==============================================================
@@@@ @@@@ @@@ @@@@ @ @ @@@@ @@@@ @@@@@
@ @ @ @ @ @ @ @ @ @ @ @
@@@@ @@@ @ @ @@@@@ @ @@@ @@@ @
@ @ @ @ @ @ @ @ @ @ @
@@@@ @ @@@ @@@@ @ @ @@@@ @@@@ @ @ @
==============================================================
Volume 4.09 June 18, 1997
--------------------------------------------------------------
Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.
http://www.epic.org/
=======================================================================
Table of Contents
=======================================================================
[1] EPIC Files Suit For Crypto Czar Records
[2] McCain/Kerrey Introduce Crypto Restrictions Bill
[3] Computer Security Act Revisions Proposed in House
[4] First Amendment Pledge Campaign Launched On Eve of CDA Decision
[5] Georgia Tech Releases New Online Privacy Survey
[6] Torricelli Introduces New Spam Bill
[7] GILC to Meet at INET in Malaysia
[8] Upcoming Conferences and Events
=======================================================================
[1] EPIC Files Suit For Crypto Czar Records
=======================================================================
EPIC today filed a lawsuit seeking public disclosure of the travel
records of Ambassador David Aaron, who has spent the past year
promoting the Clinton Administration's controversial encryption
policies in foreign countries. Through the suit, filed in U.S.
District Court in Washington, EPIC is seeking to open U.S. encryption
policy to public scrutiny by requesting release of the trip reports of
the Administration's "crypto czar."
The significance of the Administration's overseas lobbying on the
controversial encryption issue is underscored by the upcoming "Group of
Seven" (or G-7) summit that convenes on June 20 in Denver. At the
request of the Administration, encryption policy is on the G-7 agenda.
The summit meeting is the most recent example of the Administration's
strategy to pre-empt the ongoing domestic debate on encryption by
enlisting support for "key-escrow" encryption from foreign governments.
Ambassador Aaron sought an endorsement of the Administration's policy
during the Organization for Economic Cooperation and Development's
deliberations on encryption policy earlier this year. But the
29-member international organization rejected the key escrow proposal
and recommended instead that national policies be based on open
markets, voluntary choice, and privacy safeguards.
In a letter sent to key members of Congress on the eve of the G-7
Summit, EPIC urged a Congressional inquiry into the Administration's
campaign to sell "key-escrow" policy overseas. EPIC said that, "With
several encryption bills now pending and an important national debate
ensuing, the Administration is seeking to accomplish through
international understandings what it cannot accomplish through the
domestic policy-making process." According to EPIC Director Marc
Rotenberg, "The White House should stop trying to export a bad crypto
policy and instead allow the export of good crypto products."
=======================================================================
[2] McCain/Kerrey Introduce Crypto Restrictions Bill
=======================================================================
Senators John McCain (R-AZ) and Bob Kerrey (D-NE) have introduced a
bill that is designed to promote key escrow for domestic use in the
United States. The Secure Public Networks Act, S. 909, contains a
number of coercive measures that would force widespread domestic
adoption of key escrow encryption techniques.
The bill promotes key escrow technology by requiring that all federal
funds spent directly or indirectly for communications networks and
security products that incorporate encryption must support key escrow.
This would include schools, states receiving federal grants, the new
Internet II and other projects. This would also likely include
telephone companies that are required under the Communication
Assistance for Law Enforcement Act (CALEA) to ensure that their
networks are secure and will receive $500 million dollars of federal
funds to retrofit their systems.
The bill would also require that entities wishing to become registered
as certificate authorities must hold an individual's private encryption
key before they can issue the person a certificate. Certificate
authorities who issue certificates without obtaining such private keys
would be subject to criminal and civil penalties.
Access to keys would be broadly permitted and warrants would not be
required in all cases. "Authorized" government officials could obtain
access to keys using only a subpoena or a certification from the
Attorney General that foreign intelligence is involved. Furthermore,
the definition of Key Recovery Agent "includes any person who hold the
person's own recovery information." In other words, under the bill,
individuals could be compelled to release their own keys.
Another provision would make it a criminal offense to use cryptography
in the furtherance of any crime that has a one year jail sentence.
This would in effect criminalize many minor state crimes including the
use of a digital cell phone to place a bet with a bookmaker.
To gain the support of industry, the bill offers to relax crypto
exports up to 56 bit DES. However, it would provide broad discretion
to the Secretary of Commerce to prohibit any export without judicial
review of the decision.
Sen. McCain (as Chairman of the Commerce Committee) has ordered that
the bill be rapidly heard. A mark-up on the bill is scheduled for
Thursday, June 19. It is also being supported by Sens. Jay Rockefeller
(D-WV), Ernest Hollings (D-SC), and John Kerry (D-MA).
