============================================================= @@@@ @@@@ @@@ @@@@ @ @ @@@@ @@@@ @@@@@ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @@@ @ @ @@@@@ @ @@@ @@@ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @ @@@ @@@@ @ @ @@@@ @@@@ @ @ @ ============================================================== Volume 4.03 February 27, 1997 -------------------------------------------------------------- Published by the Electronic Privacy Information Center (EPIC) Washington, D.C. http://www.epic.org/ ======================================================================= Table of Contents ======================================================================= [1] New Report Details FBI/European Tapping Agreements [2] Airline Security Report Released [3] Briefs Filed in Reno v. ACLU Internet "Indecency" Challenge [4] Crypto Legislation Introduced [5] Clipper Upgrade at DOD/Litigation Update [6] State Department Reports Widespread Illegal Wiretapping Worldwide [7] New Medical Privacy Survey [8] Upcoming Conferences and Events ======================================================================= [1] New Report Details FBI/European Tapping Agreements ======================================================================= A report issued on Feb. 24 by Statewatch, a London-based advocacy organization, shows that the FBI has been working with its counterparts in the European Union for five years to create a "global tapping system." The report reveals the existence of a Memorandum of Understanding to ensure that surveillance of all existing and new technologies is compatible and coordinated with the FBI's efforts to advance its "digital telephony" agenda within the United States. The FBI's plan is to facilitate wiretapping worldwide by pressuring countries to harmonize national laws on interception; increase cooperation of telecommunications providers; ensure equipment has interception standards incorporated; and create de facto global standards by persuading as many countries as possible to cooperate and by providing compatible equipment to non-participating countries. To achieve these goals, the FBI and its EU counterparts wrote a resolution adopted by the Council of the European Union on "the lawful interception of telecommunications." The Council issued the resolution on Jan 17, 1995 (unpublished until November 1996) and a Memorandum of Understanding on the requirements that need to be adopted into all laws. The MOU has been signed by the 15 member countries of the EU, and the US. There have also been "expressions of support" from Australia, Canada, and Norway. The FBI and EU have also pushed the requirements as standards before the international telecommunications standards bodies such as the ITU and pressured other countries to adopt them. The requirements are almost exactly the same as the FBI demands for digital telephony. They include "real-time access" to the "entire telecommunication transmitted" sent to a "law enforcement monitoring facility", access to all associated call data, geographic location information for mobile phone users, decrypted information for all operator-provided encryption, and response times "in urgent cases within hours or minutes." The report notes that even countries that do not agree will be affected: The strategy appears to be to first get the "Western world" (EU, US plus allies) to agree to "norms" and "procedures" and then to sell these products to Third World countries -- who even if they do not agree to "interception orders" will find their telecommunications monitored ... the minute it hits the airwaves. The digital telephony proposal has received significant criticism in the United States since its adoption in 1994. The FBI originally claimed that law provided a mandate to simultaneously monitor a significantly higher percentage of phone lines that is current practice in the US. That interpretation was withdrawn after public protect. The FBI then claimed that the law would require the development of a global locator system based on the nation's telephone system. That interpretation was also withdrawn after public protect. Several members of Congress have said that they will oppose future funding of the plan. A copy of the Statewatch report, the Council of Europe Resolution and more information is available at: http://www.privacy.org/pi/activities/tapping/ ======================================================================= [2] Airline Security Report Released ======================================================================= The White House Commission on Airline Safety and Security released its final recommendations for improving airline security on February 12. The recommendations include a call for the use of the controversial technique of "profiling" passengers to determine if they are security threats. This would involve creating new databases of passengers and checking those systems each time a person flies. If the person fits the profile, he or she would be subject to more intrusive searches and questioning before being permitted to board a flight. The Commission also recommended the use of security profiles developed by the FBI or CIA. At about the same time that the Commission report was released, the Washington Post reported that Arab-Americans were often stopped at airports by security officers. EPIC has joined a coalition of 19 civil liberties, religious, Arab-American and conservative organizations that sent a letter to Vice President Gore addressing the privacy implications of the recommendations. The letter urges that ID checks, profiling, and new intrusive x-ray technology be rejected, and that all decisions of the FAA that might affect civil liberties be open to public scrutiny. More information on the issue, including the final report and the coalition letter, are available at: http://www.epic.org/privacy/faa/ ======================================================================= [3] Briefs Filed in Reno v. ACLU Internet "Indecency" Challenge ======================================================================= The plaintiffs in the landmark case of Reno v. ACLU submitted their briefs to the U.S. Supreme Court on February 20. The case, which will be argued on March 19, presents the Court with its first opportunity to apply the First Amendment to the Internet and will thus have a lasting impact on the medium. The specific issue before the Court is whether a special three-judge court in Philadelphia was correct when it enjoined enforcement of the controversial Communications Decency Act (CDA) in a ground-breaking decision issued last June. The brief filed by the ACLU, EPIC and 18 other plaintiffs notes that the lower court judges made hundreds of detailed factual findings about the Internet to support their conclusion that the CDA is unconstitutional. The court's findings conclusively show that it is impossible for most speakers on the Internet to distinguish between adults and minors in their audience, and therefore they cannot comply with the CDA's prohibition against the dissemination of "indecent" material to minors. The CDA would thus reduce all Internet communication to a level that is suitable for children, a result that the Supreme Court has consistently condemned. The ACLU/EPIC brief also addresses the privacy implications of the CDA -- a point often overlooked in the censorship debate. By making it a crime to distribute certain information to minors, the CDA would destroy anonymity on the Internet and mandate the use of age and identity verification mechanisms to screen the online audience. The brief argues that "it is unconstitutional to require adults to 'register' in order to gain access to constitutionally protected speech" and that "a registration requirement would also prevent Americans from exercising their First Amendment right to engage in communication anonymously on the Internet." Briefs were also submitted by the group of plaintiffs led by the American Library Association, and dozens of individuals and organizations who signed on to the eleven friend-of-the-court ("amicus") briefs filed in opposition to the CDA. The ACLU/EPIC brief, as well as links to several of the other submissions, are available at: http://www.epic.org/cda/ ======================================================================= [4] Crypto Legislation Introduced ======================================================================= Several bills have been introduced in Congress to liberalize export control laws, protect the legal right to use all forms of encryption, and to prevent the imposition of mandatory key escrow encryption. The proposals would effectively end the attempt by the White House to force the adoption of cryptographic techniques designed for third party access. On February 27, Senator Conrad Burns reintroduced the Pro-CODE legislation to promote commerce and privacy on the Internet. Senator Burns said that "support has been building in Congress every year and will soon reach a critical mass as it becomes apparant that the administration policy could devastate our high-tech sector and a vital Internet." The bill has gained the support of twenty Senators. However, one new provision in the bill would create a secret Information Security Board that would give law enforcement agencies special access to the development of new plans for privacy enhancing technologies. EPIC has said that such a board should operate subject to the Federal Advisory Committee Act, which requires that government business be conducted in the open. EPIC also recommended that the board be composed of a wide range of organizations, including users groups, technical experts, and consumer advocates. At the same time that Senator Burns introduced Pro-CODE, Senator Patrick Leahy (D-VT) introduced the Encryption Communications Privacy Act. The bill would protect the right to use encryption, but would criminalize the use of encryption in furtherance of a crime and also sets up a legal framework to promote key escrow. Earlier this month, Rep. Bob Goodlatte (R-VA) re-introduced the Security and Freedom Through Encryption (SAFE) Act (H.R. 695). The bill, which has over 50 cosponsors, relaxes crypto export controls and prohibits mandatory key escrow. It also creates new criminal penalties for using encryption to further a criminal act. More information on encryption policy is available from: http://www.epic.org/crypto/ ======================================================================= [5] Clipper Upgrade at DOD/Litigation Update ======================================================================= Federal Computer Week has reported that the Defense Department plans to modify the Fortezza encryption card to no longer generate a "Law Enforcement Access Field" or "LEAF." Fortezza was introduced as a companion to the Clipper Chip and uses the same algorithm. Several commentators suggested that this development signal the "death of Clipper." In fact, the revision to Fortezza signals its movement to Clipper 4.0. Sources tell EPIC that the NSA is likely to adopt the "key recovery" technology currently being promoted by the U.S. government for use in the revised Fortezza card. The agency hopes that with the new cards, it will be able to pressure other government agencies to adopt the technology and expand the market for key recovery products, something that it was unable to do with Fortezza and the Clipper Chip. Meanwhile, the Federal court hearing the 1993 CPSR/EPIC FOIA case seeking information on the Clipper Chip has ordered the National Security Agency to submit additional information to the court. The court found that the NSA failed to adequately explain why the documents it is withholding should