EPIC Alert 3.17



    =============================================================

       @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
       @     @  @   @   @        @ @   @     @     @  @    @
       @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
       @     @      @   @       @   @  @     @     @  @    @
       @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @

   ==============================================================
   Volume 3.17                                    October 2, 1996
   --------------------------------------------------------------

                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.

                          http://www.epic.org/

=======================================================================
Table of Contents
=======================================================================

[1] White House Releases New Clipper Proposal
[2] International Crypto Symposium Held in Paris for OECD
[3] OECD Crypto Experts Meet in Paris
[4] Human Rights Groups Release Crypto Resolution 
[5] E-FOIA Bill Approved by House and Senate
[6] P-TRAK SSN System Criticism Continues
[7] Avrahami Files Appeal to State Supreme Court
[8] Upcoming Conferences and Events

=======================================================================
[1] White House Releases New Clipper Proposal
=======================================================================

The White House has released the latest version of the key
escrow/recovery plan intended to promote government access to encoded
communications. The new proposal follows similar proposals in which
the Administration offers to relax export regulations in exchange for
an industry commitment to establish key escrow encryption.

Under the plan announced by the Office of the Vice President on
October 1, 1996, companies would be allowed to export 56-bit
encryption systems for the next two years if they set up a formal
process to fully develop a key escrow system. After two years,
non-escrow systems would be prohibited. Jurisdiction for the control
of exports would also be transferred from the State Department to the
Commerce Department. The Justice Department would be given veto power
over export applications. The White House plans to introduce
legislation for key escrow centers.

According to the statement released by the Vice President, the
Administration will continue to promote key escrow encryption through
the purchase of key recovery products, bilateral and multilateral
discussions, federal cryptographic and key recovery standards, and
federal funding.

The statement also said that "the Administration's initiative is
broadly consistent with the recent recommendations of the National
Research Council." However, the NRC report recommended against
government promotion of key escrow encryption, noting that "the risks
of key escrow encryption are considerable." Earlier this year, the
Internet Society also endorsed a recommendation of the Internet
Architecture Board and the Internet Engineering Steering Group which
said that "such policies are against the interests of consumers and
the business community, and are largely irrelevant to issues of
military security."

IBM announced that it would establish an industry consortium to
support the plan, and several US hardware companies signed on.
However, Netscape head Jim Barksdale described the proposal as
"extortion". Bipartisan criticism was also heard from Congress. Both
Senator Leahy and Senator Burns quickly issued releases criticizing
the proposal.

The software industry expressed opposition to the White House plan.
The Software Publishers Association, the Business Software Alliance,
and the International Technology Association of America criticized the
proposal.

More information on Clipper 4.0 is available at:
  
  http://www.epic.org/crypto/key_escrow/

=======================================================================
[2] International Crypto Symposium Held in Paris for OECD
=======================================================================

On September 25, 1996 cryptographers, human rights advocates, legal
scholars, and delegates to the Organization for Economic Cooperation
and Development met in Paris to explore issues concerning cryptography
policy. The symposium was scheduled to coincide with an OECD meeting
to consider new guidelines on international cryptography policy. The
conference on the "Public Voice in the Development of International
Encryption Policy" was sponsored by EPIC and Planete Internet and held
in the Centre de Conferences des Internationales.

Justice Michael Kirby, a member of the High Court of Australia and
former chair of the OECD expert panels on security and privacy, opened
the conference with remarks that placed the current effort to develop
cryptography guidelines in the larger context of the OECD's work on
privacy and information security and the ongoing need to recognize
human rights concerns.

Justice Kirby, drawing on his international human rights work in the
area of HIV/AIDS, urged participants to keep in mind ten principles
for the development of sound policies. Justice Kirby concluded his
remarks with an appeal that "the claims of national security and law
enforcement agencies be attained within a context of
constitutionalism, the rule of law and respect for, and effective
protection of human rights." Kirby reminded those present that
"respect of human rights, and especially individual privacy" is "the
ultimate common denominator of the OECD."

Welcoming remarks were provided by Mr. Norman Reaburn, the Chair of
the OECD Expert Panel on Cryptography Policy, Mr. John Dryden, the
head of the OECD Secretariat, and Mr. Marc Rotenberg, the director of
the Electronic Privacy Information Center (EPIC) in Washington, DC.
The panels were moderated by OECD delegates from Australia, Canada,
Germany, and Japan.

The first panel "Cryptography Policy: The View of Cryptographers"
featured Dr. Ross Anderson of the University of Cambridge, Dr. Matt
Blaze of AT&T Laboratories, Dr. Whitfield Diffie of Sun Microsystems,
Mr. Yves Le Roux of Digital Research, and Dr. Herb Lin of the National
Research Council.

The second panel "Human Rights Issues in the Development of
Cryptography Policy" featured Mr. Dave Banisar of EPIC, Mme. Louise
Cadoux of the Commission Nationale de l'Informatique et des Libertes,
Mr. Simon Davies of Privacy International, Mr. Barry Steinhardt with
the American Civil Liberties Union, and Mr. Alain Weber of the French
Human Rights League.

