

Volume 3.20          December 11, 1996

Published by the
Electronic Privacy Information Center
Washington, D.C.

Table of Contents
[1] Net Users Want Anonymity, New Privacy Laws
[2] Regulations on Key Recovery Access Policy Released
[3] Supreme Court to Review Decency Act
[4] European Crypto Update: More Calls for Voluntary Use
[5] Proposed WIPO Treaties Debated
[6] Support EPIC
[7] EPIC Bookstore Opens / epic.org Upgraded
[8] Upcoming Conferences and Events

[1] Net Users Want Anonymity, New Privacy Laws

The Sixth GVU WWW survey is now available. The most comprehensive poll of Internet user attitudes looks at a wide range of issues, from user demographics to modem speeds and views on Internet commerce. But perhaps of most interest (at least to readers of the EPIC Alert) is the survey's detailed examination of the Net's view of privacy and data protection. Here are the highlights (5 indicates complete, total, metaphysical agreement; 1 means the opposite):

- Anonymity and new laws to protect privacy received high ratings. Nearly everyone felt strongly that people ought to be able to have private communications over the Internet (4.7). Users greatly value anonymity on the Internet (4.5). Most people also prefer anonymous payment systems (3.9) and feel that the Internet needs new laws to protect privacy (3.8).

- Users also made clear that they want to control their demographic information (4.4). While users tend not to like junk mail (2.3), they were even more opposed to receiving mass e-mailings (1.7). Likewise, while users believe that magazines do not have the right to resell demographic information (2.1), they feel even more strongly with respect to WWW sites selling demographic information (1.8).

The survey concluded, "The notion that people like to receive targeted marketing material is not supported by the data, regardless of the medium. There is high agreement on these issues across strata."

- Many users (70%) said that they would not fill out registration forms accurately unless web operators were more forthcoming about the use of data collected. Over 62% report that they do not trust the collecting site.

Similar concerns among Internet users were found in the 1996 Equifax/Harris Consumer Privacy Survey released in mid-November. Among the key findings of that poll:

- 60% of Internet users favor anonymity, agreeing that "users should be able to visit Internet sites and use e-mail without having to give their real identities."

- An even greater percentage of Internet users (71%) feel that providers of on-line services should not be able to "track the places users go on the Internet in order to send these users targeted marketing offers."

- The Harris-Equifax poll also found that Internet users were more likely to favor the creation of a federal privacy commission than non-users.

More information about the Sixth GVU WWW Survey is available at:


Further information on the Harris poll may be obtained from Louis Harris and Associates, Inc., 111 Fifth Ave., New York, NY 10002. 212/539-9600.

[2] Draft Regulations on Key Recovery Access Policy Released

The Commerce Department is circulating draft regulations that differ sharply from earlier assurances made by the White House to relax export controls on strong encryption. The draft regulations state that it is the aim of the Commerce Department to promote "a worldwide key management infrastructure with the use of key recovery and key escrow encryption items." The proposal contrasts with earlier assurances that encryption standards would be voluntary and market-driven.

The regulations would amend the Export Administration Regulations (EAR) by imposing national security and foreign policy controls ("EI" for Encryption Items) on certain information security systems and equipment, cryptographic devices (including recoverable encryption software) and related technology.

For the first time, the Administration makes clear what it means by "Key Recovery Encryption." The regulations state that

For purposes of this rule, "recovery encryption products" refer to encryption products (including software) which allow law enforcement officials to obtain under proper legal authority and without the cooperation or knowledge of the user, the plaintext of encrypted data and communications.

This is an exact description of the original Clipper encryption proposal that was widely opposed by Internet users and industry when it was announced in 1993.

The Bureau of Export Administration's review committee, which now includes a representative from the Department of Justice, will consider all applications for mass-market encryption before permitting export. The two-year window for 56-bit key length DES is now just six months. Applicants must provide a "satisfactory business and marketing plan for exporting recoverable items and services." Subsequent renewal is not automatic and will "depend on the applicant's adherence to explicit benchmarks and milestones as set forth in the plan submitted for the initial license application." Even key escrow and key recovery encryption items will require that "prior to the export or reexport, a key recovery agent satisfactory to the Bureau of Export Administration has been identified."

The regulations indicate that approved key recovery products will not be interoperable with non-key recovery products ("The product's cryptographic functions shall interoperate with . . . non-key recovery products only when the key recovery product permits access to the key(s) or other escrowed material/information needed to decrypt ciphertext generated or received by the key recovery product"). The regulations also favor key recovery agents who have "an active U.S. government security clearance of Secret or higher issued or updated within the last five years."

