EPIC Alert 2.05

Volume 2.05                                                     March 26, 1995 

Published by the

Electronic Privacy Information Center (EPIC)

Washington, DC


Table of Contents


[1] Senate Committee Approves "Decency" Bill
[2] EPIC Statement on Communications Decency Act
[3] Caller ID Snafus Continue: FCC Delays Implementation
[4] Security Policy Board Criticized: FCSM Letter to OMB
[5] Commerce Dept. to Recommend Relaxing Crypto Export Control
[6] Maryland Debates Online Privacy
[7] Reminder: Computers, Freedom and Privacy Conference
[8] Upcoming Conferences and Events

[1] Senate Committee Approves "Decency" bill

The Senate Commerce Committee voted on March 23 to incorporate a revised version of S. 314, the Communications Decency Act of 1995, into the telecommunications reform legislation. The amendment makes every person who creates, makes or solicits "any comment, request, suggestion, proposal or other communication which is obscene, lewd, lascivious, filthy, or indecent" subject to criminal prosecution. The bill also gives the FCC sweeping new authority to regulate on-line communications, and curtails First Amendment rights that currently exist for print communication.

In a revision pushed by online providers, commercial carriers may avoid liability if they do not exercise editorial control over content, or if they take a series of good faith steps to comply with the statute. A provision criminalizing anonymous messages that "annoy, abuse, threaten, or harass" was also removed. However, users of on-line services, content providers, electronic publishers, and journalists face new restrictions on speech and private communications. For this reason, there is still considerable opposition to the bill. Civil liberties groups believe that the bill is unconstitutional.

The Senate Commerce Committee approved the amendment, sponsored by Senator Slade Gorton (R-WA), unanimously by voice vote. The entire bill was approved by the Committee 17-2, subject to amendments. The bill now goes to the full Senate, where more amendments are expected to be added.

The legislation has generated considerable controversy. Earlier this week, the presidents of the major computing societies in the US - ACM, IEEE, SIAM, CPSR and AAAI - wrote to Senator Exon expressing concern about the effects on the development of computer networks if the legislation was enacted. An Internet petition calling for the withdrawal of the legislation gathered over 100,000 signatures in only a few weeks and Senators on the Telecommunications subcommittee received a large number of calls, faxes and email messages on the bill.

The bill is expected to be considered by the full Senate in the next few months.

[2] EPIC Statement on Communications Decency Act

EPIC STATEMENT ON COMMUNICATIONS DECENCY ACT
March 24, 1995

The Electronic Privacy Information Center opposes the Communications Decency Act as adopted by the Senate Commerce Committee on March 24, 1995. We believe that the bill is an unconstitutional restriction on free expression, personal privacy, and intellectual freedom.

EPIC has urged Senator Exon and his staff to explore all non-legislative solutions before further action on this bill. Comprehensive hearings are still necessary.

We recognize that there is a genuine concern about the type of materials that are available to children via the Internet. EPIC also believes that a thoughtful, long-term solution to this problem will require the participation of parents and schools, and the development of good technical and educational measures. We do not believe that the contents of private communication or the expression of public opinion should be regulated by the government.

The National Center for Missing and Exploited Children has produced a fine publication for parents and others who are concerned about these issues. This brochure, "Child Safety on the Information Highway," was written by Lawrence J. Magid, a syndicated columnist for the Los Angeles Times. Mr. Magid encourages parents to take an active interest in the on-line activities of their children, and opposes passage of the Communications Decency Act. For a copy of the brochure, contact The National Center for Missing & Exploited Children, 2101 Wilson Blvd, Suite 550, Arlington, VA 22201-3052 or call 1-800-The-LOST (1-800-843-5678).

EPIC will continue to oppose the Communications Decency Act. We urge others to do the same.

[3] FCC Delays Implementation of Nationwide Caller ID, More Failures

The Federal Communications Commission announced on March 17 that it was delaying the implementation of rules proposed for interstate Caller ID. The rules were scheduled to go into effect on April 12, 1995, after four years of deliberation by the FCC. The order was delayed after the FCC received comments from telephone companies stating that they would not be able to comply in time. The FCC has not set a new date for implementation. There were also a number of petitions from state Public Utility Commissions and consumer organizations who opposed the original FCC order. The FCC order would have the effect of over-ruling state safeguards that currently require per line blocking. California has filed suit to prevent the FCC rule from going into effect. More than 40 states have required that per-line blocking be made available. The FCC also delayed enforcing the rule that common carriers who offer Automatic Number Identification (ANI) must inform customers that their number may be identified to the called party. ANI is used with 800 and 900 numbers. Problems also continued with the Caller ID services. There have been failures in at least 11 states with the implementation of per line blocking. One writer to the Telecom Digest reported that per call blocking also failed in Michigan due to a configuration error.

