank J. Murray. The Washington Times, April 17, 1993 Saturday,
    Final Edition.

    > President Clinton gave a major boost yesterday to one telephone-
    > scrambler technology in a decision its delighted manufacture
    > likens to the choice of VHS over Beta for videotape machines.
    > An administration official said the consideration will be given
    > to banning more sophisticated systems investigators cannot
    > crack, thereby creating a balance between banning private
    > encryption and declaring a public right to unbreakably coded
    > coversations.

  - ``Computer Group, Libertarians Question Clinton Phone Privacy
    Stance.'' By Rory J. O'Connor, San Jose Mercury News, Calif.
    Knight-Ridder/Tribune Business News, ~Apr. 17 1993.

    > SAN JOSE, Calif.--Apr. 17--Civil libertarians and a major
    > computer industry group raised concerns Friday about how much
    > protection a Clinton administration plan would afford private
    > electronic communications, from cellular telephone calls to
    > computer data.
    > "I don't want to sound too stridently opposed to this," said Ken
    > Wasch, executive director of the Software Publishers
    > Association (SPA) in Washington. "But...we feel blindsided."
    > American Telephone & Telegraph Co. announced Friday it would
    > adapt the $1,200 product, called the Telephone Security Device,
    > to use the Clipper Chip by the end of this fiscal quarter. AT&T
    > makes a related device, which encrypts voice and computer data
    > transmissions, that could be converted to the Clipper
    > technology, said spokesman Bill Jones.
    > VLSI, which invented a manufacturing method the company said
    > makes it difficult to "reverse engineer" the chip or discern
    > the encryption scheme,  expects to make $50 million in the next
    > three years selling the device, said Jeff Hendy, director of
    > new product marketing for the company.

  - ``New Scrambler Designed to Protect Privacy, But Allow Police
    Monitoring.'' By Christopher Drew, Chicago Tribune.
    Knight-Ridder/Tribune Business News, ~Apr. 19, 1993.

    > WASHINGTON--Apr. 19--As a step toward the development of vast
    > new data "superhighways," the federal government has designed a
    > powerful device that would protect the privacy of electronic
    > communications by encoding them but still allow police to
    > eavesdrop.
    > "'A.k.a. Big Brother,' that's what I call it," said Stephen
    > Bryen, a former Pentagon official who runs a company developing
    > a rival encryption system.
    > Bryen said it was "very disturbing" that the government has gone
    > so far with the previously classified project "without
    > consulting with experts in the industry" whose investments
    > could be wiped out.
    > To spur the venture, the Justice Department will soon purchase
    > several thousand of the devices. Military and spy agencies also
    > are expected to use them.

  - ``US reveals computer chip for scrambling telephones.'' By John
    Mintz. Washington Post, April, 17 1993.

    > WASHINGTON -- The White House yesterday announced its new plan
    > to prevent criminals, terrorists, and industrial spies from
    > decoding communications over telephones, fax machines, and
    > computers while ensuring the government's ability to eavesdrop.
    > The official White House announcement yesterday was the
    > endorsement of the Clipper Chip, developed by NSA, as the
    > government standard for encryption devices.

  - ``Clinton security plan hints of Big Brother: Clipper Chip would
    let  governemnt eavesdrop on encrypted voice and   data
    communications.'' By Ellen Messmer. Network World, April 19,

    > But government officials had a difficult time last week
    > rebutting the question why any criminal would use a Clipper
    > Chip-based product when the person knows the government could
    > listen in, particularly since there are a host of other
    > encryption products available on the market that are, in
    > theory, unbreakable codes.
    > "A criminal probably wouldn't use it," said Mike Agee, marketing
    > manager for secure products at AT&T, adding that the Clipper
    > Chip is for the rest of the world.

  For additional details, call Mat Heyman, National Institute of
  Standards and Technology, (301) 975-2758.

<5.7> What are compliments/criticisms of the Clipper chip?


  - Chip may protect the law abiding citizen's privacy from the casual
  - Potentially sophisticated and superior algorithm endorsed by the
  - May establish a new standard whereby  companies may be able to
    come up with competing pin-compatible chips.
  - Potential for encrypting `on top' of the Clipper algorithm.
  - May allow diverse law enforcement agency's to retain wiretapping
    ability without serious or impossible obstacles.
  - May enable broad new traffic analysis by law enforcement agencies.


