    ==============================================================
   
        @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
        @     @  @   @   @        @ @   @     @     @  @    @
        @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
        @     @      @   @       @   @  @     @     @  @    @
        @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
   
    ==============================================================
    Volume 7.18                                   October 12, 2000
    --------------------------------------------------------------
   
                             Published by the
               Electronic Privacy Information Center (EPIC)
                             Washington, D.C.
   
              http://www.epic.org/alert/EPIC_Alert_7.18.html
   
=======================================================================
Table of Contents
=======================================================================
   
[1] EPIC Obtains First Set of FBI Carnivore Documents
[2] Congressional Office Seeks Access to Census and IRS Data
[3] Capitol Hill Hearings Focus on Internet Consumer Privacy
[4] New At-Large Members Elected to ICANN Board
[5] NIST Selects New Advanced Encryption Standard
[6] Supreme Court to Hear Thermal Imaging Case
[7] EPIC Bookstore - Think UNIX
[8] Upcoming Conferences and Events
   
=======================================================================
[1] EPIC Obtains First Set of FBI Carnivore Documents
=======================================================================
   
The Federal Bureau of Investigation released the first set of
documents concerning its Carnivore Internet surveillance system on
October 2.  The documents were released as a result of EPIC's Freedom
of Information Act lawsuit against the FBI and Department of Justice
(see EPIC Alert 7.15).  Of the 729 pages of material processed, nearly
200 were withheld in full and another 400 were released with
deletions.  The documents reveal the surveillance system's origins,
contain discussions of interception of voice over IP, and describe
various testing procedures.
   
The newly-released documents confirm that Carnivore grew out of an
earlier FBI project called "Omnivore" and reveal for the first time
that Omnivore itself replaced an older surveillance tool.  The name of
that earlier project has been blacked out of the documents, and
remains classified.  In September 1998, the FBI's Data Intercept
Technology Unit in Quantico, Virginia launched a project to migrate
Omnivore from Sun's Solaris operating system to a Windows NT platform.
"This will facilitate the miniaturization of the system and support a
wide range of personal computer (PC) equipment," according to the
project's Statement of Need.  The project was called "Phiple Troenix"
and the resulting system was named "Carnivore."
   
Phiple Troenix's estimated price tag of $800,000 included training for
personnel at the Bureau's National Infrastructure Protection Center
(NIPC).  The Omnivore project was formally closed down in June 1999,
at a final cost of $900,000.
   
Carnivore version 1.2 was released in September 1999; as of May
2000, it was in version 1.3.4.  At that time it was subjected to an
exhaustive series of carefully prescribed tests under variable
conditions.  The results, according to an internal memo, were
positive.  "Carnivore is remarkably tolerant of network aberration,
such as speed change, data corruption and targeted smurf type
attacks."
   
An "Enhanced Carnivore" project began in November 1999 and is
scheduled to conclude in January of next year, at a total cost of
$650,000.  Some of the documents indicate that the Bureau plans to add
more features to versions 2.0 and 3.0 of Carnivore, but the details
have been mostly redacted.
   
The next installment of Carnivore documents is scheduled to be
released to EPIC in mid-November.
   
EPIC has posted scanned images of selected documents at:
   
      http://www.epic.org/privacy/carnivore/foia_documents.html
   
=======================================================================
[2] Congressional Office Seeks Access to Census and IRS Data
=======================================================================
   
In a secretive assault on Americans' privacy, the Congressional Budget
Office (CBO) is seeking access to confidential Census Bureau records,
as well as confidential financial data collected by the Internal
Revenue Service.  Congressional supporters of the CBO's data grab are
attempting to insert into any of several pending appropriations bills
language that would authorize the unprecedented disclosure of Census
and IRS information.
   
The CBO proposal seeks the data, which is currently kept strictly
confidential under federal law, in order to make long-term projections
about the viability of the Social Security and Medicare programs.  The
initiative is being opposed and publicized by Rep. Carolyn Maloney
(D-NY), who has accused the CBO of trying to sneak its proposal
through the complex appropriations process currently ongoing as
Congress rushes toward adjournment.
   
