=======================================================================

                              EPIC ALERT

=======================================================================
Volume 1.06                                           October 28, 1994
-----------------------------------------------------------------------

                           Published by the
             Electronic Privacy Information Center (EPIC)
                   Washington, DC (Alert@epic.org)

=======================================================================
Table of Contents
=======================================================================

[1] FTC Orders Trans Union to Stop Selling Credit Reports to Marketers
[2] State Department Rules 1st Amendment Doesn't Apply to Disks
[3] Clipper: Alive and Well
[4] FBI Director May Ask For Mandatory Key Escrow Legislation
[5] EPIC on Compuserve
[6] New Files in the Archive
[7] Upcoming Conferences and Events

=======================================================================
[1] FTC Cracks down on Trans Union
=======================================================================

The Federal Trade Commission on October 18 ordered Trans Union, one of
the nation's largest credit bureaus, to stop selling consumer credit
information in its files to direct marketers in violation of the Fair
Credit Reporting Act (FCRA).

This decision follows a year after TRW, another large credit bureau,
signed a consent decree with the FTC to limit selling credit
information. Equifax, the other large credit bureau, also voluntarily
stopped selling credit information for marketing last year.

Trans Union, through its Transmark target marketing division, created
lists of individuals based on credit-related criteria and then sold
the information to companies to use for target marketing.

The Commission ruled that target marketing was illegal under the FCRA
because the law requires that the consumer initiate the transaction
before the information can be released.
It also found that the companies had full access to consumers' names
and were aware of the criteria under which the names had been chosen
from the Trans Union database, which is also an illegal disclosure of
credit information.

Trans Union has said they will appeal and plan to continue selling the
information in the meantime. Under a newly passed law, Trans Union
must ask for a stay of the order after 60 days before they can
continue selling the information.

Ed Mierzwinski, Consumer Program Director of US Public Interest
Research Group's Washington Office, hailed the FTC's actions: "It's a
good decision. I predict if they try and appeal, they will lose."

=======================================================================
[2] State Dept: 1st Amendment Doesn't Apply to Disks
=======================================================================

The State Department ruled on October 7 that some forms of electronic
speech are not protected by the First Amendment and can be prohibited
from export. The decision raises questions about the protection of
free speech on the information superhighway.

The controversy arose over the export of an electronic version of
Applied Cryptography: Protocols, Algorithms, and Source Code in C
(John Wiley and Sons, 1994) by Bruce Schneier. The agency ruled that
electronic source code for computer programs that contains
cryptographic algorithms is not protected under the First Amendment
and thus is not exportable under current law. The ruling follows just
a few months after the same department OK'd the export of the same
code in printed form.

Under current State Department rules, the export of almost all
software with confidentiality and privacy features is prohibited
unless permission is granted by the National Security Agency prior to
export.

Earlier this year Schneier and San Diego engineer Phil Karn requested
and received permission to export the printed version, which contains
over 100 pages of source code for different cryptographic algorithms
in a typeface easily converted to electronic form by a standard
computer scanner. The book has sold over 17,000 copies worldwide in
less than one year.

When Karn and Schneier requested permission to export the disks, which
have the exact same information as is contained in the book, William
Robinson, the director of the Office of Defense Trade Controls,
rejected the request, stating "the text files on the subject disk are
not an exact representation of what is found in Applied
Cryptography...each source code listing has been partitioned into its
own file and has the capability of being easily compiled into an
executable subroutine . . . This is an added value to any end user
that wishes to incorporate encryption into a product."

Computer users and experts are critical of the distinction. Karn
noted, "with the widespread availability of optical character
recognition (OCR) equipment and software, even printed information
such as the Book is easily turned into 'machine readable' disk files
equivalent to the diskette." Bob Stratton, a Senior Engineer at
AlterNet, said: "Whether it's in a book or on a disk, it doesn't
matter. The technology [the cryptography code] will flow no matter
what."

When Karn and Schneier appealed the decision, Martha C. Harris, the
Deputy Assistant Secretary for Export Controls at the State
Department, stated "We...have concluded that continued control over
the export of such material is consistent with the protections of the
First Amendment." She noted that a high level, interagency review had
resulted from the request.

Bob Peck, a First Amendment lawyer with the American Civil Liberties
Union, notes "any claim that the First Amendment is inapplicable
because of the medium is just not valid."

Karn plans to appeal the decision.

=======================================================================
[3] Clipper: Alive and Well
=======================================================================

Vice President Gore's July letter to Rep. Maria Cantwell led some
observers to hail the "death of Clipper." Others (including EPIC and
Sen. Patrick Leahy) maintained that the Gore letter simply re-stated
earlier Administration pronouncements on the encryption issue and did
not represent a change in policy.

Any lingering doubts were laid to rest recently by Lynn McNulty, the
Associate Director for Computer Security at the National Institute of
Standards and Technology (NIST). Speaking at a conference sponsored by
the Electronic Messaging Association, McNulty gave a presentation
entitled "Clipper: Alive and Well." Noting that some media reports had
pronounced Clipper dead, McNulty said simply "that is not correct."

