=======================================================================

                              EPIC ALERT

=======================================================================
Volume 2.02                                            February 6, 1995
-----------------------------------------------------------------------

                           Published by the
           Electronic Privacy Information Center (EPIC)
                            Washington, DC
                            info@epic.org

=======================================================================
Table of Contents
=======================================================================

[1] IRS Backs Off Compliance 2000 Program
[2] New Secrecy Order Needs Work
[3] Caller ID Blocking Fails in New York
[4] Post Office Partially Limits Access to Addresses
[5] Clinton Announces National ID Registry
[6] Correction: EU Directive Still Under Consideration
[7] Overview of New Congressional Privacy Legislation
[8] Upcoming Conferences and Events

=======================================================================
[1] IRS Backing Off of Compliance 2000 Program
=======================================================================

The Internal Revenue Service announced on Friday, January 20, that it
was delaying implementation of the controversial Compliance 2000
program after heated opposition to the proposal from the Electronic
Privacy Information Center (EPIC) and other privacy advocates appeared
in over two dozen newspapers across the country. The proposal also
drew sharp criticism from Senator David Pryor.

The plan called for IRS collection and use of personal information
from commercial databases. This data would not be subject to the
requirements of the Privacy Act.

IRS officials told the EPIC Alert that the Compliance 2000 notice
published in the Federal Register was going to be revised in the next
few weeks and then reissued.
IRS Privacy Advocate Robert Veeder said that the notice had been
drafted more than a year ago and that the program had been revised
substantially since then.

EPIC has filed a Freedom of Information Act request with the IRS,
asking for more information about the types of data that would be
collected if Compliance 2000 goes forward, the sources of the
information and the proposed uses.

=======================================================================
[2] Draft Secrecy Order Still Needs Work
=======================================================================

The White House recently circulated the latest draft of the
President's long-awaited revised Executive Order on the classification
of national security information. The current version back-pedals on
favorable proposed reforms of the classification system, retreating
from an earlier proposal that prohibited secrecy when the "public
interest in keeping the information unclassified outweighs the need
for classification." Such a standard would permit the public and the
news media to challenge classification decisions in court. The draft
also fails to go far enough in opening the government's civilian
cryptographic activities to public scrutiny.

Efforts to revise the current Executive Order (issued by President
Reagan in 1982) began almost two years ago, soon after the Clinton
Administration assumed office. Several drafts have circulated since
then, and the issuance of a final revision was anticipated more than a
year ago.

The Center for National Security Studies, the Federation of American
Scientists, the National Security Archive, and EPIC have all urged the
relaxation of classification authority. EPIC has specifically
recommended that classification be removed for cryptographic
information.

In comments submitted to the Information Security Oversight Office in
July 1993, EPIC staff urged removal of "cryptology" from the
categories of information presumed to be classifiable.
The statement said that the "designation of a routine
privacy-enhancing technology as presumptively a national security
matter is inconsistent with the end of the Cold War and the dramatic
growth of commercial and civilian telecommunications networks. ...
[Cryptographic] technology today plays an essential role in assuring
the security and privacy of a wide range of communications affecting
finance, education, research, and personal correspondence."

The recent Clinton proposal does indeed narrow the government's
classification authority for "cryptology", although the final order
should go further. Under the original Reagan Order, "cryptology" was
singled out as a separate and independent category. The recent draft
drops cryptology as an independent category and instead refers
generally to "intelligence activities (including special operations),
intelligence sources or methods, or cryptology."

This formulation suggests a recognition that information concerning
encryption technology should only be classified if it relates to
intelligence uses of the technology, as opposed to the increasing use
of encryption in civilian applications. The language, however, leaves
open the possibility that the government might still attempt to
classify information relating to cryptography. This position does not
comport with the overwhelming opinion outside of government that
cryptography should never be presumptively classified.

The classification of cryptographic information has already hampered
the public's ability to monitor the government's activities in the
area of civilian communications security. Information relating to the
Digital Signature Standard (intended for the authentication of
unclassified electronic transmissions) has been withheld from
disclosure under the Reagan Executive Order. Likewise, key information
concerning the Clipper encryption initiative (including the underlying
Skipjack algorithm) has been classified and placed beyond public
review.
Congress sought to prevent such secrecy when it enacted the Computer
Security Act of 1987, which limited the civilian role of the National
Security Agency (NSA). Congress noted that NSA's "natural tendency to
restrict and even deny access to information that it deems important
would disqualify that agency from being put in charge of the
protection of non-national security information." The Clinton
Administration, through further revision of its draft Executive Order,
has an opportunity to build upon the openness and accountability that
Congress envisioned.

