



EPIC ALERT


                    Volume 3.17            October 2, 1996


Published by the
Electronic Privacy Information Center
Washington, D.C.
http://www.epic.org/


Table of Contents

[1] White House Releases New Clipper Proposal
[2] International Crypto Symposium Held in Paris for OECD
[3] OECD Crypto Experts Meet in Paris
[4] Human Rights Groups Release Crypto Resolution
[5] E-FOIA Bill Approved by House and Senate
[6] P-TRAK SSN System Criticism Continues
[7] Avrahami Files Appeal to State Supreme Court
[8] Upcoming Conferences and Events


[1] White House Releases New Clipper Proposal


The White House has released the latest version of the key escrow/recovery plan intended to promote government access to encoded communications. The new proposal follows similar proposals in which the Administration offers to relax export regulations in exchange for an industry commitment to establish key escrow encryption.

Under the plan announced by the Office of the Vice President on October 1, 1996, companies would be allowed to export 56-bit encryption systems for the next two years if they set up a formal process to fully develop a key escrow system. After two years, non-escrow systems would be prohibited. Jurisdiction for the control of exports would also be transferred from the State Department to the Commerce Department. The Justice Department would be given veto power over export applications. The White House plans to introduce legislation for key escrow centers.

According to the statement released by the Vice President, the Administration will continue to promote key escrow encryption through the purchase of key recovery products, bilateral and multilateral discussions, federal cryptographic and key recovery standards, and federal funding.

The statement also said that "the Administration's initiative is broadly consistent with the recent recommendations of the National Research Council." However, the NRC report recommended against government promotion of key escrow encryption, noting that "the risks of key escrow encryption are considerable." Earlier this year, the Internet Society also endorsed a recommendation of the Internet Architecture Board and the Internet Engineering Steering Group which said that "such policies are against the interests of consumers and the business community, and are largely irrelevant to issues of military security."

IBM announced that it would establish an industry consortium to support the plan, and several US hardware companies signed on. However, Netscape head Jim Barksdale described the proposal as "extortion".

Bipartisan criticism was also heard from Congress. Both Senator Leahy and Senator Burns quickly issued releases criticizing the proposal. The software industry expressed opposition to the White House plan. The Software Publishers Association, the Business Software Alliance, and the International Technology Association of America criticized the proposal.

More information on Clipper 4.0 is available at: http://www.epic.org/crypto/key_escrow/


[2] International Crypto Symposium Held in Paris for OECD


On September 25, 1996, cryptographers, human rights advocates, legal scholars, and delegates to the Organization for Economic Cooperation and Development met in Paris to explore issues concerning cryptography policy. The symposium was scheduled to coincide with an OECD meeting to consider new guidelines on international cryptography policy. The conference on the "Public Voice in the Development of International Encryption Policy" was sponsored by EPIC and Planete Internet and held in the Centre de Conferences des Internationales.

Justice Michael Kirby, a member of the High Court of Australia and former chair of the OECD expert panels on security and privacy, opened the conference with remarks that placed the current effort to develop cryptography guidelines in the larger context of the OECD's work on privacy and information security and the ongoing need to recognize human rights concerns. Justice Kirby, drawing on his international human rights work in the area of HIV/AIDS, urged participants to keep in mind ten principles for the development of sound policies. Justice Kirby concluded his remarks with an appeal that "the claims of national security and law enforcement agencies be attained within a context of constitutionalism, the rule of law and respect for, and effective protection of human rights." Kirby reminded those present that "respect of human rights, and especially individual privacy" is "the ultimate common denominator of the OECD."

Welcoming remarks were provided by Mr. Norman Reaburn, the Chair of the OECD Expert Panel on Cryptography Policy, Mr. John Dryden, the head of the OECD Secretariat, and Mr. Marc Rotenberg, the director of the Electronic Privacy Information Center (EPIC) in Washington, DC. The panels were moderated by OECD delegates from Australia, Canada, Germany, and Japan.

The first panel, "Cryptography Policy: The View of Cryptographers," featured Dr. Ross Anderson of the University of Cambridge, Dr. Matt Blaze of AT&T Laboratories, Dr. Whitfield Diffie of Sun Microsystems, Mr. Yves Le Roux of Digital Research, and Dr. Herb Lin of the National Research Council.

The second panel, "Human Rights Issues in the Development of Cryptography Policy," featured Mr. Dave Banisar of EPIC, Mme. Louise Cadoux of the Commission Nationale de l'Informatique et des Libertés, Mr. Simon Davies of Privacy International, Mr. Barry Steinhardt with the American Civil Liberties Union, and Mr. Alain Weber of the French Human Rights League.

