==============================================================
                         EPIC ALERT
==============================================================
Volume 4.15                                  November 10, 1997
--------------------------------------------------------------

                      Published by the
        Electronic Privacy Information Center (EPIC)
                      Washington, D.C.

                    http://www.epic.org/

=======================================================================
Table of Contents
=======================================================================

[1] Amicus Brief Filed in Landmark Encryption Case
[2] Infowar Report Released
[3] EC Rejects Key Escrow Encryption
[4] Congress Critical of FBI Wiretap Proposals
[5] FCC Proposes Requiring V-chips for Computers
[6] Update on Open Government Cases
[7] Congressional Action and New Bills
[8] Upcoming Conferences and Events

=======================================================================
[1] Amicus Brief Filed in Landmark Encryption Case
=======================================================================

A diverse coalition of organizations, joined by three of the world's
best-known experts on communication security, has lent its support to
a constitutional challenge to U.S. encryption export controls. In a
friend-of-the-court brief filed today in the Ninth Circuit U.S. Court
of Appeals in San Francisco, the groups argued that the Export
Administration Regulations' encryption provisions constitute a prior
restraint on speech in violation of the First Amendment and pose a
significant threat to both electronic commerce and personal privacy.

The brief was coordinated by EPIC and endorsed by 15 organizations
including the American Civil Liberties Union, National Association of
Manufacturers, Association for Computing, Human Rights Watch and the
Internet Society. The submission was also signed by Dr. Whitfield
Diffie of Sun Microsystems, Dr.
Peter Neumann of SRI International and Dr. Ronald Rivest of the
Massachusetts Institute of Technology.

The judicial challenge to the export control regulations was initiated
by Daniel Bernstein, a computer science professor at the University of
Illinois, who unsuccessfully sought U.S. government approval to
publish source code and related information about his "Snuffle"
encryption technique. The prohibited "export" included any posting on
the Internet using a computer in the United States and any disclosure
to foreign nationals in the United States.

In August, the U.S. District Court for the Northern District of
California granted partial summary judgment for Professor Bernstein,
holding that the export regulations impose a prior restraint on speech
and enjoining the government from enforcing the EAR encryption
regulations. The government quickly appealed that decision to the
Ninth Circuit.

The EPIC-led coalition was represented on a pro bono basis by the
Washington law firm of Covington & Burling, which was primarily
responsible for the preparation of the brief. The complete text is
available at:

     http://www.epic.org/crypto/export_controls/bernstein_brief.html

=======================================================================
[2] Infowar Report Released
=======================================================================

The report of the President's Commission on Critical Infrastructure
Protection released last week would establish sweeping new authority
for the National Security Council to limit public debate about threats
to the nation's infrastructure and to establish and manage a new
federal bureaucracy, including a proposed Office of National
Infrastructure Assurance.

The report recommends that the Freedom of Information Act be suspended
so that information collected by the proposed ONIA not be subject to
public scrutiny. The report also proposes expanding government
classification authority.
It also recommends the preemption of state privacy laws and
limitations on the federal polygraph statute for the purpose of
permitting more extensive background investigations.

Most surprisingly, the Commission's report backs key escrow
encryption, even though technical experts and early proponents of the
plan have all pointed to vulnerabilities that would result from an
architecture that would permit third party access to encoded
communication.

At a hearing before the House Science Committee last week,
Representative Connie Morella (R-MD) asked Commission chair General
Robert Marsh (ret.) about the cryptography issue. He responded curtly
that strong cryptography was vital for the nation's infrastructure and
then said that he backed key recovery encryption. Other witnesses at
the hearing said that the proposal would make critical infrastructures
more vulnerable to attack.

The report is available at:

     http://www.pccip.org/

=======================================================================
[3] EC Rejects Key Escrow Encryption
=======================================================================

The European Commission released a report in October recommending
against restrictions on cryptography and criticizing key
escrow/recovery encryption proposals. The paper, entitled "Towards an
European Framework for Digital Signatures and Encryption," examines
the policy issues surrounding digital signatures and the use of
encryption for confidentiality.

The EC report recognizes the importance of encryption, describing it
as "the essential tool for security and trust in electronic
communications." It notes that "it can be expected that encryption
will remain the cornerstone for most confidentiality services on open
networks for the foreseeable future."

The report recommends against restricting the use of encryption:
"restricting the use of encryption could well prevent law-abiding
companies and citizens from protecting themselves against criminal
attacks.
It would not however prevent totally criminals from using these
technologies."

The EC paper also examined the problems of key escrow/key recovery
systems, including the additional risks of having the systems
implemented, the costs involved and finally the possibility that the
systems can be "easily circumvented." The report notes that, "In any
case, restrictions imposed by national licensing schemes, particularly
those of a mandatory nature, could lead to Internal Market obstacles
and reduce the competitiveness of the European Industry." The report
also notes that "Privacy considerations suggest not to limit the use
of cryptography as a means to ensure data security and
confidentiality."