  - Algorithm designed exclusively by the NSA with biased interests.
  - Possibly unsophisticated, inferior, or more costly in comparison
    with current or emerging technology.
  - Compromised keys retroactively weaken all communication ever sent
    over the device.
  - Key generation techniques are `baroque activities in a vault':
    suspicious and unrealistic-sounding.
  - Impossible to ensure secrecy of a chip in the face of today's
    technology and inevitable intense independent inquiry and
    scrutiny,  and dependence on it weakens security.
  - No specific assurance that key generation is impartial and safe.
  - Secrecy of the algorithm prevents serious inquiry and sabotages
    trust in the algorithm. No guarantee against `back door'.

<5.8> What are compliments/criticisms of the Clipper Initiative?


  - Brings privacy and encryption issues into the limelight.
  - Sharpens the public debate on the role, extent, and legitimacy of
    wiretapping practices.
  - Exposes previously concealed high-level agenda in U.S. government
    to manage cryptographic technology.
  - Potential new option for individuals and companies interested in
    protecting privacy.
  - Suggests Clinton administration has strong interest in technology,
    reaching compromises, and encouraging competitiveness.


  - Evasion of critical aspects (such as key agencies) and
    preoccupation with others (references to criminals) ``begs the
    question'' of inherent public desireability and support of plan.
  - Legality within framework of paramount constitutional guarantees
    on freedom of speech and freedom from  unreasonable search and
    seizure wholly unaddressed.
  - Unilaterally imposed, i.e. no involvement from the parties it
    purports to represent.
  - Funded with taxpayer money with no meaningful public oversight and
  - Represents a fundamental switch in the government's role in
    wiretapping from passive to active.
  - Potentially criminals won't use the technology and will easily
    evade it, while law-abiding citizens will be inconvenienced
    and/or sacrifice rights.
  - Does not protect the individual from corrupt government officials.
  - Secrecy of the algorithm may amount to `security through
    obscurity,' i.e. the algorithm security may rely on aspects of
    chip operation staying confidential and undiscovered.
  - Government appears to be colluding with private companies and
    using leverage to intentionally create a monopoly.
  - Possibility of taxpayer funds effectively subsidizing chip sales
    not addressed.
  - Secrecy of the chip design prevents inquiries into its precise
  - ``government engineers'' in competition with private industries,
    with special favoritism in policies of the Clinton
  - may require new vast and superfluous government bureacracies.

<5.9> What are compliments/criticisms of the Clipper announcement?


- Shows unequivocal commitment to wiretapping drug dealers,
  criminals, and terrorists.
- Publicizes previously secret development and processes regarding
  Clipper in particular and cryptography in general.
- Well publicized within some circles. Usenet press  release
  unprecedented and sophisticated.
- Shows Clinton administration  commitment to developing national
  policies on  `information infrastructure' and the intrinsic role
  of encryption  technology.
- Masterpiece of propaganda for study by future generations.


- States that Clipper is better than many encryption technologies
  available today but does not indicate that many are recognized to
  be weak and new and more powerful technologies are already under
- Vague on critical aspects such as who the key escrow agencies are.
- Appears to assume that Americans wish to preserve wiretapping
  capabilities by law enforcement agencies in the face of new
  unbreakable encryption technologies.
- Specifically does not commit to freedom of encryption and hints
  that failure of Clipper-style approaches may lead to restrictions
  on strong cryptography.
- Gives the impression that Congress and private industry was
  involved when their participation is minimal to nonexistent.
- Authoritarian, dictatorial, and Orwellian undertones.
- Evades mention of the NSA's specific involvement.
- Refers to the chip as `state of the art' without evidence.
- Refers to ``drug dealers, criminals, and terrorists'' with terms
  such as `alleged,' `suspected,' `reputed,' and `accused'
  conspicuously absent.
- Does not specifically commit to unrestrained public policy review
  and  appears to evade it.
- Evades mention of the history of the plan and erroneously implies
  that Clinton administration involvement is primary.

<5.10> Where does Clipper fit in U.S. cryptographic technology policy?

  The Clipper chip is part of a large-scale plan that  involves ``the
  creation of new products to accelerate the development and use of
  advanced and secure telecommunications networks and wireless
  communications links'' utilizing the chip.

  - ``we [of the Clinton Administration] understand the importance of
    encryption technology in telecommunications and computing and are
    committed to working with industry and public-interest groups to
    find innovative ways to protect Americans' privacy, help
    businesses to compete, and ensure that law enforcement agencies
    have the tools they need to fight crime and terrorism.''

  - ``The President has directed government agencies to develop a
    comprehensive policy on encryption'' and ``explore new approaches
     like the key-escrow system'' which ``is just one piece of what
    must be the comprehensive approach to encryption technology,
    which the Administration is developing.''

