==============================================================
EPIC Alert
==============================================================
Volume 4.12                                  September 4, 1997
--------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/

=======================================================================
Table of Contents
=======================================================================

[1] SSA to Restore Online Web Service
[2] Freeh Makes It Official: FBI Wants Mandatory Key Escrow
[3] Crypto in the Courts: Update on Bernstein, Karn & Junger
[4] Media Group Says "No" to Internet Ratings
[5] U.S. Government Web Sites Fail to Protect Privacy
[6] Consumer Groups Question FTC Privacy Report
[7] Clinton Signs IRS Browsing Bill
[8] Upcoming Conferences and Events

=======================================================================
[1] SSA to Restore Online Web Service
=======================================================================

The Social Security Administration announced today it would put a modified version of the Personal Earnings and Benefits Estimate Statement (PEBES) service back on-line before the end of the year. The service was suspended on April 9, following public concerns about the risk of improper access to personal information held by the agency.

The Social Security Administration said that the new service would be based on an "opt-in" privacy standard. Individuals could affirmatively choose to request the on-line delivery of PEBES information by first obtaining an authentication code that would only be delivered to a registered email address. Records of individuals who did not request the code would not be available at the web site.

The SSA also said that it would limit the amount of information made available on-line. Payment records would not be accessible at the SSA web site, although they will still be sent by the U.S. mail.

Privacy experts expressed support for the SSA recommendations, saying that the agency has done a good job meeting with the public, consulting with experts, and developing sensible standards to protect personal information.

The SSA experience with Internet service delivery is being watched closely by other federal agencies as well as private companies who hope to take advantage of the Internet and avoid public concerns about privacy.

The SSA PEBES Service is available at:

    http://s3abaca.ssa.gov/pro/batch-pebes/bp-7004home.shtml

More information on the SSA and Online Privacy is available at:

    http://www.epic.org/privacy/databases/ssa/

=======================================================================
[2] Freeh Makes It Official: FBI Wants Mandatory Key Escrow
=======================================================================

Publicly confirming long-standing internal Bureau policy for the first time, FBI Director Louis Freeh told a Senate subcommittee on September 3 that legislation is needed to mandate the inclusion of key escrow features in encryption programs intended for domestic use. Testifying before the Judiciary Subcommittee on Terrorism, Technology and Government Information, Freeh said:

    What we would recommend from a law enforcement point of view is that the legislation contain a provision that would require the manufacturers of encryption products and services, those which will be used in the United States or imported into the United States for use, include a feature which would allow for the immediate, lawful decryption of the communications or the electronic information once that information is found by a judge to be in furtherance of a criminal activity or a national security matter.

    There are a number of ways that that could be implemented, but what we believe we need as a minimum is a feature implemented and designed by the manufacturers of the products and services here that will allow law enforcement to have an immediate lawful decryption of the communications in transit or the stored data. That could be done in a mandatory manner. It could be done in an involuntary manner. But the key is that we would have the ability, once we have the court order in hand, to get that information and get it real-time without waiting for what it would take for a supercomputer to give us, which is too long for life or safety reasons.

While Administration officials have long denied any intention to mandate the use of key escrow within the United States, declassified documents obtained by EPIC under the Freedom of Information Act in August 1995 revealed the government's ultimate agenda. In a briefing document titled "Encryption: The Threat, Applications and Potential Solutions," and sent to the National Security Council in February 1993, the FBI, NSA and DOJ concluded that:

    Technical solutions, such as they are, will only work if they are incorporated into *all* encryption products. To ensure that this occurs, legislation mandating the use of Government-approved encryption products or adherence to Government encryption criteria is required.

Additional information on the declassified material obtained by EPIC, including images of selected documents, is available at:

    http://www.epic.org/crypto/ban/fbi_dox/

=======================================================================
[3] Crypto in the Courts: Update on Bernstein, Karn & Junger Cases
=======================================================================

On August 25, a federal judge in San Francisco declared the Commerce Department's cryptography export regulations unconstitutional as an infringement of free speech and issued an injunction against their enforcement.
The decision was the second ruling in favor of Daniel Bernstein, an Illinois math professor and cryptographer who attempted to publish his Snuffle encryption program on the Internet. Last December, Judge Marilyn Patel similarly found the State Department's encryption export restrictions unconstitutional, but the Clinton Administration released new rules shortly after the decision, under the auspices of the Commerce Department.

In response to an emergency motion filed by the government, Judge Patel ruled on August 28 that most of the injunction would be put on hold pending review by the Ninth Circuit Court of Appeals. Part of the injunction will, however, remain in effect -- after September 8, Bernstein will be free to publish his Snuffle 5.0 software on the Internet without fear of prosecution.