The third panel "User Needs for Strong Cryptography" featured Dr.
Brian Carpenter of the Internet Architecture Board, Dr. Stephane
Bortzmeyer of the Association des Utilisateurs d'Internet, and Mr.
Phil Zimmermann of Pretty Good Privacy Inc.

The final panel "Legal Dimensions and Cryptography Policy" featured
Mr. Victor Mayer-Schoenberger of the Austrian Institute for Law and
Policy, Mr. Kevin O'Connor the Australian Privacy Commissioner, and
Prof. Joel Reidenberg of the Fordham Law School and the Sorbonne.

The complete program for the EPIC/Planete Internet conference, the
speech of Justice Kirby, remarks of speakers, and other resources are
available at:

  http://www.epic.org/events/crypto_paris/

=======================================================================
[3] OECD Crypto Experts Meet in Paris
=======================================================================

Following the EPIC/Planete Internet conference, the OECD Member
countries met in Paris for two days to discuss Cryptography Policy
Guidelines that could provide internationally comparable criteria for
encryption of computerised information.

According to the OECD, the Guidelines identify the issues which
countries should take into consideration in formulating cryptography
policies at the national and international level. An OECD press
statement said that, "Discussions have focused on the rights of users
to choose cryptographic methods, the freedom of the market to develop
them, interoperability, consequences for the protection of personal
data and privacy, lawful access to encrypted data, and reducing the
barriers to international trade."

The OECD Guidelines will be non-binding recommendations to Member
governments, meaning that they will not be part of international law,
nor will they endorse any specific cryptography system.

The Group of Experts on Cryptography Policy will continue discussions
the week of December 16, with a view to completion this year of a
draft of the Guidelines which would be forwarded for approval by the
Council of the OECD early in 1997.

The complete text of the OECD press statement is available in English
at:

 http://www.epic.org/events/crypto_paris/releaseE_OECD.html

The complete text of the OECD press statement is available in French
at:

 http://www.epic.org/events/crypto_paris/releaseF_OECD.html

=======================================================================
[4] Human Rights Groups Release Privacy Resolution 
=======================================================================

More than a dozen international human rights and cyber rights
organizations recently endorsed a resolution in Support of the Freedom
to Use Encryption. The resolution was released in Paris on September
25, just prior to the meeting of the OECD.

Noting that "national governments have already taken steps to detain
and to harass users and developers of cryptography technology" and
that "cryptography is already in use by human rights advocates who
face persecution by their national governments," the organizations
urged the OECD to "base its cryptography policies on the fundamental
right of citizens to engage in private communication."

The organizations further urged the OECD to "resist policies that
would encourage the development of communication networks designed for
surveillance."

The organizations that endorsed the resolution included ALCEI
(Electronic Frontiers Italy), the American Civil Liberties Union,
Association des Utilisateurs d'Internet, CITADEL-EF France, Computer
Professionals for Social Responsibility, cyberPOLIS, Digital Citizens
Foundation in the Netherlands, EFF-Austin, Electronic Frontier
Australia, Electronic Frontier Canada, Electronic Frontier Foundation,
Electronic Privacy Information Center, Human Rights Watch, NetAction,
and Privacy International.

The campaign was organized by the Global Internet Liberty Coalition, a
new coalition of national and international human rights and cyber
rights organizations.

The complete text of the crypto resolution is available at:

  http://www.gilc.org/gilc/resolution.html


=======================================================================
[5] E-FOIA Bill Approved by House and Senate
=======================================================================

Congress has passed and sent to the President the Electronic Freedom
of Information Act Amendments of 1996. The "E-FOIA" legislation
requires federal agencies to make information available to requesters
in electronic form "if the record is readily reproducible by the
agency in that form or format." It also requires agencies to maintain
indices of previously released documents that are "likely to become
the subject of subsequent requests," and to make such indices
available "by computer telecommunications" no later than December 31,
1999.

The legislation also attempts to tackle the perennial problem of
agency delays in responding to FOIA requests. These provisions include
the establishment of "multitrack processing of requests ... based on
the amount of work or time (or both) involved," and the expedited
processing of requests upon a showing of "compelling need." It is
likely that these new provisions, like earlier FOIA amendments
designed to improve public access, will be applied narrowly by federal
agencies and become the subject of litigation.

The text of the E-FOIA legislation is available at:

   http://www.epic.org/open_gov/foia/efoia.html

=======================================================================
[6] P-TRAK SSN System Criticism Continues
=======================================================================

Opposition to the proliferation of commercial databases exploded into
public view recently when the Lexis-Nexis P-TRAK "personal locator"
system prompted a flood of angry e-mail and telephone calls to the
information service company. The P-TRAK database originally allowed
Lexis-Nexis subscribers to search under an individual's name and
access telephone numbers, addresses, previous addresses, maiden names
and Social Security numbers (SSNs). After an initial flurry of
complaints in June, the company claimed that it had eliminated SSNs
from its database. After the recent flare-up, the firm provided a
clarification: SSNs are no longer searchable using an individual's
name, but a subscriber can start with an SSN (or any nine-digit
number, for that matter), and obtain all of the personally-identifying
information that goes along with that number.

