EPIC logo
       @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
       @     @  @   @   @        @ @   @     @     @  @    @
       @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
       @     @      @   @       @   @  @     @     @  @    @
       @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
   Volume 4.05	                                  April 8, 1997
                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.
Table of Contents
[1] OECD Releases Crypto Guidelines
[2] White House Floats Draft Crypto Bill
[3] FAA Calls for Collecting SSNs of all Air Travelers
[4] Groups Urge IETF to Fix Cookies
[5] National Research Council Reports on Privacy of Medical Systems
[6] FTC To Conduct Hearings on Privacy, Investigate Databases
[7] NTIA Files Comments on Privacy of Telephone Calling Information
[8] Upcoming Conferences and Events
[1] OECD Releases Crypto Guidelines
The Organization for Economic Cooperation and Development (OECD), a 29
country international organization, released on March 27 its long
anticipated Guidelines for Cryptography Policy.  The Guidelines are
intended to promote the use of cryptography, to develop electronic
commerce through a variety of commercial applications, to bolster user
confidence in networks, and to provide for data security and privacy
The Cryptography Policy Guidelines are a non-binding agreement that
identifies the basic issues that countries should consider in drawing up
cryptography policies at the national and international level.  The
Recommendation culminates one year of intensive talks to draft the
Guidelines.  They are designed to assist decision-makers in the public
and private sectors in developing and implementing coherent national and
international policies for the effective use of cryptography. Member
countries are encouraged to establish new, or amend existing, policies
to reflect them.
The Guidelines set out eight basic Principles for cryptography policy in
the areas of trust, user choice, market development, technical
standards, privacy, lawful access, liability and international
cooperation. The key recommendations of the OECD include:
 -- Recognition of commercial importance of cryptography.  The Guidelines
    recognize that cryptography is an effective tool for the secure use
    of information technology by ensuring confidentiality, integrity and
    availability of data and providing authentication and non-repudiation
 -- Rejection of key escrow encryption.  The U.S. sought endorsement
    for government access to private keys.  Initial drafts of the
    guidelines included this recommendation.  The final draft does
    not. OECD countries rejected this approach.
 -- Endorsement of voluntary, market-driven development of crypto
    products.  The OECD emphasized open, competitive markets to
    promote trade and commerce in new cryptographic methods.
 -- Need for critical assessment of key escrow.  The OECD Guidelines
    recommend that countries which are considering key escrow techniques
    to consider also "the risks of misuse, the additional expense of
    any supporting infrastructure, the prospects of technical failure,
    and other costs."
 -- Endorsement of strong privacy safeguards.  The OECD adopted one of
    strongest privacy principles found in any international agreement,
    including the obligation to apply the OECD privacy principles to
    crypto products and services.  The OECD also noted favorably the
    development of anonymous payment schemes which would minimize the
    collection of personal data.
 -- Removal of Restrictions on Cryptography.  The OECD urged member
    countries to remove, and avoid creating, obstacles to trade
    based on cryptography policy.  This guideline should lead to
    further liberalization of export control policies among the
    OECD member countries.
Drafting of the Guidelines for Cryptography Policy began in early 1996.
More than 100 representatives from OECD Member countries participated,
including government officials from commerce, industry, telecommunications
and foreign ministries, law enforcement and security agencies, privacy and
data protection commissions, as well as representatives of private sector
and privacy advocates.
The Global Internet Liberty Campaign (http://www.gilc.org/), an
international coalition of civil liberties and human rights organizations,
organized a conference for the OECD delegates in Paris in September 1996.
The conference contributed significantly to the OECD's final
The Guidelines, the OECD press announcement and additional commentary are
available at:
[2] White House Floats Draft Crypto Bill
The White House has released a new draft proposal on key escrow encryption
to the Congress.  The draft (dated March 12) is entitled the "Electronic
Data Security Act of 1997."  The legislation is the latest attempt to push
forward the result the Administration sought to achieve with the failed
Clipper Chip initiative -- ensuring government access to all encrypted
communications through government-escrowed keys.
To achieve this goal, the bill would create incentives for all persons and
organizations to use a government-certified Certificate Authority (CA) to
establish their identities for any electronic transactions.  The CA would
ensure that there was an escrow system in place before it would issue an
identification certificate to the user.
Government agencies would likely refuse to communicate with persons and
entities not using a government certified CA.  Agencies would also likely
pressure others over whom they have substantial regulatory or economic
power, such as banks, state agencies, and government contractors,  to
require that government-certified CA's are used to communicate with them.
Another provision would require any person who "manufactures, imports,
packages, distributes or labels" encryption products to state whether they
use a key recovery agent.
The draft bill also provides that if non-escrowed cryptography is used
during the commission of a crime, an additional five year prison sentence
could be imposed. Another provision, apparently intended to gain industry
support, would limit the potential civil liability of any "Certification
Authority" or "Key Recovery Agent" who obtains a government certification.
