==============================================================
@@@@ @@@@ @@@ @@@@ @ @ @@@@ @@@@ @@@@@
@ @ @ @ @ @ @ @ @ @ @ @
@@@@ @@@ @ @ @@@@@ @ @@@ @@@ @
@ @ @ @ @ @ @ @ @ @ @
@@@@ @ @@@ @@@@ @ @ @@@@ @@@@ @ @ @
==============================================================
Volume 4.15 November 10, 1997
--------------------------------------------------------------
Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.
http://www.epic.org/
=======================================================================
Table of Contents
=======================================================================
[1] Amicus Brief Filed in Landmark Encryption Case
[2] Infowar Report Released
[3] EC Rejects Key Escrow Encryption
[4] Congress Critical of FBI Wiretap Proposals
[5] FCC Proposes Requiring V-chips for Computers
[6] Update on Open Government Cases
[7] Congressional Action and New Bills
[8] Upcoming Conferences and Events
=======================================================================
[1] Amicus Brief Filed in Landmark Encryption Case
=======================================================================
A diverse coalition of organizations, joined by three of the world's
best-known experts on communication security, has lent its support
to a constitutional challenge to U.S. encryption export controls. In
a friend-of-the-court brief filed today in the Ninth Circuit U.S.
Court of Appeals in San Francisco, the groups argued that the Export
Administration Regulations' encryption provisions constitute a prior
restraint on speech in violation of the First Amendment and pose a
significant threat to both electronic commerce and personal privacy.
The brief was coordinated by EPIC and endorsed by 15 organizations
including the American Civil Liberties Union, National Association
of Manufacturers, Association for Computing, Human Rights Watch and
the Internet Society. The submission was also signed by Dr.
Whitfield Diffie of Sun Microsystems, Dr. Peter Neumann of SRI
International and Dr. Ronald Rivest of the Massachusetts Institute
of Technology.
The judicial challenge to the export control regulations was
initiated by Daniel Bernstein, a computer science professor at the
University of Illinois, who unsuccessfully sought U.S. government
approval to publish source code and related information about his
"Snuffle" encryption technique. The prohibited "export" included
any posting on the Internet using a computer in the United States
and any disclosure to foreign nationals in the United States. In
August, the U.S. District Court for the Northern District of
California granted partial summary judgment for Professor Bernstein,
holding that the export regulations impose a prior restraint on
speech and enjoining the government from enforcing the EAR
encryption regulations. The government quickly appealed that
decision to the Ninth Circuit.
The EPIC-led coalition was represented on a pro bono basis by the
Washington law firm of Covington & Burling, which was primarily
responsible for the preparation of the brief. The complete text is
available at:
http://www.epic.org/crypto/export_controls/bernstein_brief.html
=======================================================================
[2] Infowar Report Released
=======================================================================
The report of the President's Commission on Critical Infrastructure
Protection released last week would establish sweeping new authority
for the National Security Council to limit public debate about threats
to the nation's infrastructure and to establish and manage a new
federal bureaucracy, including a proposed Office of National
Infrastructure Assurance.
The report recommends that the Freedom of Information Act be suspended
so that information collected by the proposed ONIA not be subject to
public scrutiny. The report also proposes expanding government
classification authority. It also recommends the preemption of state
privacy laws and limitations on the federal polygraph statute for the
purpose of permitting more extensive background investigations.
Most surprisingly, the Commission's report backs key escrow
encryption, even though technical experts and early proponents of the
plan have all pointed to vulnerabilities that would result from an
architecture that would permit third party access to encoded
communication.
At a hearing before the House Science Committee last week,
Representative Connie Morella (R-MD) asked Commission chair General
Robert Marsh (ret.) about the cryptography issue. He responded curtly
that strong cryptography was vital for the nation's infrastructure and
then said that the he backed key recovery encryption. Other witnesses
at the hearing said that the proposal would make critical
infrastructures more vulnerable to attack.
The report is available at:
http://www.pccip.org/
=======================================================================
[3] EC Rejects Key Escrow Encryption
=======================================================================
The European Commission released a report in October recommending
against restrictions on cryptography and criticizing key escrow/
recovery encryption proposals. The paper, entitled "Towards an
European Framework for Digital Signatures and Encryption," examines
the policy issues surrounding digital signatures and the use of
encryption for confidentiality.
The EC report recognizes the importance of encryption, describing it
as "the essential tool for security and trust in electronic
communications." It notes that "it can be expected that encryption
will remain the cornerstone for most confidentiality services on open
networks for the foreseeable future."
The report recommends against restricting the use of encryption:
"restricting the use of encryption could well prevent law-abiding
companies and citizens from protecting themselves against criminal
attacks. It would not however prevent totally criminals from using
these technologies."
