Document Sample
p85-hoffman Powered By Docstoc
					Computers and Privacy: A Survey
,StanJord L~near Accelerato~ Center,* ~tanJord Umver~ty, Stanford, CahJorma

             T h e problem of access control a n d privacy in c o m p u t e r s y s t e m s is s u r v e y e d in
             t e r m s of existing s y s t e m s a n d c u r r e n t proposals. A review of s u g g e s t e d legal a n d
             a d m i n i s t r a t i v e s a f e g u a r d s is given T h e bulk of the dmcusslon deals w i t h t h e
             c u r r e n t technology, its l i m i t a t i o n s , a n d some additional s a f e g u a r d s w h i c h h a v e
             been proposed b u t not i m p l e m e n t e d . Finally, a few p r o m i s i n g c o m p u t e r science
             research problems m the field are o u t h n e d A p a r t i a l l y a n n o t a t e d b l b h o g r a p h y of
             h t e r a t u r e in the area is included.

             Key words and phrases: privacy, access control, confidentiality, p r i v a c y
             t r a n s t o r m a t i o n s , social l m p h c a t i o n s , public utility, time-sharing, legmlation,
             regulation, profesmonalmm, access m a n a g e m e n t , d a t a bank, dossiers, ethics,
             a u t h o r i t y 1terns
             CR categories: 2.11, 2 12, 2 2, 2.3, 4.30

THE PRIVACY PROBLEM                                                     Social scmntlsts and statisticians, for ex-
                                                                     ample, have suggested the creation and
In the last several years, computer sys-                             lnalntenance of a national data bank [34].
tems used as public utlhties have moved                              Its use would remedy many defects of cur-
from dream to reality. There are now a                               rent files and procedures which result in
large number of multiterminal, on-line,                              information unresponsive to the needs of
time-sharing systems in both commercial                              vital policy decisions. Some of these de-
and academic environments [13, 15, 42, 49,                           fects, as p~)mted out by Dunn [21] are:
50]. M a n y people fully expect a public
"data bank grid" to come into existence                                 - - I m p o r t a n t historical records are sometimes
                                                                     lost because of the absence oi a donslstent polic:~
in the very near future; they point out                              and procedure lor establishing and maintaining
[47] that "it is as inevitable as the rail,                          "u'chlves.
telephone, telegraph, and electrical power
                                                                        - - T h e absence of appropriate standards and
grids that have preceded it, and for the                             procedures for file maintenance and documenta-
same reasons. I t is much less expensive                             tion lead to low quality files t h a t contain many
and more efficient to share information than                         L(,chnlcal limitations in statistical usage.
to reproduce it."                                                       - - M a n y useful records are produced as a by-
   Unfortunately, current reformation net-                           p~oduct of administrative or regulatory proce-
                                                                     dures by agencies t h a t are n o t equipped to per-
works do not have adequate safeguards for                            form a genera[ purpose statistical service function.
the protection of sensitive information.
                                                                         - - N o adequate reference exists t h a t would al-
However, since the benefits derivable from                           low u~ers to determine easily whether or not rec-
automation of large data banks are so                                olds have the charactemstlcs of quality and com-
great, pressure in some circles [17, 20, 33,                         p a t i b i h t y t h a t are approprmte to their analytical
34] is building up to "computerize now."                             i equlrements.
Automation offers benefits in both economy                              --Procedures for collecting, coding and tabu-
and performance over many current sys-                               ia~mg data that were appropriate when developed
tems.                                                                now lead to some incompatibilities m record asso-
                                                                     oration and usage required by current policy prob-
* C o m p u t a t i o n Group. This work was supported               lems and made possible by computer techniques.
b., Ihe US Al[omlc Energy Commission                                    - - T h e r e are serious gaps m existing data recolds

                                                                                        Computing Surveys, Vol. I, No. 2, June 1969
 86         •       LanceJ. Hoffman
      CONTENTS                                        that stand in the way of bringing together records
                                                      of greatest relevance for today's problems
                                                         --The need to by-pass problems of record m-
                                                      compatlbfllty in developing statistics approprmte
                                                      for policy analysis, places severe strains upon regu-
                                                      lations restricting the disclosure of reformation
                                                      about individuals. Technical possibilities for using
                                                      the computer to satisfy these statistical require-
      The Prwacy Problem
                                                      ments without in any way violating personal
                                                      privacy have not generally been developed and
      Legal and Admlmstratlve Safeguards              made available by the agencies
      Techmeal Methods Proposed to Date
       Access Control m Conventional Tune-Sharing       To take advantage of the economies and
         Systems                                      capabilities of the computer, governmental
       Some Proposed Safeguards for the Privacy of
         Information m Files                          agencies and private organizations such as
      Promising Research Prob]ems                     credit bureaus are making use of com-
                                                     puter-based personal dossier systems. The
                                                      New York State Identffication and Intel-
                                                     ligence System (NYSIIS) provides rapid
                                                      access to criminal histories, stolen property
                                                     files, intelligence information, etc., for use
                                                      by [26] "qualified agencies." Santa Clara
                                                      (California) County's L O G I C system [17]
                                                     will include a person's name, alias, social
                                                     security number, address, birth record,
                                                     driver and vehicle data, as well as other
                                                     data if the person has been involved with
                                                     the welfare or health departments, the
                                                     district attorney, adult or juvenile proba-
                                                     tion, sheriff, court, etc. Other munici-
                                                     palities have created similar systems.
                                                         These large data banks will make it easy
                                                      for the citizen in a new environment to
                                                      establish "who he is" and thereby to ac-
                                                     quire quickly those conveniences which
                                                      follow from possession of a reliable credit
                                                     rating and a social character acceptable to
                                                     his new community. At the same time,
                                                     commercial or governmental interests will
                                                     know much more about the person they
                                                     are dealing with. We can expect a great
                                                     deal of information about social, per-
                                                     sonal, and economic characteristics to be
                                                     supplied    voluntarily--often eagerly--in
                                                     order to enjoy the benefits of the economy
                                                     and the government [40].
                                                        There is another side to the coin, how-
                                                     ever. Since much more information on a
                                                     person will be stored in the same place,
                                                     less effort will be necessary to acquire
                                                     certain "sensitive" data. If insufficient con-
                                                     sideration is given to access control and to
                                                     keeping the price of sensitive information
                                                     "high enough," the temptation to demand

Computing Surveys, Vol. 1, No 2, June 1969
                                                     Computers and Privacy: A Survey                •       87

or to buy this information will increase,                sharing would be enormously impeded.
since these new systems could be illicitly               Furthermore, without public trust, infor-
probed for derogatory information on an                  mation systems could well be fed so much
individual [59].                                         false, misleading or incomplete information
   Systems with insufficient input check-                as to make them useless. Thus it becomes
ing might be given false and slanderous                  imperative not only to devise proper safe-
data about a person which, when printed                  guards to data privacy, but also to con-
out on computer output sheets as the re-                 vlnce the public and agencies which might
sult of an mqmry, looks quite "official"                 contribute to a system that these safe-
and hence is taken as true. "On the horizon              guards are indeed being planned, and that
in technology is a laser scanning process                they will work."
that would enable a twenty-page dossier                    Fortunately, the Federal Government is
to be compiled on each of the 200 million                aware of the computer privacy problem
citizens of the United States. Such refor-               and has been unreceptive, even hostile, to
mation could be stored on a single plastic               proposals which do not consider the costs
tape reel. Under such conditions it might                and effectiveness of safeguards necessary
be cheaper to retain data than to dis-                   to protect privacy in a centralized data
card it." [9] Clearly, we must decide what               bank [56, 57, 68]. Most states, however,
reformation to keep and when to keep                     lag seriously in awareness of contemporary
it. As Paul Baran points out [4], we face                data processing capabilities and tech-
a balance problem. How do we obtain                      niques. A few of the more highly com-
the greatest benefit from computer data                  puterized areas are, however, trying to
banks with the least danger?                             approach the idea of regional data banks
                                                         m a rational manner. At least one state
                                                         (California) has an intergovernmental
LEGAL AND ADMINISTRATIVE SAFEGUARDS                      board on automatic data processing which
                                                         has solicited and received comments from
The problem of controlling access to com-                concerned members of the technical com-
puter files--how to safeguard the processes              munity on confidentiality and the invasion
of inputting to and retrieving from com-                 of privacy.
puter data banks--has recently gained
                                                            As Senator Sam J. Ervm, Jr. has pointed
more and more attention from concerned
                                                         out [24], the threat to privacy comes from
citizens. We examine some of this new
                                                         men, not machines; it comes from the
interest m this section, deferring mention
                                                         motives of political executives, the in-
of the technical solutions to the next sec-
                                                         genuity of managers, and the carelessness
                                                         of technicians. Too often, he says, an or-
   Bauer has given a brief but sound dis-                ganization may seize upon a device or
cussion of policy decisions facing the de-               technique with the best intentions in the
signers of a computer data bank and has                  world of achieving some laudable goal but
pointed out [6] that we now have the                     in the process may deny the dignity of the
 "special but fleeting o p p o r t u n i t y . . . t o   individual, the sense of fair play, or the
explore the issue of privacy with objectiv-              right of the citizen in a free society to
ity and in some leisure . . . . the public's             the privacy of his thoughts and activities.
fears of dossier-type police information
systems have been thoroughly aroused;                      "The computer industry, the data proc-
left unchecked they may become so strong                 essing experts, the programmers, the ex-
as to in fact prevent the creation of any                ecutives-all need to set their collective
publicly supported information systems.                  minds to work to deal with the impact of
The reactions to proposals for a Federal                 their electronic systems on the rights and
data center are a case in point. Were such               dignity of individuals.
blanket prohibitions to be imposed the                     "While there is stlll time to cope with
development of socially useful information-              the problems, they must give thought to

