==============================================================
@@@@ @@@@ @@@ @@@@ @ @ @@@@ @@@@ @@@@@
@ @ @ @ @ @ @ @ @ @ @ @
@@@@ @@@ @ @ @@@@@ @ @@@ @@@ @
@ @ @ @ @ @ @ @ @ @ @
@@@@ @ @@@ @@@@ @ @ @@@@ @@@@ @ @ @
==============================================================
Volume 4.12 September 4, 1997
--------------------------------------------------------------
Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.
http://www.epic.org/
=======================================================================
Table of Contents
=======================================================================
[1] SSA to Restore Online Web Service
[2] Freeh Makes It Official: FBI Wants Mandatory Key Escrow
[3] Crypto in the Courts: Update on Bernstein, Karn & Junger
[4] Media Group Says "No" to Internet Ratings
[5] U.S. Government Web Sites Fail to Protect Privacy
[6] Consumer Groups Question FTC Privacy Report
[7] Clinton Signs IRS Browsing Bill
[8] Upcoming Conferences and Events
=======================================================================
[1] SSA to Restore Online Web Service
=======================================================================
The Social Security Administration announced today it would put a
modified version of the Personal Earnings and Benefits Estimate
Statement (PEBES) service back on-line before the end of the year. The
service was suspended on April 9, following public concerns about the
risk of improper access to personal information held by the agency.
The Social Security Administration said that the new service would be
based on an "opt-in" privacy standard. Individuals could
affirmatively choose to request the on-line delivery of PEBES
information by first obtaining an authentication code that would only
be delivered to a registered email address. Records of individuals
who did not request the code would not be available at the web site.
The SSA also said that it would limit the amount of information made
available on-line. Payment records would not be accessible at the SSA
web site, although they will still be sent by the U.S. mail.
Privacy experts expressed support for the SSA recommendations, saying
that the agency has done a good job meeting with the public,
consulting with experts, and developing sensible standards to protect
personal information.
The SSA experience with Internet service delivery is being watched
closely by other federal agencies as well as private companies who
hope to take advantage of the Internet and avoid public concerns about
privacy.
The SSA PEBES Service is available at:
http://s3abaca.ssa.gov/pro/batch-pebes/bp-7004home.shtml
More information on the SSA and Online Privacy is available at:
http://www.epic.org/privacy/databases/ssa/
=======================================================================
[2] Freeh Makes It Official: FBI Wants Mandatory Key Escrow
=======================================================================
Publicly confirming long-standing internal Bureau policy for the first
time, FBI Director Louis Freeh told a Senate subcommittee on September
3 that legislation is needed to mandate the inclusion of key escrow
features in encryption programs intended for domestic use. Testifying
before the Judiciary Subcommittee on Terrorism, Technology and
Government Information, Freeh said:
What we would recommend from a law enforcement point
of view is that the legislation contain a provision
that would require the manufacturers of encryption
products and services, those which will be used in
the United States or imported into the United States
for use, include a feature which would allow for the
immediate, lawful decryption of the communications
or the electronic information once that information
is found by a judge to be in furtherance of a
criminal activity or a national security matter.
There are a number of ways that that could be
implemented, but what we believe we need as a
minimum is a feature implemented and designed by
the manufacturers of the products and services here
that will allow law enforcement to have an immediate
lawful decryption of the communications in transit
or the stored data. That could be done in a mandatory
manner. It could be done in an involuntary manner.
But the key is that we would have the ability, once
we have the court order in hand, to get that
information and get it real-time without waiting for
what it would take for a supercomputer to give us,
which is too long for life or safety reasons.
While Administration officials have long denied any intention to
mandate the use of key escrow within the United States, declassified
documents obtained by EPIC under the Freedom of Information Act in
August 1995 revealed the government's ultimate agenda. In a briefing
document titled "Encryption: The Threat, Applications and Potential
Solutions," and sent to the National Security Council in February
1993, the FBI, NSA and DOJ concluded that:
Technical solutions, such as they are, will only work
if they are incorporated into *all* encryption products.
