=============================================================

EPIC ALERT

============================================================
Volume 2.03                                February 24, 1995
------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, DC
info@epic.org

=======================================================================
Table of Contents
=======================================================================

[1] EPIC Calls for Crypto Reform at G-7 Meeting
[2] USA Privacy Position at G-7 (and EPIC Proposal)
[3] House Votes to Allow Illegal Evidence
[4] Network Censorship Bill Introduced
[5] Court Rules National Security Council Not Exempt from FOIA
[6] Activist Files Suit To Overturn Crypto Export Controls
[7] Wiretap Watch: Freeh on Crypto
[8] Privacy Legislation in the 104th Congress
[9] Upcoming Conferences and Events

=======================================================================
[1] EPIC Calls for Crypto Reform at G-7 Meeting
=======================================================================

PRESS RELEASE

For Release: Saturday, February 25, 1995, 1300 GMT+1 (Brussels)

Contact:
Marc Rotenberg, +32 2 542 42 42, rotenberg@epic.org (Brussels)
Dave Banisar, +1 202 544 9240, banisar@epic.org (Washington, DC)
Simon Davies, +44 81 402 0737, davies@privint.demon.co.uk (London)

EPIC Calls for Change in USA Crypto Policy at G-7 Meeting in Brussels

BRUSSELS-- The widely publicized Internet break-in last week underscores the need for the United States to revise current policies on cryptography and privacy, according to a leading USA privacy organization. The group contends that as long as computer users are discouraged from using robust methods for privacy and security, the risks to future travelers on the information highway will continue to grow.

The Electronic Privacy Information Center (EPIC), based in Washington, DC, urged the United States to change policies that restrict the open exchange of scientific and technical information. These policies inhibit the development of new techniques for privacy protection.

In a statement released today at the G-7 meeting here in Brussels, EPIC recommended that the USA:

o Relax export controls and permit the free flow of encryption technology across national borders. The Export Administration Act unnecessarily inhibits the exchange of techniques for privacy and slows development of important tools for network users.

o Withdraw the Escrow Encryption Standard popularly known as "Clipper." Private industry, the technical community, and the public oppose the adoption of Clipper. The deployment of Clipper-based schemes in the federal government should be halted.

o Remove "cryptology" from the items that may be classified under USA Executive Order. The classification of cryptology has frustrated open government, permitted the development of sub-optimal standards, and slowed technological innovation.

o Not fund the USA National Wiretap Plan. The ill-considered proposal to mandate the development and use of technologies for the surveillance of the nation's telecommunications systems calls for the expenditure of $500 million over the next four years. Given the likelihood that this program will increase Internet vulnerabilities, all funding should be terminated.

According to EPIC, unless the United States acts quickly to correct these policies, the Global Information Infrastructure will remain vulnerable to future attacks.

EPIC also recommended the establishment of a privacy agency to address growing public concern about the inadequacy of privacy protection in the United States.

Simon Davies, Director General of Privacy International speaking from London, said "We endorse the EPIC recommendations.
Users of the Global Information Infrastructure must be allowed to use the most secure privacy technologies available."

=======================================================================
[2] USA Privacy Position at G-7 (and EPIC Proposal)
=======================================================================

The following recommended actions for privacy are taken from the White House document "Global Information Infrastructure: Agenda for Cooperation" (version 1.0). The US government will distribute this report at the G-7 meeting in Brussels. EPIC's recommended actions on GII privacy follow.

-------------------

PRIVACY PROTECTION [USA GII document]

In order to foster consumer confidence in the GII and to encourage the growth of interconnected global networks, users must feel that they are afforded adequate privacy protection. To this end, the United States will join with other governments to:

o Identify key privacy issues that need to be addressed in relation to the development of national and global information infrastructures;

o Work with both the public and private sectors to achieve consensus on a set of fair information principles for the collection, transfer, storage, and subsequent use of data over national and global information infrastructures;

o Ensure that privacy protection does not unduly impede the free flow of information across national borders;

o Share information on new privacy protection policy developments and on new technologies and standards for privacy protection; and

o Encourage the use of voluntary guidelines developed by international bodies, such as the OECD, as the best means of ensuring the protection of privacy on an international basis.

