==============================================================

EPIC Alert

==============================================================
Volume 4.09                                      June 18, 1997
--------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/

=======================================================================
Table of Contents
=======================================================================

[1] EPIC Files Suit For Crypto Czar Records
[2] McCain/Kerrey Introduce Crypto Restrictions Bill
[3] Computer Security Act Revisions Proposed in House
[4] Georgia Tech Releases New Online Privacy Survey
[5] First Amendment Pledge Campaign Launched On Eve of CDA Decision
[6] Torricelli Introduces New Spam Bill
[7] GILC to Meet at INET in Malaysia
[8] Upcoming Conferences and Events

=======================================================================
[1] EPIC Files Suit For Crypto Czar Records
=======================================================================

EPIC today filed a lawsuit seeking public disclosure of the travel records of Ambassador David Aaron, who has spent the past year promoting the Clinton Administration's controversial encryption policies in foreign countries. Through the suit, filed in U.S. District Court in Washington, EPIC is seeking to open U.S. encryption policy to public scrutiny by requesting release of the trip reports of the Administration's "crypto czar."

The significance of the Administration's overseas lobbying on the controversial encryption issue is underscored by the upcoming "Group of Seven" (or G-7) summit that convenes on June 20 in Denver. At the request of the Administration, encryption policy is on the G-7 agenda.
The summit meeting is the most recent example of the Administration's strategy to pre-empt the ongoing domestic debate on encryption by enlisting support for "key-escrow" encryption from foreign governments.

Ambassador Aaron sought an endorsement of the Administration's policy during the Organization for Economic Cooperation and Development's deliberations on encryption policy earlier this year. But the 29-member international organization rejected the key escrow proposal and recommended instead that national policies be based on open markets, voluntary choice, and privacy safeguards.

In a letter sent to key members of Congress on the eve of the G-7 Summit, EPIC urged a Congressional inquiry into the Administration's campaign to sell "key-escrow" policy overseas. EPIC said that, "With several encryption bills now pending and an important national debate ensuing, the Administration is seeking to accomplish through international understandings what it cannot accomplish through the domestic policy-making process."

According to EPIC Director Marc Rotenberg, "The White House should stop trying to export a bad crypto policy and instead allow the export of good crypto products."

=======================================================================
[2] McCain/Kerrey Introduce Crypto Restrictions Bill
=======================================================================

Senators John McCain (R-AZ) and Bob Kerrey (D-NE) have introduced a bill that is designed to promote key escrow for domestic use in the United States. The Secure Public Networks Act, S. 909, contains a number of coercive measures that would force widespread domestic adoption of key escrow encryption techniques.

The bill promotes key escrow technology by requiring that all federal funds spent directly or indirectly for communications networks and security products that incorporate encryption must support key escrow.
This would include schools, states receiving federal grants, the new Internet II and other projects. This would also likely include telephone companies that are required under the Communications Assistance for Law Enforcement Act (CALEA) to ensure that their networks are secure and will receive $500 million of federal funds to retrofit their systems.

The bill would also require that entities wishing to become registered as certificate authorities must hold an individual's private encryption key before they can issue the person a certificate. Certificate authorities who issue certificates without obtaining such private keys would be subject to criminal and civil penalties.

Access to keys would be broadly permitted and warrants would not be required in all cases. "Authorized" government officials could obtain access to keys using only a subpoena or a certification from the Attorney General that foreign intelligence is involved. Furthermore, the definition of Key Recovery Agent "includes any person who hold the person's own recovery information." In other words, under the bill, individuals could be compelled to release their own keys.

Another provision would make it a criminal offense to use cryptography in the furtherance of any crime that has a one-year jail sentence. This would in effect criminalize many minor state crimes including the use of a digital cell phone to place a bet with a bookmaker.

To gain the support of industry, the bill offers to relax crypto exports up to 56-bit DES. However, it would provide broad discretion to the Secretary of Commerce to prohibit any export without judicial review of the decision.

Sen. McCain (as Chairman of the Commerce Committee) has ordered that the bill be rapidly heard. A mark-up on the bill is scheduled for Thursday, June 19. It is also being supported by Sens. Jay Rockefeller (D-WV), Ernest Hollings (D-SC), and John Kerry (D-MA).

