Volume 3.12 June 25, 1996
[1] Sen. Burns Introduces New Crypto Bill [2] New Report Finds U.S. Workplace Privacy Lacking [3] Federal Eavesdropping Increases [4] Counter-Terrorism Bill Signed into Law [5] FAA Infringes on Travelers' Right to Privacy [6] Senate Passes Immigration Bill [7] DOD Key Escrow System Problems Surface [8] Upcoming Conferences and Eventss
[1] Sen. Burns Introduces New Crypto Bill
Sen. Conrad Burns (R-MT) has introduced legislation designed to relax export controls on privacy-enhancing encryption technology. The "Promotion of Commerce On-Line in the Digital Era (Pro-CODE) Act" would place export control authority in the Commerce Department, rather than the State Department and the National Security Agency (NSA) -- the agencies currently charged with that responsibility. The bill also contains a "prohibition on mandatory key escrow" and would restrict the Department of Commerce's ability to impose government-mandated encryption standards (such as the Clipper Chip) on non-governmental entities. As Sen. Burns explained in a "Dear Colleague" letter circulated to other members of the Senate: This Act will allow businesses and individuals worldwide to choose the strong security features that they need to protect information being communicated in electronic commerce by: 1) prohibiting the government from imposing government-designed encryption standards on the private sector; 2) prohibiting "Big Brother" from mandating a back door into people's computer systems; and 3) updating U.S. export controls on the sale of encryption products in foreign commerce, and placing U.S. businesses on a level playing field with their foreign competitors. Co-sponsors of the Pro-CODE Act include Sens. Robert Dole (R-KS), Patrick Leahy (D-VT), Nancy Murray (D-WA), Larry Pressler (R-SD) and Ron Wyden (D-OR). Sen. Dole's co-sponsorship is particularly significant, as it places him squarely at odds with the Clinton administration on an issue of paramount importance to Silicon Valley and the nation's technology industry. The proposed legislation comes in the midst of an ongoing debate concerning U.S. encryption policy and at a time when the need for secure electronic communications is becoming widely recognized. The explosive growth of the Internet underscores the need for policies that encourage the development and use of robust security technologies to protect sensitive personal and commercial information in the digital environment. As Sen. Burns noted upon introduction of his bill, "Computer users will not be willing to transmit creative content, business plans or even send letters without assurances of data security." EPIC recently joined with more than two dozen other organizations to create the Internet Privacy Coalition (IPC). The mission of the IPC is to promote privacy and security on the Internet through widespread public availability of strong encryption and the relaxation of export controls on cryptography. The IPC has launched the "Golden Key Campaign" to raise public awareness of these issues. Additional information is available at the IPC website: http://www.privacy.org/ipc/ The text of the Pro-CODE legislation, and Sen. Burns' floor statement on the bill, are available at: http://www.epic.org/crypto/pro_code.html
[2] New Report Finds U.S. Workplace Privacy Lacking
A new report by David Linowes, the former chair of the United States Privacy Protection Study Commission, finds that too many of the nation's largest industrial corporations still don't have adequate policies to protect sensitive confidential employee data from possible abuse. Linowes found that 38 percent do not inform employees of the types of records maintained on them; 44 percent do not tell personnel how records are used; nearly 60 percent don't inform employees about disclosure practices to government; and 18 percent don't tell personnel which records the firms can access. He also found that 70 percent of the companies surveyed disclosed personal information to non-government credit grantors, 47 percent gave information to landlords, and 19 percent gave information to charitable organizations. "If this kind of liberal cooperation with credit grantors is to prevail, the subject individual at least should be informed. More than one-half are not," Linowes said. Professor Linowes concludes it would be necessary for Congress and the President to consider legislation to address the problem. "It is apparent that adequate universal information privacy safeguards can only be achieved by the enactment of public policy legislation by Congress and the President," Linowes said. "Further, such legislation would serve to help bring our nation up to the standards already adopted by practically all other industrialized nations." Copies of the survey report, including an executive summary of highlights, are available by contacting Helen Brighton or Ray Spencer at (217) 333-0670 or by e-mailing rspence@ux1.cso.uiuc.edu. Copies of the complete press release are available at: http://www.epic.org/privacy/workplace/linowesPR.html
[3] Federal Eavesdropping Increases