In a letter sent to leaders of the House Appropriations Committee on
October 11, Rep. Maloney said that "changing the law that protects the
confidentiality of census data in the middle of the 2000 Census,
behind closed doors and with no public debate, sends the wrong signal
to the American public."  She cited widespread privacy concerns that
were expressed earlier this year after the Census Bureau's long-form
questionnaire sought answers to a number of intrusive personal
questions (see EPIC Alert 7.06).
   
The attempted disclosure is also opposed by Commerce Secretary Norman
Mineta, who told Congressional leaders that the proposal would weaken
"the most important legal structure protecting the privacy and
confidentiality of all Americans, with regard to the private
information they provide the Census Bureau."  Saying that he is
"adamantly opposed" to the proposal, Mineta noted that CBO's
initiative "would threaten public confidence in the confidentiality
of all information collected by the Census Bureau and other data
collecting agencies."
   
According to a coalition of consumer and privacy groups, another
last-minute amendment could detrimentally affect personal privacy.
Sen. Judd Gregg (R-NH) has attached his Social Security number
proposal, S. 2554, to the Commerce-Justice-State Appropriations Bill.
The amendment would not effectively increase protections over Social
Security numbers, but would pre-empt the ability of states to provide
stronger protections on their own.
   
A letter from consumer and privacy groups opposing the amendment to
the Commerce-Justice-State appropriations bill is available at:
   
      http://www.pirg.org/consumer/greggssn.htm
   
=======================================================================
[3] Capitol Hill Hearings Focus on Internet Consumer Privacy
=======================================================================
   
On October 2, EPIC testified before the Senate Commerce Committee on
a trio of Internet privacy bills introduced by Committee members:
S. 809, the "Online Privacy Protection Act"; S. 2606, the "Consumer
Privacy Protection Act"; and S. 2928, the "Consumer Internet Privacy
Enhancement Act."  In testimony before the full Committee, EPIC argued
that there is widespread public support for privacy legislation, a
substantive privacy law will require more than the posting of privacy
policies, and protections should provide multiple enforcement
mechanisms.  In its conclusion, EPIC argued that among the three
bills, S. 2606 provides the most robust legal framework for privacy
protection.
   
More recently, on October 11, EPIC testified before the House Commerce
Subcommittee on Telecommunications, Trade, and Consumer Protection.  The
hearing on "Recent Developments in Privacy Protections for Consumers"
touched on the privacy practices of both government and commercial
websites.  In its testimony, EPIC pointed to both online profiling and
the recent trend of companies claiming customer data as assets in
bankruptcy proceedings as evidence of the need for baseline privacy
standards.  The testimony went on to argue that strong laws would give
consumers long-needed privacy rights in the online world and would
provide necessary support for developing privacy enhancing
technologies.
   
In a related development, a recent survey conducted by Harris
Interactive and commissioned by the National Consumers League found
that more Americans are "very concerned" about loss of personal
privacy than they are about health care, crime, or taxes.  Seventy-one
percent of respondents also believed that it is absolutely essential
that companies ask permission before using personal information, and
34 percent incorrectly believed that it is illegal for companies to
share or sell personal data.
   
EPIC's testimony before the Senate Commerce Committee on October 2:
   
      http://www.epic.org/privacy/internet/testimony_1000.html
   
EPIC's testimony before the House Commerce Committee on October 11:
   
      http://www.epic.org/privacy/internet/shen_testimony_1000.html
   
Results of the National Consumers League survey:
   
      http://nclnet.org/essentials/
   
=======================================================================
[4] New At-Large Members Elected to ICANN Board
=======================================================================
   
Five new members have been elected to the Internet Corporation for
Assigned Names and Numbers (ICANN) Board of Directors.  The five new
members are the first publicly elected members of the Board and will
take their posts following ICANN's November meeting in Los Angeles.
   