More information is available at:

http://www.epic.org/crypto/legislation/

=======================================================================
[3] Computer Security Act Revisions Proposed in House
=======================================================================

Rep. James Sensenbrenner (R-WI) introduced HR 1903, the "Computer Security Enhancement Act" on June 17. The bill is designed to enhance the security of unclassified information on federal computer systems, to promote private sector input in the development of computer security technology used to protect these federal computer systems, and to provide for evaluations of cryptographic technology originating outside the United States.

The bill would reinforce the role of the National Institute of Standards and Technology (NIST) and its Computer System Security and Privacy Advisory Board in the development of computer security systems, and includes an explicit proviso that NIST develop encryption standards and policies only for use in Federal Government computer systems.

The bill would authorize the Secretary of Commerce to commission the National Research Council to study public key infrastructures for use by individuals, businesses and government. HR 1903 also establishes a fellowship program to support students at institutions of higher learning in computer security.

A hearing is scheduled on the bill for June 19.

More information on the bill and the Computer Security Act is available at:

http://www.epic.org/crypto/csa/

=======================================================================
[4] Georgia Tech Releases New Net Survey
=======================================================================

The Graphic, Visualization and Usability Center (GVU) of the Georgia Institute of Technology has released its 7th WWW user survey. The issues listed as the most important by respondents were censorship (34%), privacy (26%), and navigation (13%). Among women, privacy was the top concern.

Anonymity continued to play an important role. Nearly 40% of the respondents reported that they had provided false information when registering at a web site. Fifteen percent said that they falsified information over 25% of the time. When questioned on why they provide false information, 69% reported that the uses of the information were not clearly explained, 64% reported that accessing the site was not worth providing information, and 62% stated that they do not trust the sites.

Only one of five users thought that devices such as cookies, which allow identification of users across sessions at a site, should be used.

On ranking users' views towards these issues on a one to five scale, the survey found that there was strong support (4.7) for private communications on the net and anonymity (4.46). There was also significant support for anonymous payment systems (3.93) and new privacy laws (3.79).

The survey results are available at:

http://www.gvu.gatech.edu/user_surveys/survey-1997-04/

=======================================================================
[5] First Amendment Pledge Campaign Launched On Eve of CDA Decision
=======================================================================

As the nation awaits a Supreme Court decision on the future of free speech on the Internet, EPIC and the American Civil Liberties Union have launched "firstamendment.org," a website dedicated to upholding the First Amendment in cyberspace.

The groups are calling on President Clinton and members of Congress to be among the first to "Take the First Amendment Pledge" and cease any further attempts to draft legislation to censor the Internet in the event the Supreme Court upholds a lower court decision striking down government regulation of the Internet as unconstitutional.

The launch of the website comes as Clinton Administration officials have begun publicly discussing a shift in policy on Internet regulation, saying that "industry self-regulation" -- not laws criminalizing certain Internet communications -- is the solution to shielding minors from online "indecency."

The Supreme Court is expected to issue a ruling soon in Reno v. ACLU, which challenges the censorship provisions of the Communications Decency Act aimed at protecting minors by criminalizing so-called "indecency" on the Internet. EPIC, along with the ACLU and 18 other plaintiffs, filed a challenge to the law the day it was enacted.

Online users can capture the "First Amendment Pledge" GIF (graphic image file) for placement on their own website. Other features planned for the site include an "action alert" that informs users of legislative threats to the First Amendment and allows them to instantly e-mail or fax their member of Congress, and an online "postcard" that can be e-mailed to friends, relatives and elected officials, urging them to "Take the Pledge."

Take the pledge at:

http://www.firstamendment.org

=======================================================================
[6] Torricelli Introduces New Spam Bill
=======================================================================

On June 11, Sen. Robert Torricelli (D-NJ) introduced the Electronic Mailbox Protection Act of 1997. The bill, like the efforts of Sen. Frank Murkowski (R-AK) and Rep. Chris Smith (R-NJ), addresses the issue of unsolicited commercial e-mail (or spam). However, Torricelli's bill takes a different perspective on solutions to the problem.