=======================================================================
[3] Caller ID Blocking Fails in New York
=======================================================================

NYNEX has admitted that the personal phone numbers of at least 30,000
of its customers who requested per-line blocking of Caller ID have
been improperly disclosed. The problem resulted from a failure to
correctly implement the blocking feature. The New York Times reports
that NYNEX had known of the problem for at least a year before any
action was taken.

The Rhode Island Public Utilities Commission has ordered NYNEX not to
allow customers in that state to order new Caller ID services or
per-line blocking until the problem is resolved. NYNEX must also run
ads telling customers about the problem and provide an 800 number for
consumers to call.

EPIC has received several calls from individuals in New York who have
had their phone numbers disclosed. The individuals work in sensitive
jobs and have already received threatening phone calls as a result of
the disclosures.

=======================================================================
[4] Post Office Partially Limits Access to Addresses
=======================================================================

The U.S. Postal Service announced on December 28 its final rule on
access to names and addresses.
The agency announced it was eliminating the service that allows anyone
to obtain the new address of any individual for a $3.00 fee. The
Postal Service, however, left intact its service that provides the
addresses of all postal customers to large mailers such as direct
marketers.

The notice states "Congress has not given the Postal Service the
function of serving as a national registration point for the physical
whereabouts of individuals."

HR 434, The Postal Privacy Act of 1995, (introduced by Rep. Gary
Condit) requires that the Postal Service inform individuals of the
uses of information contained in Change of Address cards and mandates
that customers be offered an option to not have their names and
addresses forwarded.

=======================================================================
[5] Clinton Announces National ID Worker Registry
=======================================================================

In the annual State of the Union address on January 25, President
Clinton suggested he would support the creation of a national registry
of all citizens and resident aliens. The idea was recommended by the
U.S. Commission on Immigration Reform and is an attempt to address
concerns about immigration control.

The proposal would create a national database of all employees based
on Social Security Numbers. Employers would be required to check this
database before hiring. Civil liberties groups believe that this
system, once in place, would lead to the development of a national ID
card. The Commission previously proposed the creation of an ID card
but backed off in the face of public opposition.

Senator Alan Simpson (R-WY) has introduced a bill (S. 269) to
implement the registry. Sen. Barbara Boxer (D-CA) told USA Today that
Congress was planning to address the issue and that the system may be
the only way to provide accurate citizenship information and protect
privacy.

Leaders of civil rights and immigration organizations and privacy
advocates attended a meeting at the White House with representatives
from the Department of Justice, HHS, INS, and the White House to
discuss the implications of the program in early January. Further
discussion is likely.

=======================================================================
[6] Correction: EU Directive Still Under Consideration
=======================================================================

We reported in EPIC Alert 2.01 that the Council of Ministers had
reached a common position on the closely watched European data
protection directive. The directive, once adopted, will establish
European-wide privacy standards.

We jumped the gun. At the time of the report, the common position had
not been reached officially, though our sources told us they thought
the Council of Ministers had effectively endorsed the final proposal.

On February 6, Reuters reported that the General Affairs Council was
unable to formally adopt the draft data protection directive earlier
this month due to delays in getting the text translated into the EU's
newest languages -- Swedish and Finnish.

The report went on to say that "The Council was able to agree on the
details of the common position on the directive, which will now
probably be adopted at a Council meeting next week."

More news as it happens.

=======================================================================
[7] Overview of New Congressional Privacy Legislation Available
=======================================================================

EPIC has produced an overview of current privacy legislation in the
104th Congress. Bills that improve privacy protections or negatively
affect privacy are summarized. The summary will be updated regularly
as new legislation is introduced or pending bills are revised. A
summary will appear in the next issue of the EPIC Alert.

Copies of the new bills are available for retrieval from the EPIC
Archive at cpsr.org. Also included are floor statements on the
legislation when available and updates on the status of the bills.