Nii Quaynor, an employee of Network Computer Systems and administrator
for the .gh domain (Ghana), was the winner in the Africa region.
Masanobu Katoh, an employee of Fujitsu living in the United States,
placed first in the Asia/Australia/Pacific region.  In the European
region Andy Mueller-Maguhn of the Chaos Computer Club was selected.
Ivan Moura Campos, the chief executive of Akwan Information
Technologies, is the representative for the Latin America and
Caribbean region.  Cisco engineer and outspoken ICANN critic Karl
Auerbach placed first in the North America region.  The views of all
five members on civil society issues can be found at the website of
the Internet Democracy Project.
   
Earlier this month, the Internet Democracy Project co-sponsored two
events on the ICANN elections.  The "ICANN Candidates Forum" was held
on October 2 at the Harvard Law School in cooperation with the Berkman
Center for Internet and Society.  Another event -- "ICANN and Internet
Privatization: Technical Coordination or Cyberspace Governance?" --
was held on October 4 in cooperation with the Technology & Culture
Forum at MIT. Cybercasts of both events are available online.
   
ICANN will meet next in Los Angeles on November 13-17, 2000.
Participants are expected to discuss the introduction of new top-level
domains.  The following ICANN meeting will be held in Melbourne,
Australia on March 10-13, 2001.
   
Results of the 2000 At-Large Membership Vote:
   
      http://www.election.com/us/icann/icannresult.html
   
Homepage of the Internet Democracy Project:
   
      http://www.internetdemocracyproject.org/
   
Information on the upcoming ICANN Meeting in Marina del Rey, November
13-17, 2000:
   
      http://www.icann.org/mdr2000/
   
=======================================================================
[5] NIST Selects New Advanced Encryption Standard
=======================================================================
   
On October 2, the National Institute of Standards and Technology
(NIST) selected a new algorithm to be used as the government's
official encryption standard for the 21st century.  Rijndael, named
after its Belgian creators Joan Daemen and Vincent Rijmen, will
replace the Data Encryption Standard (DES), which has been the federal
government's Federal Information Processing Standard (FIPS) since
1977.
   
The search for a new Advanced Encryption Standard (AES) was announced
by NIST in 1997.  By March 1999, the pool of candidates was narrowed
to five finalists: MARS, RC6, Rijndael, Serpent, and Twofish.
Rijndael was chosen for its combination of "security, performance,
efficiency, ease of implementation and flexibility."
   
Rijndael will now be the official scrambling standard for all U.S.
federal government agencies.  As it will be available for use
royalty-free worldwide, it is also likely to be widely adopted for use
by private sector companies both nationally and internationally.
   
The weakness of the Data Encryption Standard, which relied on 56-bit
encryption keys, was demonstrated in a series of DES Cracker Projects
sponsored by RSA Laboratories in 1997, 1998 and 1999.  Relying on
specialized "DES Cracker" machines, code breakers were eventually able
to recover DES keys in a matter of hours.  The AES will use three key
sizes: 128, 192 and 256 bits.  It is estimated that it would take
longer than the life of the universe to crack the AES (!!).
   
For complete AES-related information visit the AES home page at:
   
      http://www.nist.gov/aes
   
For more information on RSA's DES Challenges visit:
   
      http://www.rsasecurity.com/rsalabs/challenges/
   
=======================================================================
[6] Supreme Court to Hear Thermal Imaging Case
=======================================================================
   
On September 26, the U.S. Supreme Court agreed to hear a case that
presents the question whether the use of a device that detects heat
emanating from a home constitutes a search under the Fourth Amendment.
   