The most noticeable difference between Torricelli's bill and the others is that it regulates all unsolicited e-mail, not just unsolicited commercial e-mail.
This means that, according to the bill's definition of unsolicited e-mail, anyone sending e-mail to another with whom they do not have a pre-existing personal or business relationship would be covered by the bill. For example, a student e-mailing a question to a professor with whom the student has no pre-existing relationship could conceivably fall within the provisions of the bill.

Torricelli also takes a fundamentally different approach to regulating unsolicited e-mail. While the Murkowski and Smith bills attempt to limit spam through labeling or banning the spam itself, the Torricelli bill attacks the harvesting and distribution of e-mail addresses as well as some attempts by spammers to circumvent blocking systems and avoid responses.

Other provisions attempt to stop spammers from circumventing responses or filters. One provision creates a violation for using fictitious or unregistered domains or e-mail accounts to avoid responses or messages of non-delivery. Another provision creates a violation for using any mechanism to avoid filtering tools.

The bill creates a violation for directing unsolicited e-mail through another entity's server knowing that such action is in contravention of that entity's policy. The penalty would be $5,000 per violation.

More information on spam is available at:

http://www.epic.org/privacy/junk_mail/spam/

=======================================================================
[7] GILC to Meet at INET in Malaysia
=======================================================================

The Global Internet Liberty Campaign (GILC) will hold an informational meeting at the INET 97 conference in Kuala Lumpur, Malaysia on June 25. Topics to be addressed include protection of free speech on the Internet; access to Internet services in SE Asia; crypto policy around the globe; and development of privacy standards.

Special guests addressing the meeting will include Ira Magaziner, U.S.
Presidential Advisor, and Don Heath, President of the Internet Society.

Additional information on activities at INET is available at:

http://www.epic.org/events/inet_malaysia/

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

Cyberpayments 97. June 19-20, 1997. Washington, DC. Sponsored by NACHA. Contact: http://www.nacha.org

INET 97 -- The Internet: The Global Frontiers. June 24-27, 1997. Kuala Lumpur, Malaysia. Sponsored by the Internet Society. Contact: inet97@isoc.org or http://www.isoc.org/inet97

Informational Meeting of the Global Internet Liberty Campaign (GILC). June 25, 1997. INET 97, Putra World Trade Center, Kuala Lumpur, Malaysia. Contact: rotenberg@epic.org.

Privacy Laws & Business 10th Anniversary Conference. July 1-3, 1997. St. John's College, Cambridge, England. Contact: info@privacylaws.co.uk.

4th Annual Privacy Issues Forum. July 10-11, 1997. Auckland, New Zealand. Sponsored by NZ Privacy Commissioner. Contact: Terry Debenham, Fax +649-302 2305 or email privacy@iprolink.co.nz.

Hacking In Progress. August 8-10, 1997, Almere, Netherlands. Sponsored by Hac-Tic. Contact: http://www.hip97.nl/

AST3: Cryptography and Internet Privacy. Sept. 15, 1997. Brussels, Belgium. Sponsored by Privacy International. Contact: pi@privacy.org. http://www.privacy.org/pi/conference/brussels/

19th Annual International Privacy and Data Protection Conference. Sept. 17-18, 1997. Brussels, Belgium. Sponsored by Belgium Data Protection and Privacy Commission.

International Conference on Privacy. September 23-26, 1997. Montreal, Canada. Sponsored by the Commission d'Acces a l'information du Quebec. http://www.confpriv.qc.ca/

Managing the Privacy Revolution '97. October 21-23, 1997. Washington, DC. Sponsored by Privacy and American Business. Contact: http://shell.idt.net/~pab/conf97.html

RSA'98 -- The 1998 RSA Data Security Conference.
January 12-16, 1998. San Francisco, CA. Contact kurt@rsa.com or http://www.rsa.com/conf98/

(Send calendar submissions to alert@epic.org)

=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe, send email to epic-news@epic.org with the subject: "subscribe" (no quotes) or use the subscription form at:

http://www.epic.org/alert/subscribe.html

Back issues are available at:

http://www.epic.org/alert/

=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003. Individuals with First Virtual accounts can donate at http://www.epic.org/epic/support.html

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and funding of the National Wiretap Plan.
Thank you for your support.

---------------------- END EPIC Alert 4.09 -----------------------