Federal eavesdropping in criminal and national security investigations increased nine percent in 1995 from 1994 levels. Since the last year of the Bush Administration, federal eavesdropping has increased 49 percent. There were a total of 697 orders issued under the Foreign Intelligence Surveillance Act in 1995, an increase of 21 percent over 1994. One possible explanation of the increase is a 1994 bill that expanded the jurisdiction of the Foreign Intelligence Surveillance Court to authorize break-ins in national security cases. No requests for orders were denied in 1995. There have been no denials since the enactment of the FISA in 1977. Federal requests for criminal eavesdropping orders declined slightly in 1995, from 554 to 532. State requests dropped by 12 percent. Eighty-four percent of all state orders were in New York (267), Pennsylvania (105) New Jersey (38) and Florida (37). For the seventh straight year, no surveillance requests were denied by a federal or state judge. Only 27 requests have been denied since 1968. The vast majority of requests for criminal orders continued to come in narcotics investigations. Sixty-nine percent of all orders were for drug investigations, a decline of 16 percent from the previous year. Investigations of gambling and racketeering accounted for another 9 percent each. The surveillance continued to catch many non-relevant conversations. Each order intercepted an average of 2,028 conversations, of which investigators labeled only 459 as "incriminating" (22.6%). Federal prosecutors reported that only 15 percent of conversations they intercepted were relevant. Each surveillance lasted an average of 49 days. More information on wiretapping, including charts and graphs on usage, is available at: http://www.epic.org/privacy/wiretap/
[4] Counter-Terrorism Bill Signed into Law
On April 23, President Clinton signed S. 735, the Anti-Terrorism and Effective Death Penalty Act of 1996. The signing followed more than a year of contentious debate in the Congress over the proper role of federal law enforcement and whether or not to give the FBI new powers. When the first bills were introduced, even before Oklahoma City, they were a wish list of new intrusive powers demanded by FBI Director Louis Freeh. The early bills greatly expanded wiretapping powers, allowed for easy access to consumer information and granted a variety of other powers. Many of the wiretap provisions including those allowing use of illegal wiretaps in court and roving wiretaps were rejected due to the objections of conservative Republicans in the House. The controversial provisions, which were contained in the Senate bill, were removed by Republican members of the Conference Committee even after a massive blitz by the White House. The final bill was approved by the Senate 91-8 and by the House 293-133. The bill, however, makes two substantive changes to current wiretap laws which are characterized as "Exclusion of Certain Types of Information from Definitions." One provision eliminates current requirements to obtain a warrant to intercept wireless transmissions of data (e.g., from a computer attached to a cellular telephone or a wireless LAN). This was a provision included in the Digital Telephony bill of 1993 at the recommendation of the Department of Justice. The other provision removes the requirement to obtain a warrant to intercept information related to an "electronic funds transfer." More information on the counter-terrorism bill is available from: http://www.epic.org/privacy/terrorism/
[5] FAA Infringes on Travelers' Right to Privacy
In a series of letters to the Federal Aviation Administration, Privacy Journal editor and EPIC board member Robert Ellis Smith has challenged the FAA's requirement that travelers must show photo ID before they can board a plane. Smith challenged the constitutionality of the requirement and has demanded that the FAA drop the requirement and make information concerning its policy public. In a response letter to Smith, the FAA's Association Administrator for Civil Aviation Security admitted that while the secret directive requires the airlines to ask for ID, it does not require the passenger to provide it: "While an airline is required to request identification, the actual presentation of identification by the passenger is not absolutely required, and there is currently no prohibition against allowing someone on an aircraft without such identification." The FAA refused to release the regulation, citing security reasons. EPIC has filed a Freedom of Information Act Request with the FAA for a copy of the regulation.
[6] Senate Passes Immigration Bill
On May 2, by a vote of 97-3, the Senate approved S. 1664, the Immigration Control and Financial Responsibility Act of 1995. In a key procedural vote, the Senate, led by Sens. Simpson, Kennedy and Simon, voted 54 to 46 not to consider an amendment by Sen. Spencer Abraham that would have struck out provisions of the bill relating to the national verifications systems. The amendment also included a provision sponsored by Sens. Michael Dewine and Russell Feingold that would have removed provisions that required standardized tamper-proof birth certificates and drivers licenses. The House passed its version of the bill two weeks ago. The bill now goes to a conference committee to iron out the differences in the two versions.