The transfer of crypto export jurisdiction from the State Department to the Commerce Department has also failed to correct one of the key defects in administrative rulemaking. The Administration continues to contend that the proposed regulations should not be subject to the Administrative Procedures Act (APA) because the regulations involve "a military or foreign affairs function of the United States."

Upon formal issuance, the regulations will go into effect immediately as an "interim rule." Although the Commerce Department asserts that the APA's public comment requirements are not applicable, the draft regulations state that "because of the importance of the issues raised by these regulations, this rule is issued in interim form and comments will be considered in the development of final regulations." EPIC has formally requested that the Department accept comments via the Internet upon formal issuance of the proposed regulations.

More information on the Key Recovery Access Policy may be obtained at:


[3] Supreme Court to Review Decency Act

In an order issued on December 6, the U.S. Supreme Court noted probable jurisdiction in the government's appeal of the lower court decision striking down the Communications Decency Act. The Court set a briefing schedule that requires the Justice Department to file its brief by January 21; the plaintiffs' briefs are due on February 20. Oral argument will likely be heard in late March and a decision is expected by July.

The Court's order sets the stage for what is likely to be a landmark decision that will apply the First Amendment to the Internet for the first time. A special three-judge court in Philadelphia ruled unanimously on June 12 that the CDA imposes an unconstitutional restriction of online speech. Another panel of judges in New York subsequently reached the same conclusion. EPIC participated in the Philadelphia case, ACLU v. Reno, as both a plaintiff and co-counsel.

More information on the CDA and the proceedings in ACLU v. Reno is available at:


[4] European Crypto Update: More Calls for Voluntary Use

While the U.S. government continues to push forward with encryption schemes based on third party access to keys, European user associations and governments have said recently that users should be free to choose cryptographic methods.

The Council of European Professional Informatics Societies (CEPIS) issued recommendations in November calling for free use of cryptography. CEPIS is composed of twenty information technology professional societies with a total of 200,000 members across Europe.

CEPIS called on governments to set policies that "all individuals and organizations in the private and public sectors should be able to store and transmit data to others, with confidentiality protection appropriate for their requirements, and should have ready access to the technology to achieve this." It also called for "the opportunity for individuals or organizations in the private and public sectors to benefit from information systems should not be reduced by incommensurable measures considered necessary for the enforcement of law." Finally, CEPIS said that governments should discuss with experts whether restrictions on encryption were the most efficient and sensible way to fight crime.

On October 29, the European Electronic Messaging Association (EEMA) wrote the European Union that they were being put at a disadvantage by U.S. export control laws on cryptography and called on the EU to press for relaxation through the GATT and WTO trading agreements. The EEMA also called for "no restrictions on the access to the U.S. originated Software Development Kits required to develop Secured Products, ... no restrictions on the development, sale and usage of Secured Products within market areas (for example, within the European Union), and ... the export or import of Secured Products to or from market areas only be controlled where there are real security issues at stake."

Finally, the Danish IT-Security Council issued a report in November recommending that there be no restrictions on citizens' rights to use cryptography. The Council found that a limitation on general access to cryptography can inflict measurable damage to data security and that a ban on cryptography would mainly affect the behavior of normal citizens, not criminals.

More information on international cryptography issues is available at:


[5] Proposed WIPO Treaties Debated

World leaders are meeting in Geneva, Switzerland for the next several weeks to work on three new treaties on intellectual property. The meetings are being convened by the World Intellectual Property Organization.

One measure, the "Treaty for the Sui Generis Protection of Databases" would give database owners rights over information in databases, even if that information was in the public domain. Scientific organizations believe it would hinder scientific research; library groups believe it would radically expand copyright to cover public domain documents such as government generated materials. In 1991, the U.S. Supreme Court ruled that a publisher does not have any rights to information merely because they typed it into an electronic format; they only possess rights for original material such as editorial decisions and layout.

The other controversial treaty, dealing with copyright, is opposed by a wide variety of parties, including telecommunications companies and online providers. Opposition is focused on several provisions, including the effect on "fair use" of copyrighted materials and whether the treaty would penalize the creation of temporary copies of materials for purposes of transmission and web browsing.

Privacy concerns have also been raised about the copyright management systems that may be developed to track the use of digital information by individuals.