More information on cryptography policy is available at:
[3] FAA Calls for Collecting SSNs of all Air Travelers
On March 13, the FAA issued a call for comments on a FAA proposal to
require airlines to collect substantial personal information on each
passenger, including full name, address, next of kin, Social Security
Number and date of birth.  The purpose of this collection would be to
facilitate identification of victims of airplane crashes.  The proposal
anticipates that passengers would have to provide this information in order
to board an aircraft.
The proposal raises a number of substantive threats to personal privacy.
One major problem is that it appears to violate the Privacy Act of 1974,
which limits the ability of government agencies to collect the SSN.  There
also appear to be no limitations on the use of the collected information,
creating a risk that the data could be put to a wide variety of unrelated
uses by both the airlines and government agencies.
One potential use of this information would be in connection with the
controversial "profiling" proposals recently recommended by the Gore
Commission.  The use of the Social Security Number would simplify the
comparison of passenger records with other databases.  It appears likely
that the FAA is using this proposal as a less controversial rationale to
demand the collection of personal information rather than specifically
including it in the profiling proposal, which has already generated
considerable public and editorial opposition.
More information on the proposal and other FAA activities is available at
the EPIC Airline Security Page:
 [4] Groups Urge IETF to Fix Cookies
Several leading consumer, civil liberties, and children's advocacy
organizations have urged an Internet standards organization to fix a
problem with web browser software that allows companies and government
agencies operating web sites to track the activities of Internet users.
The groups say that there is a problem with the so-called "cookies"
technology.  Cookies make it possible to read information on users'
computers and find out where they go on the Internet. Some companies in the
on-line advertising industry use cookies data to collect personal
information for advertising and marketing.
The Internet Engineering Task Force, a loose coalition of technical experts
responsible for the development of standards for the Internet is meeting
this week in Memphis to consider a wide range of technical issues
concerning the Internet, including a proposal to limit the ability of
companies to use cookies.
The proposed safeguard has come under attack by several companies engaged
in interactive advertising and marketing.  According to a March 31, 1997
article in Ad Age, these groups are now drafting a "counter-proposal" to
head-off the IETF recommendation.
In the letter, the groups express support for RFC 2109, the proposal for an
HTTP State Management Mechanism.  The letter further says that
"transparency" -- the ability of users to see and exercise control over the
disclosure of personally identifiable information -- is a critical
guideline for the development of sensible privacy practices on the
The letter was signed by the Center for Media Education, Computer
Professionals for Social Responsibility, the Consumer Federation of
American, the Consumer Project on Technology, the Electronic Frontier
Foundation, the Electronic Privacy Information Center, National Association
of Elementary School Principals, NetAction, Privacy International, the
United States Privacy Council, and more than one hundred Internet users.
The coalition letter, and more information about cookies, is available at:
[5] National Research Council Reports on Privacy of Medical Systems
The National Research Council has released a report on the privacy of
medical systems.  The report, entitled "For the Record: Protecting
Electronic Health Information," calls for measures by government, companies
and consumers to better protect the privacy of medical records.
The NRC recommended a two-prong approach to dealing with medical privacy,
involving the revision of organizational practices to deter unauthorized
access to and/or misuse of electronic medical records, and implemention of
more stringent technical measures as a safeguard in case the first prong
proves ineffective.
The NRC also proposes that health-related organizations adopt fair
information practices similar to those contained in the federal Privacy Act
of 1974.  Consumers should have access to a privacy ombudsman that not only
provides such information, but could also address patient grievances over
violations of privacy.
The NRC waffled on fundamental issues such as the desirability of national
databases of medical information and the creation of a unique national
patient identifier, but expressed concerns over the ramifications for
privacy entailed in such a system.  Also proposed by the NRC, although
admittedly difficult to implement, is the identification of parties which
may inappropriately link patient information.  Using the Social Security
Number, the NRC states, is in its current form insufficient to protect the
privacy of individuals.
More information on medical privacy is available at:
[6]  FTC To Conduct Hearings on Privacy, Investigate Databases
The Federal Trade Commission has announced that it will convene a public
workshop devoted to consumer information privacy on June 10-13, 1997. This
is a follow-up to FTC workshops held last summer.
The workshop is intended to gather information on the collection,
compilation, sale and use of computerized data bases that contain sensitive
identifying information, as well as self-regulatory efforts, technological
innovations and unsolicited e-mail.  The workshop will also address these
developments as they pertain to children's personal information.
The workshop will gather information for a new computer data base study
that the FTC has also announced.  However, this study will be limited to
"look up services" which contain personal identifying information, such as
the Lexis-Nexis P-TRAK service.  Importantly, the FTC will not address
computer databases used primarily for direct marketing purposes, medical
and student records or the use of computer credit reports for employment
Interested participants must submit written comments by April 15, 1997.