  - The `broad policy review' will also address the role of
    cryptography in ``the development of a  National Information
    Infrastructure or `information superhighways''' and consider
    ``the need of U.S. companies to manufacture and export high
    technology products.''

  - ``The Federal Government must act quickly to develop consistent,
    comprehensive policies regarding its use'' and ``as we carry out
    our review of encryption policy'' the ``on-going discussions with
    Congress and industry on encryption issues'' are expected to


<6.1> What UNIX programs are related to privacy?

  For more information, type `man [cmd]' or `apropos [keyword]' at the
  UNIX shell prompt.

    passwd - change password
    finger - obtain information about a remote user
    chfn   - change information about yourself obtainable by remote
             users (sometimes `passwd -f')
    chmod  - change the rights associated with a file or directory
    umask  - (shell) change the default (on creation) file access
    ls     - list the rights associated with files and directories
    xhost  - allow or disable access control of particular users to an
             Xwindow server
    last   - list the latest user logins on the system and their
    who    - list other users, login/idle times, originations
    w      - list other users and what they are running
    xhost  - access control list for X Window client use
    xauth  - control X Window server authentication

    .signature  - file in the home directory appended to USENET posts
    .forward    - file used to forward email to other accounts
    .Xauthority - file used for X Window server authentication keys
    $SIGNATURE  - variable used for name in email and USENET postings

  The 'tcpdump' packet-tracing program is loosely based on SMI's
  "etherfind".  It was originally written by Van Jacobson, Lawrence
  Berkeley Laboratory, as part of an ongoing research project to
  investigate and improve tcp and internet gateway performance.  A
  current version is available via anonymous ftp from host (currently at address file
  tcpdump.tar.Z (a compressed Unix tar file).

<6.2> How can I learn about or use cryptography?

  A general introduction to mostly theoretical cryptographic issues,
  especially those frequently discussed in sci.crypt, is available
  in FAQ form:

  >  Compiled by:
  > (Carl Ellison)
  >        Gwyn@BRL.MIL (Doug Gwyn)
  > (Steven Bellovin)

  NIST (U.S. National Institute for Standards and Technology)
  publishes an introductory paper on cryptography, special
  publication 800-2 ``Public-Key Cryptograhy'' by James Nechvatal
  (April 1991).  Available via anonymous FTP from (, file pub/nistpubs/800-2.txt.
  Also via available anonymous FTP from as crypt.txt.Z
  in the crypto directory.  Covers technical mathematical aspects
  of encryption such as number theory.

  More general information can be found in a FAQ by Paul Fahn of RSA
  Labortories via anonymous FTP from in /pub/  See
  the `readme' file for information on the `tex' version.  Also
  available as hardcopy for $20 from   RSA Laboratories, 100 Marine
  Parkway, Redwood City, CA  94065.  Send questions to

  Phil Zimmerman's PGP (Pretty Good Privacy) package for public key
  encryption is available at numerous sites, and is in widespread use
  over the internet for general PC-, Macintosh-, and UNIX-based file
  encryption (including email).  Consult the archie FTP database.
  Also see the newsgroup  Mailing list requests to

  From the RIPEM FAQ by Marc VanHeyningen
   on news.answers:

  > RIPEM is a program which performs Privacy Enhanced Mail (PEM)
  > using the cryptographic techniques of RSA and DES.  It allows
  > your electronic mail to have the properties of authentication
  > (i.e. who sent it can be confirmed) and privacy (i.e. nobody can
  > read it except the intended recipient.)
  > RIPEM was written primarily by Mark Riordan
  > . Most of the code is in the public domain,
  > except for the RSA routines, which are a library called RSAREF
  > licensed from RSA Data Security Inc.
  > RIPEM is available via anonymous FTP to citizens and permanent
  > residents in the U.S. from; cd to rsaref/ and read the
  > README file for info.
  > RIPEM, as well as some other crypt stuff, has its `home site' on
  >, which is open to non-anonymous FTP for users in
  > the U.S. and Canada who are citizens or permanent residents.  To
  > find out how to obtain access, ftp there, cd to pub/crypt/, and
  > read the file GETTING_ACCESS.

  Note: cryptography is generally not well integrated into email yet
  and some system proficiency is required by users to utilize it.

<6.3> What is the cypherpunks mailing list?

  Eric Hughes  runs the `cypherpunk' mailing list
  dedicated to ``discussion about technological defenses for privacy
  in the digital domain.''  Send email to to be added or subtracted from the
  list. From the charter:

  > The most important means to the defense of privacy is encryption.
  > To encrypt is to indicate the desire for privacy.  But to encrypt
  > with weak cryptography is to indicate not too much desire for
  > privacy. Cypherpunks hope that all people desiring privacy will
  > learn how best to defend it.