The third panel, "User Needs for Strong Cryptography," featured Dr. Brian Carpenter of the Internet Architecture Board, Dr. Stéphane Bortzmeyer of the Association des Utilisateurs d'Internet, and Mr. Phil Zimmermann of Pretty Good Privacy Inc.

The final panel, "Legal Dimensions and Cryptography Policy," featured Mr. Victor Mayer-Schoenberger of the Austrian Institute for Law and Policy, Mr. Kevin O'Connor, the Australian Privacy Commissioner, and Prof. Joel Reidenberg of the Fordham Law School and the Sorbonne.

The complete program for the EPIC/Planete Internet conference, the speech of Justice Kirby, remarks of speakers, and other resources are available at: http://www.epic.org/events/crypto_paris/


[3] OECD Crypto Experts Meet in Paris


Following the EPIC/Planete Internet conference, the OECD Member countries met in Paris for two days to discuss Cryptography Policy Guidelines that could provide internationally comparable criteria for encryption of computerised information. According to the OECD, the Guidelines identify the issues which countries should take into consideration in formulating cryptography policies at the national and international level.

An OECD press statement said that, "Discussions have focused on the rights of users to choose cryptographic methods, the freedom of the market to develop them, interoperability, consequences for the protection of personal data and privacy, lawful access to encrypted data, and reducing the barriers to international trade."

The OECD Guidelines will be non-binding recommendations to Member governments, meaning that they will not be part of international law, nor will they endorse any specific cryptography system. The Group of Experts on Cryptography Policy will continue discussions the week of December 16, with a view to completion this year of a draft of the Guidelines which would be forwarded for approval by the Council of the OECD early in 1997.

The complete text of the OECD press statement is available in English at: http://www.epic.org/events/crypto_paris/releaseE_OECD.html

The complete text of the OECD press statement is available in French at: http://www.epic.org/events/crypto_paris/releaseF_OECD.html


[4] Human Rights Groups Release Crypto Resolution


More than a dozen international human rights and cyber rights organizations recently endorsed a resolution in Support of the Freedom to Use Encryption. The resolution was released in Paris on September 25, just prior to the meeting of the OECD.

Noting that "national governments have already taken steps to detain and to harass users and developers of cryptography technology" and that "cryptography is already in use by human rights advocates who face persecution by their national governments," the organizations urged the OECD to "base its cryptography policies on the fundamental right of citizens to engage in private communication." The organizations further urged the OECD to "resist policies that would encourage the development of communication networks designed for surveillance."

The organizations that endorsed the resolution included ALCEI (Electronic Frontiers Italy), the American Civil Liberties Union, Association des Utilisateurs d'Internet, CITADEL-EF France, Computer Professionals for Social Responsibility, cyberPOLIS, Digital Citizens Foundation in the Netherlands, EFF-Austin, Electronic Frontier Australia, Electronic Frontier Canada, Electronic Frontier Foundation, Electronic Privacy Information Center, Human Rights Watch, NetAction, and Privacy International.

The campaign was organized by the Global Internet Liberty Coalition, a new coalition of national and international human rights and cyber rights organizations.

The complete text of the crypto resolution is available at: http://www.gilc.org/gilc/resolution.html


[5] E-FOIA Bill Approved by House and Senate


Congress has passed and sent to the President the Electronic Freedom of Information Act Amendments of 1996. The "E-FOIA" legislation requires federal agencies to make information available to requesters in electronic form "if the record is readily reproducible by the agency in that form or format." It also requires agencies to maintain indices of previously released documents that are "likely to become the subject of subsequent requests," and to make such indices available "by computer telecommunications" no later than December 31, 1999. The legislation also attempts to tackle the perennial problem of agency delays in responding to FOIA requests. These provisions include the establishment of "multitrack processing of requests ... based on the amount of work or time (or both) involved," and the expedited processing of requests upon a showing of "compelling need." It is likely that these new provisions, like earlier FOIA amendments designed to improve public access, will be applied narrowly by federal agencies and become the subject of litigation. The text of the E-FOIA legislation is available at: http://www.epic.org/open_gov/foia/efoia.html


[6] P-TRAK SSN System Criticism Continues


Opposition to the proliferation of commercial databases exploded into public view recently when the Lexis-Nexis P-TRAK "personal locator" system prompted a flood of angry e-mail and telephone calls to the information service company. The P-TRAK database originally allowed Lexis-Nexis subscribers to search under an individual's name and access telephone numbers, addresses, previous addresses, maiden names and Social Security numbers (SSNs).