not be released. The agency must submit the additional information by March 5. And the U.S. Court of Appeals for the D.C. Circuit has modified its order remanding the Karn v. Department of State case back down to the District Court. The appellate court has now suggested that the trial court examine the procedural and constitutional issues in more detail. The ruling is somewhat more favorable to Phil Karn than was the original order. More information on the Karn case is available at: http://www.qualcomm.com/people/pkarn/export/index.html The EPIC Litigation Docket is available at: http://www.epic.org/privacy/litigation/ ======================================================================= [6] State Department Reports Widespread Illegal Wiretapping Worldwide ======================================================================= The U.S. State Department reports that privacy invasions and illegal wiretapping were widespread across the world in 1996. The "Country Reports for Human Rights Practices for 1996" find that most countries in the world have constitutional and legal guarantees of the right to privacy and the secrecy of mail and communications. However, in over 90 countries, the survey reports that police, defense and intelligence agencies routinely violate those rights to monitor political opponents, human rights workers and journalists. This report comes at the same time that the U.S. Justice Department continues to push international organizations such as the OECD, G-7, Council of Europe and others to promote wiretapping and to limit technical tools to prevent illegal electronic surveillance. Excerpts from the 1994, 1995 and 1996 State Department reports are available at the Privacy International web page at: http://www.privacy.org/pi/reports/ ======================================================================= [7] New Medical Privacy Survey ======================================================================= The Center for Disease Control has released a new report on privacy statutes in the United States. "The Legislative Survey of State Confidentiality Laws, with Specific Emphasis on HIV and Immunization" was prepared by Professor Lawrence Gostin of Georgetown University Law Center, along with Zita Lazzarini of the Harvard School of Public Health and Kathleen M. Flaherty of the Georgetown/Johns Hopkins Program on Law and Public Health The report examines current state and federal laws protecting the confidentiality of health information. It focuses on four specific areas: public health information held by government; privately held health care information; HIV and AIDS-related information; and immunization information. The report is available at: http://www.epic.org/privacy/medical/cdc_survey.html ======================================================================= [8] Upcoming Conferences and Events ======================================================================= DIAC- Community Space and CyberSpace- What's the Connection? March 1-2, 1997. Seattle, WA. Sponsored by CPSR. Contact: http://www.scn.org/tech/diac-97/index.html ACM'97 -- The Next 50 Years of Computing. March 3-5, 1997, San Jose, CA. Sponsored by the Association for Computing. Contact: http://www.acm.org/acm97. CFP97: Commerce & Community. March 11-14, 1997. Burlingame, California. Sponsored by the Association for Computing Machinery. Contact: cfp97@cfp.org or http://www.cfp.org Privacy Summit. March 15, 1997, Burlingame, California. 8.30 am - 10.30 am. Contact: akrause@igc.apc.org or dhurley@well.com Eurosec'97: the Seventh Annual Forum on Information Systems Quality and Security. March 17-19, 1997. Paris, France. Sponsored by XP Conseil. Contact: http://ourworld.compuserve.com/homepages/eurosec/ CYBER://CON.97: Rules for Cyberspace?:Governance, Standards and Control. June 4-7, 1997. Chicago, Illinois. Sponsored by the John Marshall Law School. Contact: cyber97@jmls.edu. Ethics in the Computer Society: The Second Annual Ethics and Technology Conference. June 6-7, 1997. Chicago, Ill. Sponsored by Loyola University Chicago. http://www.math.luc.edu/ethics97 INET 97 -- The Internet: The Global Frontiers. June 24-27, 1997. Kuala Lumpur, Malaysia. Sponsored by the Internet Society. Contact: inet97@isoc.org or http://www.isoc.org/inet97 Privacy laws & Business 10th Anniversary Conference. July 1-3, 1997. St. John's College, Cambridge, England. Contact: info@privacylaws.co.uk. AST3: Cryptography and Internet Privacy. Sept. 15, 1997. Brussels, Belgium. Sponsored by Privacy International and EPIC. Contact: pi@privacy.org. http://www.privacy.org/pi/conference/brussels/ 19th Annual International Privacy and Data Protection Conference. Sept. 17-18, 1997. Brussels, Belgium. Sponsored by Belgium Data Protection and Privacy Commission. International Conference on Privacy. September 23-26, 1997. Montreal, Canada. Sponsored by the Commission d'Acces a l'information du Quebec. (Send calendar submissions to alert@epic.org) ======================================================================= The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe, send email to epic-news@epic.org with the subject: "subscribe" (no quotes) or use the subscription form at: http://www.epic.org/alert/subscribe.html Back issues are available at: http://www.epic.org/alert/ ======================================================================= The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, email info@epic.org, HTTP://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax). If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003. Individuals with First Virtual accounts can donate at http://www.epic.org/epic/support.html Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and funding of the National Wiretap Plan. Thank you for your support. ---------------------- END EPIC Alert 4.03 -----------------------