To ensure that this occurs, legislation mandating the
use of Government-approved encryption products or
adherence to Government encryption criteria is
required.
Additional information on the declassified material obtained by EPIC,
including images of selected documents, is available at:
http://www.epic.org/crypto/ban/fbi_dox/
=======================================================================
[3] Crypto in the Courts: Update on Bernstein, Karn & Junger Cases
=======================================================================
On August 25, a federal judge in San Francisco declared the Commerce
Department's cryptography export regulations unconstitutional as an
infringement of free speech and issued an injunction against their
enforcement. The decision was the second ruling in favor of Daniel
Bernstein, an Illinois math professor and cryptographer who attempted
to publish his Snuffle encryption program on the Internet. Last
December, Judge Marilyn Patel similarly found the State Department's
encryption export restrictions unconstitutional, but the Clinton
Administration released new rules shortly after the decision, under
the auspices of the Commerce Department.
In response to an emergency motion filed by the government, Judge
Patel ruled on August 28 that most of the injunction would be put on
hold pending review by the Ninth Circuit Court of Appeals. Part of
the injunction will, however, remain in effect -- after September 8,
Bernstein will be free to publish his Snuffle 5.0 software on the
Internet without fear of prosecution.
Another legal challenge to export controls on cryptography is likely
to move forward in federal court in Washington, DC. In that case,
cryptographer Phil Karn is seeking approval to export a diskette
containing a verbatim copy of the source code printed in the book
"Applied Cryptography" (which is widely available and freely
exportable). After being litigated under the previous State
Department export regulations, Karn's case was remanded for
reconsideration under the new Commerce Department regulations.
Commerce issued its ruling on August 22, finding that certain programs
on the diskette were classified as controlled encryption items, and
subject to prior licensing before export. That ruling paves the way
for Karn to renew his challenge before the court. EPIC submitted a
friend of the court brief in support of Karn in previous proceedings
before the DC Circuit Court of Appeals.
In the third legal challenge, Professor Peter Junger has filed an
amended complaint in federal court in Cleveland. Junger wishes to
publish a number of encryption programs, written by himself and
others, on his Web site as part of the materials used in his course in
Computing and the Law at Case Western Reserve University. He seeks
not only relief for himself but also a preliminary and permanent
injunction enjoining the Commerce Department from "interpreting,
applying and enforcing the encryption software and technology
provisions" of regulations against "any person who desires to disclose
or 'export' ... encryption software and technology." The complaint
alleges that those encryption regulation violate the freedom of speech
and of the press that are protected, particularly from prior
restraints such as licensing requirements, by the First Amendment, as
has already been held by Judge Patel in the Bernstein case.
Additional information on the Bernstein case is available at:
http://www.eff.org/pub/Privacy/ITAR_export/Bernstein_case/
Additional information on the Karn case is available at:
http://people.qualcomm.com/karn/export/index.html
Additional information on the Junger case is available at:
http://samsara.law.cwru.edu/comp_law/jvd/
=======================================================================
[4] Media Group Says "No" to Internet Ratings
=======================================================================
Internet rating proposals suffered a serious setback on August 28,
when the Internet Content Coalition (ICC) decided not to pursue a
rating scheme for online news sites. The ICC, which includes
entertainment, technology, and news companies, had earlier expressed
its willingness to develop criteria for assigning an "N" rating to
Websites devoted to news coverage. Sites carrying such a rating would
be exempt from filtering and blocking systems designed to limit access
to "offensive" online material. The blocking approach was touted at a
White House meeting in July, convened to create a "family-friendly"
Internet in the wake of the Supreme Court decision striking down the
Communications Decency Act.