On digital signatures, the report separates out the role of
certificate authorities (CAs) from Trusted Third Parties such as those
proposed by the UK Government at the urging of the United States. It
recommends that "CAs must therefore be forbidden to store private
keys." It also suggests that digital signatures without identities
attached can be used to conduct anonymous transactions.

The report is available from:

     http://www.epic.org/crypto/

=======================================================================
[4] Congress Critical of FBI Wiretap Proposals
=======================================================================

The FBI has come under renewed criticism from Congress and industry
representatives on the implementation of the Communications Assistance
for Law Enforcement Act (CALEA). At an October 23 hearing, the Crime
Subcommittee of the House Judiciary Committee heard from witnesses
from major telecommunications industry associations and the Bureau on
progress in implementing the law, which was enacted on the last day of
the Congressional session in 1994. The law requires that all new
telecommunications technologies have built-in surveillance
capabilities.
The law is scheduled to go into effect next year, but industry and the
FBI have been feuding over the development of the new standards
required by the law.

Many of the members of the Committee were critical of both the Act and
the FBI. Rep. Bob Barr (R-GA), who chaired part of the hearing,
bluntly stated that the legislation would not have passed in the
Republican 104th or 105th Congresses.

A major area of contention was the FBI's demand that the industry add
numerous features that were not required by the 1994 law. These
include an enhanced ability to track geographical locations of cell
phones, the ability to monitor conference calls when the targeted
party has left, and the ability to separate out content from signaling
data of packet-based communications. Thomas Wheeler, President of the
Cellular Telephone Industry Association (CTIA), described the FBI's
demands as asking for "the Apollo Program" for surveillance.

The FBI's efforts to lobby against the industry-designed standards
during a vote on the specifications also came under fire. The Bureau
organized a campaign to vote down the industry-developed standards,
which was described in the hearing as "ballot stuffing." Twenty-eight
police agencies filed the same 74-page ballot comments, including a
sheriff in Florida who included the FBI's letter requesting that he
file the comments. CTIA's Wheeler described the FBI's actions as
"rolling a hand grenade under the table."

Another controversial issue was the FBI's effort, during its
negotiations with the Telecommunications Industry Association (TIA)
over the wiretap standard, to petition the American National Standards
Institute (ANSI) to revoke the standards-setting authority of TIA
after 50 years. The FBI apparently withdrew the request after several
months.

Finally, questions still remain over the FBI's demands for the law's
"capacity" requirements.
The Bureau's current requirement still calls for each switch in a
geographic region to have the ability to monitor hundreds of lines
simultaneously. This would result in the FBI having the capacity to
conduct tens of thousands of interceptions simultaneously nationwide.

More information on CALEA is available from:

     http://www.epic.org/privacy/wiretap/

=======================================================================
[5] FCC Proposes Requiring V-chips to be Included in Computers
=======================================================================

On September 25, the Federal Communications Commission released a
proposed rulemaking on V-chip technology recommending that the devices
also be installed in every computer capable of receiving video
signals. The V-chip is required by the Telecommunications Act of 1996
to be installed in every new television set.

The proposed rule applies "to any computer that is sold with TV
receiver capability and a monitor that has a viewable picture size of
13 inches or larger." It applies "regardless of whether it is designed
to receive video programming that is distributed only through cable
television systems, MDS, DBS, or by some other distribution system."

For future technologies such as Digital TV, the FCC proposal
recognizes that many will be built into computers:

     [W]e propose that all DTV receiver boards themselves
     (regardless of whether they are sold with a computer and
     monitor with a viewable picture size of 13 inches or larger)
     be required to include program blocking capability.

Congress has been critical of the proposal. Rep. Edward Markey (D-MA)
told the Washington Times that the V-chip was not intended for
computers and Rep. Billy Tauzin (R-LA) remarked, "Next, they'll try
and put V-chips in Gameboys."

Comments on the proposal are due on November 24. Interested persons
can email their comments to vchip@fcc.gov.

=======================================================================
[6] Update on Open Government Cases
=======================================================================

A federal judge in Washington ruled on October 22 that the National
Archives acted illegally when it issued a regulation authorizing all
government agencies to delete their electronic mail and other
computerized records regardless of content. Judge Paul L. Friedman
declared the controversial regulation "null and void" and
characterized the government's position as "irrational on its face."

Government attorneys had argued that most federal agencies are not yet
equipped to preserve records in electronic formats. While
acknowledging that this was "an important concern," the court noted
that "computers have now become a significant part of the way the
federal government conducts its business" and agencies must now adapt
to that reality.

