=============================================================

                         EPIC Alert

============================================================
Volume 1.02                                    June 16, 1994
------------------------------------------------------------

                     Published by the
        Electronic Privacy Information Center (EPIC)
                      Washington, DC
                     (Alert@epic.org)

-----------------------------------------------------------------------
Table of Contents
-----------------------------------------------------------------------

[1] NIST Adopts Digital Signature Standard
[2] National Performance Review Issues Info Tech Report
[3] Federal Telephone Transactional Surveillance Increases
[4] IRS Issues Privacy Principles
[5] Government Printing Office Goes Online
[6] New Files at the Internet Library
[7] Upcoming Conferences and Events

-----------------------------------------------------------------------
[1] NIST Adopts Digital Signature Standard
-----------------------------------------------------------------------

On May 19, the National Institute of Standards and Technology
approved its cryptographic standard to provide digital signatures for
electronic documents. Digital signatures are used to authenticate
users and to ensure that messages are not altered. These assurances
are important for applications such as electronic commerce and virus
protection.

The DSS has been mired in controversy since its announcement in 1991.
NIST originally planned to develop an algorithm that also provided
privacy and confidentiality protection to replace the current
government Data Encryption Standard (DES). Documents obtained by CPSR
reveal that the National Security Agency pressured NIST into adopting
the DSS instead. In 1993, NIST proposed the NSA-developed Clipper Chip
to replace DES.

The DSS has also been controversial because RSA Data Security claims
that it infringes several of its patents.
NIST contends that it found no patent infringements.

-----------------------------------------------------------------------
[2] National Performance Review Releases Info Tech Report
-----------------------------------------------------------------------

Vice President Al Gore's National Performance Review this week
released the long-awaited report "Reengineering Through Information
Technology." The report finds that the federal government lacks
leadership and a coherent plan to address information technology
issues. It concludes that "government is falling dangerously behind
the private sector in using technology to deliver services."

The privacy and security sectio of a privacy organization within the
executive branch. The organization would advise the president, assist
federal agencies, coordinate US privacy initiatives with international
organizations, and advise state and local governments on privacy
issues.

The Information Infrastructure Task Force (IITF) is directed to
provide recommendations on the creation of the organization, including
its size, authority and budget. The IITF will either propose a draft
executive order or legislation for its creation. Office of Management
and Budget official Bruce McConnell is in charge of the effort.

The IITF is also directed to create an interagency task force to
develop uniform privacy principles for information systems by July
1994, coordinated by the OMB. The task force must issue a report in
less than a year.

The report calls for NIST, in consultation with the OMB and the
assistance of the NSA, to "create opportunities for industry to
develop the encryption capabilities required for protection of
networked distributed systems." A high priority is set for "finalizing
and promulgating digital encryption standards."

A copy of the full report is available from cpsr.org. See below for
details.

-----------------------------------------------------------------------
[3] Transactional Surveillance Increased in 1993
-----------------------------------------------------------------------

Federal law enforcement use of telephone transactional records
increased in 1993 for the sixth straight year. Last year, the FBI, the
Drug Enforcement Administration, the Immigration and Naturalization
Service and the Marshals Service increased their use of pen registers
and trap and trace devices sharply over 1992.

Pen registers capture the telephone numbers of every phone call made
from a particular line. In 1993, 3,423 orders for pen registers
affecting the lines of 8,130 people were issued, a nine percent
increase over 1992's total. Since 1987, when the use of pen registers
became regulated under the Electronic Communications Privacy Act,
their use has increased 201 percent. While the number of telephone
numbers captured is not available, in 1987 the DEA reported that for
716 installed pen registers, over 53,000 numbers were recorded.

The use of trap and trace devices also increased sharply in 1993 (up
221 percent over 1992), to a total of 2,153 orders affecting 3,777
persons. Since 1987, the use of trap and trace devices has increased
over 2,300 percent. Trap and trace devices capture the originating
telephone numbers of incoming calls to a particular phone line. In
1987, the DEA reported that 91 trap and trace devices captured 2,886
numbers.