In recent weeks, criticism of filtering and blocking systems has
increased, with both the American Library Association and the American
Civil Liberties Union issuing position papers warning that such
approaches could infringe on free speech. Controversies have arisen
across the country as local libraries have considered proposals to
install blocking software on library computers connected to the
Internet.
The ICC's recent action calls into question the viability of such
systems, which can be configured to block access to unrated Websites.
If major news sources such as CNN, MSNBC and NEWS.COM elect not to
rate their content, both institutional and individual users will
likely be less inclined to install software filters and lose access to
such resources. As a result, the debate over news ratings will have a
significant impact on the deployment of filtering systems, and news
organizations appear to be strongly opposed to ratings. According to
the Netly News, Time Inc. New Media's Editor-in-Chief Dan Okrent said
after the ICC meeting that "Everyone in the room agreed to a general
statement that as news organizations we will not rate our content and
we oppose the efforts of others to rate our content."
Additional information on ratings, filtering and blocking is available
at:
http://www.epic.org/free_speech/censorware/
=======================================================================
[5] U.S. Government Web Sites Fail to Protect Privacy
=======================================================================
A new report by the public interest group OMB Watch reveals that many
U.S. government Web sites do not adhere to the requirements of the
Privacy Act of 1974 to protect personal privacy.
OMB Watch reviewed 70 federally-run sites linked from the White House
Web page. The group found that only 17 percent provide adequate
notices as required by the Privacy Act. According to the report, 31
of the surveyed sites collected personal information, but only 11 of
those sites contain notices on how the information will be used. No
sites allowed individuals to access their own records. According to
OMB Watch, three sites that used cookies to track visitors
discontinued their use after reviewing a draft of the report.
The OMB Watch report was based on a previous report conducted by EPIC
entitled "Surfer Beware," which surveyed the privacy policies of 100
top commercial web sites. The OMB Watch study examined the collection
of personal information, notices on collection, Privacy Act
statements, and the use of cookies.
The report is available at:
http://www.ombwatch.org/ombwatch.html
=======================================================================
[6] Consumer Groups Question FTC Privacy Report
=======================================================================
Several privacy and consumer organizations that participated in the
Federal Trade Commission's Consumer Privacy Workshop earlier this year
have questioned the accuracy of a preliminary report submitted by the
FTC to Senator John McCain, chairman of the Senate Commerce Committee.
The report from the FTC downplayed public concerns about privacy and
described the efforts of a few companies to develop privacy policies.
But the Consumer Federation of America, the Center for Media
Education, the Electronic Frontier Foundation, the Electronic Privacy
Information Center, and the Privacy Rights Clearinghouse said that the
FTC preliminary report "does not adequately reflect the substance of
the hearings or the views of consumer organizations that
participated."
The consumer and privacy groups specifically took issue with the FTC's
claim that the public favored self-regulatory approaches. According to
the organizations, survey research presented at the Workshop clearly
showed that "Internet users favor legislation today to protect
personal privacy."
The groups cited the survey conducted by Professor Alan Westin for
American Laws and Business which found that "58 percent of computer
users wanted government to pass laws now on how personal information
can be collected and used on the Net." Professor Westin also found
that "Only 24 percent say government should limit its role to
recommending standards." Other privacy polls have found similar
support for passage of privacy legislation.
The original letter from the Senate Commerce Committee asked the
Commission to "investigate the compilation, sale, and usage of
electronically transmitted data bases that include identifiable
personal information of private citizens without their knowledge."
Privacy experts believe that the FTC has yet to complete its work.
The FTC letter to Senator McCain:
http://www.ftc.gov/os/9707/privac9b.htm
Letter from Consumer and Privacy Groups to Senator McCain:
http://www.epic.org/privacy/databases/ftc_letter_0797.html
Original letter from the Senate Commerce Committee to the FTC:
http://www.epic.org/privacy/databases/ftc_databases.html
EPIC's page on the Federal Trade Commission:
http://www.epic.org/privacy/internet/ftc/
=======================================================================
[7] Clinton Signs IRS Browsing Bill
=======================================================================
President Clinton signed the Taxpayer Browsing Protection Act of 1997
(Public Law 105-35) into law on August 5. The new law criminalizes the
unauthorized "browsing" of taxpayer information by IRS employees.