<6.4> What are some privacy-related newsgroups?  FAQs?

    Moderated and unmoderated issues related to academic freedom and
    privacy at universities. Documented examples of violated
    privacy in e.g. email.  Documented examples of `censorship' as
    in e.g. limiting USENET groups local availability.

    Virtual reality, (science) fiction by William Gibson and Bruce
    Sterling, cyberpunk in the mainstream.

    USENET Network News Transfer Protocol (NNTP) posting mechanisms,
    Simple Mail Transfer Protocol (SMTP), `obligatory hack' reports.

    General privacy issues involving taxpaying, licensing, social
    security numbers, etc.

    Spillover of debate on news.admin.policy regarding anonymous servers.

    Group dedicated to discussing technical/political aspects of the
    Clipper chip.
    Computer related security issues.  FAQ in news.answers below.
    Dedicated to discussing public domain cryptographic software
    packages: PGP, or ``Pretty Good Privacy'' Software developed by
    Phil Zimmerman for public key encryption, and RIPEM by Mark
    Riordan for public key and DES encryption.

    Privacy issues associated with computer technologies.  Examples:
    caller identification, social security numbers, credit
    applications, mailing lists, etc.  Moderated.
    Moderated and unmoderated groups associated with the Electronic
    Frontier Foundation started by Mitch Kapor for protecting civil
    and constitutional rights in the electronic realm.

    Concerns of news administrators.  NNTP standards and mechanisms.

    USENET traffic distributions.  Most frequent posters, most
    voluminous groups, most active sites, etc.

    Considers scientific and social issues of cryptography.
    Examples: legitimate use of PGP, public-key patents, DES,
    cryptographic security, cypher breaking, etc.


  FAQs or ``Frequently-Asked Questions'' are available in the
  newsgroups *.answers or via anonymous FTP to
  [] (also  from the directory
  /pub/usenet/news.answers/[x] where [x] is the archive name. This
  FAQ is archived in the file `net-privacy'.   Others are:

    Sources of information about the Internet and how to connect to
    it, through the NSF or commercial vendors.

    Computer related security issues arising in and, mostly UNIX related.

    Privacy issues associated with the use of the U.S. Social
    Security number (SSN).

    Public dialup internet accounts list.

    How to find email addresses for undergraduate and graduate
    students, faculty and staff at various colleges and

    Information on RIPEM, a program for public key mail encryption
    officially sanctioned by Public Key Partners Inc., the company
    that owns patents on public key cryptography.

    Frequently-asked questions about UNIX, including information on
    `finger' and terminal spying.

     Known geographic, university, and network distributions.

<6.5> What is internet Privacy Enhanced Mail (PEM)?

  Internet drafts on Privacy Enhanced Mail (PEM) describe a standard
  under revision for six years delineating the official protocols for
  email encryption.  The standard has only recently stabilized and
  implementations are being developed.

  - RFC-1421: ``Privacy Enhancement for Internet Electronic Mail:
    Part I: Message Encryption and Authentication Procedures.'' J.
    Linn <>

  - RFC-1422: ``Privacy Enhancement for Internet Electronic Mail: Part
    II: Certificate-Based Key Management'' S. Kent 

  - RFC-1424: ``Privacy Enhancement for Internet Electronic Mail:
    Part IV: Key Certification and Related Services'' B. Kaliski

  - RFC-1423: ``Privacy Enhancement for Internet Electronic Mail: Part
    III: Algorithms, Modes, and Identifiers'' D. Balenson

  Send email to for more information.  See ``RFCs
  related to privacy'' for information on how to obtain RFCs.

<6.6> What are other Request For Comments (RFCs) related to privacy?

  RFC-822:  SMTP, Simple Mail Transfer Protocol
  RFC-977:  NNTP, Network News Transfer Protocol
  RFC-1036: Standard for interchange of network news messages
  RFC-1208: Glossary of Networking Terms
  RFC-1207: Answers to ``experienced Internet user'' questions
  RFC-1206: Answers to ``new Internet user'' questions
  RFC-1355: Privacy issues in Network Information center databases

  RFC-1177 is ``FYI: Answers to commonly asked ``new internet user''
  questions, and includes: basic terminology on the Internet (TCP/IP,
  SMTP, FTP), internet  organizations such as IAB (Internet
  Activities Board) and IETF  (Internet Enbgineering Task Force), and
  a glossary of terms.  Also from