[7] DOD Key Escrow System Problems Surface
According to reports in several trade magazines, the Defense Messaging System (DMS) is nearly ready for implementation, but prospective users are threatening to shun the universal e-mail platform unless Pentagon officials eliminate cumbersome security procedures designed by the NSA. DOD designed DMS a decade ago to replace the aging AUTODIN message system and to serve as the armed services' global e-mail infrastructure. Officials familiar with DMS' security features, which rely on the National Security Agency's Fortezza encryption card, said the system's slowness is likely to alienate users who send mostly unclassified messages over commercial e-mail systems. Users of wireless systems are also complaining about the high overhead. The DMS adopted the Fortezza card and is expected to implement over 450,000 cards in the next few years. Inside sources note that the NSA is using the DMS as a justification for paying companies such as Microsoft and Netscape to adopt the Fortezza card as a standard for their products. NSA has pushed agencies such as the CIA, NASA, IRS and the Federal Reserve to adopt Fortezza without success. Cost is also a major factor. Fortezza's PCMCIA cards cost nearly $100 each and all computers must be equipped with a card reader that costs an additional $150.
[8] Upcoming Conferences and Events
Workshop on Medical Records Privacy. May 10, 1996. Washington, DC. Sponsored by the Consumer Project on Technology. Contact Manon Ress (202) 387-8030 or email mress@essential.org. http://www.essential.org/cpt. Visions of Privacy for the 21st Century: A Search for Solutions. May 9-11, 1996. Victoria, British Columbia. Sponsored by The Office of Information and Privacy Commissioner for the Province of British Columbia and the University of Victoria. Program at http://www.cafe.net/gvc/foi Internet Privacy and Security Workshop. May 20-21, 1996. Haystack Observatory, MA. Sponsored by Federal Networking Council and MIT. Contact: papers@rpcp.mit.edu. InfoWarCon (Europe) '96, Defining the European Perspective. May 23-24, 1996. Brussels, Belgium. Sponsored by the National Computer Security Association. Contact: euroinfowar@ncsa.com. Practicing Law Institute's 16th Annual Institute on Computer Law: Understanding the Business and Legal Aspects of the Internet, June 17-18, 1996, San Francisco. info@pli.edu for info--or call 800/477 0300. Australasian Conference on Information Security and Privacy. June 24-26, 1996. New South Wales, Australia. Sponsored by Australasian Society for Electronic Security and University of Wollongong. Contact: Jennifer Seberry (jennie@cs.uow.edu.au). Personal Information - Security, Engineering and Ethics. 21-22 June, 1996. Isaac Newton Institute, Cambridge. Sponsored by Cambridge University and British Medical Association. Paper submission due 10 May 1996. Contact: Ross Anderson (rja14@newton.cam.ac.uk). Privacy Laws & Business 9th Annual Conference. July 1-3, 1996. St. John's College, Cambridge, England. Contact: Ms. Gill Ehrlich +44 181 423 1300 (tel), +44 181 423 4536 (fax). DEF CON IV. July 26-28. Los Vegas, NV. Annual Hacker Convention. Contact: dtangent@defcon.org or http://www.defcon.org/. Surveillance Expo 96. August 19-21. McLean, Virginia. Sponsored by Ross Associates. Contact: Marilyn Roseberry 703-450-2200. Fifth International Information Warfare Conference, "Dominating the Battlefields of Business and War", September 5-6, 1996. Washington, DC. Sponsored by Interpact, NCSA, OSS. Contact: infowar96@ncsa.com Advanced Surveillance Technologies II. Sponsored by EPIC and Privacy International. September 16, 1996. Ottawa, Canada. Contact: http://www.privacy.org/pi/conference/ottawa/ or email pi@privacy.org. 18th International Conference of Data Protection and Privacy Commissioners. September 18-20, 1996. Ottawa, Canada. Sponsored by the Privacy Commissioner of Canada. (Send calendar submissions to Alert@epic.org)
The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe, send email to epic-news@epic.org with the subject: "subscribe" (no quotes). Back issues are available via http://www.epic.org/alert/
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues relating to the National Information Infrastructure, such as the Clipper Chip, the Digital Telephony proposal, medical record privacy, and the sale of consumer data. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, email info@epic.org, HTTP://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax). If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003. Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and funding of the National Wiretap Plan. Thank you for your support.