Another legal challenge to export controls on cryptography is likely to move forward in federal court in Washington, DC. In that case, cryptographer Phil Karn is seeking approval to export a diskette containing a verbatim copy of the source code printed in the book "Applied Cryptography" (which is widely available and freely exportable). After being litigated under the previous State Department export regulations, Karn's case was remanded for reconsideration under the new Commerce Department regulations. Commerce issued its ruling on August 22, finding that certain programs on the diskette were classified as controlled encryption items, and subject to prior licensing before export. That ruling paves the way for Karn to renew his challenge before the court. EPIC submitted a friend of the court brief in support of Karn in previous proceedings before the DC Circuit Court of Appeals.

In the third legal challenge, Professor Peter Junger has filed an amended complaint in federal court in Cleveland.
Junger wishes to publish a number of encryption programs, written by himself and others, on his Web site as part of the materials used in his course in Computing and the Law at Case Western Reserve University. He seeks not only relief for himself but also a preliminary and permanent injunction enjoining the Commerce Department from "interpreting, applying and enforcing the encryption software and technology provisions" of regulations against "any person who desires to disclose or 'export' ... encryption software and technology." The complaint alleges that those encryption regulations violate the freedom of speech and of the press that are protected, particularly from prior restraints such as licensing requirements, by the First Amendment, as has already been held by Judge Patel in the Bernstein case.

Additional information on the Bernstein case is available at:

    http://www.eff.org/pub/Privacy/ITAR_export/Bernstein_case/

Additional information on the Karn case is available at:

    http://people.qualcomm.com/karn/export/index.html

Additional information on the Junger case is available at:

    http://samsara.law.cwru.edu/comp_law/jvd/

=======================================================================
[4] Media Group Says "No" to Internet Ratings
=======================================================================

Internet rating proposals suffered a serious setback on August 28, when the Internet Content Coalition (ICC) decided not to pursue a rating scheme for online news sites. The ICC, which includes entertainment, technology, and news companies, had earlier expressed its willingness to develop criteria for assigning an "N" rating to Websites devoted to news coverage. Sites carrying such a rating would be exempt from filtering and blocking systems designed to limit access to "offensive" online material.
The blocking approach was touted at a White House meeting in July, convened to create a "family-friendly" Internet in the wake of the Supreme Court decision striking down the Communications Decency Act.

In recent weeks, criticism of filtering and blocking systems has increased, with both the American Library Association and the American Civil Liberties Union issuing position papers warning that such approaches could infringe on free speech. Controversies have arisen across the country as local libraries have considered proposals to install blocking software on library computers connected to the Internet.

The ICC's recent action calls into question the viability of such systems, which can be configured to block access to unrated Websites. If major news sources such as CNN, MSNBC and NEWS.COM elect not to rate their content, both institutional and individual users will likely be less inclined to install software filters and lose access to such resources. As a result, the debate over news ratings will have a significant impact on the deployment of filtering systems, and news organizations appear to be strongly opposed to ratings. According to the Netly News, Time Inc. New Media's Editor-in-Chief Dan Okrent said after the ICC meeting that "Everyone in the room agreed to a general statement that as news organizations we will not rate our content and we oppose the efforts of others to rate our content."

Additional information on ratings, filtering and blocking is available at:

    http://www.epic.org/free_speech/censorware/

=======================================================================
[5] U.S. Government Web Sites Fail to Protect Privacy
=======================================================================

A new report by the public interest group OMB Watch reveals that many U.S. government Web sites do not adhere to the requirements of the Privacy Act of 1974 to protect personal privacy.
OMB Watch reviewed 70 federally-run sites linked from the White House Web page. The group found that only 17 percent provide adequate notices as required by the Privacy Act. According to the report, 31 of the surveyed sites collected personal information, but only 11 of those sites contain notices on how the information will be used. No sites allowed individuals to access their own records. According to OMB Watch, three sites that used cookies to track visitors discontinued their use after reviewing a draft of the report.

The OMB Watch report was based on a previous report conducted by EPIC entitled "Surfer Beware," which surveyed the privacy policies of 100 top commercial web sites. The OMB Watch study examined the collection of personal information, notices on collection, Privacy Act statements, and the use of cookies.

The report is available at:

    http://www.ombwatch.org/ombwatch.html

=======================================================================
[6] Consumer Groups Question FTC Privacy Report
=======================================================================

Several privacy and consumer organizations that participated in the Federal Trade Commission's Consumer Privacy Workshop earlier this year have questioned the accuracy of a preliminary report submitted by the FTC to Senator John McCain, chairman of the Senate Commerce Committee.