-------------------

PRIVACY PROTECTION [EPIC GII proposal]

The GII cannot achieve its promise if users, citizens, and consumers are not guaranteed adequate protection of their personal privacy rights.
To achieve this protection, the United States will join with other governments to:

o Cooperate in national, bilateral, regional and international fora to achieve high levels of privacy protection and technical protection in order to guarantee to individuals the technical and legal means to control the use of their personal data over the GII;

o Ensure that Fair Information Practices provide users and potential users of the GII maximum protection in the use of personal information, and eliminate compelled disclosure of personal data;

o Provide effective enforcement against the unauthorized use of personal information (misuse), including severe legal penalties and vigilant monitoring. Enforcement is particularly critical as technological innovations jeopardize the existing ability of individuals to protect their personal information;

o Encourage the development and use of technological capabilities and safeguards, such as digital cash, anonymous servers, electronic debit cards, and encryption methods to complement existing privacy management techniques and prevent misuse at all levels. Cooperative efforts to develop testbeds, define standards, and construct infrastructure components for these safeguards should be encouraged, as should measures to prevent or render illegal the use of devices to overcome these safeguards; and

o Work in collaboration with privacy organizations, technical experts, and others towards greater efforts to educate GII users about the importance of privacy protection.

=======================================================================
[3] House Votes to Allow Illegal Evidence
=======================================================================

The House of Representatives voted on Feb. 8 to allow evidence obtained in violation of the 4th Amendment or federal law to be admissible in court if it was the product of an "objectively reasonable search or seizure."
This revision in the law places a large loophole in the "exclusionary rule," which currently provides the only workable sanction for violations of the law by police investigators.

At hearings on the legislation, the American Bar Association, represented by a Wisconsin state prosecutor strongly opposed to the bill, argued that it will increase illegal warrantless searches and decrease police professionalism.

An effort by Rep. Melvin Watt (D-NC) to replace the text of the bill with the text of the 4th Amendment was defeated. The bill was amended to prohibit illegal evidence obtained by the BATF and the IRS from being used, but other federal agencies such as the FBI and Secret Service would be granted unprecedented leeway in the conduct of their investigations. The final bill passed 289-142.

The bill has now been sent to the Senate Judiciary Committee. S. 3, the Senate Republican crime bill, also contains a similar provision.

A copy of the bill and the Congressional Record debate is available at cpsr.org /cpsr/privacy/epic/104th_congress_bills/

=======================================================================
[4] Network Censorship Bill Introduced
=======================================================================

Senator James Exon (D-NE) has introduced the "Communications Decency Act of 1995" intending to regulate a variety of communications on the Internet. The bill has met with fierce opposition from Internet users across the country.

The bill attempts to restrict all sexually oriented communications on electronic networks. Many commentators believe the proposal will infringe on free speech and privacy rights and will be unworkable.

The legislation would penalize anyone who "makes, transmits, or otherwise makes available any comment, request, suggestion, proposal, image, or other communication" that is "obscene, lewd, lascivious, filthy, or indecent."
If the bill is enacted, anyone who provides communications service will be liable for the content of the transmissions of all of its users. This could include the entire USENET system, email routing systems, long distance carriers, local area network providers, PBX operators and more.

The Electronic Messaging Association suggests that the only way to ensure that no liability will result is to have system operators monitor all communications. The bill may also discourage encrypted communications by forcing providers who are concerned about liability to prohibit communications that they cannot decode.

The legislation would also make it a federal crime to transmit any anonymous communications with the intent to harass. This could have the effect of forcing telecommunication providers (including online services and universities) to prohibit anonymous postings because of the chance that a harassing message may be posted.

The bill was introduced last year by Senator Exon and added to the telecommunications reform legislation that died in the waning days of the 103rd Congress. Senator Exon has said that he would like to attach the bill to this year's telecomm reform bill in the next few months.