Previously, only the disclosure of such records was prohibited. The
law unanimously passed the House in April and the Senate on July 23.
Under the new law, the potential penalties for IRS employees or
contractors, and other Federal and State employees having access to
Federal tax information, is a $1,000 fine and one year in jail.
Federal employees can also be dismissed without going through the
usual civil service removal procedures. The new law allows the filing
of civil suits for the unauthorized viewing of records. Individuals
also must be informed if it is found that their records have been
improperly accessed.
Demand for changes in the existing law erupted after the General
Accounting Office revealed that during fiscal years 1994 and 1995,
there were over 1,500 instances where IRS employees were accused of
unlawful browsing. A third of those cases were closed without action.
More information on the browsing law is available at:
http://www.epic.org/privacy/databases/irs/
=======================================================================
[8] Upcoming Conferences and Events
=======================================================================
TELECOM Interactive 97. September 8-14, 1997. Geneva, Switzerland.
Sponsored by the International Telecommunications Union. Contact:
telecom-interactive@itu.int or http://gold.itu.int/TELECOM/int97/
Cryptography and the Internet. September 15, 1997. Brussels, Belgium.
Sponsored by Privacy International. Contact: pi@privacy.org.
http://www.privacy.org/pi/conference/brussels/. Deadline 10 Sept 1997.
19th Annual International Privacy and Data Protection Conference.
September 17-18, 1997. Brussels, Belgium. Sponsored by Belgium Data
Protection and Privacy Commission. Email privacy@infoboard.be
International Conference on Privacy. September 23-26, 1997. Montreal,
Canada. Sponsored by Lavery, De Billy law firm.
http://www.confpriv.qc.ca/
Net Worth, Net Work: Technology and Values for the Digital Age.
October 4-5. University of Cal, Berkeley. Sponsored by CPSR. Contact:
http://www.cpsr.org/dox/home.html
20th National Information Systems Security Conference. October 7-10.
Baltimore, MD. Sponsored by NIST and NSA. Contact:
http://csrc.nist.gov/nissc/
EPIC International Privacy Conference. October 20,1997. Georgetown
University Law Center, Washington, DC. Sponsored by EPIC. Contact:
shauna@epic.org.
Managing the Privacy Revolution '97. October 21-23, 1997. Washington,
DC. Sponsored by Privacy and American Business. Contact:
http://shell.idt.net/~pab/conf97.html
RSA'98 -- The 1998 RSA Data Security Conference. January 12-16, 1998.
San Francisco, CA. Contact kurt@rsa.com or http://www.rsa.com/conf98/
(Send calendar submissions to alert@epic.org)
=======================================================================
The EPIC Alert is a free biweekly publication of the Electronic Privacy
Information Center. To subscribe, send email to epic-news@epic.org wih
the subject: "subscribe" (no quotes) or use the subscription form at:
http://www.epic.org/alert/subscribe.html
Back issues are available at:
http://www.epic.org/alert/
=======================================================================
The Electronic Privacy Information Center is a public interest
research center in Washington, DC. It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC is sponsored by the Fund for Constitutional Government, a
non-profit organization established in 1974 to protect civil liberties
and constitutional rights. EPIC publishes the EPIC Alert, pursues
Freedom of Information Act litigation, and conducts policy research.
For more information, e-mail info@epic.org, http://www.epic.org or
write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC
20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).
If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible. Checks should be made out to "The Fund for
Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave.,
SE, Suite 301, Washington DC 20003. Individuals with First Virtual
accounts can donate at http://www.epic.org/epic/support.html
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and funding of the National Wiretap Plan.
Thank you for your support.
---------------------- END EPIC Alert 4.12 -----------------------