More information is available at the FCC web page:
[7] NTIA Files Comments on Privacy of Telephone Calling Information
The Commerce Department's National Telecommunications and Information
Administration (NTIA) recommended on March 27 that the Federal
Communications Commission (FCC) establish more specific policies to protect
the privacy of information gathered about consumers by telephone companies.
The recommendations cover Customer Proprietary Network Information (CPNI).
CPNI is the information that is gathered by phone companies in the process
of delivering services, such as numbers called, length of calls, and times
calls were made.  The FCC is currently conducting a rulemaking on CPNI
under the Telecommunications Act of 1996.
The law limits the use and disclosure of CPNI information:
    a telecommunications carrier that receives or obtains
    customer proprietary network information by virtue of its
    provision of a telecommunications service shall only use,
    disclose, or permit access to individually identifiable
    customer proprietary network information in its provision of
    (A) the telecommunications service from which such
    information is derived, or (B) services necessary to, or used
    in, the provision of such telecommunications service,
    including the publishing of directories.
NTIA recommended that phone companies provide a list of uses for the
information and provide consumers with an opportunity to opt-out of those
disclosures.  However, this appears to contradict the text of Section 702
of the Act, which requires that phone companies obtain prior written
consent before they can share the information and use the information for
marketing purposes.  Telephone companies have been pressing the FCC to
relax that requirement and to require customers to contact them before the
telcos stop selling the information.  Public interest groups such as
Computer Professionals for Social Responsibility and NetAction are arguing
for more consumer protection.
The NTIA comments are available at:
[8] Upcoming Conferences and Events
Culture and Democracy revisited in the Global Information Society.
May 8 - 10, 1997. Corfu, Greece. Sponsored by IFIP-WG9.2/9.5. Contact:
Can Trusted Third Parties Be Trusted?: A Public Debate on The UK
DTI Crypto Proposal. May 19, 1997. London, UK. Sponsored by Privacy
International and the London School of Economics. Contact: pi@privacy.org
CYBER://CON.97: Rules for Cyberspace?:Governance, Standards and
Control. June 4 - 7, 1997. Chicago, Illinois. Sponsored by the John
Marshall Law School. Contact: cyber97@jmls.edu.
Ethics in the Computer Society: The Second Annual Ethics and
Technology Conference. June 6 - 7, 1997. Chicago, Ill. Sponsored by
Loyola University Chicago. http://www.math.luc.edu/ethics97
Public Workshop on Consumer Privacy. June 10-13, 1997. Washington, DC.
Sponsored by the Federal Trade Commission. Contact:
INET 97 -- The Internet: The Global Frontiers. June 24-27, 1997. Kuala
Lumpur, Malaysia. Sponsored by the Internet Society. Contact:
inet97@isoc.org or http://www.isoc.org/inet97
Privacy Laws & Business 10th Anniversary Conference. July 1-3, 1997.
St. John's College, Cambridge, England. Contact:
Communities, Culture, Communication, and Computers (C**5): On the Role of
Professionals in the Information Age.  August 20-22, 1997, Paderborn,
Germany. Sponsored by FIFF. Contact: c5@uni-paderborn.de
AST3: Cryptography and Internet Privacy. Sept. 15, 1997. Brussels,
Belgium. Sponsored by Privacy International. Contact:
pi@privacy.org. http://www.privacy.org/pi/conference/brussels/
19th Annual International Privacy and Data Protection Conference.
Sept. 17-18, 1997. Brussels, Belgium. Sponsored by Belgium Data
Protection and Privacy Commission.
International Conference on Privacy. September 23-26, 1997. Montreal,
Canada. Sponsored by the Commission d'Acces a l'information du Quebec.
Managing the Privacy Revolution '97. October 21-23, 1997. Washington,
DC. Sponsored by Privacy and American Business. Contact:
             (Send calendar submissions to alert@epic.org)
The EPIC Alert is a free biweekly publication of the Electronic Privacy
Information Center.  To subscribe, send email to epic-news@epic.org with
the subject: "subscribe" (no quotes) or use the subscription form at:
Back issues are available at:
The Electronic Privacy Information Center is a public interest research
center in Washington, DC.  It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the Digital
Telephony proposal, national ID cards, medical record privacy, and the
collection and sale of personal information. EPIC is sponsored by the Fund
for Constitutional Government, a non-profit organization established in
1974 to protect civil liberties and constitutional rights.  EPIC publishes
the EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, email info@epic.org,
HTTP://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301,
Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.  Checks should
be made out to "The Fund for Constitutional Government" and sent to EPIC,
666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003. Individuals with
First Virtual accounts can donate at http://www.epic.org/epic/support.html
Your contributions will help support Freedom of Information Act and First
Amendment litigation, strong and effective advocacy for the right of
privacy and efforts to oppose government regulation of encryption and
funding of the National Wiretap Plan.
Thank you for your support.
---------------------- END EPIC Alert 4.05 -----------------------

Return to:

Alert Home Page | EPIC Home Page