In another significant case, the Supreme Court has refused to review a
lower court ruling subjecting committees formed by the National
Academy of Sciences (NAS) to public scrutiny under the Federal
Advisory Committee Act (FACA). The NAS conducts research for
government agencies on a contract basis by establishing committees of
volunteer experts that, with the assistance of NAS staff members,
prepare reports. A notable example was the NAS-sponsored report on
encryption policy released last year.

One of the primary goals of FACA is to open to public view the process
by which government agencies obtain advice from private individuals.
FACA's openness and conflict of interest requirements seek to ensure
that Executive branch advisory committees develop neutral, expert
recommendations. Many public interest groups, including EPIC, make
frequent use of the statute.

In the wake of the Court's action, legislation has already been
proposed to amend FACA to exempt NAS committees from the law's
openness and conflict of interest provisions.

More information on FACA and FARA is available from:

     http://www.epic.org/open_government/

=======================================================================
[7] Congressional Action and New Bills
=======================================================================

APPROVED

H.R. 2369. Wireless Privacy Enhancement Act of 1997. The bill bans
modifying scanners to intercept cellular phone calls and increases
penalties for intentional interception. The House Subcommittee on
Telecommunications, Trade, and Consumer Protection of the House
Committee on Commerce approved a revised version of the bill on
October 29.

INTRODUCED

H.R. 2563. Taxpayer Confidentiality Act of 1997. Introduced by Dunn
(R-WA) on September 26. Amends IRS code to restrict the authority to
examine books and witnesses for purposes of tax administration.
Referred to the Committee on Ways and Means.

H.R. 2581. Social Security Privacy Act of 1997. Introduced by Campbell
(R-CA). Limits use of Social Security number. Requires disclosure of
uses of SSN by businesses. Referred to the Committee on Ways and
Means.

S. 1223. Employee Information Protection Act of 1997. Introduced by
Burns (R-MT) on September 26. Amends 1996 welfare bill to require that
data collected for "new hires" database be deleted after six months.
Referred to the Committee on Finance.

S. 1356. To amend the Communications Act of 1934 to prohibit Internet
service providers from providing accounts to sexually violent
predators. Introduced by Faircloth (R-NC). Sets civil fines of $5,000
per day for providing an account to a "sexually violent predator."
Referred to the Committee on Commerce, Science, and Transportation.

S. 1368. Medical Information Privacy and Security Act. Introduced by
Leahy (D-VT) and Kennedy (D-MA) on November 4. General medical privacy
bill.

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

Education in Computer Security Workshop. January 19-21, 1998. Pacific
Grove, California. Sponsored by Naval Postgraduate School Center for
INFOSEC. Contact:
http://www.cs.nps.navy.mil/research/cisr/events/wecs98_announce.html

RSA'98 -- The 1998 RSA Data Security Conference. January 12-16, 1998.
San Francisco, CA. Contact kurt@rsa.com or http://www.rsa.com/conf98/

Financial Cryptography '98. February 23-26, 1998. Anguilla, BWI.
http://www.cwi.nl/conferences/FC98

7th USENIX Security Symposium. January 26-29, 1998. San Antonio, TX.
Sponsored by USENIX & CERT. http://www.usenix.org/sec/sec98.html

The Eighth Conference on Computers, Freedom & Privacy. February 18-20,
1998. Austin, TX. Contact: mlemley@mail.law.utexas.edu.

ACM Policy98. May 10-12, 1998. Washington, DC. Sponsored by ACM and
USACM.

          (Send calendar submissions to alert@epic.org)

=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center. To subscribe or unsubscribe, send email to
epic-news@epic.org with the subject: "subscribe" (no quotes) or
"unsubscribe" or use the Web form at:

     http://www.epic.org/alert/subscribe.html

Back issues are available at:

     http://www.epic.org/alert/

=======================================================================

The Electronic Privacy Information Center is a public interest
research center in Washington, DC. It was established in 1994 to focus
public attention on emerging privacy issues such as the Clipper Chip,
the Digital Telephony proposal, national ID cards, medical record
privacy, and the collection and sale of personal information. EPIC is
sponsored by the Fund for Constitutional Government, a non-profit
organization established in 1974 to protect civil liberties and
constitutional rights.
EPIC publishes the EPIC Alert, pursues Freedom of Information Act
litigation, and conducts policy research. For more information, e-mail
info@epic.org, http://www.epic.org or write EPIC, 666 Pennsylvania
Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel),
+1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible. Checks should be made out to "The Fund for
Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave.,
SE, Suite 301, Washington DC 20003. Individuals with First Virtual
accounts can donate at http://www.epic.org/epic/support.html

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and funding of the National Wiretap Plan.

Thank you for your support.

---------------------- END EPIC Alert 4.15 -----------------------