EPIC director Marc Rotenberg debated Senator Exon about the proposal last week on CNN. The Senator conceded that there were problems with the bill and said that he would meet with Mr. Rotenberg and others to see if these problems could be fixed.

Voters Telecom Watch is coordinating a campaign to oppose the Exon bill. The ACLU and EFF are also actively opposing this bill. For more information URL: gopher://gopher.panix.com/11/vtw/exon or email vtw@vtw.org. Also try gopher://aclu.org:6601 or email infoaclu@aclu.org.

=======================================================================
[5] Court Rules National Security Council Not Exempt from FOIA
=======================================================================

U.S.
District Judge Charles Richey ruled on February 14 that the National Security Council (NSC) is an "agency" and therefore subject to the public disclosure provisions of the Freedom of Information Act (FOIA). The decision came in a long-pending lawsuit concerning the status of White House e-mail messages dating back to the Reagan administration.

For many years, the NSC had acknowledged its "agency" status and responded to requests submitted under the FOIA. The Clinton administration ended that practice and argued in several lawsuits that the NSC was not subject to the Act.

In a lengthy opinion, Judge Richey rejected the administration's position, finding that the National Security Council "exercises authority independently of the President" (the legal test for "agency" status). The Judge noted that, among other things, "the NSC plays a role in Telecommunications independent of the President. ... By virtue of a 1990 Directive, an NSC committee is responsible for federal policies with respect to the security of telecommunications systems." The cited directive (NSD 42) was released to EPIC staff through litigation against the NSC in 1992.

The recent decision clears the way for resumed proceedings in Computer Professionals for Social Responsibility v. National Security Agency, et al., in which EPIC staff is challenging the withholding of key documents concerning the Clipper Chip. Proceedings in the case were suspended pending resolution of the National Security Council's status -- the NSC is a co-defendant in the Clipper case and played a leading role in the development of the government's key-escrow encryption initiative.

According to EPIC Legal Counsel David Sobel, "NSC documents are crucial to public understanding of government encryption policy. The court's rejection of the administration's position is extremely significant and will greatly enhance oversight in this area."

=======================================================================
[6] Activist Files Suit to Overturn Export Controls
=======================================================================

A graduate student in mathematics at the University of California at Berkeley has filed suit in federal court seeking to invalidate government restrictions on the export of encryption technology. The plaintiff, Daniel Bernstein, developed "The Snuffle Encryption System" and was subsequently advised by the State Department that an export license was required under the International Traffic in Arms Regulations (ITAR). In September 1993, Bernstein appealed that determination and, to date, has not received a response from the State Department. Critics have long maintained that the ITAR process inhibits the development and dissemination of privacy-enhancing encryption technology.

Bernstein alleges in his lawsuit that his "scientific paper, algorithm and computer program are speech protected by the First Amendment to the United States Constitution." The suit further alleges that

"The statutes, regulations, policies and conduct of Defendants cause a chilling effect on the exercise of First Amendment rights to speak, to publish, to engage in academic inquiry and study and to receive items from Plaintiff and other persons similarly situated, preventing important matters of concern to mathematicians, scientists, the commercial community, and the public from being openly discussed."

Named as defendants are the State Department, Defense Department, Commerce Department, National Security Agency and several officials of those agencies.

A San Mateo attorney has taken the case on a pro bono basis. The Electronic Frontier Foundation is paying for some litigation-related expenses.

=======================================================================
[7] Wiretap Watch: Freeh Sets Stage for Future Restrictions
=======================================================================

"Powerful encryption threatens to make worthless the access assured by the new digital [telephony] law."

-- FBI Director Louis Freeh, February 14, 1995, before the Senate Judiciary Committee.

EXCERPT FROM THE BUDGET OF THE UNITED STATES, FY 1996:

-- Federal Bureau of Investigation (p. 642)

Telephone Carrier Compliance

"The Communications Assistance for Law Enforcement Act of 1994 authorizes the Attorney General to pay telecommunications carriers for costs directly associated with modifying equipment to perform court-authorized wiretap. Activities eligible for reimbursement include modifications performed by carriers in connection with equipment, facilities, and services installed or deployed to comply with the Act. In particular, telecommunications carriers are required to expeditiously isolate and enable intercept of all wire and electronic communications, provide access to call-identifying information that is reasonably available to the carrier, deliver the intercepts and call-identifying information to the government, and provide these services unobtrusively so as to minimize interference to subscriber services."