                                                                    Computing Surveys, Vol. I, N o 2, June 1969
88        •      Lance J. Hoffman

 the contents of professional ethical codes             --The rules governing access to the files are
 for the computer industry and for those             definite and well publicized, and the programs
                                                     that wdl enforce these rules are open to any in-
 who arrange and operate the computer's              terested party, including, for example, the Ameri-
 processes.                                          can ClVd Libertms Umon.
    " I f self-regulation and self-restraint are        --An individual has the right to read his own
 not exercised by all concerned with                 file, to challenge certain kinds of entrms m his file
 automatic data processing, public concern           and to ~mpose certain restrictions on access to his
 will soon reach the stage where strict legis-          --Every time someone consults an individual's
 lative controls will be enacted, government         file this event is recorded, together with the au-
appropriations for research and develop-             thorization for the access.
ment will be denied. And the computer will              --If an orgamzation or an individual obtains
become the villain of our society. I t is            access to certain reformation in a file by deceit,
potentially one of the greatest resources of         this is a crime and a civil wrong. The injured in-
                                                     dividual may sue for invasion of privacy and be
our civilization, and the tragedy of slow-           •~warded damages.
 ing its development is unthinkable." [24]
                                                        Additional suggestions have been made
    Though Senator Ervin gave t h a t speech
                                                     concerning legislative methods of safe-
 on 1 M a y 1967, so far only Chairman
                                                     guarding privacy. In 1967 the United
Watson of I B M , of all the computer manu-
                                                     States government proposed a Rights to
facturers, has commented publicly on the
                                                     Privacy Act banning wiretapping and
subject [60]. The Washington, D.C. Chap-
                                                     electronic eavesdropping. (In 1968, how-
ter of the ACM has gone on record as
opposing the creation of a national data             ever, the pendulum swung the other way
                                                     and the United States Congress passed a
bank until the proposers can show t h a t
                                                     "safe streets" and crime-control bill which
 [58] "such a system is still economically
                                                     granted broad authority for wiretapping
attractive under the legal and technical
                                                     and eavesdropping, even without a court
constraints necessary to protect individual
liberties in the American society." (It has          order, for a limited period of time.)
been alleged, however, t h a t this vote re-            Even if a statute controlling access to
flects the views of a minority of that               sensitive information in files of the Fed-
chapter's members and cannot neces-                  eral Government were passed, the com-
sarily be taken to represent the view of             puter privacy problem would still be a
the chapter.)                                        long way from solved. A t h r e a t which is
   We often forget that no "right to pri-            possibly even more serious is the misuse of
vacy," similar to the "right to freedom of           data in the files of private organizations or
speech" or the "right to vote," exists in the        in the files of state or local governments.
Constitution. Thus, the amount of privacy            Medical records in the files of hospitals,
an individual is entitled to and the                 schools, and industrial organizations con-
situations in which that privacy m a y be            tain privileged information. When these
violated v a r y according to the whim of a          records are kept in a computer-based
particular court or legislative body [24, 36,        system, there must be control over access
62]. Prosser, of the University of Cali-             to them. Some disconcerting examples of
fornia School of Law at Berkeley, has                what has happened when controls are lax
compiled an excellent review of this sub-            are mentioned in a paper by Baran [4].
ject [45].                                              California has recently passed into law
   Recently, significant efforts have been           legislation which (1) recognizes an in-
made to create a more satisfactory situa-            dividual's right of privacy, and (2) recog-
tion. In 1966 John M c C a r t h y suggested a       nizes computerized data in state files as
"computer bill of rights." Some of the               "public records." This legislation m a y well
rights he proposed were these [38]:                  prove to be a landmark in the fight to es-
   --No organization, governmental or private, is    tablish a "right to privacy" and would
allowed to maintain files that cover large numbers   seem to guarantee the right of an individ-
of people outside of the general system.             ual to read his own file.

Computing Surveys, Vol. 1, N o 2, June 1969
                                              Computers and Privacy: A Survey               •      89

   The licensing or "professionalization" of    is generally obtained by denying the user
(at least some) computer scientists, pro-       certain "privileged" instructions, which
grammers, and operators seems to be the         may be executed only by "privileged"
most frequent suggestion in the papers on       programs, such as the operating system.
computer privacy which are not written             The former is generally provided by
solely for computer scientists. In addition     memory protection schemes such as reloca-
to Ervin (see above), advocates of this         tion and bounds registers [14], segmenta-
measure include Michael [7], Brictson           tion [12, 31], paging [51], and memory
[10], and Ramey [47]. Parker has been           keys which allow limited (e.g. read-only)
the main supporter of the ACM Guidelines        access [32].
for Professional Conduct in Information            All these access control methods protect
Processing [41], but Brictson makes the         contiguous portions of (real or virtual)
best argument the author has seen for these     computer memory from alteration by an
to date [10]. With such current and po-         errant program. They do not, however,
tential outside interest in professional con-   provide protection of a user file from un-
duct of computer people, there has been         authorized access. Toward this end, soft-
very little published discussion about          ware schemes have augmented the hardware
these matters. In view of Senator Ervin's       schemes described above.
unsettling predictions (above), perhaps            Methods which enhance data privacy.
the computer community should give              With respect to the methods which enhance
these problems more attention than it has
                                                the privacy of data in a shared system,
to date.                                        Paul Baran observed in 1966 [5] that "It
  This concludes the discussion of legal        is a very poorly studied problem.. There
and administrative safeguards for the pro-      is practically nothing to be found in the
tectlon of sensitive information. We can        computer literature on the subject." Since
now turn our attention to the technical         then, awareness has grown, largely as a
solutions that have been proposed.              result of Congressional interest [56, 57]. An
                                                entire session of the AFIPS 1967 Spring
                                                Joint Computer Conference was devoted
                                                to this issue. But only very recently has
                                                there been developed a working system
                                                 with more than password protection at
Access Control in Conventional Time-Sharing      the file level [29].
Systems                                            In nearly all systems to date, a user's
   Various technical methods for control-       password (see Figure 1) will get him into
ling access to the content of computer          his file directory and into any file refer-
memories have been suggested. In this dis-      enced in that directory. The most elaborate
cussion these methods are broken up into        scheme so far is that of Daley and Neu-
two categories--those which are necessary       mann [16], which features directories
for proper operation of a time-sharing sys-     nested to any level used in conjunction
tem and those which enhance the privacy         with passwords. Each file has access con-
of data in a shared system.                     trol information associated with itself. Un-
  Methods necessary ]or a properly oper-        less one has the "key" to a file, one cannot
ating time-sharing system. First let us         get at the information in that file. Password
consider the controls required in any time-     schemes permit a small finite number of
sharing system. A means must be provided        specific types of access to files, although
to lock out each user from the program          Daley and Neumann [16] effectively pro-
and data of all other (unauthorized) users.     vide more flexible control via a type which
In addition, a user must not be allowed to      allows a user-written program to decide
interfere with the time-sharing monitor by      whether each requested access to a file is
improper use of input/output commands,          allowed.
halt commands, etc. The latter capabihty           Limitations o] these methods. The meth-

                                                            Computing Surveys, Vol. 1, No. 2, June 1969
90          •          Lance J. Hoffman

                     STANDARD METHOD


                              FILE ~ M E ~

                                     BETTER METHOD WITH THREAT MONITORING

                     LOGIN,M&Ne793,~CC r5-17-e.                                          I~FIk~L    ct   :1 ,~ , b-{I-~,     LLCI¢

                           ~ b S ' ~ O I D ( 5 7 a P ) :?
                                                                          lC.14    53
                           TRY ~GAIN.            PhSSWOqD(9360)=?
                           FILE N~MF?
                                                                          1C.1(    ~5    i[lYih.t   9,   ,i~P   --~J~tL~--      iLL

                     SORT RECORDS BY D~TE,                                IC l ~ - c C

                                                                    FIG. 1.   P a s s w o r d use

ods above necessary for properly operating                                           it can be used by all persons with access
a time-sharing system perform their task                                             to that pool. The problem of what to do
 acceptably--they guarantee system in-                                               when certain information in a file should
tegrity. However, the password methods                                               be available to some but not all legal
fall short of providing adequate software                                            users of the file is not well studied. In the
protection for sensitive files. Password                                              Multics system [12], for example, it is
schemes can be compromised by wiretap-                                               currently the case that if a user has a file
ping or electromagnetic pickup, to say                                               which in part contains sensitive data, he
nothing of examining a console typewriter                                            just cannot merge all his data with that
ribbon. Moreover, in some systems the                                                of his colleagues. He must separate the
work factor, or cost, associated with trying                                         sensitive data and save that in a separate
different passwords until the right one is                                           file; the common pool of data does not
 found is so small that it is worthwhile                                             contain this sensitive and possibly highly
for an interested but unauthorized user to                                           valuable data. Moreover, he and those he
do just that. Centralized systems tend to                                            allows to access this sensitive data must,
have relatively low work factors, since                                              ]f they also want to make use of the non-
breaking a code in a centralized system                                              sensitive data, create a distinct merged
generally allows access to more informa-                                             file, thus duplicating information kept in
tion than in a decentralized system. Some                                            the system; if some of this duplicated data
methods used to raise the work factor back                                           must later be changed, it must he changed
to at least the level of a decentralized sys-                                        in all files, instead of only one (see Figure
tem are given below.                                                                 2). If there was a method for placing data
   There is an even more serious problem                                             with varying degrees of sensitivity into
with password systems. In most current                                               common files such that suitable access
systems, information is protected at the                                             control over each piece of data was guar-
file level only--it has been tacitly as-                                             anteed, all the data could be aggregated
sumed that all data within a file was of the                                         and processed much more easily. Indeed,
same sensitivity. The real world does not                                            many social scientists are in favor of a
conform to these assumptions. Informa-                                               national data bank for this very reason
tion from various sources is constantly                                              [8, 20]. On the other hand, precisely be-
coming into common data pools, where                                                 cause the problem has not been solved