The EC paper also examined the problems of key escrow/key recovery
systems, including the additional risks of having the systems
implemented, the costs involved and finally that possibility that the
systems can be "easily circumvented." The report notes that, "In any
case, restrictions imposed by national licensing schemes, particularly
those of a mandatory nature, could lead to Internal Market obstacles
and reduce the competitiveness of the European Industry." The report
also notes that "Privacy considerations suggest not to limit the use
of cryptography as a means to ensure data security and
confidentiality."
On digital signatures, the report separates out the role of
certificate authorities (CAs) from Trusted Third Parties such as those
proposed by the UK Government at the urging of the United States. It
recommends that "CAs must therefore be forbidden to store private
keys." It also suggests that digital signatures without identities
attached can be used to conduct anonymous transactions.
The report is available from:
http://www.epic.org/crypto/
=======================================================================
[4] Congress Critical of FBI Wiretap Proposals
=======================================================================
The FBI has come under renewed criticism from Congress and industry
representatives on the implementation of the Communications Assistance
for Law Enforcement Act (CALEA). At a October 23 hearing, the Crime
Subcommittee of House Judiciary Committee heard from witnesses from
major telecommunications industry associations and the Bureau on
progress in implementing the law, which was enacted on the last day of
the Congressional session in 1994. The law requires that all new
telecommunications technologies have built in surveillance
capabilities. The law is scheduled to go into effect next year, but
industry and the FBI have been feuding over the development of the new
standards required by the law.
Many of the members of the Committee were critical of both the Act and
the FBI. Rep. Bob Barr (R-GA), who chaired part of the hearing,
bluntly stated that the legislation would not have passed in the
Republican 104th or 105th Congresses.
A major area of contention was the FBI's demand that the industry add
numerous features that were not required by the 1994 law. These
include an enhanced ability to track geographical locations of cell
phones, the ability to monitor conference calls when the targeted
party has left, and the ability to separate out content from signaling
data of packet-based communications. Thomas Wheeler, President of the
Cellular Telephone Industry Association (CTIA) described the FBI's
demands as asking the for "the Apollo Program" for surveillance.
The FBI's efforts to lobby against the industry designed standards
during a vote on the specifications also came under fire. The Bureau
organized a campaign to vote down the industry-developed standards,
which was described in the hearing as "ballot stuffing." Twenty-eight
police agencies filed the same 74-page ballot comments, including a
sheriff in Florida who included the FBI's letter requesting that he
file the comments. CTIA's Wheeler described the FBI's actions as
"rolling a hand grenade under the table."
Another controversial issue was the FBI's effort, during its
negotiations with the Telecommunications Industry Association (TIA)
over the wiretap standard, to petition the American National Standards
Institute (ANSI) to revoke the standards-settings authority of TIA
after 50 years. The FBI apparently withdrew the request after several
months.
Finally, questions still remain over the FBI's demands for the law's
"capacity" requirements. The Bureau's current requirement still calls
for each switch in a geographic region to have the ability to monitor
hundreds of lines simultaneously. This would result in the FBI having
the capacity to conduct tens of thousands of interceptions
simultaneously nationwide.
More information on CALEA is available from:
http://www.epic.org/privacy/wiretap/
=======================================================================
[5] FCC Proposes Requiring V-chips to be Included in Computers
=======================================================================
On September 25, the Federal Communications Commission released a
proposed rulemaking on V-chip technology recommending that the devices
also be installed in every computer capable of receiving video
signals. The V-chip is required by the Telecommunications Act of 1996
to be installed in every new television set.
The proposed rule applies "to any computer that is sold with TV
receiver capability and a monitor that has a viewable picture size of
13 inches or larger." It applies "regardless of whether it is
designed to receive video programming that is distributed only through
cable television systems, MDS, DBS, or by some other distribution
system."
For future technologies such as Digital TV, the FCC proposal
recognizes that many will be built into computers:
[W]e propose that all DTV receiver boards themselves (regardless
of whether they are sold with a computer and monitor with a
viewable picture size of 13 inches or larger) be required to
include program blocking capability.
Congress has been critical of the proposal. Rep. Edward Markey (D-MA)
told the Washington Times that the V-chip was not intended for
computers and Rep. Billy Tauzin (R-LA) remarked, "Next, they'll try
and put V-chips in Gameboys." Comments on the proposal are due on
November 24. Interested persons can email their comments to
vchip@fcc.gov.
=======================================================================
[6] Update on Open Government Cases
=======================================================================
A federal judge in Washington ruled on October 22 that the National
Archives acted illegally when it issued a regulation authorizing all
government agencies to delete their electronic mail and other
computerized records regardless of content. Judge Paul L. Friedman
declared the controversial regulation "null and void" and
characterized the government's position as "irrational on its face."
Government attorneys had argued that most federal agencies are not yet
equipped to preserve records in electronic formats. While
acknowledging that this was "an important concern," the court noted
that "computers have now become a significant part of the way the
federal government conducts its business" and agencies must now adapt
to that reality.
