=============================================================

                     E P I C   A l e r t

=============================================================
Volume 2.11                                  October 16, 1995
-------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, DC
info@epic.org
http://www.epic.org/

=======================================================================
Table of Contents
=======================================================================

[1] EPIC Seeks Disclosure of Clipper Documents
[2] Landmark Privacy Case, Avrahami v. USN&WR
[3] Your Net Activities for Sale (and what you can do)
[4] Canadian Direct Marketers Call for Privacy Law
[5] Opposition to ID Systems Grows
[6] Who You Gonna Trust? Bankers and Hackers
[7] VTW Alert / Telecom Post / PJ Updates
[8] Developments at EPIC Web Site
[9] Upcoming Conferences and Events

=======================================================================
[1] EPIC Seeks Disclosure of Clipper Documents
=======================================================================

The Electronic Privacy Information Center (EPIC) has filed a brief in federal court challenging the "national security" classification of information concerning the "Clipper Chip" encryption system and the underlying SKIPJACK algorithm. The brief was filed in response to the National Security Agency's attempt to withhold the information from the public following a Freedom of Information Act (FOIA) request.

Urging disclosure of the disputed information, EPIC argues that:

1) Clipper's technical details have been withheld for *law enforcement* reasons, not "national security" reasons.
As such, the information is not properly classified;

2) The security of the Clipper encryption system does not require the secrecy of the SKIPJACK algorithm or other technical details;

3) Disclosure of the withheld information will not (as NSA claims) constitute a violation of U.S. export control laws; and

4) The withheld information was part of the government's decision-making process that culminated in the adoption of FIPS 185, the "Escrowed Encryption Standard."

The brief was filed in a FOIA case initiated on behalf of EPIC's co-sponsoring organization, Computer Professionals for Social Responsibility, in May 1993. NSA was granted a delay of more than two years in order to process relevant documents. The agency recently moved for summary judgment in the case, arguing (among other things) that the disputed information is properly classified.

The full text of the EPIC brief can be obtained via the World Wide Web at:

http://www.epic.org/crypto/clipper/SJ_opp.txt

=======================================================================
[2] Landmark Privacy Case
=======================================================================

A Virginia resident has filed suit in state court against US News & World Report, challenging the right of the magazine to sell or rent his name to another publication without his express written consent. Ram Avrahami argues that USN&WR has benefited commercially from his name, thus violating the Virginia law which protects every person from having his/her name used for commercial purposes without consent.

The suit raises a critical question for the future of privacy: who controls personal information? If Mr. Avrahami prevails, companies that sell personal information could be required to obtain permission before data is sold to others. Such an ownership right could establish a more equitable and efficient relationship between consumers and companies.

EPIC has put together an expert team to assist Mr.
Avrahami, to prepare an amicus brief for the court proceeding, and to pursue other aspects of the case. This case may quickly become the leading consumer privacy case in the country. A feature article appeared in the Wall Street Journal on October 13.

What are Mr. Avrahami's prospects for success? Not clear, but a 1991 Time/CNN poll found that 93% of American adults believed that "companies that sell information to others should be required by law to ask permission from individuals before making the information available." (Time Magazine, Nov. 11, 1991).

A web page with details about the case, the relevant law, information about the direct marketing industry, and books and articles about privacy and marketing data can be found at:

http://www.epic.org/privacy/junk_mail/

=======================================================================
[3] Your Net Activities for Sale (and what you can do)
=======================================================================

The Marketry company of Bellevue, Washington is now selling email addresses of Internet users obtained from Newsgroup postings. From the company's press release:

"These are email address of individuals who are actively using the Internet to obtain and transfer information. They have demonstrated a substantial interest in specific area of information on the Internet. They are regularly accessing information in their interest areas from newsgroups, Internet chats and websites. . . . The file is anticipated to grow at the rate of 250,000 E Mail addresses per month, all with Interest selections."

What are the interest areas currently available? "Adult, Computer, Sports, Science, Education, News, Investor, Games, Entertainment Religion, Pets." The release notes that "additional interests areas will be added, please inquire."