Computing       Surveys,   Vol    1, N o       2, J u n e   1969
                                                     Computers and Privacy:         A Survey           •      91

satisfactorily, lawyers [22, 48] scientists     EXISTING FILE SYSTEM            DESIRABLE FILE SYSTEM
[5, 11, 19, 28, 54], urban planners [65], and

the general pubhc [53, 55, 63] have become
concerned about such a system.
    In a recent thesis, Hsmo [29] has sug-
gested and implemented files which contain       A                 C
"authority items"; these authority items
control access to records in files. Other                                                        B
proposals which treat access control as a                  B
functmn of the user rather than the data • Unnecessonly Duphcoted                  I---IAccess Control
have been advanced by Evans and Le-              Informohon                              Informohon
Clerc [66] and by Bingham [64]. Hsiao's        FIG. 2. Use of c o m p u t e r s t o r a g e m file s y s t e m s
scheme, however, is the first working sys-
tem which controls access at a level lower have been proposed. G r a h a m [27] has sug-
than the file level. The implementation de- gested a technique involving concentric
pends on a multilist [46] file structure, "rmgs" of l~otection which m a y prove
but the concept of an authority item as- a reasonable way to provide flexible but
sociated with each user is independent of controlled access by a number of different
the structure of the file. The accessibil-
                                              users to shared data and procedures. Den-
ity of a record depends on whether the file
                                              nis and Van Horn [18] have proposed t h a t
owner has allowed access to the requester.
                                              higher-level programs grant access privi-
This information is carried in the author-
                                              leges to lower-level programs by passing
ity item. Capabilities [18] (such as read
                                              them "capability lists."
only, read and write, write only) appear
to reside with the file rather than with         Graham's scheme has several disadvan-
each record.                                  tages. I t assumes a computer with demand
                                              hardware segmentation; since, in the opin-
    A problem with Hsiao's scheme is the
                                              ion of the author, no large computer sys-
duplication in each pertinent authority
                                              tems (of the type t h a t would be necessary
stem of entrms for protected fields of one for a public utility) with these hardwat'e
 file. If there are J users of the system facilities are as yet serving a large user
 and each has K private fields in each of
                                              community in an acceptable manner, this
L files, and if each user has access to the
                                              assumption m a y be premature, particularly
 files of S other users, then S × K × L
                                              in light of the alternatives, such as mono-
entries must be made in each authority
                                              programming systems which use extended
item for user protection. Since there are
                                               core storage bulk memories [30, 37]. The
 J users, T = J × S x K x L entries must
                                              Graham scheme effectively rules out the
 be maintained in the authority items by
                                              use of one-level memories such as as-
the system. For the not unlikely case
                                              sociative memories [25], Lesser memories
 J = 200, K = 3, L = 2, S = 10, we
                                               [35], etc., given the current hardware state-
 calculate T = 12,000. Depending on the
                                              of-the-art. If the data bank has many
 amount of storage used per entry, this
                                               different data fields with m a n y different
 price in storage and maintenance m a y
                                               levels of access, the swap times necessary
 prove too much to pay in m a n y
                                               to access each datum in its own (two-word
 instances. As S approaches J - 1, not only
                                               or so) segment will rapidly become pro-
 does this price become higher but the sys-
                                               hibitive using today's technology. In ad-
 tem also becomes inefficient (since it main- dition, the Graham scheme imposes a
 tains lists of authorized rather than un- hierarchy on all information m the data
 authorized file users). Of course, if S = base; this is not desirable m every m-
 J - 1, the entire protection system is stance. The scheme of Dennis and Van
 unnecessary.                                  Horn suffers from all the drawbacks of
     Some other methods for access control the Graham scheme except the last. Corn-

                                                                        Computing Surveys, Vol. I, No. 2, June 1969
 92       •      Lance J. Hoffman

 T A B L E I. SOME THREATS TO INFORMATION PRIVACY  authenticatwn of a user's identification.
                 (Extracted from [44])             Peters [43] has suggested using one-time
  Accidental                                      passwords: lists of randomly selected pass-
    User error                                    words would be stored in the computer
    System error
  Dehberate, passive                              and maintained at the terminal or kept by
    Electromagnetic pwk-up                        the user. "After signing in, the user takes
    Wiretapping                                   the next work (sic) on the list, transmits
  Dehberate, active                                it to the processor and then crosses it off.
    Browsing                                      The processor compares the received pass-
    Masquerading as another user                  word with the next word in its own list
    "Between hnes" entry while user is machve but and permits access only when the two
      on channel                                   agree. Such password lists could be
    "Piggy back" entry by interception and trans- stored in the terminal on punched paper
      mitting an "error" message to the user      tape, generated internally by special cir-
    Core dumping to get residual information
                                                  cuits, or printed on a strip of paper. The
                                                  latter could be kept in a secure housing
 pensating for this relative simplicity in the    with only a single password visible. A
 control structure, however, is the fact that special key lock would be used to advance
 a very large number of their meta-instruc- the list." [44] Another method, based on
 tions must be executed for each attempt to random-number generation, has been sug-
 access data which is not in a file open to gested by Baran [3].
 every user.                                          A novel idea based on the same prin-
                                                  c i p l e - t h e high work factor [3] associated
 Some Proposed Safeguards for the Privacy of with breaking encoded messages appear-
                                                  ing as pseudorandom or random number
 Information in Files
                                                  strings [52]--has been suggested by Les
    We now discuss countermeasures that
                                                  Earnest [23]. He proposes that the user log
 have been proposed to more adequately in-
                                                  m and identify himsclf, whereupon the
sure against unauthorized access to infor-
                                                  computer supplies a pseudorandom number
 mation in files. Petersen and Turn have
                                                  to the user (see Figure 1). The user per-
published an excellent paper [44] on the
                                                  forms some (simple) mental transforma-
threats to information privacy, and much
                                                  tion T on the number and sends the result
of the material of this section has been
                                                  of that transformation to the computer.
drawn from that paper.
                                                  The computer then performs the (pre-
    The most important threats to informa- sumably) same transformation, using an
tion privacy are shown in Table I. We algorithm previously stored in (effective)
can counter these threats by a number of execute-only memory at file creation time.
techniques and procedures. Petersen and In this way, while the user has performed
Turn have organized the various counter- T on x to yield y = T ( x ) , any "enemy"
measures into several classes: access tapping a line, even if the information is
management,         privacy    transformations, sent in the clear, sees only x and y. Even
threat monitoring, and processing restric- simple T's, e.g.
tions. They have one other class, integrity
management (of hardware, software, and T ( x ) = [ ( , o ~ d i g i t / o f x) 3'2]
personnel), which is not discussed here.
                                                                             -k (hour of the day),
   Access management. These techniques
attempt to prevent unauthorized users are almost impossible to figure out, and
from gaining access to files. Historically, the "cost per unit dirt" [2] is, hopefully,
passwords have been almost synonymous much too high for the enemy. Petersen
with access management. Passwords alone, and Turn point out that one-time pass-
however, are not enough, as shown above. words are not adequate against more
The real issue in access management is sophisticated "between lines" entries by

Cflmloutmg Surveys, Vol 1, No 2, June 1969
                                             Computers and Privacy: A Survey                •       93

 mfiltrators who attach a terminal to the           2. Size of the key space. The number
 legitimate user's line. "Here the infiltrator   of different privacy transformations avail-
 can use his terminal to enter the system        able should be as large as possible to dis-
 between communications from the legit-          courage trial-and-error approaches, as
 1mate user." [44] As a solution, they           well as to permit the assignment of
 suggest one-time passwords applied to mes-      unique keys to large numbers oi users and
 sages (as opposed to sessions), imple-          changing of keys at frequent intervals.
 mented by hardware in the terminal and             3. Complexity. The cost of implemen-
 possibly in the central processor. This         tation of the pmvacy system is affected by
 solution may, however, be too costly for        requiring more hardware or processing
 most apphcatlons. Also, placing access con-     time, but the work factor may also be
 trol at the datum level, rather than at         improved.
 the file level, would eliminate many               4. Error sensitivity. The effect of trans-
  (though not all) problems associated with      mission errors or processor malfunctioning
 this type of infiltration.                      may make decoding impossible.
    Babcock [1] mentions a "dial-up and             Other criteria are, of course, the cost
 call-back" system for very sensitive files.     of implementation and the processing time
 When a sensitive file is opened by the pro-     requirements which depeild, in part, on
 gram of a user who ~s connected to the          whether the communication channel or the
 computer via telephone line A, a message        files of the system are involved.
 is sent to the user asking him to telephone
 the password of that file to the operator          More detailed information on uses of
over a different telephone line B. The           privacy transformations is given in Peter-
 legal user can alter the password at will       sen and Turn [44]. A good unclassified dis-
 by informing the data center.                   cusslon of encrypting and eryptanalysis
    Privacy trans]ormations. Privacy trans-      methods, with particular attention paid
 formations are reversible encodings of          to "distributed" communication networks
data used to conceal information. They are       (many terminals, many message switching.
useful for protecting against wiretapping,       centers, etc.) has been written by Baran
monitoring of electromagnetic radiation          [3]. He also has suggested [2] that we should
from terminals, "piggy back" infiltration        always make use of minimal privacy trans-
 (see Table II), and unauthorized access         formations in the storage and transmission
to data in removable files. Substitution (of     of sensitive data.
one character string for another), trans-           Privacy transformations can be per-
position (rearrangement of the ordering of        formed by appropriate software in ter-
characters in a message), and addition           minals and central processors. When de-
 (algebrmcally combining message char-           sirable, hardware can be used instead. One
acters with "key" characters to form en-         current system, for example, uses basically
coded messages) are three major types of         a transposition method and is handled
privacy transformations, which can be            with preset plastic scrambler wheels ;
 (and are) combined to increase the work         changes of these wheels are accomplished
factor necessary to break a code. This           by time coordination [39].
work factor depends (among others) on the           Threat Monitoring. Petersen and Turn
following criteria [52] :                        give a good description of threat monitor-
    1. Length of the key. Keys reqmre            mg [44]: "Threat monitoring concerns de-
storage space, must be protected, have to        tection of attempted or actual penetrations
be communicated to remote locations and          of the system or files either to provide a
entered into the system, and may even            real-time response (e.g. invoking job can-
require memorization. Though generally           cellation, or starting tracing procedures)
a short key length seems desirable, better       or to permit post ]acto analysis. Threat
protection can be obtained by using a key        monitoring (see Figure 1) may include the
as long as the message itself.                   recording of all rejected attempts to enter

