Volume 3.13 July 10, 1996
 Clipper Returns ... Again
 Commerce Notice for Key Escrow Panel
 Supreme Court Rules on Cable Censorship
 Justice Department Appeals CDA Decision
 FBI File Controversy Continues to Grow
 Crypto Hearings Update
 EU Committee Approves Telecom Privacy Directive
 Upcoming Conferences and Events
 Key Escrow Returns ... Again
Marking the fourth time that the Clinton Administration has tried to push through a proposal for key escrow encryption, the Department of Commerce announced this week that the Secretary of Commerce will appoint a panel to advise on the implementation of a "key management infrastructure."

The KMI proposal was first put forward by the White House in May. The proposal called for the creation of a key management infrastructure which would require users to disclose their private keys to a government-certified escrow agent. It was quickly dubbed "Clipper III," and widely criticized by the public and members of Congress. (See EPIC Alert 3.10)

The new proposal also flies in the face of the recent findings of an extensive report from the National Research Council which concluded that it would be a mistake to continue "aggressive promotion" of key escrow encryption. The NRC found that there was insufficient experience to support large scale deployment of key escrow; key escrow would not solve the most serious law enforcement problems; key escrow will have "a significant negative impact" on the development of new information services and technologies; and key escrow will skew market development of encryption applications.

The KMI proposal also contradicts a recent recommendation by the Department of Commerce's own Computer System Security and Privacy Advisory Board which endorsed the conclusions of the NRC report. (See EPIC Alert 3.11)

More information is available at http://www.epic.org/crypto/key_escrow/
 Commerce Notice for Key Escrow Panel
[Federal Register: July 8, 1996 (Volume 61, Number 131)]
[Notices]
[Page 35710]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]

DEPARTMENT OF COMMERCE

Technical Advisory Committee To Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure; Notice of Establishment

In accordance with the provisions of the Federal Advisory Committee Act, 5 U.S.C. App. 2, and the General Services Administration (GSA) rule on Federal Advisory Committee Management, 41 CFR Part 101-6, and after consultation with GSA, the Secretary of Commerce has determined that the establishment of the Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure is in the public interest in connection with the performance of duties imposed on the Department by law.

The Committee will advise the Secretary on the development of a draft Federal Information Processing Standard for the Federal Key Management Infrastructure.

The Committee will consist of no more than twenty-four members to be appointed by the Secretary to assure a balanced representation among individuals with established expertise in cryptography and the implementation and use of cryptographic systems.

The Committee will function solely as an advisory body, and in compliance with provisions of the Federal Advisory Committee Act. The charter will be filed under the Act, fifteen days from the date of publication of this notice.

Interested persons are invited to submit comments regarding the establishment of this committee to Edward Roback, Computer Security, National Institute of Standards and Technology, Gaithersburg, MD 20899, telephone: 301-975-3696.

Dated: June 27, 1996.
Mark Bohannon, Chief Counsel for the Technology Administration.
 Supreme Court Rules on Cable Censorship
In a precursor to the impending review of the Communications Decency Act, the Supreme Court on June 28 struck down two provisions and upheld one of a law on regulating "indecent" programming on cable television. The Court splintered on the case, generating a total of five opinions, with most of the decision lacking a solid majority. The effects on the CDA case are unclear.

In the first part of the decision, Denver Area Education versus FCC, No. 95-124 and 95-227, a plurality of four judges upheld section 10(a) of the cable legislation, which allows cable companies to restrict "patently offensive" programming on "leased access" channels. Leased access channels are channels set aside for use by third party commercial entities for programming such as infomercials and shopping channels. The decision creates a new standard for review described by advocates as "fuzzy scrutiny" that looks at an "extremely important problem . . . without imposing an unnecessarily great restriction on speech."

