[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

EPIC Alert 4.05



== Forwarded Message Follows =========================================

 * Originally By: In:[email protected]
 * Originally Re: EPIC Alert 4.05
 * Original Date: 04-08-97  18:08

   ==============================================================

       @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
       @     @  @   @   @        @ @   @     @     @  @    @
       @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
       @     @      @   @       @   @  @     @     @  @    @
       @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @

   ==============================================================
   Volume 4.05                                   April 8, 1997
   --------------------------------------------------------------

                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.

                          http://www.epic.org/


=======================================================================
Table of Contents
=======================================================================

[1] OECD Releases Crypto Guidelines
[2] White House Floats Draft Crypto Bill
[3] FAA Calls for Collecting SSNs of all Air Travelers
[4] Groups Urge IETF to Fix Cookies
[5] National Research Council Reports on Privacy of Medical Systems
[6] FTC To Conduct Hearings on Privacy, Investigate Databases
[7] NTIA Files Comments on Privacy of Telephone Calling Information
[8] Upcoming Conferences and Events

=======================================================================
[1] OECD Releases Crypto Guidelines
=======================================================================

The Organization for Economic Cooperation and Development (OECD), a 29
country international organization, released on March 27 its long
anticipated Guidelines for Cryptography Policy.  The Guidelines are
intended to promote the use of cryptography, to develop electronic
commerce through a variety of commercial applications, to bolster user
confidence in networks, and to provide for data security and privacy
protection.

The Cryptography Policy Guidelines are a non-binding agreement that
identifies the basic issues that countries should consider in drawing up
cryptography policies at the national and international level.  The
Recommendation culminates one year of intensive talks to draft the
Guidelines.  They are designed to assist decision-makers in the public
and private sectors in developing and implementing coherent national and
international policies for the effective use of cryptography. Member
countries are encouraged to establish new, or amend existing, policies
to reflect them.

The Guidelines set out eight basic Principles for cryptography policy in
the areas of trust, user choice, market development, technical
standards, privacy, lawful access, liability and international
cooperation. The key recommendations of the OECD include:

 -- Recognition of commercial importance of cryptography.  The Guidelines
    recognize that cryptography is an effective tool for the secure use
    of information technology by ensuring confidentiality, integrity and
    availability of data and providing authentication and non-repudiation
    mechanisms.

 -- Rejection of key escrow encryption.  The U.S. sought endorsement
    for government access to private keys.  Initial drafts of the
    guidelines included this recommendation.  The final draft does
    not. OECD countries rejected this approach.

 -- Endorsement of voluntary, market-driven development of crypto
    products.  The OECD emphasized open, competitive markets to
    promote trade and commerce in new cryptographic methods.

 -- Need for critical assessment of key escrow.  The OECD Guidelines
    recommend that countries which are considering key escrow techniques
    to consider also "the risks of misuse, the additional expense of
    any supporting infrastructure, the prospects of technical failure,
    and other costs."

 -- Endorsement of strong privacy safeguards.  The OECD adopted one of
    strongest privacy principles found in any international agreement,
    including the obligation to apply the OECD privacy principles to
    crypto products and services.  The OECD also noted favorably the
    development of anonymous payment schemes which would minimize the
    collection of personal data.

 -- Removal of Restrictions on Cryptography.  The OECD urged member
    countries to remove, and avoid creating, obstacles to trade
    based on cryptography policy.  This guideline should lead to
    further liberalization of export control policies among the
    OECD member countries.

Drafting of the Guidelines for Cryptography Policy began in early 1996.
More than 100 representatives from OECD Member countries participated,
including government officials from commerce, industry, telecommunications
and foreign ministries, law enforcement and security agencies, privacy and
data protection commissions, as well as representatives of private sector
and privacy advocates.

The Global Internet Liberty Campaign (http://www.gilc.org/), an
international coalition of civil liberties and human rights organizations,
organized a conference for the OECD delegates in Paris in September 1996.
The conference contributed significantly to the OECD's final
recommendations.

The Guidelines, the OECD press announcement and additional commentary are
available at:

     http://www.epic.org/crypto/oecd/

=======================================================================
[2] White House Floats Draft Crypto Bill
=======================================================================

The White House has released a new draft proposal on key escrow encryption
to the Congress.  The draft (dated March 12) is entitled the "Electronic
Data Security Act of 1997."  The legislation is the latest attempt to push
forward the result the Administration sought to achieve with the failed
Clipper Chip initiative -- ensuring government access to all encrypted
communications through government-escrowed keys.

To achieve this goal, the bill would create incentives for all persons and
organizations to use a government-certified Certificate Authority (CA) to
establish their identities for any electronic transactions.  The CA would
ensure that there was an escrow system in place before it would issue an
identification certificate to the user.

Government agencies would likely refuse to communicate with persons and
entities not using a government certified CA.  Agencies would also likely
pressure others over whom they have substantial regulatory or economic
power, such as banks, state agencies, and government contractors,  to
require that government-certified CA's are used to communicate with them.
Another provision would require any person who "manufactures, imports,
packages, distributes or labels" encryption products to state whether they
use a key recovery agent.

The draft bill also provides that if non-escrowed cryptography is used
during the commission of a crime, an additional five year prison sentence
could be imposed. Another provision, apparently intended to gain industry
support, would limit the potential civil liability of any "Certification
Authority" or "Key Recovery Agent" who obtains a government certification.