Also, contrary to claims of the Lexis/Nexis company, the personal data
was not publicly available, nor is it similar to "white pages"
information. In fact, Lexis/Nexis obtained the P-TRAK personal locator
information from TransUnion, a credit reporting agency. The two
companies exploited a loophole in the Fair Credit Reporting Act which
leaves credit "header" information unprotected even though the
associated credit report could not be disclosed.

In the wake of the P-TRAK episode, the Federal Trade Commission
recommended that Congress take steps to provide greater protection for
sensitive information. The FTC says that it has received "numerous
complaints ... concerning recently-introduced, widely-available
commercial services that provide, for a fee, identifying information
on individuals." Congress adjourned before it could act, but is likely
to take up the issue next year.

Additional information on the misuse of Social Security numbers is
available at:

   http://www.epic.org/privacy/ssn/


=======================================================================
[7] Avrahami Files Appeal to State Supreme Court
=======================================================================

Ram Avrahami, the Virginia resident who brought suit last year against
U.S. News and World Report for selling his name without his consent,
has appealed the decision of a lower court to the Virginia State
Supreme Court.

Mr. Avrahami argues that the lower court wrongly dismissed his claim.
He argues that under Virginia law "the unauthorized sale, exchange, or
rental of a person's name as part of a mailing list violates the
Privacy Act's prohibition on using a person's name for the purposes of
trade." He also contends, among other points, that "the Mail
Preference Service established by the Direct Marketing Association is
no substitute for the 'written consent' required by the Privacy Act."

U.S. News & World Report will reply to Mr. Avrahami's motion and then
the Virginia Supreme Court must decide whether to review the decision
of the lower court.

More information on Avrahami v. US News & World Report is available
at:

 http://www.epic.org/privacy/junk_mail/

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

"Managing Privacy in Cyberspace and Across National Borders." October
8-10, 1996. Washington, DC. Sponsored by Privacy and American
Business. Contact: Lorrie Sherwood, (201) 996-1154.

"The Information Society: New Risks & Opportunities in Privacy,"
October 17-18, 1996. Bruxelles, Belgium. Sponsored by the European
Parliament. Contact: http://www.droit.fundp.ac.be/privacy96.html

"Communications Unleashed - What's at Stake? Who Benefits? How to Get
Involved!" October 19-20, 1996. Washington DC. Sponsored by CPSR and
Georgetown University. Contact: [email protected].

"19th National Information Systems Security Conference." October
22-25, 1996. Baltimore, MD. Sponsored by NSA & NIST. Contact: Tammy
Grice (301) 948-2067.

National Consumer Rights Litigation Conference: Defending Consumer
Access to Justice. October 26-28. Washington, DC. Sponsored by the
National Consumer Law Center. Contact: NCSL: (617) 523-7398 (fax).

ETHICOMP96: The Third International Conference on Ethical Issues of
Information Technology, November 6-8, 1996. Madrid, Spain. Contact:
[email protected].

"CFP97: Commerce & Community." March 11-14, 1997. Burlingame,
California. Sponsored by the Association for Computing Machinery.
Contact: [email protected] or http://www.cfp.org.

"Eurosec'97, the Seventh Annual Forum on Information Systems Quality
and Security." March 17-19, 1997. Paris, France. Sponsored by XP
Conseil. Contact: http://ourworld.compuserve.com/homepages/eurosec/

"INET 97 -- The Internet: The Global Frontiers." June 24-27, 1997.
Kuala Lumpur, Malaysia. Sponsored by the Internet Society. Contact:
[email protected] or http://www.isoc.org/inet97.


       (Send calendar submissions to [email protected])

=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center. To subscribe, send email to
[email protected] with the subject: "subscribe" (no quotes).

Back issues are available via http://www.epic.org/alert/

=======================================================================

The Electronic Privacy Information Center is a public interest
research center in Washington, DC. It was established in 1994 to focus
public attention on emerging privacy issues such as the Clipper Chip,
the Digital Telephony proposal, national ID cards, medical record
privacy, and the collection and sale of personal information. EPIC is
sponsored by the Fund for Constitutional Government, a non-profit
organization established in 1974 to protect civil liberties and
constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom
of Information Act litigation, and conducts policy research. For more
information, email [email protected], HTTP://www.epic.org or write EPIC,
666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544
9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible. Checks should be made out to "The Fund for
Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave.,
SE, Suite 301, Washington DC 20003. Individuals with First Virtual
accounts can donate at http://www.epic.org/epic/support.html

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and funding of the National Wiretap Plan.

Thank you for your support.

  ---------------------- END EPIC Alert 3.17 -----------------------