"The program, administered by the Federal Bureau of Investigation, is funded through a surcharge of approximately 30% imposed on civil monetary penalties and criminal fines. For 1996, the Federal Bureau of Investigation will use $100 million in increased fines and penalties to finance the telephone carrier compliance."

=======================================================================
[8] Privacy Legislation in the 104th Congress
=======================================================================

-- Compiled by the Electronic Privacy Information Center --

An updated version of this document, the text of the bills, and other legislative materials are available from cpsr.org /cpsr/privacy/epic/104th_congress_bills/

-- House Bills --

Taking Back Our Streets Act of 1995 (HR 3). Introduced by Rep. McCollum. Republican Crime Bill. Includes provision to substantially limit judicial sanctions for illegal searches (exclusionary rule). Referred to Committee on the Judiciary. Split into separate bills (see HR 666).

FBI Counterintelligence Act of 1995 (HR 68). Introduced by Rep. Bereuter. Authorizes easier access to credit reports by FBI for "national security purposes." Referred to Committee on Banking and Financial Services.

Quality Assurance in Drug Testing Act (HR 153). Introduced by Rep. Solomon. Prohibits random drug tests, requires that employers have explicit written policies and education and use certified laboratories. Referred to Committee on Commerce.

Individual Privacy Protection Act of 1995 (HR 184). Introduced by Rep. Collins. Creates national Privacy Commission with authority to oversee enforcement of Privacy Act. Referred to Committee on Government Reform and Oversight.

Interstate Child Support Enforcement Act (HR 195). Introduced by Rep. Roukema. Extends access to federal, state, local and commercial databases for purposes of enforcing child support. Increases use of Social Security Numbers. Creates database of new hires. Referred to Committee on Ways and Means and three other committees.

Antitrust Reform Act of 1995 (HR 411). Introduced by Rep. Dingell. Telecommunications reform bill. Includes section ordering FCC to conduct privacy survey of new technologies and places limits on use of Customer Proprietary Number Information (CPNI).
Referred to Committee on Commerce.

Postal Privacy Act of 1995 (HR 434). Introduced by Rep. Condit. Prohibits Post Office from selling personal information to direct marketers. Referred to Committee on Government Reform and Oversight.

Fair Health Information Practices Act of 1995 (HR 435). Introduced by Rep. Condit. Health care privacy bill. Sets limits on access, use and dissemination of personal medical information. Referred to Committee on Commerce and two other committees.

Social Security Account Number Anti-Fraud Act (HR 502). Introduced by Rep. Calvert. Amends the Social Security Act to require the Secretary of Health and Human Services to establish a program to verify employee social security information, and to require employers to use the program using an 800 number to verify employees. Referred to Committee on Ways and Means.

Immigration Reform Act of 1995 (HR 560). Introduced by Rep. Gallegly. Requires introduction of new tamperproof ID cards for immigrants. Referred to the Committee on the Judiciary.

Consumer Reporting Reform Act of 1995 (HR 561). Introduced by Rep. Gonzales. Updates 1970 Fair Credit Reporting Act to require better accuracy, less expensive credit reports, limit use of credit records for direct marketing and prohibit most uses of reports by employers. Referred to the Committee on Banking and Financial Services.

Act to Enforce Employer Sanctions Law (HR 570). Introduced by Rep. Beilenson. Requires issuance of new Social Security card which is "counterfeit-resistant ... contains fingerprint identification, barcode validation, a photograph, or some other identifiable feature." Card will be sole identification allowed for work authorization. Referred to Committee on Ways and Means and Judiciary Committee.