Activities of US and non-US Net users will be included in the Marketry product.
The Washington Post reported that the president of Marketry, Norm Swent, would not disclose who the actual owner of the list is. "That really is confidential information," Swent said, "and we are obviously bound by confidentiality agreements with the list owner."

WHAT YOU CAN DO:

(a) Sit back, let your newsgroup postings get swept up by the data scavengers and watch the junk email pile high on your system, or

(b) Send email to Marketry and tell them to STOP SELLING PERSONAL DATA GATHERED FROM THE NET. Send email to:

listpeople@marketry.com

and tell your friends to send email. And tell your friends' friends.

It's your name. It's your mailbox. Think about it.

=======================================================================
[4] Canadian Direct Marketers Call for Privacy Law
=======================================================================

The Canadian Direct Marketing Association (CDMA) has announced its intention to support the adoption of comprehensive privacy legislation in Canada. In a letter dated October 2 to John Manley, the Canadian Minister of Industry, the CDMA writes, "The Canadian Direct Marketing Association is asking the Government of Canada to pass national privacy legislation governing the private sector. We believe every Canadian is entitled to fundamental protection of their personal data."

The CDMA said that it hoped the government would build on the Model Code for the Protection of Personal Information developed by the Canadian Standards Association. (See Alert 2.10[4] "CSA Announces Privacy Standards").

Unlike the Direct Marketing Association in the United States, the CDMA has long required its members to follow a compulsory privacy code. The CDMA notes that many industries have complied with the Code, but given the failure of "other private sector organizations there seems to be no realistic possibility of comprehensive self-regulation."
The CDMA announcement follows growing support in Canada for privacy legislation and increasing skepticism about the viability of industry self-regulation. (See EPIC Alert 2.10[5] "Around the Globe: Privacy Notes").

More information is available from Scott McClellan, Director of Communications, CDMA, 416/391-2362 ext. 226

=======================================================================
[5] Opposition to ID Systems Grows
=======================================================================

An emerging groundswell of opposition to proposed new databases and identity cards for immigration verification purposes is threatening the passage of immigration bills in Congress. Advocates are now hopeful that the ID proposals currently pending in Congress will be rejected.

Last week a test program authorized by the Immigration in the National Interest Act of 1995 (HR 2202) narrowly survived a 17-15 vote in the House Judiciary Committee. Bipartisan opposition to the plan, originally expected to pass easily, continues to grow.

The immigration verification system recommended by the US Commission on Immigration Reform would create a database of all persons eligible for employment in the United States. Employers would be required to call a number and provide the name and Social Security Number of the potential employee. The proposal is supported by Rep. Lamar Smith (R-TX), chairman of the House Judiciary Committee's subcommittee on Immigration.

Senators Alan Simpson (R-WY) and Dianne Feinstein (D-CA) and Congressman Bill McCollum (R-FL) would expand the plan and have recommended the creation of national ID cards based on the Social Security Account. The card would contain the name, photo, address, Social Security number and other information, and a magnetic stripe on the back. Feinstein recommended that the ID card also contain a retinal scan.

Opposition to the proposal has come from across the political spectrum.
The coalition opposing the proposals includes civil liberties groups, conservative think tanks, immigration groups, religious associations and small businesses.

Conservative and liberal members of Congress have also come out in opposition to the proposals. Rep. Steve Chabot (R-OH) described the proposal as "1-800-BIG-BROTHER." Rep. John Conyers (D-MI) told the Washington Post that the card "would usher in an era of all-intrusive government." House Majority Leader Dick Armey (R-TX) has promised to oppose any attempt to create a national ID card.

The bill remains in the House Judiciary Committee. Several members have promised to attempt to remove the provision on the House floor. The Senate has not yet taken up the issue. It is unlikely that the Senate will address the bill before next year.

On a different front, both the House and Senate welfare reform bills contain provisions to create a database of all newly hired people working in the US. This database would then be used to track down people who are behind on their child support. It is expected that the list of uses would grow. The bills would also expand the use of the Social Security Number and require its placement on a number of state documents including birth certificates, drivers' licenses, and marriage licenses.