                                                            Computing Surveys, Vol. 1, No. 2, June 1969
94       •         Lance J. Hoffman

the system or specific files, use of illegal                    possible misuse or tampering, and prompt
access procedures, unusual activity revolv-                     stepped-up auditing along with a possible
ing a certain file, attempts to write into                      real-time response."
protected files, attempts to perform re-                          Threat monitoring also will help im-
stricted operations such as copying files,                      prove the efficiency of the system by report-
excessively long periods of use, etc. Periodic                  ing widespread use of particular system
reports to users on file activity may reveal                    facilities. These system facilities can be

             T A B L E II          OF
                                        (extracted from [44])
        ~...~asure                             Privacy                                 Threat Monitoring
                                                                                         (audits, logs)
     Threat          ~

       User e r r o r          No protection if depend on p a s s -           Identifies the "accident prone";
                               word; otherwise good protection                provides post facto knowledge
                                                                              of possible loss

       System e r r o r        Good protection in case of commun-             May help in diagnosis or provide
                               ication system switching e r r o r s           post facto knowledge

       Electromagnetic         Reduces susceptibility; work factor            No protection
       pick-up                 determines the amount of protectmn

       Wiretapping             Reduces susceptibility; work factor            No protection
                               determines the amount of protection

       "Browsing"              Good protection                                Identifies unsuccessful attempts;
                                                                              may provxde post facto knowledge
                                                                              or operate r e a l - t i m e alarms

      ,tMasquerading,,         No protection if depends on p a s s -          Idcntffms unsuccessful attempts;
                               word; otherwise, sufficient                    may provide post facto knowledge
                                                                              or o p e r a t e - r e a l - h m e alarms

       "Between lines"         Good protection if privacy t r a n s f o r -   Post facto analyms of activity
       entry                   mations changed in less time than              may provide knowledge of pos-
                               required by work factor                        sible loss

       "Piggy back"            Good protection if privacy t r a n s f o r -   Post facto analyms of activity
       entry                   mations changed m less time than               may provide knowledge of pos-
                               required by work factor                        sible loss

       Entry by system         Work factor, unless depend on p a s s -        P0st facto analysis of activity
       personnel               word and masquerading is successful            may provide knowledge of pos-
                                                                              sible loss

       Entry via "trap         Work factor, unless access to keys             Possible alarms, post facto
       doors"                  obtained                                       analysis

       Core dumping to         No protection unless encoded p r o -           Possible alarms, post facto
       get residual            cessing feasible                               analysis

       Physical acquisi-       Work factor, unless a c c e s s to keys        Post facto knowledge form (sic)
       tion of removable       obtained                                       audit of personnel movements

                                                                       Computing Smvoys, Vol. 1, No. 2, June 1969
                                                                        Computers and Privacy: A Survey                          •        95

"tuned," or, if need be, the facilities can                                    the normal memory protection features
be altered to ehminate bottlenecks. If some                                    mentioned 'in the first part of this section,
security restriction is unduly interfering                                     some processing restrictions may be de-
with system operation, threat monitoring                                       sirable. Suggestions have included the
should help pinpoint the offending restric-                                    mounting of removable files on drives with
tion.                                                                          disabled circuits which must be authenti-
   Processing restrictions. In addition to                                     cated before access [44], erasure of core

                                                        T A B L E II           Continued

       ~asure                      A c c e s s Control (password,                          Processing Restrictions (storage,
                                  authentication, authorization)                           protected privileged operations)

   User error                  Good protection, u n l e s s the e r r o r              Reduce susceptibility
                               produces c o r r e c t p a s s w o r d

   System e r r o r            Good protection, u n l e s s b y p a s s e d            Reduce susceptibility
                               due to e r r o r

   Electromagnetic             No protection                                           No protection

   Wiretapping                 No protection                                           No protection

   "Browsing"                  Good protection (may make                               Reduces e a s e to obtain d e s i r e d
                               masquerading necessary)                                 information

  ~Masquerading"               Must know authenticating p a s s -                      Reduces e a s e to obtain d e s i r e d
                               words (work factor to obtain                            infcrmation

   "Between lines"             No protection u n l e s s u s e d for                  Limits the infiltrator to the s a m e po-
   entry                       every m e s s a g e                                    tential as the u s e r whose h n e he s h a r e s

   "Piggy back"                No protection but r e v e r s e                        L i m i t s the infiltrator to the s a m e po-
   entry                       ( p r o c e s s o r - t o - u s e r ) authen-          tentml a s the u s e r whose line he s h a r e s
                               tication m a y help

   Entry by s y s t e m        May have to m a s q u e r a d e                         Reduces e a s e of obtaining d e s i r e d
   personnel                                                                           information

   Entry via "trap             No protection                                           Probably no protection

   Core dumping to             No protection                                          E r a s e private c o r e a r e a s at swapping
   get r e s i d u a l                                                                time

   Physical a c q u i s i -    Not applicable                                          Not applicable
   tion of r e m o v a b l e

                                                                                            Computing Surveys, Vol. 1, No. 2, June 1969
 96    •     Lance J. Hoffman

 memories after swapping a program and its        tormg, privacy transformations, access
 data out to an auxiliary storage device, and     management, etc. Some hardware counter-
 bmlt-in hardware codes which peripheral         measures, such as physical keys which
 devices would transmit to other system          record the key number on a file or output
 components when necessary. Software             device, have also been suggested. Unfor-
which limits access rights by terminal is        tunately, no systems, hardware or soft-
 already part of several systems [69].           ware, simulated or actual, have been built
   There is a real question as to what           whic~ enable us to evaluate the various
price one is willing to pay for a given          costs of processing time, storage space, etc.,
amount of privacy [61]. In some instances,       of these methods. There is almost a com-
one might desire a whole processor to            plete absence of implementation of nearly
implement the entire file control and pri-       all the proposed techniques. Consider, for
vacy system [44]. Most users, however,           example, just one of these techniques, pri-
will probably settle for less privacy at less    vacy transformations. Petersen and Turn
cost. This has been the experience so far        [44] discuss the further work that is
of Allen-Babcock Corporation--they have          needed: "Special attention must be de-
not implemented their "dial-up and call-         voted to establishing the economic and
back" privacy technique, since none of their     operational practicality of privacy trans-
customers has demanded it.                       formations: determining applicable classes
   Petersen and Turn have summarized             of transformations and establishing their
their countermeasures to threats against         work factors; designing economical de-
information integrity, and the major part        vices for encoding and decoding; consider-
of the table they present is reproduced in       ing the effects of query langauge structure
Table II.                                        on work factors of privacy transforma-
                                                 tion; and determining their effects on proc-
                                                 essing time and storage requirements."
PROMISING RESEARCH PROBLEMS                         The implementation of a (real or simu-
                                                 lated) system which uses many counter-
In this section we briefly outline some          measure techniques would be a very
technical problems which offer promising        desirable undertaking. It would enable us
avenues for research in the future. We          to evaluate the effectiveness and the costs
raise relevant questions, but no answers         of each technique. A suitably designed sys-
are proposed in this paper.                     tem would at the same time allow us to
                                                vary the structure of a file. Since the struc-
   For reasons mentioned in the section         ture of a file may affect quite strongly
on the limitations of proposed protection       the access control method used, a number
methods, the methods of protection which        of interesting experiments could be per-
effectively pass privileges from one pro-       formed. For example, one might consider
gram to another are unsatisfactory. We          physically separating the more sensitive
also saw there that protecting data by          data in a hierarchical tree-structured file
associating controls with the data at the       from the less sensitive data. The more sen-
file level only is not sufficient. What is      sitive data could be stored in a memory
needed is some means of controlling             which was logically at a low level and
access to each individual datum. Such a         physically removed from higher-level data.
means should (1) be efficient, and (2) not      This solution would not be feasible in
unduly penalize the user who only wants         certain types of associative memories, since
a small part of his file protected. The         the control would require all data to be at
mechanism may reside in program, data,          the same level.
indexes into an inverted file, authority
                                                    As another example, the existence of in-
items [29], or elsewhere.
                                                dexes into a tree-structured file (i.e. the
  Several types of controls have been pro-      use of an inverted file) might strongly
posed to insure privacy: threat moni-           alter the operating characteristics of the