-----------------------------------------------------------------------
[4] IRS Issues Privacy Guidelines
-----------------------------------------------------------------------

The Internal Revenue Service has issued Privacy Guidelines to assist
its employees in maintaining the confidentiality of taxpayer
information. The guidelines provide no additional legal authority but
are intended to remind employees of their already existing legal
obligations.
In 1993, the General Accounting Office reported that 368 IRS employees
had been caught browsing through files, inspecting the records of
relatives and celebrities.

The guidelines set out 10 principles that each employee should follow:

1. Protecting taxpayer privacy and safeguarding confidential taxpayer
   information is a public trust.

2. No information will be collected or used with respect to taxpayers
   that is not necessary and relevant for tax administration and other
   legally mandated or authorized purposes.

3. Information will be collected, to the greatest extent practicable,
   directly from the taxpayer to whom it relates.

4. Information about taxpayers collected from third parties will be
   verified to the extent practicable with the taxpayers themselves
   before action is taken against them.

5. Personally identifiable taxpayer information will be used only for
   the purpose for which it was collected, unless other uses are
   specifically authorized or mandated by law.

6. Personally identifiable taxpayer information will be disposed of at
   the end of the retention period required by law or regulation.

7. Taxpayer information will be kept confidential and will not be
   discussed with, nor disclosed to, any person within or outside the
   IRS other than as authorized by law in the performance of official
   duties.

8. Browsing, or any unauthorized access of taxpayer information by any
   IRS employee, constitutes a serious breach of the confidentiality
   of that information and will not be tolerated.

9. Requirements governing the accuracy, reliability, completeness, and
   timeliness of taxpayer information will be such as to ensure fair
   treatment of all taxpayers.

10. The privacy rights of taxpayers will be respected at all times and
    every taxpayer will be treated honestly, fairly, and respectfully.

Henry Philcox of the IRS told the EPIC Alert that the IRS has produced
instructional videotapes which display scenarios where the privacy
guidelines would be in effect.
The IRS has also appointed Rob Veeder, formerly with the Office of
Management and Budget, as director of its privacy project. Veeder will
be on board at the IRS within a few weeks.

-----------------------------------------------------------------------
[5] Federal Register, Congressional Record Online
-----------------------------------------------------------------------

The Government Printing Office has made the Federal Register, the
Congressional Record and copies of bills signed by the President
available on the Internet through its online service.

The Federal Register contains notices filed by every federal agency of
proposed rules, decisions and other operations. The Congressional
Record contains floor statements, copies of some pending legislation
and other materials from both the Senate and the House of
Representatives.

This project is the culmination of a three year effort, led by
Taxpayers Assets Project and the American Library Association, to
increase access to federal government information. Their campaign
resulted in the enactment of the GPO WINDO bill in 1993, which
mandated that the Government Printing Office offer online access to
the Federal Register and the Congressional Record and encouraged more
government agencies to make information available electronically.

However, the high costs for the services have led many to question
whether this project will improve access to government information.
For a single user, access to the Federal Register and the
Congressional Record will cost $375 per year for each publication.
Monthly access at $35 is also available. No provisions are available
for occasional searches. Taxpayers Assets Project has filed a formal
appeal with the GPO, asking it to reconsider its pricing scheme.

For more information on access, telnet to wais.access.gpo.gov, login:
newuser, press for password or call 202-512-1661, login: wais,
password: , login: newuser, password: .

-----------------------------------------------------------------------
[6] Files Available for retrieval
-----------------------------------------------------------------------

New files on Clipper.

/privacy/crypto/privacy
nist_reponse_to_blaze_paper.txt
nist_response_senate_questions_6_94.txt
nsa_response_senate_questions_6_94.txt

Vice President Gore's National Performance Review Report on
Information Technology.