  > RFCs can be obtained via FTP from NIC.DDN.MIL, with the pathname
  > RFC:RFCnnnn.TXT or RFC:RFCnnnn.PS (where `nnnn' refers to the
  > number of the RFC).  Login with FTP, username `anonymous' and
  > password `guest'.  The NIC also provides an automatic mail
  > service for those sites which cannot use FTP.  Address the
  > request to SERVICE@NIC.DDN.MIL and in the subject field of the
  > message indicate the RFC number, as in `Subject: RFC nnnn' (or
  > `Subject: RFC nnnn.PS' for PostScript RFCs).
  > RFCs can also be obtained via FTP from NIS.NSF.NET.  Using FTP,
  > login with username `anonymous' and password `guest'; then
  > connect to the RFC directory (`cd RFC').  The file name is of the
  > form RFCnnnn.TXT-1 (where `nnnn' refers to the number of the
  > RFC).  The NIS also provides an automatic mail service for those
  > sites which cannot use FTP.  Address the request to
  > NIS-INFO@NIS.NSF.NET and leave the subject field of the message
  > blank.  The first line of the text of the message must be `SEND
  > RFCnnnn.TXT-1', where nnnn is replaced by the RFC number.

<6.7> How can I run an anonymous remailer?

  Cypherpunk remailer source is at in the
  /pub/cypherpunks directory.  It's written in PERL, and is
  relatively easy to install (no administrative rights are required)
  although basic familiarity with UNIX is necessary. Karl Barrus
   has more information and modifications.
  Also, most remailer operators mentioned above are amenable to
  discussing features, problems, and helping new sites become
  operational. Address all points in the section ``responsibities of
  anonymous use'' in this document prior to advertising your service.
  You should be committed to the long-term stability of the site and
  avoid running one surreptitiously.

<6.8> What are references on privacy in email?

  Brown, Bob. ``EMA Urges Users to Adopt Policy on E-mail Privacy.''
  Network World (Oct 29, 1990), 7.44: 2.

  Bairstow, Jeffrey. ``Who Reads your Electronic Mail?'' Electronic
  Business  (June 11, 1990) 16 (11): 92.

  ``Electronic Envelopes - the uncertainty of keeping e-mail private''
  Scientific American, February 1993.

    Article on the rights of email privacy. by Ruel T. Hernandez.

    ``Computer Electronic Mail and Privacy'', an edited version of a
    law school seminar paper by Ruel T. Hernadez.

    Compilation of bibliography on E-Mail and its privacy issues (part
    2 of the work).  Compiled by Stacy B. Veeder (12/91).

    The author at Digital Research tried to formalize their employee
    privacy policy on E-Mail.  The casesightings are divided into two
    groups: US Constitutional law, and California law.

    Formulating a Company Policy on Access to and Disclosure of
    Electronic Mail on Company Computer Systems by David R. Johnson
    and John Podesta for the Electronic Mail Assocation

    Information on Alcor Co., an e-mail privacy suit.

    Email privacy search at Berkeley.

<6.9> What are some email, Usenet, and internet use policies?

  The Computer Policy and Critiques Archive is a collection of the
  computer policies of many schools and networks, run by the
  Computers and Academic Freedom group on the Electronic Frontier
  Foundation FTP site. The collection also includes critiques of some
  of the policies.

  > If you have gopher, the archive is browsable with the command:
  > gopher -p academic/policies
  > The archive is also accessible via anonymous ftp and email. Ftp
  > to ( It is in directory
  > `pub/academic/policies'. For email access, send email to
  > Include the line:
  > send acad-freedom/policies 
  > where  is a list of the files that you want. File
  > README is a detailed description of the items in the directory.
  > For more information, to make contributions, or to report typos
  > contact J.S. Greenfield ( Directory `widener'
  > contains additional policies (but not critiques).

    Acceptable Use Policies for various networks, including CompuServe
    (file `compuserve'), NSFNET (file `nsfnet') with information on
    research and commercial uses. See /pub/cud/networks/index.

    Policies from various sysadmins about how they handle the issue of
    email privacy,  control, and abuse, compiled by T. Hooper

    Computer use policies of a number of schools. See schools/Index
    for a full list and description.


    Opinions on the best academic computer policies.

    Do any universities treat email and computer files as private?

    Policies on what users write on Usenet.

    Policies on what users read on Usenet: should my university remove
    (or restrict) Netnews newsgroups because some people find them

    What guidance is there for creating or evaluating a university's
    academic computer policy?


<7.1> What is ``digital cash''?