More information on cryptography policy is available at:

     http://www.epic.org/crypto/

==================================================================
[3] FAA Calls for Collecting SSNs of all Air Travelers
==================================================================

On March 13, the FAA issued a call for comments on a FAA proposal to
require airlines to collect substantial personal information on each
passenger, including full name, address, next of kin, Social Security
Number and date of birth.  The purpose of this collection would be to
facilitate identification of victims of airplane crashes.  The proposal
anticipates that passengers would have to provide this information in order
to board an aircraft.

The proposal raises a number of substantive threats to personal privacy.
One major problem is that it appears to violate the Privacy Act of 1974,
which limits the ability of government agencies to collect the SSN.  There
also appear to be no limitations on the use of the collected information,
creating a risk that the data could be put to a wide variety of unrelated
uses by both the airlines and government agencies.

One potential use of this information would be in connection with the
controversial "profiling" proposals recently recommended by the Gore
Commission.  The use of the Social Security Number would simplify the
comparison of passenger records with other databases.  It appears likely
that the FAA is using this proposal as a less controversial rationale to
demand the collection of personal information rather than specifically
including it in the profiling proposal, which has already generated
considerable public and editorial opposition.

More information on the proposal and other FAA activities is available at
the EPIC Airline Security Page:

     http://www.epic.org/privacy/faa/

=======================================================================
 [4] Groups Urge IETF to Fix Cookies
=======================================================================

Several leading consumer, civil liberties, and children's advocacy
organizations have urged an Internet standards organization to fix a
problem with web browser software that allows companies and government
agencies operating web sites to track the activities of Internet users.

The groups say that there is a problem with the so-called "cookies"
technology.  Cookies make it possible to read information on users'
computers and find out where they go on the Internet. Some companies in the
on-line advertising industry use cookies data to collect personal
information for advertising and marketing.

The Internet Engineering Task Force, a loose coalition of technical experts
responsible for the development of standards for the Internet is meeting
this week in Memphis to consider a wide range of technical issues
concerning the Internet, including a proposal to limit the ability of
companies to use cookies.

The proposed safeguard has come under attack by several companies engaged
in interactive advertising and marketing.  According to a March 31, 1997
article in Ad Age, these groups are now drafting a "counter-proposal" to
head-off the IETF recommendation.

In the letter, the groups express support for RFC 2109, the proposal for an
HTTP State Management Mechanism.  The letter further says that
"transparency" -- the ability of users to see and exercise control over the
disclosure of personally identifiable information -- is a critical
guideline for the development of sensible privacy practices on the
Internet"

The letter was signed by the Center for Media Education, Computer
Professionals for Social Responsibility, the Consumer Federation of
American, the Consumer Project on Technology, the Electronic Frontier
Foundation, the Electronic Privacy Information Center, National Association
of Elementary School Principals, NetAction, Privacy International, the
United States Privacy Council, and more than one hundred Internet users.

The coalition letter, and more information about cookies, is available at:

     http://www.epic.org/privacy/internet/cookies/

=======================================================================
[5] National Research Council Reports on Privacy of Medical Systems
=======================================================================

The National Research Council has released a report on the privacy of
medical systems.  The report, entitled "For the Record: Protecting
Electronic Health Information," calls for measures by government, companies
and consumers to better protect the privacy of medical records.

The NRC recommended a two-prong approach to dealing with medical privacy,
involving the revision of organizational practices to deter unauthorized
access to and/or misuse of electronic medical records, and implemention of
more stringent technical measures as a safeguard in case the first prong
proves ineffective.

The NRC also proposes that health-related organizations adopt fair
information practices similar to those contained in the federal Privacy Act
of 1974.  Consumers should have access to a privacy ombudsman that not only
provides such information, but could also address patient grievances over
violations of privacy.

The NRC waffled on fundamental issues such as the desirability of national
databases of medical information and the creation of a unique national
patient identifier, but expressed concerns over the ramifications for
privacy entailed in such a system.  Also proposed by the NRC, although
admittedly difficult to implement, is the identification of parties which
may inappropriately link patient information.  Using the Social Security
Number, the NRC states, is in its current form insufficient to protect the
privacy of individuals.

More information on medical privacy is available at:

     http://www.epic.org/privacy/medical/

=======================================================================
[6]  FTC To Conduct Hearings on Privacy, Investigate Databases
=======================================================================

The Federal Trade Commission has announced that it will convene a public
workshop devoted to consumer information privacy on June 10-13, 1997. This
is a follow-up to FTC workshops held last summer.

The workshop is intended to gather information on the collection,
compilation, sale and use of computerized data bases that contain sensitive
identifying information, as well as self-regulatory efforts, technological
innovations and unsolicited e-mail.  The workshop will also address these
developments as they pertain to children's personal information.

The workshop will gather information for a new computer data base study
that the FTC has also announced.  However, this study will be limited to
"look up services" which contain personal identifying information, such as
the Lexis-Nexis P-TRAK service.  Importantly, the FTC will not address
computer databases used primarily for direct marketing purposes, medical
and student records or the use of computer credit reports for employment
purposes.

Interested participants must submit written comments by April 15, 1997.

More information is available at the FCC web page:

     http://www.ftc.gov/

=======================================================================
[7] NTIA Files Comments on Privacy of Telephone Calling Information
=======================================================================

The Commerce Department's National Telecommunications and Information
Administration (NTIA) recommended on March 27 that the Federal
Communications Commission (FCC) establish more specific policies to protect

<<< Continued to next message >>>
======================================================================



If encryption is outlawed, only outlaws will have encryption...