==============================================================
                          EPIC Alert
==============================================================
Volume 5.04                                     March 30, 1998
--------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/

=======================================================================
Table of Contents
=======================================================================

[1] Congress Holds Internet Privacy Hearing
[2] U.S. Official Concedes Flaws in Key Recovery Crypto
[3] Wiretapping Law Hits Impasse, FBI Calls for New Powers
[4] Senate Committee Approves Net Censorship Bills
[5] Starr's Bookstore Subpoena Incites Controversy
[6] New Report Finds Credit Errors Common
[7] Congressional Actions, New Bills and Upcoming Hearings
[8] Upcoming Conferences and Events

=======================================================================
[1] Congress Holds Internet Privacy Hearing
=======================================================================

A Subcommittee of the House Judiciary Committee held a hearing on March 26 to examine issues relating to communications privacy and the Internet.

Commerce Undersecretary David Aaron testified about recent efforts within the Administration to develop privacy safeguards for the Internet. The Administration has come under fire from both its trading partners in Europe and from American consumers for failing to propose new privacy standards. Aaron told the subcommittee that the U.S. is looking at a combination of ways to protect privacy, including laws, codes, technical means, and self-regulation. He avoided discussion of the encryption issue, until he was asked a series of questions by Rep.
Bob Goodlatte (R-VA), sponsor of legislation that would revise current export controls on encryption.

EPIC Executive Director Marc Rotenberg told the subcommittee that current U.S. privacy policy is backward -- "We place restrictions on the development of new technologies to protect privacy, where free market solutions would be preferable. And we leave privacy problems to the market, where government involvement is required."

Rep. Goodlatte engaged in a lengthy exchange with Rotenberg about the problems with current controls on encryption. Rotenberg challenged an earlier statement of former Ambassador Aaron that encryption is not very important for the Internet. "Today millions of Internet users rely on encryption to protect the privacy of their electronic transactions. Ambassador Aaron is simply wrong," said Rotenberg.

Also testifying were Federal Trade Commission official David Medine, Indiana Law School professor Fred Cate and Center for Democracy and Technology staff counsel Deirdre Mulligan. Medine discussed current FTC efforts to evaluate privacy policies on the Internet. Cate said that legislation was not necessary at this time. Mulligan said that the United States needs a privacy agency.

Chairman Howard Coble (R-NC) suggested at the end of the hearing that it was unlikely the subcommittee would produce legislation before the end of the session. But he indicated that some Congressional action would be necessary and that future hearings would be held. Reps. Barney Frank (D-MA) and William Delahunt (D-MA) also expressed interest in further hearings.

Information on Internet privacy, including testimony from the hearing, is available at:

     http://www.epic.org/privacy/internet/

=======================================================================
[2] U.S. Official Concedes Flaws in Key Recovery Crypto
=======================================================================

A high-level government document obtained by EPIC shows that a top U.S.
official acknowledged more than a year ago that the Internet privacy technique championed by the Clinton Administration is "more costly and less efficient" than alternative methods that the government seeks to suppress.

In a November 1996 memorandum to other government officials, William A. Reinsch, the Commerce Department's Under Secretary for Export Administration, discussed the Administration's efforts to promote "escrowed" or "recoverable" encryption techniques in overseas markets. Such techniques enable government agents to unscramble encrypted information and they form the cornerstone of current U.S. encryption policy.

After noting that government regulations permit the export of non-escrowed encryption products only to "safe end-users" such as foreign police and security agencies, Reinsch recognized the inferiority of the Administration's favored technology:

     Police forces are reluctant to use "escrowed" encryption
     products (such as radios in patrol cars). They are more
     costly and less efficient than non-escrowed products. There
     can be long gaps in reception due to the escrow features --
     sometimes as long as a ten second pause. Our own police do
     not use recoverable encryption products; they buy the same
     non-escrowable products used by their counterparts in Europe
     and Japan.

Ironically, Reinsch's concession is contained in a memorandum that discusses the Administration's strategy to "help the market transition from non-recoverable products to recoverable products." EPIC and other critics of current U.S. encryption policy have long maintained that "key escrow" and "key recovery" approaches compromise the security of private information by providing "backdoor" access to encrypted data.

The Reinsch memo was released in response to a Freedom of Information Act request EPIC submitted to the Department of State concerning the international activities of former U.S. "crypto czar" David Aaron.
That request is the subject of a pending federal lawsuit EPIC initiated last year.

The Reinsch memorandum is available at:

     http://www.epic.org/crypto/key_escrow/reinsch_memo.html

=======================================================================
[3] Wiretapping Law Hits Impasse, FBI Calls for New Powers
=======================================================================

The Federal Bureau of Investigation on March 27 asked the Federal Communications Commission (FCC) to step in and force telecommunications carriers and equipment manufacturers to adopt FBI-proposed standards for implementing the Communications Assistance for Law Enforcement Act of 1994 (CALEA).