/privacy/communications/
national_performance_review_info_tech_report.txt

Files on the current crisis in the Italian bulletin board community

cpsr/computer_crime

italy_crackdown_may94
    News reports on the police crackdown on BBSs accused of pirating
    software; large-scale confiscation of equipment.

italy_net_politics
    Speech by Bernardo Parrella of Agora (a multi-lingual Internet
    site in Italy: agora.stm.it) on the current state of BBS's and
    networking in Italy.

The CPSR Internet Library is a free service available via
FTP/WAIS/Gopher/listserv from cpsr.org:/cpsr. Materials from Privacy
International, the Taxpayers Assets Project and the Cypherpunks are
also archived. For more information, contact ftp-admin@cpsr.org.

-----------------------------------------------------------------------
[7] Upcoming Privacy Related Conferences and Events
-----------------------------------------------------------------------

DEF CON ][ ("underground" computer culture) "Load up your laptop
Muffy, we're heading to Vegas!" The Sahara Hotel, Las Vegas, NV. July
22-24. Contact: dtangent@defcon.org.

Symposium on Privacy and Intelligent Vehicle-Highway Systems. Santa
Clara University, Santa Clara, California. July 29-30. Contact:
Professor Dorothy J. Glancy 408-554-4075 (tel), 408-554-4426 (fax),
dglancy@suacc.scu.edu.

Hackers on Planet Earth: The First US Hacker Congress. Hotel
Pennsylvania, New York City, NY. August 13-14. Sponsored by 2600
Magazine. Contact: 2600@well.sf.ca.us.

Technologies of Surveillance; Technologies of Privacy. The Hague, The
Netherlands. September 5.
Sponsored by Privacy International and EPIC. Contact: Simon Davies
(davies@privint.demon.co.uk).

16th International Conference on Data Protection. The Hague,
Netherlands. September 6-8. Contact: B. Crouwers 31 70 3190190 (tel),
31-70-3940460 (fax).

CPSR Annual Meeting. University of California, San Diego. October 8-9.
Contact: Phil Agre

Symposium: An Arts and Humanities Policy for the National Information
Infrastructure. Boston, Mass. October 14-16. Sponsored by the Center
for Art Research in Boston. Contact: Jay Jaroslav
(jaroslav@artdata.win.net).

Third Biannual Conference on Participatory Design, Chapel Hill, North
Carolina. October 27-28. Sponsored by CPSR. Contact:
trigg@parc.xerox.com.

Ethics in the Computer Age Conference. Gatlinburg, Tennessee. November
11-13. Sponsored by ACM. Contact: jkizza@utcvm.utc.edu

(Send calendar submissions to Alert@epic.org)

=======================================================================

To subscribe to the EPIC Alert, send the message:

"subscribe cpsr-announce " (without quotes or brackets)

to listserv@cpsr.org. You may also receive the Alert by reading the
USENET newsgroup comp.org.cpsr.announce

=======================================================================

The Electronic Privacy Information Center is a public interest
research center in Washington, DC. It was established in 1994 to focus
public attention on emerging privacy issues relating to the National
Information Infrastructure, such as the Clipper Chip, the Digital
Telephony proposal, medical record privacy, and the sale of consumer
data. EPIC is sponsored by the Fund for Constitutional Government and
Computer Professionals for Social Responsibility. EPIC publishes the
EPIC Alert and EPIC Reports, pursues Freedom of Information Act
litigation, and conducts policy research on emerging privacy issues.
For more information email info@epic.org, or write EPIC, 666
Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.
+1 202 544 9240 (tel), +1 202 547 5482 (fax).

The Fund for Constitutional Government is a non-profit organization
established in 1974 to protect civil liberties and constitutional
rights. Computer Professionals for Social Responsibility is a national
membership organization of people concerned about the impact of
technology on society. For information contact: cpsr@cpsr.org

------------------------- END EPIC Alert 1.02 -------------------------