[4] Security Policy Board Criticized.

The National Security Council's proposal to merge protection of civilian and military computer systems under the control of the Security Policy Board came under increasing criticism from civilian government computer security experts this week. Two different government panels released statements opposing the proposal.

The Computer Systems Security and Privacy Advisory Board, a board created by the Computer Security Act of 1987, called on the SPB to stop its activities in Res. 95-3, March 24, 1995:

"The board is concerned about the Security Policy Board (SPB) proposal of November 27, 1994, to '...have authority over all classified and unclassified but sensitive systems.' Therefore, the board recommends that the SPB not proceed with this plan to control unclassified but sensitive systems until broader input of issues is gathered. To that end, the board would like to have the opportunity to be fully involved in working on these issues."

In a letter written January 11 and released March 23, the Steering Committee of the Federal Computer Security Program Manager's Forum strongly criticized the Security Policy Board's proposal. The Forum is made up of senior computer security managers for civilian agencies including the Justice Department, HHS, and Department of Transportation. The letter states that classified and unclassified systems should be kept separate because of the different needs for each:

We believe that it is inappropriate for the national security and intelligence communities to participate in selecting security measures for civilian agencies. Their expertise in protecting national security systems is not readily transferable to civilian agency requirements.

The Forum asked the OMB to limit the SPB's authority to only classified systems. The letter states that SPB's review conflicts with the Computer Security Act of 1987 and PDD-29 and will increase public concerns about previous government initiatives such as NSDD-145 and the Clipper Chip.

On March 9, EPIC filed suit against the National Security Council, asking for documentation on the SPB and Presidential Decision Directive 29, which created the board. The EPIC suit is now in federal district court. Senator William Roth (R-DE), chair of the Senate Governmental Affairs Subcommittee on Investigations, also expressed concern with the role of the SPB.

[Security Manager's Letter to OMB]

FEDERAL COMPUTER SECURITY PROGRAM MANAGERS' FORUM

January 11, 1995

The Honorable Sally Katzen
Office of Management and Budget
Office of Information and Regulatory Affairs
Old Executive Office Building, Room 350
17th Street and Pennsylvania Ave, NW
Washington, DC 20503

Dear Ms. Katzen

On behalf of the Steering Committee of the Federal Computer Security Program Manager's Forum, I am writing you to inform you of our unanimous disagreement with the Security Policy Board's (SPB) proposal to establish a new federal computer security organization with jurisdiction over both unclassified and classified programs. The Steering Committee urges you to take appropriate action to restrict implementation of the SPB report to only classified systems for the following reasons.

1. The establishment of a national security community dominated Information System Security Committee having jurisdiction for both classified and unclassified systems is contrary to the Computer Security Act. Furthermore, it is not consistent with the authority of PDD-29 which requires coordination of national security policy.

2. This initiative also undercuts a stated Administration goal for an "open government" in which the free flow of information is facilitated by removing government restrictions and regulations. For example, the SPB document states that a priority project for the new committee will be to craft a broad new definition for "national security related information." This will be viewed by many as an attempt to impose new restrictions on access to government information.

3. The SPB proposal may serve to increase concerns over the government's intentions in the field of information security. We know from observing the public debate over NSDD-145 and the Clipper Chip that the private sector deeply mistrusts the intentions of the government to use information security policy as a lever to further goals and objectives viewed as contrary to the interests of the business community. Congress passed the Computer Security Act of 1987 in response to expressions of displeasure from the private sector regarding the unwelcome overtures by the national security community towards "assisting" the private sector under the auspices of national security. This was perceived as having a significant adverse impact upon personal privacy, competitiveness and potential trade markets.

4. We believe that it is inappropriate for the national security and intelligence communities to participate in selecting security measures for unclassified systems at civilian agencies. Their expertise in protecting national security systems is not readily transferable to civil agency requirements. The primary focus of security in the classified arena is directed towards protecting the confidentiality of information with little concern for cost effectiveness. Unclassified systems, however, which constitute over 90% of the government's IT assets, have significantly fewer requirements for confidentiality vis-a-vis the need for integrity and availability. In these times of diminishing resources, cost-effectiveness is of paramount concern in the unclassified arena.

The Steering Committee is most concerned that the report is being misrepresented as Administration policy. Indicative of this is that "transition teams" are being formed to implement the report.

Please consider these facts and take action to restrict the SPB report implementation to only classified systems. Thank you for your thoughtful consideration of this request.