The proposed copyright treaty is similar to bills that were rejected by Congress in the last session after intense opposition was raised. Several experts on intellectual property have said that the United States is attempting to achieve an international agreement on issues that it cannot resolve domestically.

More information on the WIPO treaties is available from the Digital Future Coalition at:


[6] Support EPIC

Once a year we ask readers of the EPIC Alert to consider a contribution to support the work of the Electronic Privacy Information Center. Your support helps make possible this publication as well as our many other activities.

We are a non-profit, public interest research organization. We receive support from individual contributors, private foundations, and companies. Contributions to EPIC support our Freedom of Information Act, crypto and First Amendment litigation, our privacy and free speech advocacy, and the development of our Web site. Contributions are also fully tax-deductible.

There are several ways to support EPIC. It is easiest to send us a check or money order. You can also send us e-cash via First Virtual or DigiCash. Checks should be sent to EPIC, 666 Pennsylvania Ave., SE Suite 301, Washington, DC 20003.

We appreciate your support and welcome your suggestions.

More information about supporting EPIC is available at:


[7] EPIC Bookstore Opens / epic.org Upgraded

In association with Amazon.com, the Electronic Privacy Information Center is pleased to announce the opening of the EPIC Bookstore, offering perhaps the most comprehensive collection of books on privacy, free speech, crypto, and online liberty available anywhere on the Internet.

Featured books currently include:

- "The Right to Privacy" by Ellen Alderman & Caroline Kennedy

- "Shamans, Software, and Spleens: Law and the Construction of the Information Society" by James Boyle

- "Above the Law: Secret Deals, Political Fixes, and Other Misadventures of the U.S. Department of Justice" by David Burnham

- "Who Knows: Safeguarding Your Privacy in a Networked World" by Ann Cavoukian & Don Tapscott

- "Idoru" by William Gibson

- "Where Wizards Stay Up Late: The Origins of the Internet" by Katie Hafner and Matthew Lyon

- "Computer-Related Risks" by Peter G. Neumann

- "Applied Cryptography" by Bruce Schneier

- "24 Hours in Cyberspace: Photographed on One Day by 150 of the World's Leading Photojournalists" by Rick Smolan and others

- "Snow Crash" by Neal Stephenson

The EPIC Bookstore includes hundreds of titles on Computer Security, Cryptography, the First Amendment and Free Speech, Open Government, and Privacy. Drop by and browse the cyber shelves. Amazon will even provide gift wrapping.

The EPIC web site has also been upgraded with a new logo, clean format, and new organization. Take a look!


[8] Upcoming Conferences and Events

1997 RSA Data Security Conference. January 28-31, 1997. San Francisco, CA. Contact: http://www.rsa.com

Financial Cryptography 1997 (FC97). February 24-28, 1997. Anguilla, BWI. Sponsored by the International Association for Cryptologic Research. http://www.cwi.nl/conferences/FC97

CFP97: Commerce & Community. March 11-14, 1997. Burlingame, California. Sponsored by the Association for Computing Machinery. Contact: cfp97@cfp.org or http://www.cfp.org

Eurosec'97: the Seventh Annual Forum on Information Systems Quality and Security. March 17-19, 1997. Paris, France. Sponsored by XP Conseil. Contact: http://ourworld.compuserve.com/homepages/eurosec/

Ethics in the Computer Society: The Second Annual Ethics and Technology Conference. June 6-7, 1997. Chicago, Ill. Sponsored by Loyola University Chicago. http://www.math.luc.edu/ethics97

INET 97 -- The Internet: The Global Frontiers. June 24-27, 1997. Kuala Lumpur, Malaysia. Sponsored by the Internet Society. Contact: inet97@isoc.org or http://www.isoc.org/inet97

Privacy Laws & Business 10th Anniversary Conference. July 1-3, 1997. St. John's College, Cambridge, England. Contact: info@privacylaws.co.uk.

AST3: Cryptography and Privacy. September 15, 1997. Brussels, Belgium. Sponsored by Privacy International and EPIC. Contact: pi@privacy.org.

International Conference on Privacy. September 23-26, 1997. Montreal, Canada. Sponsored by the Commission d'Acces a l'information du Quebec.

(Send calendar submissions to Alert@epic.org)

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe, send email to epic-news@epic.org with the subject: "subscribe" (no quotes) or use the subscription form at:


Back issues are available via http://www.epic.org/alert/

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, email info@epic.org, HTTP://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003. Individuals with First Virtual accounts can donate at http://www.epic.org/epic/support.html

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and funding of the National Wiretap Plan.