In the only part of the decision that garnered a majority, the Court struck down Section 10(b) of the act which required that all "patently offensive" material on leased access channels be placed on a special channel and that subscribers who wished to view the channel send a written request to the cable company thirty days in advance of the programming. The Court, with a majority of six judges, ruled that the provision was not narrowly tailored. It recognized that there are other alternatives including lockboxes and the V-chip (without ruling on its constitutionality) that could also have been used. The Court also recognized the privacy interest in the list created by the provision and its chilling effect on free speech:

the "written notice" requirement will further restrict viewing by subscribers who fear for their reputations should the operator, advertently or inadvertently, disclose the list of those who wish to watch the "patently offensive" channel. Cf. Lamont v. Postmaster General, 381 U.S. 301, 307 (1965) (finding unconstitutional a requirement that recipients of Communist literature notify the Post Office that they wish to receive it).

Finally, a plurality of four judges struck down section 10(c) which allowed cable operators to restrict "patently offensive" programming on public access channels. It noted that cable TV companies have not historically had editorial control over these channels and that there is already an infrastructure of boards and managers that set policy for the channels. It found no examples of the channels being used for the kind of programming banned, but noted the fears of programmers who believed that the cable companies would use the new powers abusively to restrict other "borderline" programming.
 Justice Department Appeals CDA Decision
On July 1, 1996, the Justice Department filed a notice with the US District Court in Philadelphia noting its appeal to the US Supreme Court of the lower court's decision striking down provisions of the Communications Decency Act.

The CDA contains provisions allowing for a direct appeal to the Supreme Court. Section 561 allows for expedited review of the decision directly to the Court instead of the usual appeal to the Court of Appeals:

(b) Appellate Review. -- Notwithstanding any other provision of law, an interlocutory or final judgment, decree, or order of the court of 3 judges in an action under subsection (a) holding this title or an amendment made by this title, or any provision thereof, unconstitutional shall be reviewable as a matter of right by direct appeal to the Supreme Court. Any such appeal shall be filed not more than 20 days after entry of such judgment, decree, or order.

More information on the CDA decision is available at: http://www.epic.org/cda/
 The FBI Files Scandal and the Privacy Act of 1974
In early June, the House Government Reform and Oversight Committee revealed that the White House had requested the FBI file on former Travel Office employee Billy Dale. Soon after, it was also revealed that the White House had obtained hundreds of other individuals' FBI files. Some of the files requested by the White House were those of members of previous Republican administrations. So far, 481 files are known to have been sent to the White House and there are unconfirmed reports of hundreds more. The White House is claiming that the files were obtained as part of a bureaucratic mistake.

The White House and the FBI quickly apologized for their action. White House Chief of Staff Leon Panetta said, "A mistake has been made here. It is inexcusable and I think an apology is owed to those that were involved." FBI Director Louis J. Freeh described the disclosure of files as "egregious violations of privacy" and noted that "the FBI gave inadequate protection to the privacy interests of persons in FBI files."

Despite these apologies, the FBI maintains that its release of confidential information to the White House was not against the law. The Privacy Act of 1974, which does not apply to the White House, requires that record-holding agencies, such as the FBI, get the permission of an individual before disclosing their record. Although the FBI did not have the appropriate permissions, it claims it did not violate the Privacy Act because its actions fall under the "routine use" exception in the Act. A report by Howard Shapiro, FBI General Counsel, states that the routine use "to assist the recipient agency in the performance of any authorized function where access to records in this system is declared by the recipient agency to be relevant to that function" is applicable because the White House requests appeared to be legitimate requests.

Legal scholars note that if the FBI's claim of "routine use" survives judicial scrutiny, the Privacy Act's safeguards will have little meaning. Even revised internal policies designed to prevent similar incidents could later be relaxed. A Senate oversight committee may soon hold hearings to consider whether amendments to the Privacy Act are necessary to ensure protection of personal information held in federal agencies.

More information on the FBI files issue is available from: http://www.epic.org/privacy/filegate/
 Crypto Hearings
On June 26, Senator Conrad Burns chaired the second hearing on S. 1726, the "Pro-CODE" bill. The hearings examined civil liberties issues raised by encryption policy and encryption techniques. Witnesses included Phil Zimmermann of Pretty Good Privacy, Whit Diffie of Sun Microsystems, Phil Karn of Qualcomm, Barbara Simons of USACM and Marc Rotenberg of EPIC.