Sincerely,

Lynn McNulty
Forum Chair
National Institute of Standards and Technology

Sadie Pitcher
Forum Co-chair
Department of Commerce

[5] Commerce Dept. to Recommend Relaxing Crypto Export Control

The Bureau of National Affairs reports that the Department of Commerce will recommend that the United States relax export controls on cryptography. The recommendations will be presented to the President in early July. The National Security Agency is expected to release a report on the availability of foreign encryption software which will be presented to the President at the same time. The Commerce Department has also filed a request with the Office of Management and Budget to collect information on the damage to US businesses resulting from current export controls. The Software Publishers Association, in a December survey of encryption software currently available, identified 407 foreign encryption products, 120 of which used the Data Encryption Standard (DES). The SPA found 480 domestic encryption products.

[6] Maryland Debates Online Privacy

On March 11, the Maryland House of Delegates held landmark hearings on online privacy. The hearing marked the first time that a state legislature had taken up the issue of privacy on the NII. The bill, SB 524, was prompted by revelations last year that America Online and other service providers were selling information about their customers to direct marketers. In the case of AOL, the users were not informed until after newspapers reported that advertisements for AOL member profiles appeared in a direct marketing magazine.

The legislation requires that an "online computer service may not disclose personal information concerning a subscriber to any other person unless the subscriber ...has received notice ... and consented to the disclosure." The consent can be in electronic or written form. Online providers are also required to tell customers up front what information is being collected, how it is being used, and how customers can access their records.

Dave Banisar from EPIC testified on behalf of the bill. He argued that the bill was a modest attempt to protect individual privacy. He noted that the provisions of the act were already incorporated in the 1980 OECD guidelines on privacy, which were endorsed by many US companies in the early 1980's, and in the Code of Fair Information Practices, first developed in 1973.

Opposing the bill were representatives from AOL, AT&T, Sprint, MCI and the Direct Marketing Association. The online providers argued that legislation should be placed on hold until national legislation is enacted, which is highly unlikely this term in Congress. The DMA strongly opposed the bill. Bell Atlantic said that they may support the bill if it were revised to require an opt out. The sponsors of the bill indicated that they were agreeable to the change.

The bill was sent to a committee for review over the summer break. It is expected to be reintroduced next session.

[7] Reminder: Computers, Freedom and Privacy Conference

Do you belong at the Fifth Conference on Computers, Freedom and Privacy (CFP'95) which takes place March 28-31, 1995 in Burlingame, California? You do if you are concerned about the definition of rights, and the processes by which they are being defined, now that computer and telecommunications technologies have become part of mainstream living, conversation, and politics.

CFP'95 participants will include people from the fields of computer science, business, public policy, government, law enforcement, research, information, health, law, civil liberties, library science, education, social science, and many others. CFP'95 offers a much-needed neutral ground, a demilitarized zone, where people from widely different backgrounds and positions can learn from each other.

Like past Computers, Freedom and Privacy conferences, CFP'95 will be a place where information industry executives talk to concerned end users, law enforcement officials talk to civil rights advocates, information systems managers talk to legal and security experts, and more. This interaction, and the mutual understanding it promotes, will shape the future.

TUTORIALS

The conference sessions and CFP'95 focus on the controversies. The tutorials held on March 28, the day before the formal conference opens, will help you get the most from CFP'95 by giving you the general background needed to discuss the issues of the day.

BIRDS OF A FEATHER SESSIONS

CFP'95 during the day will bring together people with different interests. The CFP'95 Birds of a Feather (BoF) sessions in the evenings will let participants explore their shared interests in greater detail. Currently slated BoFs will cover: Cryptography Policy, FCC and FTC Rules, Law and Ethics, Cyber Roots, Governance and Sanctions, Electronic Cash, and Copyright and Media.

By WWW: URL=http://www-techlaw.stanford.edu/CFP95.html
By Gopher: www-techlaw.stanford.edu
By FTP: www-techlaw.stanford.edu
By Email: Info.CFP95@forsythe.stanford.edu
By Fax: (415) 548-0840
By Telephone: (415) 548-9673

[8] Upcoming Privacy Related Conferences and Events

Computers, Freedom and Privacy '95. Burlingame, CA. Mar. 28-31, 1995. Sponsored by Stanford University and ACM. Contact: cfp95@forsythe.stanford.edu.

Privacy advocates meeting. Burlingame, CA (in conjunction with CFP). Apr. 1, 1995. Contact Robert Ellis Smith, Privacy Journal 401/274-7861 or 0005101719@mcimail.com.