  With digital encryption and authentication technologies, the
  possibility of a widespread digital cash system may someday be
  realized.  A system utilizing codes sent between users and banks
  (similar to today's checking system except entirely digital) may
  be one approach.  The issues of cryptography, privacy, and
  anonymity are closely associated with transfer of cash in an
  economy.  See the article in Scientific American by David Chaum

  An experimental digital bank is run by Karl Barrus
   based on suggestions by Hal Finney on the
  cypherpunks mailing list.  To use the server send mail to message with the following text:

    command: help


  where `user@host' is your email address.

<7.2> What is a ``hacker'' or ``cracker''?

  These terms arouse strong feelings by many on their meaning,
  especially on the internet.  In the general news media in the past
  a person who uses computers and networks to malicious ends (such as
  breaking into systems) has been referred to as a hacker, but most
  internet users prefer the term ``cracker'' for this.  Instead, a
  ``hacker'' is perceived as a benign but intensely ambitious,
  curious, and driven computer user who explores obscure areas of a
  system, for example---something of a proud electronic pioneer and
  patriot.  This is the sense intended in this document.  See also
  the ``Hacker's Dictionary'' and the FAQ `alt-security-faq'.

<7.3> What is a ``cypherpunk''?

  From the charter of the cypherpunk mailing list:

  > Cypherpunks assume privacy is a good thing and wish there were
  > more of it.  Cypherpunks acknowledge that those who want privacy
  > must create it for themselves and not expect governments,
  > corporations, or other large, faceless organizations to grant
  > them privacy out of beneficence.  Cypherpunks know that people
  > have been creating their own privacy for centuries with whispers,
  > envelopes, closed doors, and couriers.  Cypherpunks do not seek
  > to prevent other people from speaking about their experiences or
  > their opinions.

  See information on the cypherpunk mailing list below.

  See also the CryptoAnarchist Manifesto and the Cryptography Glossary

<7.4> What is `steganography' and anonymous pools?

  Closely associated with encryption is `steganography' or the
  techniques for not only pursuing private (encrypted) communication
  but concealing the very  existence of the communication itself.
  Many new possibilities in this area are introduced with the
  proliferation of computer technology.  For example, it is possible
  to encode messages in the least-significant bits of images,
  typically the most 'noisy'. In addition, when such an item is
  posted in a public place (such as a newsgroup), virtually
  untraceable  communication can take place between sender and
  receiver.  For  steganographic communications in the electronic
  realm one another possibility is setting up a mailing list where
  individual messages get broadcast to the entire list and individual
  users decode particular messages with their unique key.   An
  anonymous pool has been set up by Miron Cuperman
  ( for experiments.  Send email to
    with one of the following
  commands in the subject line:


<7.5> What is `security through obscurity'?

  `Security through obscurity' refers to the attempt to gain
  protection from system weaknesses by hiding sensitive information
  or programs relating to them.  For example, a company may not make
  public information on its software's encryption techniques to evade
  `attacks' based on knowledge of it. Another example would be
  concealing data on the existence of security holes or bugs in
  operating systems.  Or, some reliance may be made on the fact that
  some standard or mechanism with potential problems is serious
  because they are ``not widely known'' or ``not widely used.'' This
  argument is occasionally applied to mechanisms for email and Usenet
  posting `forgery'. `Security through obscurity' is regarded as a
  very feeble  technique at best and inappropriate and ineffective at
  worst (also called the ``head-in-the-sand approach''). See the FAQ

  Some remarks of John Perry Barlow, cofounder of the Electronic
  Frontier Foundation, directed to NSA agents at the First
  International Symposium on National Security & National
  Competitiveness held in McLean, Virginia  Dec. 1, 1992:

  > Digitized information is very hard to stamp classified or keep
  > contained. ... This stuff is incredibly leaky and volatile.  It's
  > almost a life form in its ability to self-propagate.  If
  > something hits the Net and it's something which people on there
  > find interesting it will spread like a virus of the mind.  I
  > believe you must simply accept the idea that we are moving into
  > an environment where any information which is at all interesting
  > to people is going to get out.  And there will be very little
  > that you can do about it.  This is not a bad thing in my view,
  > but you may differ...

<7.6> What are `identity daemons'?

  RFC-931 describes a protocol standard that allows UNIX programs to
  query a remote user's login name after connection to a local
  communication socket (a connection of this type is established
  during FTP and TELNET sessions, for example).  The standard is not
  widely supported, perhaps 10% of internet sites currently implement
  it but the number is increasing.  The mechanism is detrimental to
  anonymity.  Regular users cannot disable it but system
  adminstrators can circumvent it.  This standard may represent a
  trend toward greater authentication mechanisms.