=======================================================================
[6] Whom You Gonna Trust? Bankers and Hackers
=======================================================================

Bankers Trust, one of the leading proponents of the Commercial Key Escrow scheme (see www.epic.org/crypto/ ) was the subject of a recent BusinessWeek cover story. The news feature described racketeering charges brought by clients of Bankers Trust who lost hundreds of millions of dollars. Procter & Gamble is charging that Bankers Trust "engaged in a pervasive pattern of fraud spanning a number of years and involving numerous victims."
Supporters of the Bankers Trust plan to hold in escrow keys to private encrypted communications might take note of two quotations that appeared on the cover of the BusinessWeek story: "What Bankers Trust can do for Sony and IBM is get in the middle and rip them off" and "Funny business, you know. Lure people into that calm and then just totally f---' em." ("The Bankers Trust Tapes," BW, Oct. 16, 1995).

Meanwhile, the Wall Street Journal reports that Netscape will be turning to the hacker community to find flaws and plug holes in the popular web software. Under the "Bugs Bounty" program, Netscape will offer $1,000 to the first person to identify major security flaws. "There are a whole bunch of people out there with a lot of great computer science knowledge. We thought it was time to proactively harness all that energy to give them a reward" for finding bugs says Mike Homer, Vice President of marketing for Netscape. (WSJ, Oct. 9, 1995).

=======================================================================
[7] VTW Alert / Telecom Post / PJ Updates
=======================================================================

Two excellent legislative alerts worth reading closely as the action in Congress heats up:

VTW BillWatch: A weekly newsletter tracking US Federal legislation affecting civil liberties. BillWatch is published every Friday evening as long as Congress is in session. Contact: vtw@vtw.org (email), gopher -p1/vtw gopher.panix.com (gopher), http://www.vtw.org/ (URL). Publisher: Shabbir J. Safdar

Telecom Post covers activity in Congress on telecommunications and related issues. To subscribe, send to LISTSERV@CPSR.ORG with the message SUBSCRIBE TELECOM-POST YOUR NAME. Publisher: Coralee Whitcomb (cwhitcom@bentley.edu).

Privacy Journal has released updates for three popular publications for professionals who need reference books on privacy issues.
*Compilation of State and Federal Privacy Laws* ($29) describes by category more than 500 laws on the confidentiality of personal information. *War Stories* is a collection of real-life stories involving invasions of privacy, along with the sources of the stories and the lawyers who represent the victims. *Directory of Privacy Professionals* ($14.50) provides postal addresses, phone numbers, and electronic addresses for 200 individuals and organizations, in business and in government, actively involved in privacy issues.

The books are available by check or credit card from Privacy Journal, P.O. Box 28577, Providence, RI 02908, 401/274-7861, 0005101719@mcimail.com. There is a $4 handling fee.

=======================================================================
[8] Developments at EPIC Web Site
=======================================================================

The EPIC Web site is undergoing a major upgrade. We have put in a 56kb line and upgraded the server software and hardware. In the next few months we will be adding listserver software to improve the delivery of EPIC-related information. We are also making arrangements to expand significantly the privacy resources available at the web site.

You will now find materials at WWW.EPIC.ORG organized in four categories:

-- Hot topics (Current news)
-- Resources (Legislative Guide, On-line Guide, EPIC Docket, EPIC Alert)
-- Policy Archives (Cryptography, Privacy, Free Speech, Open Government)
-- About EPIC

Please send your comments and suggestions to alert@epic.org. We apologize for any difficulties that result from our transition to a better server.

=======================================================================
[9] Upcoming Privacy Related Conferences and Events
=======================================================================

Smithsonian Institution, "Frontiers in Cyberspace: Encryption, Privacy, and Cybercodes." October 25, 1995.
Marc Rotenberg, Director, Electronic Privacy Information Center (EPIC); Philip Zimmermann, Creator, Pretty Good Privacy (PGP); Stewart Baker, Attorney, Steptoe & Johnson. Contact: Melody Curtis (CurtisM@aol.com)

Managing the Privacy Revolution. October 31 - November 1, 1995. Washington, DC. Sponsored by Privacy & American Business. Speakers include Mike Nelson (White House) and C.B. Rogers (Equifax). Contact Alan Westin 201/996-1154.