In another significant case, the Supreme Court has refused to review a
lower court ruling subjecting committees formed by the National
Academy of Sciences (NAS) to public scrutiny under the Federal
Advisory Committee Act (FACA). The NAS conducts research for
government agencies on a contract basis by establishing committees of
volunteer experts that, with the assistance of NAS staff members,
prepare reports. A notable example was the NAS-sponsored report on
encryption policy released last year.
One of the primary goals of FACA is to open to public view the process
by which government agencies obtain advice from private individuals.
FACA's openness and conflict of interest requirements seek to ensure
that Executive branch advisory committees develop neutral, expert
recommendations. Many public interest groups, including EPIC, make
frequent use of the statute.
In the wake of the Court's action, legislation has already been
proposed to amend FACA to exempt NAS committees from the law's
openness and conflict of interest provisions.
More information on FACA and FARA is available from
http://www.epic.org/open_government/
=======================================================================
[7] Congressional Action and New Bills
=======================================================================
APPROVED
H.R.2369. Wireless Privacy Enhancement Act of 1997. The bill bans
modifying scanners to intercept cellular phone calls and increases
penalties for intentional interception. The House Subcommittee on
Telecommunications, Trade, and Consumer Protection of the House
Committee on Commerce approved a revised version of the bill on
October 29.
INTRODUCED
HR 2563. Taxpayer Confidentiality Act of 1997. Introduced by Dunn
(R-WA) on September 26. Amends IRS code to restrict the authority to
examine books and witnesses for purposes of tax administration.
Referred to the Committee on Ways and Means.
HR 2581. Social Security Privacy Act of 1997. Introduced by Campbell
(R-CA). Limits use of Social Security number. Requires disclosure of
uses of SSN by businesses. Referred to the Committee on Ways and
Means.
S. 1223. Employee Information Protection Act of 1997. Introduced by
Burns (R-MT) on September 26. Amends 1996 welfare bill to require
that data collected for "new hires" database be deleted after six
months. Referred to the Committee on Finance.
S. 1356. To amend the Communications Act of 1934 to prohibit Internet
service providers from providing accounts to sexually violent
predators. Introduced by Faircloth (R-NC). Sets civil fines of
$5,000 per day for providing an account to a "sexually violent
predator." Referred to the Committee on Commerce, Science, and
Transportation.
S. 1368. Medical Information Privacy and Security Act. Introduced by
Leahy (D-VT) and Kennedy (D-MA) on November 4. General medical
privacy bill.
=======================================================================
[8] Upcoming Conferences and Events
=======================================================================
Education in Computer Security Workshop, January 19-21, 1998. Pacific
Grove, California. Sponsored by Naval Postgraduate School Center for
INFOSEC. Contact:
http://www.cs.nps.navy.mil/research/cisr/events/wecs98_announce.html
RSA'98 -- The 1998 RSA Data Security Conference. January 12-16,
1998. San Francisco, CA. Contact kurt@rsa.com or
http://www.rsa.com/conf98/
Financial Cryptography '98. February 23-26, 1998. Anguilla, BWI.
http://www.cwi.nl/conferences/FC98
7th USENIX Security Symposium. January 26-29, 1998. San Antonio, Tx
Sponsored by USENIX & CERT. http://www.usenix.org/sec/sec98.html
The Eighth Conference on Computers, Freedom & Privacy. February,
18-20, 1998. Austin, TX. Contact: mlemley@mail.law.utexas.edu.
ACM Policy98. May 10-12, 1998. Washington, DC. Sponsored by ACM and
USACM.
(Send calendar submissions to alert@epic.org)
=======================================================================
The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center. To subscribe or unsubscribe, send email to
epic-news@epic.org with the subject: "subscribe" (no quotes) or
"unsubscribe" or use the Web form at:
http://www.epic.org/alert/subscribe.html
Back issues are available at:
http://www.epic.org/alert/
=======================================================================
The Electronic Privacy Information Center is a public interest
research center in Washington, DC. It was established in 1994 to
focus public attention on emerging privacy issues such as the
Clipper Chip, the Digital Telephony proposal, national ID cards,
medical record privacy, and the collection and sale of personal
information. EPIC is sponsored by the Fund for Constitutional
Government, a non-profit organization established in 1974 to protect
civil liberties and constitutional rights. EPIC publishes the EPIC
Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, e-mail info@epic.org,
http://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite
301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482
(fax).
If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible. Checks should be made out to "The Fund for
Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave.,
SE, Suite 301, Washington DC 20003. Individuals with First Virtual
accounts can donate at http://www.epic.org/epic/support.html
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and funding of the National Wiretap Plan.
Thank you for your support.
---------------------- END EPIC Alert 4.15 -----------------------