The petitioner, Danny Lee Kyllo, was arrested in 1992 by Oregon
officials for growing marijuana in his home.  To obtain the evidence
for the arrest, the police used (without a warrant) a thermal imaging
device that detects heat emanations inside a home.  After discovering
Kyllo's home was warmer than neighboring buildings, police then
obtained a warrant and searched Kyllo's home and found evidence of
criminal conduct.  Kyllo pleaded guilty to charges of growing
marijuana but challenged the constitutionality of the use of the
thermal imaging device absent a warrant.
   
The case is on appeal from the U.S. Court of Appeals for the Ninth
Circuit, which held in a 2-1 decision that the use of thermal imaging
technology did not constitute a search.  Writing for the majority,
Judge Hawkins said the use of the device was not a search since its
use did not reveal any intimate details.  Further, use of the device
did not violate any reasonable expectation of privacy since Kyllo made
no attempt to conceal heat emissions, thus "demonstrating a lack of
concern with the heat emitted and a lack of a subjective privacy
expectation in the heat."  In his dissent, Judge Noonan responded that
   
	It is strange to focus on the homeowner's non-existent
	expectation as to emissions.  The homeowner's expectation is
	directed to the privacy of the interior of his home.  It is
	that expectation which the Fourth Amendment is intended to
	protect.
   
While several federal Courts of Appeals have agreed with the Ninth
Circuit's decision that use of thermal imaging devices does not
constitute a search, other District and State Supreme Courts have held
that a warrant requirement should apply.
   
More information about Kyllo v. U.S. (No. 99-8508) is available at:
   
       http://www.supremecourtus.gov/
   
=======================================================================
[7] EPIC Bookstore - Think UNIX
=======================================================================
   
Think UNIX by Jon Lasser
   
http://www.powells.com/cgi-bin/biblio?inkey=2-078972376x-0
   
Unix has a reputation for being cryptic and difficult to learn, but it
doesn't need to be that way.  Think Unix takes an analogous approach
to that of a grammar book.  Rather than teaching individual words or
phrases like most books, Think Unix teaches the set of logical
structures to be learned.  Myriad examples help you learn individual
commands, and practice problems at the end of difficult sections help
you learn the practical side of Unix.  Strong attention is paid to
learning how to read "man pages," the standard documentation on all
Unix systems, including Linux.  While most books simply tell you that
man pages exist and spend some time teaching how to use the man
command, none spend any significant amount of space teaching how to
use the content of the man pages.  Even if you are lost at the Unix
command prompt, you can learn subsystems that are specific to the Unix
flavor.  Teaches how to use Unix effectively for everyday tasks by
teaching the design model.
   
A succinct introduction to Unix for advanced computer users that
teaches the basics but also provides a framework for additional
learning.
   
                   ================================
   
EPIC Publications:
   
   
"Privacy & Human Rights 2000: An International Survey of Privacy Laws
and Developments," David Banisar, author (EPIC 2000).
Price: $20. http://www.epic.org/phr/
   
This survey, by EPIC and Privacy International, reviews the state of
privacy in over fifty countries around the world.  The survey examines
a wide range of privacy issues including data protection, telephone
tapping, genetic databases, ID systems and freedom of information
laws.
   
                   ================================
   
"The Privacy Law Sourcebook 2000: United States Law, International
Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2000).
Price: $40. http://www.epic.org/pls/
   
The "Physicians Desk Reference of the privacy world." An invaluable
resource for students, attorneys, researchers and journalists who need
an up-to-date collection of U.S. and International privacy law, as
well as a comprehensive listing of privacy resources.
   
                   ================================
   
"Cryptography and Liberty 2000: An International Survey of Encryption
Policy," Wayne Madsen and David Banisar, editors (EPIC 2000).
Price: $20. http://www.epic.org/crypto&/
   
EPIC's third survey of encryption policies around the world. The
results indicate that the efforts to reduce export controls on strong
encryption products have largely succeeded, although several
governments are gaining new powers to combat the perceived threats of
encryption to law enforcement.
   
