=============================================================

                      E P I C   A L E R T

=============================================================
Volume 2.04                                    March 9, 1995
-------------------------------------------------------------
     Published by the Electronic Privacy Information Center (EPIC)
                        Washington, DC
                         info@epic.org

=======================================================================
Table of Contents
=======================================================================

[1] EPIC Files Suit Against National Security Council
[2] Supreme Court Rules on Use of Inaccurate Computer Records
[3] Caller ID Privacy Protection Fails in Two More States
[4] Industry Groups Urge Pervasive Crypto Implementation
[5] IRS Issues "Correction" Notice on Compliance 2000
[6] Caller ID Study Finds FCC Out of Step
[7] Wiretap Watch: FBI Issues Wiretap Notice, Questionnaire
[8] Upcoming Conferences and Events

=======================================================================
[1] EPIC Files Suit Against National Security Council
=======================================================================

                SECRET GOVERNMENT BOARD UNDER SCRUTINY
                      Senator Roth Awaits Outcome

Washington, DC - The Electronic Privacy Information Center, a public policy group in Washington, today filed suit seeking documents about a secret government working group responsible for developing policies on information security.

President Clinton established the Security Policy Board last September by secret directive. The Board will have a significant impact on the development of the National Information Infrastructure. To date, very little information concerning the Board's activities has been made public.

"Secrecy and classified directives will take us the wrong direction on the information highway," said David Sobel, legal counsel to EPIC.
Sobel cited the Clinton Administration's controversial Clipper Chip as an example of misguided security policy. The Clipper initiative attempted to make it easy for the government to intercept private messages on the Internet. "The Clipper fiasco makes clear that it is a mistake to let secret government agencies set standards for the nation's communications infrastructure," according to Sobel.

Presidential Decision Directive 29, which established the Security Policy Board, is the most recent White House pronouncement on information security policy. In 1984 National Security Decision Directive 145 gave the National Security Agency (NSA) new powers to issue policies and develop standards for civilian agencies and the private sector. The Reagan directive was strongly opposed by libraries, civil liberties organizations, and industry groups. In response, Congress enacted the Computer Security Act of 1987. That law restricted NSA's role to the protection of classified information systems. But then National Security Directive 42, issued by President Bush in 1990, expanded the role of NSA and the National Security Council in establishing government-wide security policy.

Marc Rotenberg, the director of EPIC, said, "This is a battle over the accountability and oversight of government computer policy. These decisions must be made in the bright light of day."

According to earlier documents obtained by EPIC, one component of the Security Policy Board will have responsibility for "both the classified and the sensitive but unclassified world." The document states that "[t]he emerging reliance upon a common National Information Infrastructure makes it increasingly difficult to accept the logic of two separate but parallel structures for the formulation of information systems security policy and the development of supporting technology."

Senator William V. Roth, Jr. (R-DE), the chair of the Senate Governmental Affairs Subcommittee on Investigations, said about the EPIC suit, "One of the principal goals of the Computer Security Act was to ensure that privacy of data on individuals held by the federal government was protected. The mechanism for that was putting elected officials in charge of policy and procedures. If the new security policy board takes control away from elected officials it could be a return to 1984. I look forward to the court's assessment of the role of this new board."

EPIC is currently litigating several Freedom of Information Act cases on government computer policy. The non-profit organization is seeking the disclosure of information concerning the Clipper Chip and the FBI's "digital telephony" national wiretap plan.

=======================================================================
[2] Supreme Court Rules on Use of Inaccurate Computer Records
=======================================================================

The Supreme Court ruled on March 1 that evidence obtained in a search prompted by erroneous information on a police computer can be admitted in court. In _Arizona v. Evans_, the Court reversed the decision of the Arizona Supreme Court. The 7-2 decision holds that an unjustified arrest and search caused by an administrative error by a court employee who did not update a computer database did not warrant the suppression of the evidence obtained through the search.

The Arizona Supreme Court had ruled that the evidence should be suppressed because:

    It is repugnant to the principles of a free society that a person should ever be taken into police custody because of a computer error precipitated by government carelessness. As automation increasingly invades modern life, the potential for Orwellian mischief grows. Under such circumstances, the exclusionary rule is a 'cost' we cannot afford to be without.
Chief Justice Rehnquist, writing for the majority, reasoned that excluding the evidence would not deter future errors because it was a court employee, not a law enforcement official, who forgot to update the record.