<7.7> What standards are needed to guard electronic privacy?


  - Stable, secure, protected, officially sanctioned and permitted,
    publicly and privately operated anonymous servers and hubs.
  - Official standards for encryption and anonymity in mail and USENET
  - Truly anonymous protocols with source and destination information
    obscured or absent and hidden routing mechanisms (chaining,
    encrypted addresses, etc.)
  - Standards for anonymous email addressing, embedding files, and
    remailer site chaining.


  - Recognition of anonymity, cryptography, and related privacy
    shields as legitimate, useful, desirable, and crucial by the
    general public and their governments.
  - Widespread use and implementation of these technologies
    by systems designers into
    hardware, software, and standards, implemented `securely,'
    `seamlessly,' and `transparently'.
  - General shift of use, dependence, and reliance to means other than
    wiretapping and electronic surveillance by law enforcement
  - Publicity, retraction, and dissolution of laws and government
    agencies opposed to privacy, replaced by structures dedicated to
    strengthening and protecting it.


<8.1> What is the background behind the Internet?

  The article ``Internet'' in Fantasy and Science Fiction by Bruce
  Sterling  contains general and nontechnical
  introductory notes on origins of the Internet, including the role
  of the RAND corporation, the goal of network resilience in face of
  nuclear attack, MIT, UCLA, ARPANET, TCP/IP, NSF, NREN, etc.:

  > ARPANET itself formally expired in 1989, a happy victim of its
  > own overwhelming success.  Its users scarcely noticed, for
  > ARPANET's  functions not only continued but steadily improved.
  > The use of  TCP/IP standards for computer networking is now
  > global.  In 1971, a  mere twenty-one years ago, there were only
  > four nodes in the  ARPANET  network.  Today there are tens of
  > thousands of  nodes in  the Internet,  scattered over forty-two
  > countries, with more coming  on-line every day.   Three million,
  > possibly four million people use  this gigantic
  > mother-of-all-computer-networks.
  > The Internet is especially popular among scientists, and is
  > probably the most important scientific instrument of the late
  > twentieth century.   The  powerful, sophisticated access that it
  > provides to specialized data and personal communication  has sped
  > up the pace of scientific research enormously.
  > The Internet's pace of growth in the early 1990s is  spectacular,
  > almost ferocious.  It is spreading faster than cellular phones,
  > faster  than fax machines.  Last year the Internet was growing at
  > a rate of  twenty percent a *month.*  The number of `host'
  > machines with direct  connection to TCP/IP has been doubling
  > every year since  1988.   The Internet is moving out of  its
  > original base in military and  research institutions,  into
  > elementary and high schools, as well as into  public libraries
  > and the commercial sector.


  Bowers, K., T. LaQuey, J. Reynolds, K. Roubicek, M. Stahl, and A.
  Yuan, ``Where to Start - A Bibliography of General Internetworking
  Information'' (RFC-1175), CNRI, U Texas, ISI, BBN, SRI, Mitre,
  August 1990.

  The Whole Internet Catalog & User's Guide by Ed Krol.  (1992)
  O'Reilly  and Associates, Inc.
    A clear, non-jargonized introduction to the  intimidating business
    of network literacy written in humorous style.

  Krol, E., ``The Hitchhikers Guide to the Internet'' (RFC-1118),
  University of Illinois Urbana, September 1989.

  ``The User's Directory to Computer Networks'', by Tracy LaQuey.

  The Matrix: Computer Networks and Conferencing Systems Worldwide.
  by John Quarterman.  Digital Press: Bedford, MA. (1990)
    Massive and highly technical compendium detailing the
    mind-boggling scope and  complexity of global internetworks.

  ``!%@:: A Directory of Electronic Mail Addressing and Networks'' by
  Donnalyn Frey and Rick Adams.

  The Internet Companion, by Tracy LaQuey with Jeanne C. Ryer (1992)
  Addison Wesley.
    ``Evangelical'' etiquette guide to the Internet featuring
    anecdotal tales of life-changing Internet experiences.  Foreword
    by  Senator Al Gore.

  Zen and the Art of the Internet: A Beginner's Guide by Brendan P.
  Kehoe (1992)  Prentice Hall.
    Brief but useful Internet guide with  plenty of good advice on
    useful databases.

  See also  (Thanks to Bruce Sterling
   for contributions here.)


  Cunningham, Scott and Alan L. Porter. ``Communication Networks: A
  dozen  ways they'll change our lives.'' The Futurist 26, 1
  (January-February,  1992): 19-22.