The report from the FTC downplayed public concerns about privacy and described the efforts of a few companies to develop privacy policies. But the Consumer Federation of America, the Center for Media Education, the Electronic Frontier Foundation, the Electronic Privacy Information Center, and the Privacy Rights Clearinghouse said that the FTC preliminary report "does not adequately reflect the substance of the hearings or the views of consumer organizations that participated."

The consumer and privacy groups specifically took issue with the FTC's claim that the public favored self-regulatory approaches.
According to the organizations, survey research presented at the Workshop clearly showed that "Internet users favor legislation today to protect personal privacy." The groups cited the survey conducted by Professor Alan Westin for American Laws and Business which found that "58 percent of computer users wanted government to pass laws now on how personal information can be collected and used on the Net." Professor Westin also found that "Only 24 percent say government should limit its role to recommending standards." Other privacy polls have found similar support for passage of privacy legislation.

The original letter from the Senate Commerce Committee asked the Commission to "investigate the compilation, sale, and usage of electronically transmitted data bases that include identifiable personal information of private citizens without their knowledge." Privacy experts believe that the FTC has yet to complete its work.

The FTC letter to Senator McCain:

    http://www.ftc.gov/os/9707/privac9b.htm

Letter from Consumer and Privacy Groups to Senator McCain:

    http://www.epic.org/privacy/databases/ftc_letter_0797.html

Original letter from the Senate Commerce Committee to the FTC:

    http://www.epic.org/privacy/databases/ftc_databases.html

EPIC's page on the Federal Trade Commission:

    http://www.epic.org/privacy/internet/ftc/

=======================================================================
[7] Clinton Signs IRS Browsing Bill
=======================================================================

President Clinton signed the Taxpayer Browsing Protection Act of 1997 (Public Law 105-35) into law on August 5. The new law criminalizes the unauthorized "browsing" of taxpayer information by IRS employees. Previously, only the disclosure of such records was prohibited. The law unanimously passed the House in April and the Senate on July 23.

Under the new law, the potential penalty for IRS employees or contractors, and other Federal and State employees having access to Federal tax information, is a $1,000 fine and one year in jail. Federal employees can also be dismissed without going through the usual civil service removal procedures. The new law allows the filing of civil suits for the unauthorized viewing of records. Individuals also must be informed if it is found that their records have been improperly accessed.

Demand for changes in the existing law erupted after the General Accounting Office revealed that during fiscal years 1994 and 1995, there were over 1,500 instances where IRS employees were accused of unlawful browsing. A third of those cases were closed without action.

More information on the browsing law is available at:

    http://www.epic.org/privacy/databases/irs/

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

TELECOM Interactive 97. September 8-14, 1997. Geneva, Switzerland. Sponsored by the International Telecommunications Union. Contact: telecom-interactive@itu.int or http://gold.itu.int/TELECOM/int97/

Cryptography and the Internet. September 15, 1997. Brussels, Belgium. Sponsored by Privacy International. Contact: pi@privacy.org. http://www.privacy.org/pi/conference/brussels/. Deadline 10 Sept 1997.

19th Annual International Privacy and Data Protection Conference. September 17-18, 1997. Brussels, Belgium. Sponsored by Belgium Data Protection and Privacy Commission. Email privacy@infoboard.be

International Conference on Privacy. September 23-26, 1997. Montreal, Canada. Sponsored by Lavery, De Billy law firm. http://www.confpriv.qc.ca/

Net Worth, Net Work: Technology and Values for the Digital Age. October 4-5. University of Cal, Berkeley. Sponsored by CPSR. Contact: http://www.cpsr.org/dox/home.html

20th National Information Systems Security Conference.
October 7-10. Baltimore, MD. Sponsored by NIST and NSA. Contact: http://csrc.nist.gov/nissc/

EPIC International Privacy Conference. October 20, 1997. Georgetown University Law Center, Washington, DC. Sponsored by EPIC. Contact: shauna@epic.org.

Managing the Privacy Revolution '97. October 21-23, 1997. Washington, DC. Sponsored by Privacy and American Business. Contact: http://shell.idt.net/~pab/conf97.html

RSA'98 -- The 1998 RSA Data Security Conference. January 12-16, 1998. San Francisco, CA. Contact kurt@rsa.com or http://www.rsa.com/conf98/

(Send calendar submissions to alert@epic.org)

=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe, send email to epic-news@epic.org with the subject: "subscribe" (no quotes) or use the subscription form at:

    http://www.epic.org/alert/subscribe.html

Back issues are available at:

    http://www.epic.org/alert/

=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible.
Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003. Individuals with First Virtual accounts can donate at http://www.epic.org/epic/support.html

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and funding of the National Wiretap Plan.

Thank you for your support.

---------------------- END EPIC Alert 4.12 -----------------------