                                                     C o m p u t i n g Surveys, Vol. I, No 2, June 1969
                                                                   Computers and Privacy:        A Survey           •      97

access control m e c h a n i s m by a l l o w i n g                      Vol. 27, Pt. 2, Thompson Book Co., Washing'-
                                                                         ton. D. C, pp. 45-49.
control i n f o r m a t i o n to reside in the indexes
                                                                           A well-thought-out general discussion of the
r a t h e r t h a n (say) w i t h the d a t a itself.                      privacy problem which overlaps somewhat
F u r t h e r m v e s t i g a t m n of this r e l a t i o n s h i p        with Baran's testimony before the Gallagher
is also w a r r a n t e d .                                                subcommittee (see [56]). Some specific pro-
                                                                           posals are presented to deal with the prob-
                                                                       3 BAaA~, P. On distributed commumcations.
SUMMARY                                                                  IX. Security, secrecy and tamper-free con-
                                                                         stderatlons. Doc. RM-3765-PR, Rand Corp.,
                                                                         Santa Momca, Calif., Aug. 1964.
I t is hoped t h a t this p a p e r m a y help in-
crease a w a r e n e s s of the c o m p u t e r p r i v a c y              A consideration of the security aspects of a
                                                                           distributed communication system, written
p r o b l e m a n d the need for f u r t h e r i n v e s t i -             from the viewpoint that we should fully anti-
gation. P a u l B a r a n p u t s it well [2] :                            cipate the existence of spies within our
                                                                            ostQnslbly secure communications secrecy
     " W h a t a wonderful opportunity awaits                              protection structure; ".Hence, our primary
the c o m p u t e r engineer to exercise a new                             interest should be in raising the 'price' of
                                                                           espmd reformation to a level which becomes
form of social r e s p o n s i b i l i t y . T h e a d v e n t             excessive." The proposed system combines
of        the        new      computer-communications                      end-to-end and link-by-link cryptography,
t e c h n o l o g y need n o t be feared with t r e p i -                  automahc error detection and repeat trans-
                                                                           mission, path changing, and use of a scheme
d a t i o n as we a p p r o a c h 1984. R a t h e r , we                   requiring complete and correct reception of
h a v e in our power a force which, if prop-                               all previous traffic in a conversation m order
erly t a m e d , can aid, n o t hinder, r a i s i n g our                  to decrypt subsequent message blocks. It
                                                                           assumes enemy infiltration and takes these
p e r s o n a l r i g h t of p r i v a c y .                               countermeasures: key bases split over N (>
     "If we fail to exercise this u n s o u g h t                          1) individuals; filtering tests; key change for
                                                                           each conversation; heavy system use for un-
power t h a t we c o m p u t e r engineers alone                           classified traffic Contents: I. Introduction ;
hold, the word 'people' m a y become less a                                II The Paradox of Secrecy about Secrecy:
                                                                           III Some Fundamentals of Cryptography;
d e s c r i p t i o n of i n d i v i d u a l h u m a n beings              IV Imphcatlons for the Distributed Network
l i v i n g in a n open society a n d more a mere                          System, V. A "Devil's Advocate" Examina-
collective n o u n .                                                       tion.
                                                                              This paper gives a clear, well-written dis-
     " I t m a y seem a p a r a d o x , b u t a n open                     ('ussion of an often "touchy" subject. Rele-
society d m t a t e s a r i g h t - t o - p r i v a c y a m o n g          vant points are brought out by good dia-
                                                                           grams. It is one of the clearest expositions of
its m e m b e r s , a n d we will h a v e t h r u s t u p o n              real-hfe problems and solutions to be found
us m u c h of the r e s p o n s i b i l i t y of p r e s e r v i n g       m the open literature
this right."                                                           4. BARAN,P. Remarks on the question of privacy
                                                                          raised by the automatmn of mental health
                                                                          records. Doc. P-3523, Rand Corp.. Santa
                                                                          Monica, Cahf., Apr. 1967.
ACKNOWLEDGMENTS                                                              Remarks invited for presentation before the
                                                                             American Orthopsychiatric Association Work-
The author w~shes to thank Professor Wdham F.                                shop. "The Invasion of Privacy," held in
Miller and Mr. John V. Levy for their encourage-                             Washington, D. C., 21-23 March 1967. This
ment during the preparatmn of this paper.                                    speech of Baran presents to an intelligent
                                                                             group of computer laymen a view of com-
                                                                             puter privacy invasion whmh heretofore has
                                                                             been available only to people in the com-
                                                                             puter field. Some tales of medical record
                       BIBLIOGRAPHY                                          leaks are recalled. The famous tale of the
 1. BARCOCK,J. D. A brief description of privacy                             MIT freshman who programmed the com-
    measures in the RUSH time-sharing system.                                puter to dial simultaneously every telephone
    Proc. AFIPS 1967 Spring Joint Comput. Conf.,                             extension m the school is retold, thus the
    Vol. 30, Thompson Book Co.. Washington.                                  importance of "people-proof" systems is
    D. C, pp. 301-302.                                                     , graphically illustrated.
                                                                                It is a very good paper which can be used
      A brief summary of the file security proce-                            to alert intelligent the lmphcatmns
      dures m RUSH. This artmle contains some                                of the computer age for privacy.
      good but short discussion of possible threa(s
      and countermeasures.                                             5. BARAN,P. Statement in [56], pp. 119-135.
 2 BARAN, P. Communications, computers and                             6. BAUER, K. G. Progress report to U. S. Public
    people. AFIPS 1965 Fall Joint COmput. Conf                            Health Service on contract PH 110-234 Joint

                                                                                   Computing Surveys, Vol, 1, No. 2, June 1969
98         •       Lance J . Hoffman

     Center for Urban Studies of M I T and Harvard,                     [41] by Parker. I~lve gmdelines for pubhc
     Cambridge, Mass., Jan. 1968. (Mimeographed)                        pohcy makers are suggested: (1) specifica-
      The report contains a nine-page section on                        tions of benefits; (2) catalogue of potential
       the privacy issue as it relates to a proposed                    risks; (3) directory of preventive safeguards
      healttl iniormatlon system lor the Boston                         and controls; (4) inventory of antidotes and
       area. " . . . Right now our project has a unique                 countermeasures, (5) index oi penahtles and
      opportunity to propose saleguards to pri-                         sanctions.
      vacy in the design of an information system                          A very good paper for the layman and in-
      at a time when the crucial operational deci-                      terested computer scmntlst.
      sions have not yet been made . . . . " The sec-               II.CALDWELL, L. K. (Ed.)  Science, Technology,
      tion discusses present safeguards to record                     and Pubhc Pohcy--A Selected and Annotated
      disclosure Currently, privacy is not really                     B~bhography (Volume 1). Dep. of Government,
      insured, and only the excessive cost ot get-                    Indiana U., Bloomington, Ind., 1968, pp. 207-
       ring sensitive information (because of the                     210.
      unwmldiness of current noncomputerized sys-
       teins) prevents almost all unauthorized                          Pages 207-210 comprise Section 6A, "Pri-
       access. "... With proper safeguards computeri-                   vacy," and contain an annotated bibhography
      zation makes such information far easier to                       of 13 entries. [40] and [22] are included, and
       g u a r d . . . " - - w h y this is the case is explained.       [62] is based on two other entries in the
       A broad framework of new saieguarcls, com-                       bibliography. The others deal with privacy as
       bining legal, technological, and administra-                     an aspect of human dignity, lie detectors,
       tive measures is being urged, and these are                      wiretapping, concepts ot consent and con-
       gone into very briefly, with references to a                     fidentiahty, and eavesdropping. The entire
       tew papers The committee hopes during the                        bibliography should be useiul to students of
       coming months to define levels of security                       sociology Its sections are.
       and to suggest specific access rules and rights                      1. Blbhographms and Research Tools
       of patients that should be kept in mind.                             2. Philosophy of Science
                                                                            3 History of Science and Technology
7 BERKELEY, E. C. Individual privacy and cen-                               4. Nature and I m p a c t of Science and
  tral computerized files. Comput. Automat. 15,10                              Technology
    (Oct. 1966), 7.                                                         5. Science, Politics, and Government
      This article discusses a privacy bill of nghts                        6. Science, Technology, and the Law
      initially suggested by Professor John Mc-                             7. Science, Education, and the Univer-
      Carthy m [38].                                                           sities
 8. BOWMAN,R.W. Statement in [56].                                          8. Scientific and Technical Personnel
                                                                            9 Scientific Organizations and Institutions
 9. BaIcTSON, R. C. Computers and p m v a c y - - m l -                    10. Organization and Management of Re-
    phcatmns of a management tool ].)oc. SP-2953/                              search and Development
    001/00, System Development Corp., Santa                                11. Science, the Humanities, and Religion
    Monlca, Calif., 14 Mar. 1968.                                          12. Science and Society
10. BalcTSO~, R. C. Some thoughts on the social                     12. CoaBATO, F. J., A~D VYSSOTSKY, V. A. Intro-
    implications of computers and privacy. Doc.
    SP-2953, System Development Corp., Santa                            duction and overview of the Multlcs system.
     Monlca, Calif., 25 Sept 1967.                                      Proc. A F I P S 1965 Fall Joint Comput. Conf.,
                                                                        Vol. 27, Pt. 1, Spartan Books, New York, pp
      This is a reprint of a talk presented to the                      185-196.
      American Society for Industrial Security as
      part of a panel, "Problems in the Age oi the                  13 Computer Research Corp. Time-sharing sys-
      Computer," 13th annual seminar, 12-14 Sep-                        tem scorecard, No. 5. Computer Research Corp.,
       tember 1967, Los Angeles, California. Briefly                    Newton, Mass, 1967.
      discussed are (1) the computer as an inno-                    14 Control D a t a Corp. Control D a t a 6400/6600
      vation and tool, along with some of the                           computer systems reference manual. Pub. No.
      anxieties it creates, (2) a framework for an                      60100000, Control D a t a Corp., St. Paul, Minn.,
      lnqmry into the problem, (3) responslbdltles                      1966.
      of organizations and the establishment, (4)
      SOclahzation--the preparation of new mem-                     15. CR1sMAN, P. A. (Ed.). The Compatible Tzme-
      bers for entry into society, (5) some examples                    Sharing System--A Programmer's Guide (Sec-
      reflecting issues, and (6) possible remedies.                     ond ed.). M I T Press, Cambridge, Mass., 1965.
       In eleven short pages a quite readable discus-               16. DALEY, R. C., AND NEUMANN, P. G. A general-
      sIon, understandable to the lay person, is                        purpose file system for secondary storage. Proc.
      given. The framework suggested for investi-                       A F I P S 1965 Fall Joint Comput. Conf., Vol. 27,
      gation seems quite reasonable, and represents                     Pt.1, Spartan Books, New York, pp. 213-229.
       one of the few attempts to define the general
       problem before rushing off to tackle it. This                      Tlus system places access control on the
      structure considers information from the                            branches of a tree-structured file directory.
       standpoint of (1) acquisition; (2) access;                         Five modes of control are allowed--trap,
       (3) dissemination; (4) retention; (5) revi-                        read, execute, write, and append. The paper
       stun, including updating, rejoinder and re-                        contains some of the best thinking yet about
       dress, (6) destruction; and (7) time cycles.                       a practical, general solution to lower-level
       Brief examples are given for acquisition and                       access control. One of the "Multics papers,"
       protection. A good case (and a brief one)                           this is must reading for data base system
       for the existence of professional ethics codes                      designers.
       is made, much better than the discussion in                  17. DAVIES, L. E Computer plan for personal