The hearing took place in the wake of revelations of the FBI files abuses. Both Committee members and witnesses spoke to the need to protect citizens' communications from overzealous government action. Senator John Ashcroft emphasized protecting individuals' privacy: "The events this last week or two bring into sharp focus the need . . . to have private items that are not abused, and to think that somehow we would have to register with a government agency some way for them to participate in the most private of our understandings, your thoughts, unless we chose not to record them, is a very troubling thought."

Marc Rotenberg, director of the Electronic Privacy Information Center, said that "current encryption policies are destined for the history books," and stressed the point that the government should not dictate technical standards for encryption. "It is absolutely critical that users be able to choose from a wide range of good tools that are designed to protect privacy and security."

The Committee and the witnesses also discussed the implications of strong cryptography for law enforcement. There was general agreement that cryptography would prevent many crimes of opportunity, although it could make some investigations more difficult. Everyone recognized that the potential negative uses of cryptography are already possible but that good uses require encouragement. Whitfield Diffie noted: "A small number of people in a conspiracy can secure their communications rather readily. But the legitimate applications of cryptography require a worldwide infrastructure . . . and as long as we delay the development of that infrastructure, we are giving the relative advantage to the bad guys rather than the good guys."

The final hearing on the Pro-CODE bill will take place on June 24. Officials from law enforcement and intelligence agencies are expected to testify.

More information about export control issues can be found at: http://www.epic.org/crypto/export_controls/
 EU Committee Approves Telecom Privacy Directive
The EU Telecommunications Committee approved on June 27 a directive on telecommunications privacy for digital networks. The new directive establishes several new privacy requirements and follows the recently enacted directive on privacy and data protection.

The directive requires free per-line and per-call blocking for Caller ID services. In addition, automatic rejection of blocked calls must be offered for free. These provisions can be overridden only in limited circumstances.

Other information collected for call placement can be kept only until the service is completed. Billing data can only be kept for the statutory period in which it could be challenged. Member countries must also ensure that "the privacy of calling users and called subscribers is preserved" for itemized bills.

On telemarketing, automated calls with pre-recorded messages are banned unless the individual has given affirmative consent. Member countries are required "to ensure that unsolicited calls for promotional or advertising/research purposes are not allowed in respect of subscribers who do not wish to receive these calls."

On wiretapping, the directive prohibits any wiretaps that are not legally authorized. Where there is a "particular risk of a breach of the security of the network," such as with mobile telephones, it requires that subscribers be informed and that the service provider offer encryption.
 Upcoming Conferences and Events
DEF CON IV. July 26-28. Las Vegas, NV. Annual hacker convention. Contact: email@example.com or http://www.defcon.org/.

Surveillance Expo 96. August 19-21. McLean, Virginia. Sponsored by Ross Associates. Contact: Marilyn Roseberry 703-450-2200.

Fifth International Information Warfare Conference, "Dominating the Battlefields of Business and War", September 5-6, 1996. Washington, DC. Sponsored by Interpact, NCSA, OSS. Contact: firstname.lastname@example.org

Advanced Surveillance Technologies II. September 16, 1996. Ottawa, Canada. Sponsored by EPIC and Privacy International. Contact: http://www.privacy.org/pi/conference/ottawa/ or email email@example.com.

"Privacy Beyond Borders", 18th International Privacy and Data Protection Conference. September 18-20, 1996. Ottawa, Canada. Sponsored by the Privacy Commissioner of Canada. Contact: firstname.lastname@example.org

CPSR Annual Meeting. October 19-20. Washington DC. Contact: phyland@aol.com.

(Send calendar submissions to Alert@epic.org)
The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe, send email to email@example.com with the subject: "subscribe" (no quotes). Back issues are available via http://www.epic.org/alert/
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues relating to the National Information Infrastructure, such as the Clipper Chip, the Digital Telephony proposal, medical record privacy, and the sale of consumer data. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, email firstname.lastname@example.org, HTTP://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax). If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003. Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and funding of the National Wiretap Plan. Thank you for your support.