Justices O'Connor and Souter concurred with the decision, but also expressed concern with errors brought on by computerization. Justice O'Connor recommended that accuracy must be ensured in the record systems relied upon by law enforcement:

    Surely it would not be reasonable for the police to rely, say, on a recordkeeping system, their own or some other agency's, that has no mechanism to ensure its accuracy over time and that routinely leads to false arrests, even years after the probable cause for any such arrest has ceased to exist (if it ever existed).... In recent years, we have witnessed the advent of powerful, computer-based recordkeeping systems that facilitate arrests in ways that have never before been possible. The police, of course, are entitled to enjoy the substantial advantages this technology confers. They may not, however, rely on it blindly. With the benefits of more efficient law enforcement mechanisms comes the burden of corresponding constitutional responsibilities.

Justice Stevens, in a strongly worded dissent, rejected Rehnquist's premise that the 4th Amendment is only a constraint on the actions of individual law enforcement officials. He argued that it places a constraint on the entire sovereign and that the exclusionary rule was not an "extreme sanction," but merely places the two parties back at the same place they would have been had there been no illegal search. Stevens reviewed the Founding Fathers' reasons for the 4th Amendment and called for stronger protections:

    The offense to the dignity of the citizen who is arrested, handcuffed, and searched on a public street simply because some bureaucrat has failed to maintain an accurate computer data base strikes me as equally outrageous.

Justice Ginsburg also strongly rejected the majority's opinion. She recognized that computer technology can compound errors by widely disseminating them:

    Widespread reliance on computers to store and convey information generates, along with manifold benefits, new possibilities of error, due to both computer malfunctions and operator mistakes. Most germane to this case, computerization greatly amplifies an error's effect, and correspondingly intensifies the need for prompt correction; for inaccurate data can infect not only one agency, but the many agencies that share access to the database.

She suggested that all computers under government control should be subject to the exclusionary rule (not just those controlled by the police) to ensure the accuracy of their records:

    In this electronic age, particularly with respect to recordkeeping, court personnel and police officers are not neatly compartmentalized actors. Instead, they serve together to carry out the State's information-gathering objectives. Whether particular records are maintained by the police or the courts should not be dispositive where a single computer database can answer all calls. Not only is it artificial to distinguish between court clerk and police clerk slips; in practice, it may be difficult to pinpoint whether one official, e.g., a court employee, or another, e.g., a police officer, caused the error to exist or to persist. Applying an exclusionary rule as the Arizona court did may well supply a powerful incentive to the State to promote the prompt updating of computer records.

The case has been remanded to the Arizona courts, which may come up with an independent state basis to exclude the evidence.
=======================================================================
[3] Caller ID Blocking Fails in Pennsylvania and Wisconsin
=======================================================================

Following the disclosure by the New York Times that Caller ID blocking had failed in New York State, newspapers report that at least two other states have had similar problems with the controversial phone service.

The Philadelphia Inquirer reported on March 1 that the phone numbers of more than 13,000 Bell Atlantic customers were improperly disclosed. Bell Atlantic did not inform the customers or the Public Utility Commission for several weeks, until they corrected the problem. The phone company described the problem as "human error" in many cases and a software programming error in others. The Pennsylvania PUC is investigating to see if Bell Atlantic violated state law by not informing customers of the error when it was discovered.

Last month, after the NYNEX problems in New York State were uncovered, Ameritech revealed that nearly 1,000 customers in Wisconsin also were unprotected after signing up for the service.

=======================================================================
[4] Industry Groups Urge Pervasive Crypto Implementation
=======================================================================

Three leading international industry organizations have called for the lifting of governmental restrictions on cryptographic technology. In a policy statement submitted to the G-7 Global Information Society Summit in Brussels, the European Association of Manufacturers of Business Machines and Information Technology Industry (EUROBIT), the Information Technology Industry Council (ITI), and the Japan Electronic Industry Development Association (JEIDA) said:

    We want governments to recognize that their explicit support for the Global Information Infrastructure necessarily entails implicit support for the general use of cryptographic technology. Without pervasive cryptographic technology there can be no basis for privacy or trust, and the main benefits of the new industrial revolution cannot be realized. If the Information Society is to develop, public policy must reflect the fact that this technology will be used everywhere. Cryptography is essential both to the confidentiality of information and to information integrity, including proof of correctness and electronic signatures. ... We do of course recognize the legitimate needs of national authorities to enforce the rule of law, and to maintain national security, but individuals and businesses have needs too - the need for privacy, and the need to operate on a basis of trust - and unless those needs are met the Information Society may not happen.