After an initial flurry of complaints in June, the company claimed that it had eliminated SSNs from its database. After the recent flare-up, the firm provided a clarification: SSNs are no longer searchable using an individual's name, but a subscriber can start with an SSN (or any nine-digit number, for that matter), and obtain all of the personally-identifying information that goes along with that number.

Also, contrary to claims of the Lexis/Nexis company, the personal data was not publicly available, nor is it similar to "white pages" information. In fact, Lexis/Nexis obtained the P-TRAK personal locator information from TransUnion, a credit reporting agency. The two companies exploited a loophole in the Fair Credit Reporting Act which leaves credit "header" information unprotected even though the associated credit report could not be disclosed.

In the wake of the P-TRAK episode, the Federal Trade Commission recommended that Congress take steps to provide greater protection for sensitive information. The FTC says that it has received "numerous complaints ... concerning recently-introduced, widely-available commercial services that provide, for a fee, identifying information on individuals." Congress adjourned before it could act, but is likely to take up the issue next year.

Additional information on the misuse of Social Security numbers is available at: http://www.epic.org/privacy/ssn/


[7] Avrahami Files Appeal to State Supreme Court


Ram Avrahami, the Virginia resident who brought suit last year against U.S. News and World Report for selling his name without his consent, has appealed the decision of a lower court to the Virginia State Supreme Court. Mr. Avrahami argues that the lower court wrongly dismissed his claim. He argues that under Virginia law "the unauthorized sale, exchange, or rental of a person's name as part of a mailing list violates the Privacy Act's prohibition on using a person's name for the purposes of trade." He also contends, among other points, that "the Mail Preference Service established by the Direct Marketing Association is no substitute for the 'written consent' required by the Privacy Act." U.S. News & World Report will reply to Mr. Avrahami's motion and then the Virginia Supreme Court must decide whether to review the decision of the lower court. More information on Avrahami v. US News & World Report is available at: http://www.epic.org/privacy/junk_mail/


[8] Upcoming Conferences and Events


"Managing Privacy in Cyberspace and Across National Borders." October 8-10, 1996. Washington, DC. Sponsored by Privacy and American Business. Contact: Lorrie Sherwood, (201) 996-1154.

"The Information Society: New Risks & Opportunities in Privacy," October 17-18, 1996. Bruxelles, Belgium. Sponsored by the European Parliament. Contact: http://www.droit.fundp.ac.be/privacy96.html

"Communications Unleashed - What's at Stake? Who Benefits? How to Get Involved!" October 19-20, 1996. Washington DC. Sponsored by CPSR and Georgetown University. Contact: phyland@aol.com.

"19th National Information Systems Security Conference." October 22-25, 1996. Baltimore, MD. Sponsored by NSA & NIST. Contact: Tammy Grice (301) 948-2067.

National Consumer Rights Litigation Conference: Defending Consumer Access to Justice. October 26-28. Washington, DC. Sponsored by the National Consumer Law Center. Contact: NCSL: (617) 523-7398 (fax).

ETHICOMP96: The Third International Conference on Ethical Issues of Information Technology, November 6-8, 1996. Madrid, Spain. Contact: pbarroso@capilla.cph.es.

"CFP97: Commerce & Community." March 11-14, 1997. Burlingame, California. Sponsored by the Association for Computing Machinery. Contact: Cfp97@cfp.org or http://www.cfp.org.

"Eurosec'97, the Seventh Annual Forum on Information Systems Quality and Security." March 17-19, 1997. Paris, France. Sponsored by XP Conseil. Contact: http://ourworld.compuserve.com/homepages/eurosec/

"INET 97 -- The Internet: The Global Frontiers." June 24-27, 1997. Kuala Lumpur, Malaysia. Sponsored by the Internet Society. Contact: inet97@isoc.org or http://www.isoc.org/inet97.

(Send calendar submissions to Alert@epic.org)

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe, send email to epic-news@epic.org with the subject: "subscribe" (no quotes). Back issues are available via http://www.epic.org/alert/
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues relating to the National Information Infrastructure, such as the Clipper Chip, the Digital Telephony proposal, medical record privacy, and the sale of consumer data. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, email info@epic.org, HTTP://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax). If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003. Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and funding of the National Wiretap Plan. Thank you for your support.