Computing Surveys, Vol. 1, No. 2, June 1069
                                                            Computers and Privacy."             A Survey             •       99

   "dossiers" in Santa Clara stiis fears of in-                       tall, but relevant references are given for the
   vasion of privacy. The New York Tzme~, 1                           reader interested in a more advanced techni-
   Aug 1966, p. 27.                                                   cal discussmn
18. DENNIS, J. B , AnD VAN HOR.X, E . C . Program-             23. EARNEST, L.      Private communication.
    ming semantics for multiprogrammed computa-                24 ERVIN, S. J. T h e c o m p u t e r - - i n d i v i d u a l pri-
    tmns Comm ACM 9,3 ( M a r 1966), 143-155                      vacy. V~lal Speeches o] the Day 33, 14 (1 M a y
      A n u m b e r of meta-mstructions are defined               1967), 421-426
      which relate to programming operatmns m                       Senator E r v m discusses the impact of the
      multiprogrammed systems These are related                     computer on national hfe m a speech to the
      to parallel programming, p r o t e c h o n of sepa-           American      M a n a g e m e n t Association. H e
      rate computations, sharing of files, and                      thmks t h a t m order to avoid street legislative
      meinory. Some very good and long-neglected                    controls and the denial of g o v e r n m e n t re-
      ideas are set forth here. Capabilities of a com-              search and d e v e l o p m e n t funds, the industry
      putation are related to segments. I n practice,               must devise safeguards against improper data
      capabilities should be related to some smaller                access, illegal tapping, and purloined data in
      basra units, e.g. nodes of a tree                             shared systems. He hkes the idea of an in-
19 D~.UTSCH. L P Snooping by computer (letter                       dustry ethical code.
    to the editor). San Fra~e2sco Chromcle, 19 July            25. FELDMAN, J A. Aspects of associative process-
    1968                                                          iug. Tech. N o t e 1965-13, Lincoln Laboratory,
      A computer scmnhst experienced in h m e -                   M I T , Cambridge, Mass., 1965
      sharing systems warns against misuse of com-                        If,
                                                               26 GALLS, R. R. J. T h e New York State Iden-
      puters In parhcular, he laments the lack of                 tification and lntelhgence system. I n [56], pp.
      ;idequate protectmn in the California Depart-               159-168.
      ment of Socml Weir'ire data bank
                                                               27 GRAUAM. R. M. P r o t e c h o n m an reformation
20. Du.~N, E. S., JR. S t a t e m e n t m [56], pp 92-95          processing utility. Comm. ACM 11, 5 ( M a y
21.Du.xN, E S , JR. The idea of a national data                   1968), 365-369.
    center and the issue of personal privacy Amer                   A good five-page paper on the topic A solu-
    Stat~s 21 (Feb. 1967), 21-27                                    tion to the file access problem is given which
      An a t t e m p t by the author of the Bureau                  revolves rings or spheres of protection for
      of the Budget report which recommended the                    b o t h data and programs (in particular, for
      establishment of a national data center to                    segments, as at Project M A C ) . T h e main
      correct "certain obvious misinterpretations                   drawbacks are (1) the method is tied to seg-
      and set forth more explicitly stone vmws on                   ments, whlcli in practice are fairly large
      the very i m p o r t a n t issue of personal privacy."        blocks of m e m o r y , protection of a smaller
      He maintains t h a t we can immediately begin                 area wastes the rest of the segment; and (2)
      to save much "harmless" data in a "statlsh-                   parallel processes or processors m a y render
      cal" data bank and t h a t we have 10 or 15                   parameters or data m v a h d ff proper safe-
      years to figure out how to protect privacy                    guards are not taken. If these problems are
      The trade-offs for and against some sort                      solved, this m e t h o d provides flexible b u t
      of national data b a n k are more clearly                     controlled access by a n u m b e r of different
      delineated t h a n in the original report                     users to shared data and procedures
22 Duke Umverslty School of Law. Privacy. Law                  28 HARRISON, A. T h e problem of privacy in the
    and Contemporary Problems 31, 2 (Spring                       computer age: an a n n o t a t e d bibliography Doc
    1966), 251-435                                                R M - 5 4 9 5 - P R / R C , Rand Corp., S a n t a Monica,
      This is an entire issue of Law and Con-                     Calif., Dec. 1967.
      temporary Problems devoted to privacy. Its                    This is a must document. This 300-entry
      contents are: Clark C. Havlghurst, "Fore-                     biblmgraphy is well-annotated and indexed
      word"; Willmm M. Beanv, " T h e R i g h t to                  by author as well as b y each of the following
      Privacy and American Law", Milton R                           categories, cashless-checkless society, time-
      Konwtz, "Privacy and the Law: A Philo-                        sharing, data banks, media, social scmntists'
      sophical Prelude"; Edward Shils, "Privacy                     views, bill of rlglits, electronic eavesdropping
      Its Constitution and Vicissitudes"; Sidney                    and wiretapping, computer utilities, Con-
      M Jourard, "Some Psychological Aspects of                     gresslonal view of privacy, legal views, sys-
      Privacy";        Glenn Negley, "Philosophical                 tem security, technologists' views.
      Views on the Value of Privacy"; Harry
      Kalven, J r , "Privacy in T o r t L a w - - W e r e      29 HsIAo, D. K    A File System ]or a Problem
      Warren and Brandeis W r o n g ? " ; K e n n e t h L          Solving Facdity. Ph.D. Dlss. m Electrical
      Karst. " 'The Files'. Legal Controls Over the                Engineering, U. of Pennsylvania, Philadelphia,
      Accuracy and AccessIbihty of Stored Per-                     Pa.. 1968.
      sonal D a t a " , Joel F. Handler and Margaret                 An i m p o r t a n t new concept is introduced and
      K. Rosenheim, " P u b h c Assistance and                       m~plemented on the file system at Penn. This
      Juvenile Justice", William A Creech, "The                      concept, ~Lhat of the authority item, allows
       Privacy of G o v e r n m e n t Employees."                    control within files over data access. Each
         T h e issue contains nothing on computer.~                  field in a file can be protected from u n a u t h o r -
      except in the K a r s t paper, which has about                 ized access. D a t a records need n o t be reproc-
       four pages on the effect of automation. The                   essed if a change m a record's protection
      possible solutions to this aspect of the pri-                  status or in a user's level of aecesslblhty oc-
      vacy problem are dealt with in superficml de-                  curs T h e capability to read only, write only,

                                                                                 Computing Surveys, Vol. I, No. 2, June 1969
 100          •        Lance J . H o f f m a n