The organizations made the following recommendations:

* That governments, industry and users must agree on the cryptographic techniques to be used in the Global Information Infrastructure and on a procedure for verifying that products conform to the techniques so agreed;

* That the agreed techniques and the agreed verification procedures must be made public;

* That the agreed techniques must be based on private sector led, voluntary consensus international standards;

* That products implementing the agreed techniques should not be subject to import controls, restrictions on use within the law, or restrictive licensing;

* That products implementing the agreed techniques should be exportable to all countries, except those which are subject to UN embargo; and

* That users and suppliers of products implementing the agreed techniques should be free to make technical and economic choices about modes of implementation and operation, including a choice between implementation in hardware or software where relevant.

EPIC had also urged the G-7 delegates to move toward strong cryptographic safeguards for privacy protection. (See EPIC Alert 2.03.)
=======================================================================
[5] IRS Issues "Clarification" on Compliance 2000 Program Notice
=======================================================================

Stating that its original December 20, 1994, notice may have "not adequately distinguished among the various uses of the compliance system," the IRS has released a supplemental notice announcing that it will "clarify the notice to better describe more precisely the type of activities covered."

The "clarification" states that "the system will not be used to support large scale data matching in order to identify for contact by IRS officials." It distinguishes information collected to "support compliance research on broadly shared characteristics and compliance trends of large groups" from law enforcement actions. The notice states that the data collected for research purposes will not be used to "select individuals for enforcement actions."

It does admit that this information, which is described as "market segment research," will include more information than ever before from third parties and will allow for more use of this information. However, it asserts that "life style or other highly personal information, even in the aggregate" will not be included.

EPIC has filed a Freedom of Information Act request with the IRS to determine the scope of the collection and use of this information.

=======================================================================
[6] New Study Finds FCC Out of Step on Caller ID
=======================================================================

                EXPERTS SAY FCC MUST RECONSIDER CALLER ID
                     Proposed FCC Rule is a Mistake

WASHINGTON -- In a letter delivered to the Commissioners of the FCC, two professors of communication recommend that the FCC drop a proposed regulation that would limit the privacy of telephone customers.

The letter accompanies a report on a study conducted by Professor Roopali Mukherjee of Indiana University and Professor Rohan Samarajiva of the Ohio State University titled "Regulating 'Caller ID': Emulation, Learning, and Inducement in the Policy Process."

According to the report, the vast majority of states make available at least two privacy options for the controversial Caller ID service, also called Calling Line ID or CLID. However, the FCC is proposing that only the weaker privacy option be available to telephone customers.

The report finds that:

* A clear majority of states provide both per-call and per-line blocking for CLID

* Over time states have moved from policies that provide fewer choices to customers to other more inclusive options

* The proposed FCC rule is both (a) inconsistent with the state regulation of CLID and (b) out of phase with the development of CLID policies

Professor Samarajiva said, "Our assessment is based on a careful review of the proceedings in 48 jurisdictions. We believe that it would be a mistake for the FCC to ignore the experience of the states that have looked closely at the CLID service."

Marc Rotenberg, the director of the Electronic Privacy Information Center in Washington DC and one of the experts who testified in the state proceedings on CLID, said "The FCC should consider carefully the report of Professor Mukherjee and Professor Samarajiva. The conclusion is unmistakable. The current FCC proposal is a serious mistake."

The FCC rule is expected to take effect on April 12.

=======================================================================
[7] Wiretap Watch: FBI Begins Wiretap Law Implementation
=======================================================================

On February 23, the FBI issued a Federal Register Notice on the "Implementation of the Communications Assistance for Law Enforcement Act."
According to the notice, there is now a Telecommunications Industry Liaison Unit in the Engineering Section, Information Resources Division of the FBI to work with industry on the implementation of the new wiretap compliance requirements.

The FBI is expected to publish estimated wiretap capacity requirements in the Federal Register by October 28, 1995. Carriers will then have three years to redesign the nation's phone system so that all networks have the capability to:

- Isolate a particular electronic communication
- Isolate call-identifying information
- Deliver intercepted information to a remote government monitoring location
- Deliver information to the government without disclosing the government's activity

Washington Telecom Week on March 3 revealed that one of the first activities of the new Liaison Unit will be to send a questionnaire to telephone companies asking for information on wiretaps installed since January 1993, a curious request since the FBI claimed last year that it already had evidence of obstacles to electronic surveillance. The FBI will use the information to determine technical capacity requirements.