The FBI request follows several weeks of closed meetings with industry officials which failed to produce an agreement after four years of controversy. The industry has been resisting Bureau demands to include additional surveillance capabilities in new technical standards developed under CALEA.

On March 12, the FBI issued its "final" rules on capacity requirements for CALEA. In its public notice, the Bureau is demanding that it have the ability to monitor over 50,000 phone lines simultaneously. In many areas of the country, the FBI is seeking increases in capacity of nearly 300 percent.

Under CALEA, the capacity notice was due in October 1995. Two previous notices were widely criticized for increasing the number of lines that would be subject to surveillance (See EPIC Alert 4.02). The final draft retains the controversial increases and rejects industry criticisms of the methodology used to arrive at the final requirements.

More information on wiretapping and CALEA is available at:

     http://www.epic.org/privacy/wiretap/

=======================================================================
[4] Senate Committee Approves Net Censorship Bills
=======================================================================

The Senate Commerce Committee approved two Internet censorship bills on March 12.
The "Internet School Filtering Act" (S. 1619), sponsored by Sen. John McCain (R-AZ), would require schools and libraries receiving federal "e-rate" Internet subsidies to certify that they are using filtering software designed to prevent minors from accessing "inappropriate" material. The Committee deferred action on an amendment by Sen. Conrad Burns (R-MT) that would require schools and libraries to implement an "acceptable use policy" for Internet access but not necessarily mandate filters.

The McCain filtering bill has been criticized by EPIC and other members of the Internet Free Expression Alliance (IFEA). The American Library Association and the National Education Association also oppose the legislation. In a statement submitted to the Commerce Committee, NEA noted that "various studies have shown that blocking software and filtering software have serious technical limitations and provide a false sense of security." The teachers' organization cited EPIC's "Faulty Filters" report as demonstrating the flaws in the filtering approach.

The Commerce Committee also approved S. 1482, sponsored by Sen. Dan Coats (R-IN). The Coats bill -- which has been dubbed "CDA II" -- would criminalize the "commercial" distribution on websites of material that is "harmful to minors."

Full Senate consideration of the two bills has not yet been scheduled. More information on Internet censorship legislation is available at the IFEA website:

     http://www.ifea.net

=======================================================================
[5] Starr's Bookstore Subpoena Incites Controversy
=======================================================================

Independent Counsel Kenneth Starr last week issued a subpoena for the records of book purchases made by former White House intern Monica Lewinsky from a Washington bookstore.
Although the store's policy is not to reveal information about individual customers' purchases, it apparently will produce records of a few of Lewinsky's transactions that were specifically identified by the Office of Independent Counsel.

The New York Times quoted the bookstore's attorney as saying that the records of "fewer than six" check or credit card transactions dating from November 1995 will be provided. The original subpoena called for the production of "all documents and things referring or relating to any purchase by Monica Lewinsky," according to the attorney.

The American Booksellers Foundation for Free Expression condemned Starr's action, saying the "subpoena of the records of an individual's book purchases has serious First Amendment consequences." According to Christopher Finan, president of the Foundation, "If the government can find out what books we are buying, we will no longer feel free to buy the books we want. That would be the death of free speech."

A similar controversy over the rental records of video store customers surfaced during the confirmation hearing for Supreme Court nominee Robert Bork. In the wake of the Bork video disclosures, Congress enacted the Video Privacy Act of 1988, which protects the confidentiality of video rental records.

=======================================================================
[6] New Report Finds Credit Errors Common
=======================================================================

The U.S. Public Interest Research Group (PIRG) has released a report finding that nearly a third of credit reports contain serious errors. The report, "Mistakes Do Happen: Credit Report Errors Mean Consumers Lose," was released on March 12.

Major Findings of the Report:

     Twenty-nine percent (29%) of the credit reports contained serious errors -- false delinquencies or accounts that did not belong to the consumer -- that could result in the denial of credit;

     Forty-one percent (41%) of the credit reports contained personal demographic identifying information that was misspelled, long-outdated, belonged to a stranger, or was otherwise incorrect;

     Twenty percent (20%) of the credit reports were missing major credit, loan, mortgage, or other consumer accounts that demonstrate the creditworthiness of the consumer;

     Twenty-six percent (26%) of the credit reports contained credit accounts that had been closed by the consumer but incorrectly remained listed as open;

     Altogether, 70% of the credit reports contained either serious errors or other mistakes of some kind.

The report also found that it was difficult for consumers to obtain their reports. Fourteen percent of consumers were forced to call at least four times after receiving busy signals or had to write a letter in order to receive their report; twelve percent of the consumers waited two weeks or longer to receive their report once they finished requesting it. Overall, fifteen percent of consumers who attempted to participate in the survey either made at least three phone calls and never got through or requested their reports but never received them.