Innovation and the Information Environment. November 3-4. University of Oregon School of Law in Eugene, Oregon. Contact: Keith Aoki KAOKI@law.uoregon.edu.

National Privacy and Public Policy Symposium. November 2-4, Hartford. Cosponsored by the Connecticut Foundation for Open Government. Contact Richard Akeroyd, rakeroyd@csunet.ctsateu.edu 203/566-4301 (tel), 203/566-8940 (fax)

22nd Annual Computer Security Conference and Exhibition. November 6-8, Washington, DC. Sponsored by the Computer Security Institute. Contact: 415-905-2626.

Global Security and Global Competitiveness: Open Source Solutions. November 7-9. Washington, D.C. Sponsored by OSS. Contact: Robert Steele oss@oss.net.

11th Annual Computer Security Applications Conference: Technical papers, panels, vendor presentations, and tutorials that address the application of computer security and safety technologies in the civil, defense, and commercial environments. December 11-15, 1995, New Orleans, Louisiana. Contact Vince Reed at (205)890-3323 or vreed@mitre.org.

Computers Freedom and Privacy '96. March 27-30. Cambridge, Mass. Sponsored by MIT, ACM and WWW Consortium. Contact cfp96@mit.edu or http://www-swiss.ai.mit.edu/~switz/cfp96

Conference on Technological Assaults on Privacy, April 18-20, 1996. Rochester Institute of Technology, Rochester, New York. Papers should be submitted by February 1, 1996. Contact Wade Robison privacy@rit.edu, by FAX at (716) 475-7120, or by phone at (716) 475-6643.

Australasian Conference on Information Security and Privacy. June 24-26, 1996.
New South Wales, Australia. Sponsored by Australasian Society for Electronic Security and University of Wollongong. Contact: Jennifer Seberry (jennie@cs.uow.edu.au).

Visions of Privacy for the 21st Century: A Search for Solutions. May 9-11, 1996. Victoria, British Columbia. Sponsored by The Office of Information and Privacy Commissioner for the Province of British Columbia and the University of Victoria. Program at http://www.cafe.net/gvc/foi

18th International Conference of Data Protection and Privacy Commissioners. Sponsored by the Privacy Commissioner of Canada. September 18-20, 1996. Ottawa, Canada.

Advanced Surveillance Technologies II. Sponsored by EPIC and Privacy International. September 17, 1995. Ottawa, Canada. Contact pi@privacy.org

International Colloquium on the Protection of Privacy and Personal Information. Commission d'acces a l'information du Quebec. May 1997. Quebec City, Canada.

(Send calendar submissions to Alert@epic.org)

=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe, send the message:

SUBSCRIBE CPSR-ANNOUNCE Firstname Lastname

to listserv@cpsr.org. You may also receive the Alert by reading the USENET newsgroup comp.org.cpsr.announce.

Back issues are available via http://www.epic.org/alert/ or FTP/WAIS/Gopher/HTTP from cpsr.org /cpsr/alert/ and on Compuserve (Go NCSA), Library 2 (EPIC/Ethics).

=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues relating to the National Information Infrastructure, such as the Clipper Chip, the Digital Telephony proposal, medical record privacy, and the sale of consumer data. EPIC is sponsored by the Fund for Constitutional Government and Computer Professionals for Social Responsibility.
EPIC publishes the EPIC Alert and EPIC Reports, pursues Freedom of Information Act litigation, and conducts policy research on emerging privacy issues. For more information, email info@epic.org, WWW at HTTP://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. (202) 544-9240 (tel), (202) 547-5482 (fax).

The Fund for Constitutional Government is a non-profit organization established in 1974 to protect civil liberties and constitutional rights. Computer Professionals for Social Responsibility is a national membership organization of people concerned about the impact of technology on society. For information contact: cpsr-info@cpsr.org

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003.

Your contributions will help support Freedom of Information Act litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and funding of the National Wiretap Plan.

Thank you for your support.

------------------------ END EPIC Alert 2.11 ------------------------