==============================================================

@@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
@     @  @   @   @        @ @   @     @     @  @    @
@@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
@     @      @   @       @   @  @     @     @  @    @
@@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @  @    @

===============================================================
Volume 4.05                                       April 8, 1997
---------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/

=======================================================================
Table of Contents
=======================================================================

[1] OECD Releases Crypto Guidelines
[2] White House Floats Draft Crypto Bill
[3] FAA Calls for Collecting SSNs of all Air Travelers
[4] Groups Urge IETF to Fix Cookies
[5] National Research Council Reports on Privacy of Medical Systems
[6] FTC To Conduct Hearings on Privacy, Investigate Databases
[7] NTIA Files Comments on Privacy of Telephone Calling Information
[8] Upcoming Conferences and Events

=======================================================================
[1] OECD Releases Crypto Guidelines
=======================================================================

The Organization for Economic Cooperation and Development (OECD), a 29 country international organization, released on March 27 its long anticipated Guidelines for Cryptography Policy. The Guidelines are intended to promote the use of cryptography, to develop electronic commerce through a variety of commercial applications, to bolster user confidence in networks, and to provide for data security and privacy protection.

The Cryptography Policy Guidelines are a non-binding agreement that identifies the basic issues that countries should consider in drawing up cryptography policies at the national and international level. The Recommendation culminates one year of intensive talks to draft the Guidelines.
They are designed to assist decision-makers in the public and private sectors in developing and implementing coherent national and international policies for the effective use of cryptography. Member countries are encouraged to establish new, or amend existing, policies to reflect them.

The Guidelines set out eight basic Principles for cryptography policy in the areas of trust, user choice, market development, technical standards, privacy, lawful access, liability and international cooperation.

The key recommendations of the OECD include:

-- Recognition of commercial importance of cryptography. The Guidelines recognize that cryptography is an effective tool for the secure use of information technology by ensuring confidentiality, integrity and availability of data and providing authentication and non-repudiation mechanisms.

-- Rejection of key escrow encryption. The U.S. sought endorsement for government access to private keys. Initial drafts of the guidelines included this recommendation. The final draft does not. OECD countries rejected this approach.

-- Endorsement of voluntary, market-driven development of crypto products. The OECD emphasized open, competitive markets to promote trade and commerce in new cryptographic methods.

-- Need for critical assessment of key escrow. The OECD Guidelines recommend that countries which are considering key escrow techniques also consider "the risks of misuse, the additional expense of any supporting infrastructure, the prospects of technical failure, and other costs."

-- Endorsement of strong privacy safeguards. The OECD adopted one of the strongest privacy principles found in any international agreement, including the obligation to apply the OECD privacy principles to crypto products and services. The OECD also noted favorably the development of anonymous payment schemes which would minimize the collection of personal data.

-- Removal of Restrictions on Cryptography.
The OECD urged member countries to remove, and avoid creating, obstacles to trade based on cryptography policy. This guideline should lead to further liberalization of export control policies among the OECD member countries.

Drafting of the Guidelines for Cryptography Policy began in early 1996. More than 100 representatives from OECD Member countries participated, including government officials from commerce, industry, telecommunications and foreign ministries, law enforcement and security agencies, privacy and data protection commissions, as well as representatives of private sector and privacy advocates.

The Global Internet Liberty Campaign (http://www.gilc.org/), an international coalition of civil liberties and human rights organizations, organized a conference for the OECD delegates in Paris in September 1996. The conference contributed significantly to the OECD's final recommendations.

The Guidelines, the OECD press announcement and additional commentary are available at:

http://www.epic.org/crypto/oecd/

=======================================================================
[2] White House Floats Draft Crypto Bill
=======================================================================

The White House has released a new draft proposal on key escrow encryption to the Congress. The draft (dated March 12) is entitled the "Electronic Data Security Act of 1997."

The legislation is the latest attempt to push forward the result the Administration sought to achieve with the failed Clipper Chip initiative -- ensuring government access to all encrypted communications through government-escrowed keys.

To achieve this goal, the bill would create incentives for all persons and organizations to use a government-certified Certificate Authority (CA) to establish their identities for any electronic transactions. The CA would ensure that there was an escrow system in place before it would issue an identification certificate to the user.
Government agencies would likely refuse to communicate with persons and entities not using a government certified CA. Agencies would also likely pressure others over whom they have substantial regulatory or economic power, such as banks, state agencies, and government contractors, to require that government-certified CA's are used to communicate with them.

Another provision would require any person who "manufactures, imports, packages, distributes or labels" encryption products to state whether they use a key recovery agent.

The draft bill also provides that if non-escrowed cryptography is used during the commission of a crime, an additional five year prison sentence could be imposed.