          etc., goes with an authority item and n o t                             puter technology to file and collate "per-
          with a record. Protected records are com-                               sonal" facts a b o u t private citizens and even
          pletely nonexistent as far as the unauthorized                          to telemeter the populace. W h a t are the lm-
          user Is concerned. T h e system as currently                            phcatlons for traditional ideas of freedom
          i m p l e m e n t e d is d e p e n d e n t on the file struc-           and privacy "~ Will sucn progress be m e t with
          ture (multihsts). However, the idea of au-                              constitutional objections or with public ac-
          thority items is n o t and is an i m p o r t a n t new                  qumscence ? - - A u t h o r ' s Abstract
          concept. This thesis should be examined by                                  Tills well-written non~ecnmcal paper makes
          those who have the responsibility for access                            some valid and oIt-overlooked points. I t
          control in their own tlle systems. I t appears                          outlines iactors which, in the past, h a v e made
          to be the first working system with protection                          privacy invasion dlthcult (1) data available
          below the file level.                                                   but uncollected and uncollated, (2) data n o t
30. HUMPHREY, T. A. Large core storage utihza-                                    recorded with precision and variety necessary
      tlon in theory and in practice. Proc. A F I P S                             to gain new or deeper insight into the private
      1967 Spring J o i n t Comput. Conf., Vol. 30,                               person, (3) dlffculty of keeping track of a
      T h o m p s o n Book Co., Washington, D . C , pp.                           particular person in a large and highly mobile
      719-727.                                                                    population; (4) difficulty oi access to already
                                                                                  bled data a b o u t the private person; (5) dflh-
3 1 . I B M System/360 Model 67 functional charac-                                culty of detecting and interpreting potentially
      teristics. F o r m A27-2719-0, I B M Corp., Kings-                          self-reveahng private m l o r m a t i o n within
      ton, N. Y., 1967.                                                           available data.
32. I B M System/360 principles of operation. F o r m                                 P o i n t s for a central data b a n k are validly
      A22-6821-2, I B M Corp., Poughkeepsie, N. Y.,                               and tellingly made, and the point is made
      1966.                                                                       t h a t now, as in the past, people m a y give up
                                                                                  some freedom to protect or enhance another
33. JANsSEN, R F. Administration studies plan to                                  freedom. Ways in which corruptible program-
     generalize data, hopes to avoid "police state"                               mers m a y become privy quite legally to
      mlage. Wall ,Street J., 11 N o v 1966, p. 6.                                p n v d e g e d information are discussed. A short
34. KAYsEN, C. D a t a banks and dossiers. The                                    and worthwhile paper.
     Pubhe Interest (Spring 1967), also in [57], p.                       41. PARKER, D. B. Rules of ethics in i n f o r m a t i o n
      265.                                                                    processing. Comm. ACM 11,3 ( M a r . 1968),
         T h e case "for" a national d a t a bank, in the                     198-201.
         light of the mauling this proposal got before
         the Gallagher subcommittee.                                      42. PARKER, R. W. T h e S A B R E system. Datama-
                                                                              t~on 11, 9 (Sept. 1965), 49-52.
35. LESSER, V. R. A multi-level computer orgam-
     zatlon designed to separate data-accessing Irom                      43. PETERS, B. Security considerations m a multi-
     the computation. Tech. Rep. CS90, Comput.                                p r o g r a m m e d computer system. Proc. A F I P S
     Sci. Dep., Stanford U., Stanford, Calif., 11 Mar.                        1967 Spring J o i n t Comput. Conf., Vol. 30,
      1968.                                                                   T h o m p s o n Book Co., Washington, D.C., pp.
36. LIcKSON, C. P. T h e right of privacy in the
      computer age. IEItE Comput. Group News 2, 1                                 A specific list of desirable and necessary
      (Jan. 1968), 13-17.                                                        security safeguards for file systems is given.
                                                                                  Hardware, software, and administrative safe-
         A nontechnical five-page paper which de-                                 guards are discussed
         fines privacy, examines some historical court
         cases dealing with it, and tries to pinpoint                     44. PETERSEN, H . E., AND TURN, R. System impli-
         current legislative trends in this area.                             cations of information privacy. Proc. A F I P S
         "... Legislation and court decisions can catch                       1967 Spring J o i n t C o m p u t . C o n f , Vol. 30,
         up to the state of the art." A good general                          T h o m p s o n Book Co., Washington, D.C., pp.
         overview from a nontechnical standpoint,                             291-300. (Also available as Doc. P-3504, R a n d
         the article is well-referenced.                                      Corp., S a n t a Momca, Calif., Apr. 1967.)
37. MAcDouGALL,, 1V~. H. Simulation of an ECS-                                    "Various questions of providing information
     based operating system. Proc A F I P S 1967                                  privacy for remotely accessible on-hne, time-
     Spring J o i n t Comput. Conf., Vol. 30, T h o m p -                         shared i n f o r m a t i o n systems are explored . . . .
     son Book C o , Wasnlngton, D C., pp. 735-741.                                A range of protective countermeasures is dis-
                                                                                  cussed, and their choice and implication con-
38. McCARTHY, J. Information. Sc, Amer. 215,                                     sldered. I t appears possible to counter a given
    3 (Sept. 1966), 64-73.                                                        level of t h r e a t w i t h o u t unreasonable expendi-
      M c C a r t h y , in a very good survey article                             tures of resources. T h e protective techniques
                                                                                 d l s c u s s e d . . . l n c l u d e : shielding to reduce elec-
      on compu*.ation, proposes a computer bill of                                tromagnetm e m a n a t i o n s ; use of once-only
      rights which would help to guarantee privacy                               passwords for access control; application of
      in computer-based d a t a files                                             privacy transformations to conceal reforma-
39. McLAUGHLIN, F . X . P r i v a t e commumcation.                               tion in u s e r - p r o c e s s o r c o m m u n i c a t i o n s a n d in
                                                                                 data files; recording of a t t e m p t e d penetra-
40. MICHAEL, D. •. Speculations on the relation                                   tions; and systematic verification of the hard-
    of the computer to individual freedom and the                                ware and software l n t e g n t y . " - - A u t h o r s ' ab-
    right to privacy. George Washzngton Law Rev.                                  stract
    83(1964-65), 270-286.                                                            This is must reading. I t contains a detailed
      Between now and 1984, business and govern-                                  and well-written discussion of threats to file
      m e n t will use extraordinary advances in corn-                           security and countermeasures against these

Computing Surveys, Vol. I, No. 2, June 1969
                                                      Computers and Privacy: A Survey                   *       101

       threats. In partmular, problems at the proces-              leads to methods for constructing systems
       sor, the files, the terminals, and the com-                 which reqmre a large amount of work to
       municatmn hnes are discussed. A good blbh-                  solve. Finally, a certain incompatibility
       ography is given.                                           among the various desirable qualities of
45•PRosszR, W . L . Privacy• Cah]orma Law Rev.                     secrecy systems is discussed• An excellent
    ~8,3 (Aug. 1960), 383--423.                                    paper, and doubly so for the nonfamthearted
                                                                   in mathematics (particularly probablhty and
       A revmw of court cases deahng with a "right                 modern algebra)•
       to privacy•" The revmw appears to be com-
       prehensive (to this layman at law). The             53. Social workers balk at computers. San Fran-
       author, then Dean of the Umversity of Cali-              cisco Chromcle, 16 July 1968, p. 2.
       fornia Law School at Berkeley, contends that                This newspaper article describes how over
      four distinct kinds of privacy invasion cases                20 state social workers picketed the state de-
       can be described: (1) intrusmn upon seclusmn                partment of social welfare in protest over a
       or sohtude, or into private affairs; (2) pubhc              new departmental regulation requiring them
       disclosure of embarrassing private facts; (3)               to supply computers with "intimate facts"
       pubhclty which places the plaintiff m a false               about the mental illness of their clients• The
       hght m the pubhc eye, (4) approprmtion, for                 data was linked to the client's social secumty
       the defendant's advantage, of the plaintiff's               number•
      name or likeness. The article is well-written
       and interesting. As a final filhp, I can not con-   54. SQUIRES, B. E., JR. Statement in [56].
       clude without prmsmg the author for making          55. STAR, J. The computer data bank• will it kill
       me aware of "a possible nommatmn for the                your freedom? Look (25 June 1968), 27-29.
       all-time prize law rewew title, m the note                  A short, very well-written popular survey of
       'Crimmatmn of Peeping Toms and Other                        computers and privacy. Some well-detailed
       Men of Vision,' Ark Law Rev. 5(1951), 388."                 accounts of uses computer data banks are
46. PRYwES, N. S. A storage retrieval system for                   being put to today are presented.
    real-time problem solving. Rep. No. 66-05, U.          56. U. S. Congress• The computer and the invasion
    of Pennsylvania Moore School of Electrical                 of privacy--hearings before a subcommittee of
    Engineering, Philadelphm, Pa., 1966.                       the Committee on Government Operations,
47. RaM~.Y, J . W . Computer informatmn sharing--              House of Representatives, 89th Congress, Sec-
    threat to individual freedom. Proc. of the                 ond Session (Gallagher Report), U• S. Govern-
    Amer. Documentatmn Institute, 1967, pp. 273-               ment Printing Office, Washington, D.C., 26--28
    277.                                                       July 1966.
      This paper discusses, for a lay audmnce, why                 Pro and con on a national "statlstmal" data
      centralized data banks threaten privacy. It                  bank--the full testimony.
      proposes hcensmg of computer professionals,          57. U. S. Congress. Computer privacy--hearings
      much as CPA's are hcensed now. It also pro-              before the Subcommittee on Administrative
      poses legislation to allow an individual to              Practice and Procedure of the Committee on
      respect his entire dossmr, delete inaccuracies           the Judiciary, United States Senate, 90th Con-
      vm court order, and prohibit transfer of in-             gress, First Session (Long Report), U. S.
      formation identffiable with himself to a                 Government Printing Office, Washington, D.C,
      linked data bank without hm express consent.             14-15 March 1967.
48. REICh, C.A. Statement in [56].                                The full testimony before the Long subcom-
                                                                   mittee on computer privacy.
49. ScHwARTZ, J. I. The SDC time-sharing sys-
    tem. Datamation 10,11 (Nov. 1964), 28--31.             58. WARRURTON,P. Letter to the editor. Comput.
                                                               Automat. 16,5 (May 1967), 8.
50. SchwARTZ, J. I. The SDC time-sharing sys-
    tem. Datamation 10,12 (Dec. 1964), 51-55.                     A "Resolution on the National Data Center
                                                                  and Personal Privacy " propose d by the
51.Scientffic Data Systems• SDS 940 computer                      Washington, D.C. Chapter of the Association
    reference manual• Pub. No. 90 06 40A, Scmntific               for Computing Machinery is given
    Data Systems, Santa Monica, Calif., Aug. 1966.
                                                           59. WARE, W. H. Security and privacy in com-
52. SHANNOn, C. E. Communication theory of                     puter systems• Proc. AFIPS 1967 Spring Joint
    secrecy systems. Bell Syst. Tech. J. 28, 4 (Oct.           Comput. Conf., Vol. 30, Thompson Book Co.,
    1949), 656-715.                                            Washington, D.C., pp. 279-282.
      A mathematmal theory of secrecy systems is                  This is a general outline of the major vulner-
      developed and presented m a most readable                   abihtms of time-sharing systems which handle
      form. First, basic mathematical structure of                sensitive data• It also served as an intro-
      secrecy systems is dealt with. Examples of                  ductory paper for the session on privacy at
      various types of ciphers are given• Measures                the conference•
      of "how secret" a system is are introduced,
      and it is shown that "perfect" secrecy is            60. WATSON, T. J., JR. Technology and privacy.
      possible but requires, if the number of mes-             Speech given to Commonwealth Club of Cali-
      sages is finite, the same number of possible             fornia, Hotel St. Francis, San Francisco, Cahf.,
      keys. A measure of "noise" in a message is               5 Apr. 1968.
      given and strongly ideal systems where this                 An address by the Chairman of the Board
      cannot be decreased by the cryptanalyst are                 of IBM to the Commonwealth Club of Cali-
      discussed• Finally, an analysis of the basic                fornia. Watson discusses in general what the
      weaknesses of secrecy systems is made. This                 privacy problem is, advantages and dlsad-