To obtain the overview and copies of the House and Senate bills,
ftp/gopher/wais to cpsr.org /cpsr/privacy/epic/104th_congress_bills/

=======================================================================
[8] Upcoming Privacy Related Conferences and Events
=======================================================================

AAAS Annual Meeting & Science Innovation Expo. Atlanta. Feb 16-21. A
special full-day session on cryptography and privacy will take place
on Tuesday, Feb. 21. Contact: Alex Fowler 202/326-7016 or
afowler@aaas.org

Cryptography: Technology, Law and Economics. New York City. Mar. 3,
1995. Sponsored by CITI, Columbia University. Contact:
citi@research.gsb.columbia.edu

Towards an Electronic Patient Record '95. Orlando, FL. Mar. 14-19,
1995. Sponsored by Medical Records Institute. Contact: 617-964-3926
(fax).

Access, Privacy, and Commercialism: When States Gather Personal
Information. College of William and Mary, Williamsburg, VA, March 17.
Contact: Trotter Hardy 804 221-3826.

Computers, Freedom and Privacy '95. Palo Alto, Ca. Mar. 28-31, 1995.
Sponsored by ACM. Contact: cfp95@forsythe.stanford.edu.

ETHICOMP95: An international conference on the ethical issues of using
Information Technology. DeMontfort University, Leicester, ENGLAND,
March 28-30, 1995. Contact: Simon Rogerson srog@dmu.ac.uk 44 533
577475 (phone) 44 533 541891 (Fax).

"Quality of Life in the Electronic Village," March 30, 1995. Live
teleconference, broadcast nationally from Virginia Tech, featuring
eminent presenters from the fields of ethics, law, education,
anthropology, medicine, and government. Contact 703/231-6476 or
choices@vt.edu.

National Net '95: Reaching Everyone. Washington, DC. Apr. 5-7, 1995.
Sponsored by EDUCOM. Contact: net95@educom.edu or call 202/872-4200.

Information Security and Privacy in the Public Sector. Herndon, VA.
Apr. 19-20, 1995. Sponsored by AIC Conferences. Contact: 212/952-1899.

1995 IEEE Symposium on Security and Privacy. Oakland, CA, May 8-10.
Contact: sp95@itd.nrl.navy.mil.

INET '95. Honolulu, HI. June 28-30, 1995. Sponsored by the Internet
Society. Contact inet95@isoc.org.

Key Players in the Introduction of Information Technology: Their
Social Responsibility and Professional Training. July 5-6-7, 1995.
Namur, Belgium. Sponsored by CREIS. Contact: nolod@ccr.jussieu.fr.

Advanced Surveillance Technologies. Sept. 4-5, 1995. Copenhagen,
Denmark. Sponsored by Privacy International and EPIC. Contact
pi@epic.org.

(Send calendar submissions to Alert@epic.org)

=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center. To subscribe, send the message:

    SUBSCRIBE CPSR-ANNOUNCE Firstname Lastname

to listserv@cpsr.org. You may also receive the Alert by reading the
USENET newsgroup comp.org.cpsr.announce.

Back issues are available via FTP/WAIS/Gopher/HTTP from cpsr.org
/cpsr/alert and on Compuserve (Go NCSA), Library 2 (EPIC/Ethics). An
HTML version of the current issue is available from
epic.digicash.com/epic

=======================================================================

The Electronic Privacy Information Center is a public interest
research center in Washington, DC. It was established in 1994 to focus
public attention on emerging privacy issues relating to the National
Information Infrastructure, such as the Clipper Chip, the Digital
Telephony proposal, medical record privacy, and the sale of consumer
data. EPIC is sponsored by the Fund for Constitutional Government and
Computer Professionals for Social Responsibility. EPIC publishes the
EPIC Alert and EPIC Reports, pursues Freedom of Information Act
litigation, and conducts policy research on emerging privacy issues.
For more information, email info@epic.org, WWW at
HTTP://epic.digicash.com/epic or write EPIC, 666 Pennsylvania Ave.,
SE, Suite 301, Washington, DC 20003. (202) 544-9240 (tel), (202)
547-5482 (fax).

The Fund for Constitutional Government is a non-profit organization
established in 1974 to protect civil liberties and constitutional
rights. Computer Professionals for Social Responsibility is a national
membership organization of people concerned about the impact of
technology on society. For information contact: cpsr-info@cpsr.org

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible. Checks should be made out to "The Fund for
Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave.,
SE, Suite 301, Washington DC 20003.

Your contributions will help support Freedom of Information Act
litigation, strong and effective advocacy for the right of privacy and
efforts to oppose Clipper and Digital Telephony wiretapping proposals.

------------------------ END EPIC Alert 2.02 ------------------------