  McGraw-Hill, 1992) ISBN# 0-390-03083-X
    Essays on information infrastructure.  Policy and design issues,
    research and NREN, future visions, information markets.  See
    table  of contents in

  Shapard, Jeffrey. ``Observations on Cross-Cultural Electronic
  Networking.'' Whole Earth Review (Winter) 1990: 32-35.

  Varley, Pamela. ``Electronic Democracy.'' Technology Review
  (November/December, 1991): 43-51.

<8.2> How is Internet `anarchy' like the English language?

  According to Bruce Sterling :

  > The Internet's `anarchy' may seem strange or even unnatural,  but
  > it makes a certain deep and basic sense.  It's rather like the
  > `anarchy' of the English language.  Nobody rents English, and
  > nobody  owns English.    As an English-speaking person, it's up
  > to you to learn  how to speak English properly  and make whatever
  > use you please  of it (though the government provides certain
  > subsidies to help you  learn to read and write a bit).
  > Otherwise, everybody just sort of  pitches in, and somehow the
  > thing evolves on its own, and somehow  turns out workable.  And
  > interesting.   Fascinating, even.   Though a lot  of people earn
  > their living from using and exploiting  and teaching  English,
  > `English' as an institution is public property, a public good.
  > Much the same goes for the Internet.   Would English  be improved
  > if  the `The English Language, Inc.'  had a board of directors
  > and a chief  executive officer, or a President and a Congress?
  > There'd probably be  a lot fewer new words in English, and a lot
  > fewer new ideas.

<8.3> Most Wanted list

  Hopefully you have benefitted from this creation, compilation, and
  condensation of information from various sources regarding privacy,
  identity, and anonymity on the internet.  The author is committed
  to keeping this up-to-date and strengthening it, but this can only
  be effective with your feedback, especially on sections of
  interest.  In particular, the following items are sought:

  - Short summaries of RFC documents and other references listed,
    esp. CPSR files.
  - More data on the specific uses and penetration of RFC-931.
  - Internet traffic statistics.  How much is email?  How much
    USENET?  What are the costs involved?
  - Famous or obscure examples of compromised privacy
    on the internet.
  - FTP site for the code (NOT the code) to turn the .plan file into a
    named pipe for sensing/reacting to remote `fingers'.
  - X Windows, EFF, CPSR FAQhood in news.answers.

  Commerical use of this document is negotiable and is a way for the
  author to recoup from a significant time investment. Email feedback
  to  Please note where you saw
  this (which newsgroup, etc.).

<8.4> Change history

  5/7/93 v3.0 (current)

    Revisions/additions to Anonymity history.  Anonymity history &
    commentary moved to new FAQ. Information on the Clipper chip
    initiative.  Minor miscellaneous corrections. Crosslink program
    info deleted. Some EFF out-of-date file pointers not fixed.

  3/3/93 v2.1

    CPSR pointer, new UNIX mode examples, digital telephony act,
    Steve Jackson incident, additions/ reorganization to
    anonymity section, part 3.  Note: v2.0 post to sci.crypt,
    alt.privacy, news.answers, alt.answers, sci.answers was cancelled
    by J. Kamens because of incorrect subject line.

  2/14/93 v2.0

    Major revisions.  New section for X Windows.  Some email privacy
    items reorganized to network security section.  New sections for
    email liability issues, anonymity history and responsibilities.
    Split into three files.  Many new sources added, particularly
    from EFF and CAF in new `issues' part. `commentary' from
    news.admin.policy.  21 day automated posting starts.

  2/3/93 v1.0

    More newsgroups & FAQs added.  More `Most Wanted'.  Posted to
    news.answers.  Future monthly posting to sci.crypt, alt.privacy.

  2/1/93 v0.3

    Formatted to 72 columns for quoting etc. `miscellaneous,'
    `resources' sections added with cypherpunk servers and use
    warnings.  More UNIX examples (`ls' and `chmod').  Posted to
    alt.privacy, comp.society.privacy.

  1/29/93 v0.2

    `Identity' and `Privacy' sections added.  `Anonymity' expanded.
    Remailer addresses removed due to lack of information and
    instability.  Posted to sci.crypt.

  1/25/93 v0.1

    Originally posted to the cypherpunks mailing list on 1/25/93 as a
    call to organize a list of anonymous servers.

  email for earlier versions.

* * *

This is Part 3 of the Privacy & Anonymity FAQ, obtained via anonymous
  FTP to or
  newsgroups news.answers, sci.answers, alt.answers every 21 days.
Written by L. Detweiler .
All rights reserved.

Back to the Cyberculture Archive