Exclusionary Rule Reform Act of 1995 (HR 666). Introduced by Rep. McCollum.
Allows introduction of evidence obtained by illegal search or seizure that violates 4th Amendment, statute or rule of procedure if "objective belief" that search or seizure legal. Does not apply to IRS or BATF. Rejected amendment by Rep. Watt (D-NC) to replace language with that of 4th Amendment. Passed by House Feb. 8, 1995.

Criminal Alien Deportation Improvements Act of 1995 (HR 668). Introduced by Rep. Smith. Authorizes wiretaps for investigations of illegal immigration. Passed by House Feb 10. Referred to Senate Judiciary Committee.

Illegal Immigration Control Act of 1995 (HR 756). Introduced by Rep. Hunter. Authorizes wiretaps for investigations of illegal immigration and false identification. Requires issuance of "enhanced," machine readable Social Security cards to all citizens and resident aliens by year 2000 that will include photo and SSN. Orders Attorney General to create databases for verification. Referred to Committee on Judiciary.

Child Support Responsibility Act of 1995 (HR 785). Introduced by Rep. Johnson. Makes SSN of parents public record by requiring their use on birth certificates and marriage licenses. Referred to Committee on Ways and Means.

Paperwork Reduction Act of 1995 (HR 830). See S. 244 below. Controversial provision to benefit West Publishing limiting access to public records removed after Internet campaign by TAP. Passed by House Feb. 22 (418-0). House Report 104-37.

Communications Decency Act of 1995 (HR 1004). Introduced by Rep. Johnson. Same as Exon bill (see S. 314 below). Referred to Commerce and Judiciary Committees.

-- Senate Bills --

Violent Crime Control and Law Enforcement Improvement Act of 1995 (S. 3). Senate Republican Crime Bill. Introduced by Sen. Dole. Includes provision to substantially limit judicial sanctions for illegal searches (exclusionary rule).
Allows wiretapping for immigration and use of false documents, allows participation of foreign governments in domestic wiretapping and disclosure of info to foreign law enforcement agencies. Referred to Committee on the Judiciary.

Family Health Insurance Protection Act (S. 7). Introduced by Sen. Daschle. Democratic health care bill. Sets national standards for transfer and privacy of medical records. Referred to Committee on Finance.

Exclusionary Rule Limitation Act of 1995 (S. 54). Introduced by Sen. Thurmond. (See HR 666 above).

Paperwork Reduction Act of 1995 (S. 244). Introduced by Sen. Nunn. Renews 1980 Paperwork Reduction Act. Establishes OMB as controller of information policy in government. Sets standards for collection, use and protection of statistical information. Referred to Committee on Government Affairs. Approved by committee Feb. 14.

Immigrant Control and Financial Responsibility Act of 1995 (S. 269). Introduced by Sens. Dole and Simpson. Creates national registry for workplace verification. Increases use of wiretaps for immigration purposes. Referred to the Committee on the Judiciary.

Communications Decency Act of 1995 (S. 314). Introduced by Sen. Exon. Revises Communications Act to make transmittal of sexually oriented communications a crime. Makes anonymous communications that are "annoying" a crime. Referred to Committee on Commerce, Science and Transportation.

Interstate Child Support Responsibility Act of 1995 (S. 456). Introduced by Sen. Bradley. Creates databank of new hires. Allows datamatching with SSA for verification. Increases use of SSN. Referred to Committee on Finance.

=======================================================================
[9] Upcoming Privacy Related Conferences and Events
=======================================================================

Cryptography: Technology, Law and Economics. New York City. March 3, 1995. Sponsored by CITI, Columbia University.
Speakers include Stuart Haber (Surety), Matt Blaze (Bell Labs), John Kasden (Columbia Law School), Stewart Baker (Steptoe and Johnson) and David Sobel (EPIC). Contact: citi@research.gsb.columbia.edu

Towards an Electronic Patient Record '95. Orlando, FL. Mar. 14-19, 1995. Sponsored by Medical Records Institute. Contact: 617/964-3926 (fax).

Access, Privacy, and Commercialism: When States Gather Personal Information. College of William and Mary, Williamsburg, VA, March 17. Contact: Trotter Hardy 804/221-3826.