Another provision, apparently intended to gain industry support, would limit the potential civil liability of any "Certification Authority" or "Key Recovery Agent" who obtains a government certification.

More information on cryptography policy is available at:

http://www.epic.org/crypto/

==================================================================
[3] FAA Calls for Collecting SSNs of all Air Travelers
==================================================================

On March 13, the FAA issued a call for comments on a FAA proposal to require airlines to collect substantial personal information on each passenger, including full name, address, next of kin, Social Security Number and date of birth. The purpose of this collection would be to facilitate identification of victims of airplane crashes. The proposal anticipates that passengers would have to provide this information in order to board an aircraft.

The proposal raises a number of substantive threats to personal privacy. One major problem is that it appears to violate the Privacy Act of 1974, which limits the ability of government agencies to collect the SSN.
There also appear to be no limitations on the use of the collected information, creating a risk that the data could be put to a wide variety of unrelated uses by both the airlines and government agencies.

One potential use of this information would be in connection with the controversial "profiling" proposals recently recommended by the Gore Commission. The use of the Social Security Number would simplify the comparison of passenger records with other databases. It appears likely that the FAA is using this proposal as a less controversial rationale to demand the collection of personal information rather than specifically including it in the profiling proposal, which has already generated considerable public and editorial opposition.

More information on the proposal and other FAA activities is available at the EPIC Airline Security Page:

http://www.epic.org/privacy/faa/

=======================================================================
[4] Groups Urge IETF to Fix Cookies
=======================================================================

Several leading consumer, civil liberties, and children's advocacy organizations have urged an Internet standards organization to fix a problem with web browser software that allows companies and government agencies operating web sites to track the activities of Internet users.

The groups say that there is a problem with the so-called "cookies" technology. Cookies make it possible to read information on users' computers and find out where they go on the Internet. Some companies in the on-line advertising industry use cookies data to collect personal information for advertising and marketing.

The Internet Engineering Task Force, a loose coalition of technical experts responsible for the development of standards for the Internet, is meeting this week in Memphis to consider a wide range of technical issues concerning the Internet, including a proposal to limit the ability of companies to use cookies.
The proposed safeguard has come under attack by several companies engaged in interactive advertising and marketing. According to a March 31, 1997 article in Ad Age, these groups are now drafting a "counter-proposal" to head off the IETF recommendation.

In the letter, the groups express support for RFC 2109, the proposal for an HTTP State Management Mechanism. The letter further says that "'transparency' -- the ability of users to see and exercise control over the disclosure of personally identifiable information -- is a critical guideline for the development of sensible privacy practices on the Internet."

The letter was signed by the Center for Media Education, Computer Professionals for Social Responsibility, the Consumer Federation of America, the Consumer Project on Technology, the Electronic Frontier Foundation, the Electronic Privacy Information Center, National Association of Elementary School Principals, NetAction, Privacy International, the United States Privacy Council, and more than one hundred Internet users.

The coalition letter, and more information about cookies, is available at:

http://www.epic.org/privacy/internet/cookies/

=======================================================================
[5] National Research Council Reports on Privacy of Medical Systems
=======================================================================

The National Research Council has released a report on the privacy of medical systems. The report, entitled "For the Record: Protecting Electronic Health Information," calls for measures by government, companies and consumers to better protect the privacy of medical records.

The NRC recommended a two-prong approach to dealing with medical privacy, involving the revision of organizational practices to deter unauthorized access to and/or misuse of electronic medical records, and implementation of more stringent technical measures as a safeguard in case the first prong proves ineffective.
The NRC also proposes that health-related organizations adopt fair information practices similar to those contained in the federal Privacy Act of 1974. Consumers should have access to a privacy ombudsman that not only provides such information, but could also address patient grievances over violations of privacy.

The NRC waffled on fundamental issues such as the desirability of national databases of medical information and the creation of a unique national patient identifier, but expressed concerns over the ramifications for privacy entailed in such a system. Also proposed by the NRC, although admittedly difficult to implement, is the identification of parties which may inappropriately link patient information. Using the Social Security Number, the NRC states, is in its current form insufficient to protect the privacy of individuals.

More information on medical privacy is available at:

http://www.epic.org/privacy/medical/

=======================================================================
[6] FTC To Conduct Hearings on Privacy, Investigate Databases
=======================================================================

The Federal Trade Commission has announced that it will convene a public workshop devoted to consumer information privacy on June 10-13, 1997. This is a follow-up to FTC workshops held last summer.

The workshop is intended to gather information on the collection, compilation, sale and use of computerized data bases that contain sensitive identifying information, as well as self-regulatory efforts, technological innovations and unsolicited e-mail. The workshop will also address these developments as they pertain to children's personal information.