More information is available at:
http://www.epic.org/crypto/legislation/
=======================================================================
[3] Computer Security Act Revisions Proposed in House
=======================================================================
Rep. James Sensenbrenner (R-WI) introduced HR 1903, the "Computer
Security Enhancement Act on June 17. The bill is designed to enhance
the security of unclassified information on federal computer systems,
to promote private sector input in the development of computer security
technology used to protect these federal computer systems, and to
provide for evaluations of cryptographic technology originating outside
the United States.
The bill would reinforce of the role of the National Institute of
Standards and Technology (NIST) and its Computer System Security and
Privacy Advisory Board in the development of computer security systems,
and includes an explicit proviso that NIST develop encryption standards
and policies only for use in Federal Government computer systems.
The bill would authorize the Secretary of Commerce to commission the
National Research Council to study public key infrastructures for use
by individuals, businesses and government. HR 1903 also establishes a
fellowship program to support students at institutions of higher
learning in computer security.
A hearing is scheduled on the bill for June 19. More information on
the bill and the Computer Security Act is available at:
http://www.epic.org/crypto/csa/
=======================================================================
[4] Georgia Tech Releases New Net Survey
=======================================================================
The Graphic, Visualization and Usability Center (GVU) of the Georgia
Institute of Technology has released its 7th WWW user survey. The
issues listed as the most important by respondents were censorship
(34%), privacy (26%), and navigation (13%). Among women, privacy was
the top concern.
Anonymity continued to play an important role. Nearly 40% of the
respondents reported that they had provided false information when
registering at a web site. Fifteen percent said that they falsified
information over 25% of the time. When questioned on why they provide
false information, 69% reported that the uses of the information were
not clearly explained, 64% reported that accessing the site was not
worth providing information, and 62% stated that they do not trust the
sites. Only one of five users thought that devices such as cookies,
which allow identification of users across sessions at a site, should
be used.
On ranking users' views towards these issues on a one to five scale,
the survey found that there was strong support (4.7) for private
communications on the net and anonymity (4.46). There was also
significant support for anonymous payment systems (3.93) and new
privacy laws (3.79).
The survey results are available at:
http://www.gvu.gatech.edu/user_surveys/survey-1997-04/
=======================================================================
[5] First Amendment Pledge Campaign Launched On Eve of CDA Decision
=======================================================================
As the nation awaits a Supreme Court decision on the future of free
speech on the Internet, EPIC and the American Civil Liberties Union
have launched "firstamendment.org," a website dedicated to upholding
the First Amendment in cyberspace. The groups are calling on President
Clinton and members of Congress to be among the first to "Take the
First Amendment Pledge" and cease any further attempts to draft
legislation to censor the Internet in the event the Supreme Court
upholds a lower court decision striking down government regulation of
the Internet as unconstitutional.
The launch of the website comes as Clinton Administration officials
have begun publicly discussing a shift in policy on Internet
regulation, saying that "industry self-regulation" -- not laws
criminalizing certain Internet communications -- is the solution to
shielding minors from online "indecency." The Supreme Court is
expected to issue a ruling soon in Reno v. ACLU, which challenges the
censorship provisions of the Communications Decency Act aimed at
protecting minors by criminalizing so-called "indecency" on the
Internet. EPIC, along with the ACLU and 18 other plaintiffs, filed a
challenge to the law the day it was enacted.
Online users can capture the "First Amendment Pledge" GIF (graphic
image file) for placement on their own website. Other features planned
for the site include an "action alert" that informs users of
legislative threats to the First Amendment and allows them to instantly
e-mail or fax their member of Congress, and an online "postcard" that
can be e-mailed to friends, relatives and elected officials, urging
them to "Take the Pledge."
Take the pledge at:
http://www.firstamendment.org
=======================================================================
[6] Torricelli Introduces New Spam Bill
=======================================================================
On June 11, Sen. Robert Torricelli (D-NJ) introduced the Electronic
Mailbox Protection Act of 1997. The bill, like the efforts of Sen.
Frank Murkowski (R-AK) and Rep. Chris Smith (R-NJ), addresses the issue
of unsolicited commercial e-mail (or spam). However, Torricelli's bill
takes a different perspective on solutions to the problem.
The most noticeable difference between Torricelli's bill and the others
is that it regulates all unsolicited e-mail, not just unsolicited
commercial e-mail. This means that, according to the bill's definition
of unsolicited e-mail, anyone sending e-mail to another with whom they
do not have a pre-existing personal or business relationship would be
covered by the bill. For example, a student e-mailing a question to a
professor with whom the student has no pre-existing relationship could
conceivably fall within the provisions of the bill.