The report is available at:

     http://www.pirg.org/consumer/credit/mistakes/index.htm

=======================================================================
[7] New Congressional Bills and Upcoming Hearings
=======================================================================

--- UPCOMING HEARINGS ---

* House of Representatives *

March 31, 1998. Subcommittee on Basic Research and Subcommittee on Technology (Joint Hearing) (Oversight). Domain Names Systems: Where Do We Go From Here? 2318 Rayburn HOB. 2:00 P.M.

April 1, 1998. Committee on Banking.
General Oversight Subcommittee, Hearing on the Operations of the Department of the Treasury's Financial Crimes Enforcement Network ("FinCEN"). 2128 Rayburn. 1:00 PM

* Senate *

April 1, 1998. Banking, Housing, and Urban Affairs. Financial Services and Technology Subcommittee. Hearings to examine how identity theft contributes to electronic crime. SD-538. 10:00 a.m.

--- NEW BILLS ---

H.R. 3321. CALEA Implementation Amendments of 1998. Extends deadline of Communications Assistance for Law Enforcement Act for telephone companies to make wiretapping easier until 2000. Introduced by Barr (R-GA) on March 4, 1998. Referred to the Committee on the Judiciary.

H.R. 3442. E-Rate Policy and Child Protection Act of 1998. Requires schools and libraries that receive universal service support for discounted telecommunications services to establish policies governing access to material that is inappropriate for children. Introduced by Markey (D-MA) on March 11, 1998. Referred to the Committee on Commerce.

H.R. 3472. Digital Signature and Electronic Authentication Law (SEAL) of 1998. Allows financial institutions to use digital signatures. Introduced by Cook (R-UT) on March 17. Referred to the Committee on Banking and Financial Services.

H.R. 3494. Child Protection and Sexual Predator Punishment Act of 1998. Introduced by McCollum (R-FL). Criminalizes sending sexual material to a minor. Minimum prison term for using computer is 3 years. Allows use of subpoenas to obtain evidence instead of warrants.

H.R. 3551. Identity Piracy Act of 1998. Creates new federal penalty for identity theft. Introduced by DeLauro (D-CT) on March 25, 1998. Referred to the Committee on the Judiciary, and in addition to the Committee on Transportation and Infrastructure.

H.R. 3555. Driver Record Information Verification System Act. Requires Secretary of Transportation to conduct study of creation of National Drivers database. Examines use of SSN as identification number.
Introduced by Moran (D-VA) on March 25, 1998. Referred to the Committee on Transportation and Infrastructure.

---

S. 1721. To provide for the Attorney General of the United States to develop guidelines for Federal prosecutors to protect familial privacy and communications between parents and their children. Introduced by Leahy (D-VT) on March 6. Referred to the Committee on the Judiciary.

S. 1737. Taxpayer Confidentiality Act of 1998. Creates accountant-client privilege. Introduced by Mack (R-FL) on March 10, 1998. Referred to the Committee on Finance.

S. 1865. Safeguard of New Employee Information Act of 1998. Creates penalties for abuse of information in New Hires Database. Requires data be deleted after 24 months. Introduced by Baucus (D-MT) on March 26. Referred to the Committee on Finance.

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

The Internet Invasion? A Debate about the Pervasiveness of Internet Speech. Washington, DC. April 2, 1998. Sponsored by the Cato Institute. Contact: http://www.cato.org/events/calendar.html

1998 IEEE Symposium on Security. IEEE Computer Society, Oakland, CA, May 3-6. Sponsored by IEEE and IACR. Contact: http://www.research.att.com/~reiter/oakland98.html

ACM Policy98. May 10-12, 1998. Washington, DC. Sponsored by ACM and USACM. http://www.acm.org/usacm/events/policy98/

1998 EPIC Cryptography and Privacy Conference. June 8, 1998. Washington, DC. Sponsored by EPIC, Harvard University and London School of Economics. Contact: http://www.epic.org/events/crypto98/

INET'98, July 21-24, 1998, Geneva, Switzerland. Sponsored by Internet Society. Contact: http://www.isoc.org/inet98/

Advances in Social Informatics and Information Systems, Baltimore, MD, Aug. 14-16, 1998.
Sponsored by the Association for Information Systems. Contact: http://info.cwru.edu/rlamb/ais98cfp.htm

CPSR Annual Conference - Internet Governance. Boston, Mass, Oct. 10-11. Sponsored by CPSR. Contact: cpsr@cpsr.org

1999 RSA Data Security Conference. San Jose, California, January 18-21, 1999. Sponsored by RSA. Contact: http://www.rsa.com/conf99/

(Send calendar submissions to alert@epic.org)

=======================================================================
Subscription Information
=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe or unsubscribe, send email to epic-news@epic.org with the subject: "subscribe" (no quotes) or "unsubscribe". A Web-based form is available at:

     http://www.epic.org/alert/subscribe.html

Back issues are available at:

     http://www.epic.org/alert/

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible.
Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003. Individuals with First Virtual accounts can donate at http://www.epic.org/epic/support.html

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and funding of the National Wiretap Plan.

Thank you for your support.

---------------------- END EPIC Alert 5.04 -----------------------