The workshop will gather information for a new computer data base study that the FTC has also announced. However, this study will be limited to "look up services" which contain personal identifying information, such as the Lexis-Nexis P-TRAK service.
Importantly, the FTC will not address computer databases used primarily for direct marketing purposes, medical and student records or the use of computer credit reports for employment purposes.

Interested participants must submit written comments by April 15, 1997. More information is available at the FCC web page:

http://www.ftc.gov/

=======================================================================
[7] NTIA Files Comments on Privacy of Telephone Calling Information
=======================================================================

The Commerce Department's National Telecommunications and Information Administration (NTIA) recommended on March 27 that the Federal Communications Commission (FCC) establish more specific policies to protect the privacy of information gathered about consumers by telephone companies.

The recommendations cover Customer Proprietary Network Information (CPNI). CPNI is the information that is gathered by phone companies in the process of delivering services, such as numbers called, length of calls, and times calls were made. The FCC is currently conducting a rulemaking on CPNI under the Telecommunications Act of 1996. The law limits the use and disclosure of CPNI information:

     a telecommunications carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable customer proprietary network information in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories.

NTIA recommended that phone companies provide a list of uses for the information and provide consumers with an opportunity to opt-out of those disclosures.
However, this appears to contradict the text of Section 702 of the Act, which requires that phone companies obtain prior written consent before they can share the information and use the information for marketing purposes.

Telephone companies have been pressing the FCC to relax that requirement and to require customers to contact them before the telcos stop selling the information. Public interest groups such as Computer Professionals for Social Responsibility and NetAction are arguing for more consumer protection.

The NTIA comments are available at:

http://www.ntia.doc.gov/ntiahome/fccfilings/cc96-115.htm

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

Culture and Democracy revisited in the Global Information Society. May 8 - 10, 1997. Corfu, Greece. Sponsored by IFIP-WG9.2/9.5. Contact: http://www.math.aegean.gr/english/events/econf/ecnew/ewc97.htm

Can Trusted Third Parties Be Trusted?: A Public Debate on The UK DTI Crypto Proposal. May 19, 1997. London, UK. Sponsored by Privacy International and the London School of Economics. Contact: pi@privacy.org

CYBER://CON.97: Rules for Cyberspace?: Governance, Standards and Control. June 4 - 7, 1997. Chicago, Illinois. Sponsored by the John Marshall Law School. Contact: cyber97@jmls.edu.

Ethics in the Computer Society: The Second Annual Ethics and Technology Conference. June 6 - 7, 1997. Chicago, Ill. Sponsored by Loyola University Chicago. http://www.math.luc.edu/ethics97

Public Workshop on Consumer Privacy. June 10-13, 1997. Washington, DC. Sponsored by the Federal Trade Commission. Contact: http://www.ftc.gov/os/9703/privacy.htm

INET 97 -- The Internet: The Global Frontiers. June 24-27, 1997. Kuala Lumpur, Malaysia. Sponsored by the Internet Society. Contact: inet97@isoc.org or http://www.isoc.org/inet97

Privacy Laws & Business 10th Anniversary Conference. July 1-3, 1997. St.
John's College, Cambridge, England. Contact: info@privacylaws.co.uk.

Communities, Culture, Communication, and Computers (C**5): On the Role of Professionals in the Information Age. August 20-22, 1997, Paderborn, Germany. Sponsored by FIFF. Contact: c5@uni-paderborn.de

AST3: Cryptography and Internet Privacy. Sept. 15, 1997. Brussels, Belgium. Sponsored by Privacy International. Contact: pi@privacy.org. http://www.privacy.org/pi/conference/brussels/

19th Annual International Privacy and Data Protection Conference. Sept. 17-18, 1997. Brussels, Belgium. Sponsored by Belgium Data Protection and Privacy Commission.

International Conference on Privacy. September 23-26, 1997. Montreal, Canada. Sponsored by the Commission d'Acces a l'information du Quebec. http://www.confpriv.qc.ca/

Managing the Privacy Revolution '97. October 21-23, 1997. Washington, DC. Sponsored by Privacy and American Business. Contact: http://shell.idt.net/~pab/conf97.html

(Send calendar submissions to alert@epic.org)

=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe, send email to epic-news@epic.org with the subject: "subscribe" (no quotes) or use the subscription form at:

http://www.epic.org/alert/subscribe.html

Back issues are available at:

http://www.epic.org/alert/

=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, email info@epic.org, HTTP://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003. Individuals with First Virtual accounts can donate at http://www.epic.org/epic/support.html

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and funding of the National Wiretap Plan.

Thank you for your support.

---------------------- END EPIC Alert 4.05 -----------------------