He reported that the government is "moving ahead to implement key
escrow," and that the designated escrow agents are, in fact, escrowing
keys. To date, 10,000 Clipper-equipped telephone units have been
purchased by the law enforcement community. And the National Security
Agency is continuing to aggressively market its key escrow technology
to private manufacturers.

=======================================================================
[4] FBI Director May Ask For Mandatory Key Escrow Legislation
=======================================================================

At a conference on Global Cryptography earlier this month, FBI
Director Louis Freeh suggested that if the administration's Clipper
key escrow encryption scheme was not widely adopted, he may ask
Congress for legislation making it mandatory. The FBI confirmed the
comments to reporters Brock Meeks and Steven Levy.

Excerpt from transcript of Freeh talk as faxed to Michael Froomkin by
the FBI:

[note: bracketed material is summary of earlier exchange]

Q: [If people pre-encrypt while using Clipper, would] the policy then
have to change?

A: The terms of encryption being a voluntary standard? Oh yea,
definitely, I mean if five years from now we solve the access problem
but what we are hearing is all encrypted I'll probably ah, if I am
still here, be talking about that in a very important way. Sure, I
mean the objective is the same. The objective is for us to get those
conversations whether they are by an alligator clipped or or [_sic_]
ones and zeros wherever they are, what ever they are, I need them.

=======================================================================
[5] EPIC on Compuserve
=======================================================================

EPIC has joined the National Computer Security Association and the
National Computer Ethics & Responsibilities Campaign in hosting a
forum on privacy, security and ethical issues on the Compuserve
Information System.

EPIC materials, including back issues of the Alert, program
description and reports are available in Library 2. Discussions of
privacy topics are in Section 2 (EPIC/Ethics).

To access the forum, use the keyword: NCSA.

=======================================================================
[6] New Files at the Archive
=======================================================================

OTA Report on Cryptography
/cpsr/privacy/ota_report_1994

Final Version of HR 4922/S 2375. - The Communications Assistance for
Law Enforcement Act of 1994

HR 5199 - Encryption Standards and Procedures Act of 1994
/cpsr/privacy/crypto/hr5199.txt

Files related to the Applied Cryptography Export Decision
/cpsr/privacy/crypto/export/applied_crypto/

The CPSR Internet Library is a free service available via
FTP/WAIS/Gopher/listserv from cpsr.org:/cpsr.
Materials from Privacy International, the Taxpayers Assets Project and
the Cypherpunks are also archived. For more information, contact
ftp-admin@cpsr.org.

=======================================================================
[7] Upcoming Privacy Related Conferences and Events
=======================================================================

2nd ACM Conference on Computer and Communications Security, Fairfax,
Virginia. Nov 2-4, 1994. Sponsored by: ACM SIGSAC, Hosted by: Bell
Atlantic, George Mason University. Contact: gong@csl.sri.com

Ethics in the Computer Age Conference. Gatlinburg, Tennessee. November
11-13. Sponsored by ACM. Contact: jkizza@utcvm.utc.edu

The Technology for Information Security Conference '94 (TISC '94).
Galveston, Texas. Dec. 5-8, sponsored by: NASA Johnson Space Center
Mission Operations Directorate (MOD), MOD AIS Security Engineering
Team, and the ISSA. Contact: John D'Agostino
(dagostin@killerbee.jsc.nasa.gov).

Second International Conference on Information Warfare: "Chaos on the
Electronic Superhighway" Jan 18-19, Montreal, CA. January 18, 1995,
Sponsored by NCSA. Contact: Mich Kabay (75300.3232@compuserve.com).

(Send calendar submissions to Alert@epic.org)

=======================================================================

To subscribe to the EPIC Alert, send the message:

SUBSCRIBE CPSR-ANNOUNCE Firstname Lastname

to listserv@cpsr.org. You may also receive the Alert by reading the
USENET newsgroup comp.org.cpsr.announce.

Back issues are available via FTP/WAIS/Gopher/HTTP from cpsr.org
/cpsr/alert and on Compuserve at Keyword: NCSA, Library 2
(EPIC/Ethics)

=======================================================================

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.
It was established in 1994 to focus public attention on emerging
privacy issues relating to the National Information Infrastructure,
such as the Clipper Chip, the Digital Telephony proposal, medical
record privacy, and the sale of consumer data. EPIC is sponsored by
the Fund for Constitutional Government and Computer Professionals for
Social Responsibility. EPIC publishes the EPIC Alert and EPIC Reports,
pursues Freedom of Information Act litigation, and conducts policy
research on emerging privacy issues. For more information email
info@epic.org, or write EPIC, 666 Pennsylvania Ave., SE, Suite 301,
Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).

The Fund for Constitutional Government is a non-profit organization
established in 1974 to protect civil liberties and constitutional
rights. Computer Professionals for Social Responsibility is a national
membership organization of people concerned about the impact of
technology on society. For information contact: cpsr-info@cpsr.org

------------------------ END EPIC Alert 1.06 ------------------------

--- CPSR ANNOUNCE LIST END ---

To alter or end your subscription to this mailing list, write to
listserv@cpsr.org. For general information send the message:

HELP

To unsubscribe, send the message:

UNSUBSCRIBE CPSR-ANNOUNCE

You need to do this from the same machine you subscribed from. In both
cases, leave the subject blank, or at least not resembling an error
message.

=======================================================================