The Digital Libraries in Our Future. Washington, DC. March 17, 1995. Sponsored by the Annenberg Washington Program. Speakers include Toni Carbo Bearman (Pittsburgh University), Cynthia Braddon (McGraw-Hill), and Paul Peters (CNI). Contact: Michael R. Beschloss 202/393-7100.

Computers, Freedom and Privacy '95. Burlingame, CA. Mar. 28-31, 1995. Sponsored by Stanford and ACM. Speakers include John Morgridge (Cisco), Esther Dyson (Rel 1.0), Roger Wilkins (George Mason University), Margaret Jane Radin (Stanford Law School), and Willis H. Ware (Rand). Contact: cfp95@forsythe.stanford.edu.

ETHICOMP95: An international conference on the ethical issues of using Information Technology. DeMontfort University, Leicester, ENGLAND, March 28-30, 1995. Speakers include Simon Davies (Privacy International) Contact: Simon Rogerson srog@dmu.ac.uk 44 533 577475 (phone) 44 533 541891 (Fax).

"Quality of Life in the Electronic Village," March 30, 1995. Live teleconference, broadcast nationally from Virginia Tech, featuring eminent presenters from the fields of ethics, law, education, anthropology, medicine, and government. Contact 703/231-6476 or choices@vt.edu.

National Net '95: Reaching Everyone. Washington, DC. Apr. 5-7, 1995. Sponsored by EDUCOM. Contact: net95@educom.edu or call 202/872-4200.

Information Security and Privacy in the Public Sector. Hyatt Dulles, VA. Apr. 19-20, 1995. Sponsored by AIC Conferences.
Speakers include Joan Winston (OTA), Lynn McNulty (NIST), Marc Rotenberg (EPIC), Dorothy Denning (George Washington University), David Banisar (EPIC) and Jim Bidzos (RSA). Contact: Scott Kessler 212/952-1899 x308

1995 IEEE Symposium on Security and Privacy. Oakland, CA, May 8-10. Contact: sp95@itd.nrl.navy.mil.

INET '95. Honolulu, HI. June 28-30, 1995. Sponsored by the Internet Society. Contact inet95@isoc.org.

Key Players in the Introduction of Information Technology: Their Social Responsibility and Professional Training. July 5-6-7, 1995. Namur, Belgium. Sponsored by CREIS. Contact: nolod@ccr.jussieu.fr.

Advanced Surveillance Technologies. Sept. 4-5, 1995. Copenhagen, Denmark. Sponsored by Privacy International and EPIC. Contact pi@epic.org.

(Send calendar submissions to Alert@epic.org)

=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe, send the message:

SUBSCRIBE CPSR-ANNOUNCE Firstname Lastname

to listserv@cpsr.org. You may also receive the Alert by reading the USENET newsgroup comp.org.cpsr.announce.

Back issues are available via FTP/WAIS/Gopher/HTTP from cpsr.org /cpsr/alert and on Compuserve (Go NCSA), Library 2 (EPIC/Ethics). An HTML version of the current issue is available from epic.digicash.com/epic

=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues relating to the National Information Infrastructure, such as the Clipper Chip, the Digital Telephony proposal, medical record privacy, national id systems and the sale of consumer data. EPIC is sponsored by the Fund for Constitutional Government and Computer Professionals for Social Responsibility.
EPIC publishes the EPIC Alert and EPIC Reports, pursues Freedom of Information Act litigation, and conducts policy research on emerging privacy issues. For more information, email info@epic.org, WWW at HTTP://epic.digicash.com/epic or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. (202) 544-9240 (tel), (202) 547-5482 (fax).

The Fund for Constitutional Government is a non-profit organization established in 1974 to protect civil liberties and constitutional rights. Computer Professionals for Social Responsibility is a national membership organization of people concerned about the impact of technology on society. For information contact: cpsr-info@cpsr.org

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003. Your contributions will help support Freedom of Information Act litigation, strong and effective advocacy for the right of privacy and efforts to oppose Clipper and Digital Telephony wiretapping proposals.

------------------------ END EPIC Alert 2.03 ------------------------