                   ================================
   
"Filters and Freedom - Free Speech Perspectives on Internet Content
Controls," David Sobel, editor (EPIC 1999). Price: $20.
http://www.epic.org/filters&freedom/
   
A collection of essays, studies, and critiques of Internet content
filtering.  These papers are instrumental in explaining why filtering
threatens free expression.
   
                   ================================
   
Additional titles on privacy, open government, free expression,
computer security, and crypto, as well as films and DVDs can be
ordered through the EPIC Bookstore: http://www.epic.org/bookstore/
   
=======================================================================
[8] Upcoming Conferences and Events
=======================================================================
   
Drawing the Blinds: Reconstructing Privacy in the Information Age.
CPSR's Annual Conference and Wiener Award Dinner. October 14, 2000.
Philadelphia, PA. For more information: http://www.cpsr.org
   
Gore/Bush Forum on Privacy. Institute for Communitarian Policy Studies,
George Washington University. Rep. Markey will be presenting the views
of Vice President Gore and Senior Advisor Stephen Goldsmith the
approach of Governor Bush. October 16, 2000. Washington, DC. For more
information: comnet@gwu.edu
   
Identity Theft Victim Assistance Workshop. Federal Trade Commission.
October 23-24, 2000. Washington, DC. For more information:
http://www.ftc.gov/bcp/workshops/idtheft/index.html
   
Identity Theft Prevention Workshop. Social Security Administration.
October 25, 2000. Washington, DC. For more information:
http://www.ssa.gov/oig/IDTheft.htm
   
Privacy2000: Information and Security in the Digital Age. October 31-
November 1, 2000. Columbus, Ohio. For more information:
http://www.privacy2000.org
   
Mealey's Internet Law 101 Conference. November 1-2, 2000. Tysons
Corner, VA. For more information: seminars@mealeys.com
   
2000 BNA Public Policy Forum: e-commerce and internet regulation.
November 15-16, 2000. Tysons Corner, VA. For more information:
http://internetconference.pf.com
   
16th Annual Computer Security Applications Conference (ACSAC).
December 11-15, 2000. New Orleans, Louisiana. For more information:
http://www.acsac.org
   
Network and Distributed System Security Symposium (NDSS '01). Internet
Society. February 7-9, 2001. San Diego, CA. For more information:
http://www.isoc.org/ndss01/
   
Online, Offshore and Cross-Border: Regulating Global E-Commerce.
Washington College of Law, American University. March 30, 2001.
Washington, DC. For more information: http://www.wcl.american.edu
   
=======================================================================
Subscription Information
=======================================================================
   
The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center. A Web-based form is available for
subscribing or unsubscribing at:
   
      http://www.epic.org/alert/subscribe.html
   
To subscribe or unsubscribe using email, send email to
epic-news@epic.org with the subject: "subscribe" (no quotes) or
"unsubscribe".
   
Back issues are available at:
   
      http://www.epic.org/alert/
   
=======================================================================
Privacy Policy
=======================================================================
   
The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities.  We do not sell, rent or share our
mailing list.  We also intend to challenge any subpoena or other legal
process seeking access to our mailing list.  We do not enhance (link
to other databases) our mailing list or require your actual name.
   
In the event you wish to subscribe or unsubscribe your email address
from this list, please follow the above instructions under
"subscription information".  Please contact info@epic.org if you have
any other questions.
   
=======================================================================
About EPIC
=======================================================================
   
The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC is sponsored by the Fund for Constitutional Government, a
non-profit organization established in 1974 to protect civil liberties
and constitutional rights.  EPIC publishes the EPIC Alert, pursues
Freedom of Information Act litigation, and conducts policy research.
For more information, e-mail info@epic.org, http://www.epic.org or
write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC
20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
   
If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "The Fund for
Constitutional Government" and sent to EPIC, 1718 Connecticut
Ave., NW, Suite 200, Washington, DC 20009.
   
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and expanding wiretapping powers.
   
Thank you for your support.
   
   ---------------------- END EPIC Alert 7.18 -----------------------
   
   