Torricelli also takes a fundamentally different approach to regulating
unsolicited e-mail. While the Murkowski and Smith bills attempt to
limit spam through labeling or banning the spam itself, the Torricelli
bill attacks the harvesting and distribution of e-mail addresses as
well as some attempts by spammers to circumvent blocking systems and
avoid responses.
Other provisions attempt to stop spammers from circumventing responses
or filters. One provision creates a violation for using fictitious or
unregistered domains or e-mail accounts to avoid responses or messages
of non-delivery. Another provision creates a violation for using any
mechanism to avoid filtering tools.
The bill creates a violation for directing unsolicited e-mail through
another entity's server knowing that such action is in contravention of
that entity's policy. The penalty would be $5,000 per violation.
More information on spam is available at:
http://www.epic.org/privacy/junk_mail/spam/
=======================================================================
[7] GILC to Meet at INET in Malaysia
=======================================================================
The Global Internet Liberty Campaign (GILC) will hold an informational
meeting at the INET 97 conference in Kuala Lumpur, Malaysia on June 25.
Topics to be addressed include protection of free speech on the
Internet; access to Internet services in SE Asia; crypto policy around
the globe; and development of privacy standards. Special guests
addressing the meeting will include Ira Magaziner, U.S. Presidential
Advisor, and Don Heath, President of the Internet Society.
Additional information on activities at INET is available at:
http://www.epic.org/events/inet_malaysia/
=======================================================================
[7] Upcoming Conferences and Events
=======================================================================
Cyberpayments 97. June 19-20, 1997. Washington, DC. Sponsored by NACHA.
Contact: http://www.nacha.org
INET 97 -- The Internet: The Global Frontiers. June 24-27, 1997. Kuala
Lumpur, Malaysia. Sponsored by the Internet Society. Contact:
inet97@isoc.org or http://www.isoc.org/inet97
Informational Meeting of the Global Internet Liberty Campaign (GILC).
June 25, 1997. INET 97, Putra World Trade Center, Kuala Lumpur,
Malaysia. Contact: rotenberg@epic.org.
Privacy Laws & Business 10th Anniversary Conference. July 1-3, 1997.
St. John's College, Cambridge, England. Contact:
info@privacylaws.co.uk.
4th Annual Privacy Issues Forum., July 10-11, 1997. Auckland, New
Zealand. Sponsored by NZ Privacy Commissioner. Contact: Terry Debenham,
Fax +649-302 2305 or email privacy@iprolink.co.nz.
Hacking In Progress. August 8-10, 1997, Almere, Netherlands. Sponsored
by Hac-Tic. Contact: http://www.hip97.nl/
AST3: Cryptography and Internet Privacy. Sept. 15, 1997. Brussels,
Belgium. Sponsored by Privacy International. Contact: pi@privacy.org.
http://www.privacy.org/pi/conference/brussels/
19th Annual International Privacy and Data Protection Conference. Sept.
17-18, 1997. Brussels, Belgium. Sponsored by Belgium Data Protection
and Privacy Commission.
International Conference on Privacy. September 23-26, 1997. Montreal,
Canada. Sponsored by the Commission d'Acces a l'information du Quebec.
http://www.confpriv.qc.ca/
Managing the Privacy Revolution '97. October 21-23, 1997. Washington,
DC. Sponsored by Privacy and American Business. Contact:
http://shell.idt.net/~pab/conf97.html
RSA'98 -- The 1998 RSA Data Security Conference. January 12-16, 1998.
San Francisco, CA. Contact kurt@rsa.com or http://www.rsa.com/conf98/
(Send calendar submissions to alert@epic.org)
=======================================================================
The EPIC Alert is a free biweekly publication of the Electronic Privacy
Information Center. To subscribe, send email to epic-news@epic.org
wih the subject: "subscribe" (no quotes) or use the subscription form
at:
http://www.epic.org/alert/subscribe.html
Back issues are available at:
http://www.epic.org/alert/
=======================================================================
The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC is sponsored
by the Fund for Constitutional Government, a non-profit organization
established in 1974 to protect civil liberties and constitutional
rights. EPIC publishes the EPIC Alert, pursues Freedom of Information
Act litigation, and conducts policy research. For more information,
e-mail info@epic.org, http://www.epic.org or write EPIC, 666
Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240
(tel), +1 202 547 5482 (fax).
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "The Fund for Constitutional Government" and sent
to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003.
Individuals with First Virtual accounts can donate at
http://www.epic.org/epic/support.html
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption
and funding of the National Wiretap Plan.
Thank you for your support.
---------------------- END EPIC Alert 4.09 -----------------------