The FBI will also be filing a notice in the Commerce Business Daily asking for comments on cost and payment procedures.

For more information about the FBI's wiretap plans, the FBI Telecommunications Industry Liaison Unit can be reached toll free at 1-800-551-0336.

=======================================================================
[8] Upcoming Privacy Related Conferences and Events
=======================================================================

Access, Privacy, and Commercialism: When States Gather Personal Information. College of William and Mary, Williamsburg, VA, Mar. 17. Contact: Trotter Hardy 804/221-3826.

"Intelligent Transportation: Serving the User Through Deployment." Mar. 15-17, Washington, DC. Sponsored by ITS America. Call Sandra Fitzgerald (202) 484-2902. (This conference is notable for its *lack* of specific discussion of privacy issues over the 3 day, 70 panel meeting.)

Computers, Freedom and Privacy '95. Burlingame, CA. Mar. 28-31, 1995. Sponsored by Stanford University and ACM. Speakers include John Morgridge (Cisco), Esther Dyson (Rel 1.0), Roger Wilkins (George Mason University), Margaret Jane Radin (Stanford Law School), and Willis H. Ware (Rand). Contact: cfp95@forsythe.stanford.edu.

Privacy Advocates meeting. Burlingame, CA (in conjunction with CFP). Apr. 1, 1995. Contact Robert Ellis Smith, Privacy Journal 401/274-7861 or 0005101719@mcimail.com.

ETHICOMP95: An international conference on the ethical issues of using Information Technology. DeMontfort University, Leicester, ENGLAND, March 28-30, 1995. Speakers include Simon Davies (Privacy International). Contact: Simon Rogerson srog@dmu.ac.uk, 44 533 577475 (phone), 44 533 541891 (fax).

National Net '95: Reaching Everyone. Washington, DC. Apr. 5-7, 1995. Sponsored by EDUCOM. The privacy panel will include Brock Meeks (CyberWire Dispatch), Bob Gellman (former Hill staffperson), and Barry Steinhardt (ACLU). Contact: net95@educom.edu or call 202/872-4200.

Information Security and Privacy in the Public Sector. Hyatt Dulles, VA. Apr. 19-20, 1995. Sponsored by AIC Conferences. Speakers include Joan Winston (OTA), Lynn McNulty (NIST), Marc Rotenberg (EPIC), Dorothy Denning (Georgetown University), David Banisar (EPIC) and Jim Bidzos (RSA). Contact: Scott Kessler 212/952-1899 x308.

INET '95. Honolulu, HI. June 28-30, 1995. Sponsored by the Internet Society. Contact inet95@isoc.org.

Advanced Surveillance Technologies. Sept. 4, 1995. Copenhagen, Denmark. Sponsored by Privacy International and EPIC. Contact pi@epic.org.

"Managing the Privacy Revolution." Privacy & American Business. Oct. 31 - Nov. 1, 1995. Washington, DC. Speakers include C.B. Rogers (Equifax). Contact Alan Westin 201/996-1154.
(Send calendar submissions to Alert@epic.org)

=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe, send the message:

    SUBSCRIBE CPSR-ANNOUNCE Firstname Lastname

to listserv@cpsr.org. You may also receive the Alert by reading the USENET newsgroup comp.org.cpsr.announce.

Back issues are available via FTP/WAIS/Gopher/HTTP from cpsr.org /cpsr/alert and on Compuserve (Go NCSA), Library 2 (EPIC/Ethics). An HTML version of the current issue is available from http://epic.digicash.com/epic

=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues relating to the National Information Infrastructure, such as the Clipper Chip, the Digital Telephony proposal, medical record privacy, and the sale of consumer data. EPIC is sponsored by the Fund for Constitutional Government and Computer Professionals for Social Responsibility. EPIC publishes the EPIC Alert and EPIC Reports, pursues Freedom of Information Act litigation, and conducts policy research on emerging privacy issues. For more information, email info@epic.org, WWW at http://epic.digicash.com/epic or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. (202) 544-9240 (tel), (202) 547-5482 (fax).

The Fund for Constitutional Government is a non-profit organization established in 1974 to protect civil liberties and constitutional rights.

Computer Professionals for Social Responsibility is a national membership organization of people concerned about the impact of technology on society. For information contact: cpsr-info@cpsr.org

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003. Your contributions will help support Freedom of Information Act litigation, strong and effective advocacy for the right of privacy and efforts to oppose Clipper and Digital Telephony wiretapping proposals.

------------------------ END EPIC Alert 2.04 ------------------------