ETHICOMP95: An international conference on the ethical issues of using Information Technology. DeMontfort University, Leicester, ENGLAND, March 28-30, 1995. Speakers include Simon Davies (Privacy International) Contact: Simon Rogerson srog@dmu.ac.uk 44 533 577475 (phone) 44 533 541891 (Fax).

National Net '95: Reaching Everyone. Washington, DC. Apr. 5-7, 1995. Sponsored by EDUCOM. The privacy panel will include Brock Meeks (CyberWire Dispatch), Bob Gellman (information and privacy policy consultant), Lance Hoffman (George Washington University), and Don Haines (ACLU). Contact: net95@educom.edu or call 202/872-4200.

Security on the I-WAY. Arlington, VA. Apr. 10-11. Sponsored by National Computer Security Assn. Contact: 74774.1326@compuserve.com

Information Security and Privacy in the Public Sector. Hyatt Dulles, VA. Apr. 19-20, 1995. Sponsored by AIC Conferences. Speakers include Joan Winston (OTA), Lynn McNulty (NIST), Marc Rotenberg (EPIC), Dorothy Denning (Georgetown University), David Banisar (EPIC) and Jim Bidzos (RSA). Contact: Scott Kessler 212/952-1899 x308.

Health Care, Privacy @ Cyberspace. Desmond Hotel, Albany, New York. June 21-22, 1995. Sponsored by the Institute for the Advancement of Health Care Management and the Government Law Center of Albany Law School. Contact Debra Sottolano ds3789@albany.edu.

INET '95. Honolulu, HI. June 28-30, 1995. Sponsored by the Internet Society. Speakers on privacy include Frank Tuerkheimer (University of Wisconsin School of Law.). Contact inet95@isoc.org.

Key Players in the Introduction of Information Technology: Their Social Responsibility and Professional Training. July 5-6-7, 1995. Namur, Belgium. Sponsored by CREIS. Contact: nolod@ccr.jussieu.fr.

DEF CON III. August 4-6, 1995. Las Vegas. Major hacker conference. Contact: dtangent@defcon.org or http://dfw.net/~aleph1/defcon

Advanced Surveillance Technologies. Sept. 4, 1995. Copenhagen, Denmark. Sponsored by Privacy International and EPIC. Contact pi@privacy.org.

17th International Conference of Data Protection and Privacy Commissioners. Copenhagen, Denmark. September 6-8, 1995. Sponsored by the Danish Data Protection Agency. Contact Henrik Waaben, +45 33 14 38 44 (tel), +45 33 13 38 43 (fax).

"Managing the Privacy Revolution." Privacy & American Business. Oct. 31 - Nov. 1, 1995. Washington, DC. Speakers include C.B. Rogers (Equifax). Contact Alan Westin 201/996-1154.

(Send calendar submissions to Alert@epic.org)

To subscribe to the EPIC Alert, send the message: SUBSCRIBE CPSR-ANNOUNCE Firstname Lastname to listserv@cpsr.org. You may also receive the Alert by reading the USENET newsgroup comp.org.cpsr.announce. Back Issues of the EPIC Alert are available at cpsr.org and on Compuserve at Keyword: NCSA, Library 2 (EPIC/Ethics). An HTML version of the current issue is available from http://epic.digicash.com/epic

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues relating to the National Information Infrastructure, such as the Clipper Chip, the Digital Telephony proposal, medical record privacy, and the sale of consumer data. EPIC is sponsored by the Fund for Constitutional Government and Computer Professionals for Social Responsibility. EPIC publishes the EPIC Alert and EPIC Reports, pursues Freedom of Information Act litigation, and conducts policy research on emerging privacy issues. For more information email info@epic.org, or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).

The Fund for Constitutional Government is a non-profit organization established in 1974 to protect civil liberties and constitutional rights. Computer Professionals for Social Responsibility is a national membership organization of people concerned about the impact of technology on society. For information contact: cpsr-info@cpsr.org

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003. Your contributions will help support Freedom of Information Act litigation, strong and effective advocacy for the right of privacy and efforts to oppose Clipper and Digital Telephony wiretapping proposals.

Current FOIA cases include: EPIC v. National Security Council (effort to uncover information surrounding Security Policy Board, see article above), EPIC v. FBI (effort to obtain information justifying wiretap legislation), CPSR v. National Security Agency (records relating to Clipper and NSA decision to classify public documents), CPSR v. National Institute of Standards and Technology (records regarding development of Digital Signature Standard), and CPSR v. Secret Service (activities of Secret Service in break-up of 2600 group at Pentagon City).

Thank you for your support.