                                                                         Computing Surveys, Vol• 1, No• 2~ June 1969
102        •      Lance J. Ho:ffman

      vantages of centralized data banks, and            protect, and check access requests against user
      possible steps toward solwng the problem.          security control profiles, verify memory
      Suggestions are given for legal, ethical, and      bounds and memory blanking, and provide
      technological safeguards.                          security indicators for input/output. The
                                                         integrated techniques are apphed to control
61. WEIsSMAN, C. Programming protectmn: what             users and system programmers in an ad-
    do you want to pay? SDC Mag. 10,7-8 (July,           vanced modular system. Retrofit of most of
    Aug. 1967), System Development Corp., Santa          the recommended techmques to an emsting
    Momca, Calif.                                        data processor (the Burroughs D825 Modular
62. WESTIN, A. F. Privacy and Freedom. Athe-             Data Processing System) is feasible. An ex-
    neum, New York, 1967.                                ternal retrofit umt is described which pro-
      A comprehensive, well-written book on the          v~des control mode and privileged instruc-
      relationship of privacy to freedom, tracing        tmns for single-mode processors.--Author's
      "privacy rights" from 1776 to the present.         Abstract
      The emphasis is on the present and the fu-            This paper is the final report of an eight-
      ture. The book has four parts: (1) the func-       month study program conducted by the Bur-
      tions of privacy and survedlance m socmty,         roughs Corporation for the US Air Force. It
      (2) new tools for invading privacy, (3)            is a highly technical description of a pro-
      American socmty's struggle for controls (five      posed multlprogramming, multiprocessing,
      case studies), and (4) policy chomes for the       on-line computer system designed with secu-
      1970's. Each part is copmusly documented,          rtty of information m mind. A very detailed
      and in addition there are four blbhographms        report, it deals with techmcal aspects of a
      at the end: the functmns of privacy, the new       computer system operating m a secure en-
      technology, the struggle for controls, and         vironment; the report does not touch on
      privacy m American law and pohcy. The sec-         cryptography, long-dmtance communications
      tmn on computer technology and posslbihtms         problems, electromagnetic radiation moni-
      for it by 1975 is quite enhghtemng. Numer-         toring, physmal security, equipment wire-
      ous legal decisions are cited m this seminal       tapping or physmal modifications, personnel
      work. It is must reading for those sermusly        problems, or admimstrative procedures.
      concerned with the general problem of pri-            Recommendations made by the study are
      vacy.                                              described m the author's abstract above. In
                                                         additioP the reviewer notes the following
63. W~STIN, A . F . The snooping machine. Playboy        which may be of interest. Physical keys asso-
    15, 5 (May 1968), 130ft.                             ciated with a user are recommended (p. 7).
      A good review of initml and revised ideas on       The'system reqmres the user (or an operator
      a natmnal data bank. The advantages and            with a master key) to be physically present
      disadvantages are set forth m this article in      at a terminal before mput or output can oc-
         nontechmcal (T) publicatmn. An interest-        cur. An execute-only bit in each word Is
      mg account of the automated adventures of          recommended (p. 9). This is turned on in
      a mythical citizen m 1975 is given                 routines of the operating system, thus guar-
                                                         anteeing its integrity.
64. BIN(]HAM, HARVEY W. Security techniques for             The amount of hardware over and above
    E D P of multilevel classified informatmn. Doc.      that required for a traditional system is de-
    RADC-TR-65-415, Rome Air Development                 tailed in terms of "equivalent flip-flops" in
    Center, Gnffiss Air Force Base, New York, Dec.       Table 2, p. 56. Software security techniques
    1965. (Unclassffied)                                 are summarized on pp. 71-72. An attempt is
      The study objective was to develop hardware        made to gauge the costs of these techmques
      and software techmques for security (need-to-      on pp. 99-100, the units of measurement be-
      know) control of on-line users and program-        mg addltmnal instructmn executions neces-
      mers in multiprogramming, multlprocessing          sary and addltmnal storage space used. Ample
      E D P systems of apparent future develop-          justification is not given 5or these estimates,
      ment. Hardware techmques recommended               which tend to be plausible but low. A de-
      include: (1) processors hawng two modes of         taded description of startup procedures for
      operation, interrupt entry into control mode       this security-oriented system is given on pp.
      m whmh privileged instructmns are executa-         77-80. Tables of all hardware and software
      ble, flag bits for ldentffication and control of   security techniques which were considered m
      memory words, and address checks against           the study (not only the ones recommended),
      access-differentmted memory bounds; (2)            along with their application, what they pro-
      panty checks on mtermodule mformatmn               tect against, and additional comments, are
      transfers; (3) input/output control proces-        given on pp. 119-127. Pages 101-112 describe
      sors, which establish and verify peripheral        the detailed interfaces recommended for se-
      unit connectmns, check memory addresses            curity between terminal umts, bulk files, and
      against bounds, and confirm security content       the input/output control processor. Pages
      of record headers being transferred; and (4)       113-117 detail retrofits (changes) necessary to
      bulk file control of physical record integrity,    Implement the proposed system on the Bur-
      and lock control over write permission and         roughs D825 computer system, an existing
      flag bit setting to permit supervisor estab-       multlprogrammmg and multlprocessing sys-
      hshment of control programs. Software tech-        tem. General flowcharts of key security rou-
      niques reside in the executive control pro-        tines are given in Appendix I. A brief dis-
      gram and are executed in control mode and          cussmn of the literature on error-correcting
      ldentffied by flag bits. Security routines are     codes and redundancy techmques is given in
      described and evaluated which construct,           Appendix IV. Pages 115 and 116 are switched

Computing Surveys, Vol. 1, No. 2, June 1969
                                                   Computers and Privacy: A Survey                  •      103

     in this report of 173+xiii pages, which con-           spo.nsibllity of social scientists Amer. Psychol-
     tains 12 illustrations, tables, and a glossary         ogist 23, 11 (Nov. 1968).
       This report should definitely be read by all           A paper for social scientists discussing the
     who plan to design or configure a computer               advantages to be gained by creation of a na-
     system in which secure information must be               tional data center and the pitfalls vis-a-vis
     protected.                                               privacy. The paper gives a good history of
65. DUEKER, K . J . Data sharing and confidentiality          the proposal for a nahonal data center and an
    in urban and regional planning. Proc. Urban               excellent view of what stage the proposal is
    Inform. Syst. Assoc. Fifth Annual Conf., Gar-             in currently (August 1968). It presents an ex-
    den City, N.Y., 8 Sept. 1967.                             cellent suggestion, namely, that only random
                                                              samples of respondents be kept (one in 1000
      A good overview for statisticians, urban                samples are adequate for most analyses in
      planners, and the interested layman of the              the social sciences).
      computer privacy problem. The first 15 pages      68. U. S Congress. Privacy and the national data
      present a good summary of the computer in-            bank concept House Committee on Govern-
      vasion of privacy literature. The latter 11           ment Operations, U.S. Government Printing
      pages present implications of the National
      Data Center proposal to planners at the state         Office, Washington, D.C., 2 Aug. 1968.
      and local levels. The latter part will in-              A very excellent review of the national data
      terest urban planners particularly, while the           bank concept, which explains why such a
      former is of general interest. This easily              system would be most helpful in certain areas
      readable paper is not at all technical. Some of         and how it poses grave threats to privacy if
      the references do not exist in the volumes              not carefully designed. Initial actions by the
      cited.                                                  Bureau of the Budget to study the feasibility
                                                              of a central, computer-based data bank are
66. EVANS, D. C., AND LE CLERC, J. Y        Address           reviewed very briefly, as are the hearings of
   mapping and the control of access in an inter-             the House of Representatives Special Sub-
   active computer. Proc. AFIPS 1967 Spring                    committee on Invasion of Privacy. The Com-
   Joint Comput. Conf., Vol. 30, Thompson Book                mittee on Government Operations notes that
   Co., Washington, D.C., pp. 23-30.                          "the reports commissioned by the Bureau of
                                                              the Budget do not contain well-thought-out
     An idea for extended segmentation hardware               theoretical or practical procedures necessary
     is presented. This hardware would control                to insure privacy and that the Budget Bu-
     access paths at execution time, permit selec-            reau "has not come to understand fully the
     tive input and output operations under actual            importance of privacy in the National Data
     control of interactive users, and eliminate the          Center system." It suggests in detail proce-
     need for relocation of programs at load time.            dures, safeguards, and alternatives to be con-
     Access control is by hardware at the seg-                sidered in formulating specific proposals for
     ment level. The system has not been imple-                a national data bank. These can be applied
     mented, although "the hardware and software              to any data base of sensitive information
     problems have been analyzed extensively,"                and should be quite carefully considered by
     according to the paper, in the Ph.D. dis-                designers of any such data bank, public or
     sertation of the second author. The ideas on             private. This 34-page document is a gem and
     access control, whether eventually done in               an absolute must for those concerned with
                                                               the specter of a national data bank.
     hardware or software, are steps in the right
     direction.                                         69. Santa Clara (California) County. LOGIC
                                                            User's Guide for Terminal Inquiry Systems.
67. SawY~a, J., AND SCHF.~HTEa, H. Computers,               General Services Agency, Data Processing Cen-
    privacy, and the national data center: the re-          ter, Santa Clara County, Calif., 1 Aug. 1967.

                                                                      Computing Surveys, Vol 1, No. 2, June 1969

Shared By:
Description: grid computing,security