
       @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
       @     @  @   @   @        @ @   @     @     @  @    @
       @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
       @     @      @   @       @   @  @     @     @  @    @
       @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @   @   @
   Volume 5.04                                      March 30, 1998
                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.

Table of Contents

[1] Congress Holds Internet Privacy Hearing
[2] U.S. Official Concedes Flaws in Key Recovery Crypto
[3] Wiretapping Law Hits Impasse, FBI Calls for New Powers
[4] Senate Committee Approves Net Censorship Bills
[5] Starr's Bookstore Subpoena Incites Controversy
[6] New Report Finds Credit Errors Common
[7] Congressional Actions, New Bills and Upcoming Hearings
[8] Upcoming Conferences and Events

[1] Congress Holds Internet Privacy Hearing

A Subcommittee of the House Judiciary Committee held a hearing on
March 26 to examine issues relating to communications privacy and the

Commerce Undersecretary David Aaron testified about recent efforts
within the Administration to develop privacy safeguards for the
Internet.  The Administration has come under fire from both its
trading partners in Europe and from American consumers for failing to
propose new privacy standards. Aaron told the subcommittee that the
U.S. is looking at a combination of ways to protect privacy, including
laws, codes, technical means, and self-regulation.  He avoided
discussion of the encryption issue, until he was asked a series of
questions by Rep. Bob Goodlatte (R-VA), sponsor of legislation that
would revise current export controls on encryption.

EPIC Executive Director Marc Rotenberg told the subcommittee that
current U.S. privacy policy is backward -- "We place restrictions on
the development of new technologies to protect privacy, where free
market solutions would be preferable. And we leave privacy problems to
the market, where government involvement is required."

Rep. Goodlatte engaged in a lengthy exchange with Rotenberg about the
problems with current controls on encryption.  Rotenberg challenged an
earlier statement of former Ambassador Aaron that encryption is not
very important for the Internet.  "Today millions of Internet users
rely on encryption to protect the privacy of their electronic
transactions. Ambassador Aaron is simply wrong," said Rotenberg.

Also testifying were Federal Trade Commission official David Medine,
Indiana Law School professor Fred Cate and Center for Democracy and
Technology staff counsel Deirdre Mulligan.  Medine discussed current
FTC efforts to evaluate privacy policies on the Internet.  Cate said
that legislation was not necessary at this time.  Mulligan said that
the United States needs a privacy agency.

Chairman Howard Coble (R-NC) suggested at the end of the hearing that
it was unlikely the subcommittee would produce legislation before the
end of the session.  But he indicated that some Congressional action
would be necessary and that future hearings would be held. Reps. Barney
Frank (D-MA) and William Delahunt (D-MA) also expressed interest in
further hearings.

Information on Internet privacy, including testimony from the hearing,
is available at:

[2] U.S. Official Concedes Flaws in Key Recovery Crypto

A high-level government document obtained by EPIC shows that a top
U.S. official acknowledged more than a year ago that the Internet
privacy technique championed by the Clinton Administration is "more
costly and less efficient" than alternative methods that the
government seeks to suppress. In a November 1996 memorandum to other
government officials, William A. Reinsch, the Commerce Department's
Under Secretary for Export Administration, discussed the
Administration's efforts to promote "escrowed" or "recoverable"
encryption techniques in overseas markets. Such techniques enable
government agents to unscramble encrypted information and they form
the cornerstone of current U.S. encryption policy.

After noting that government regulations permit the export of non-
escrowed encryption products only to "safe end-users" such as foreign
police and security agencies, Reinsch recognized the inferiority of
the Administration's favored technology:

     Police forces are reluctant to use "escrowed" encryption
     products (such as radios in patrol cars). They are more
     costly and less efficient than non-escrowed products.
     There can be long gaps in reception due to the escrow
     features -- sometimes as long as a ten second pause. Our
     own police do not use recoverable encryption products;
     they buy the same non-escrowable products used by their
     counterparts in Europe and Japan.

Ironically, Reinsch's concession is contained in a memorandum that
discusses the Administration's strategy to "help the market transition
from non-recoverable products to recoverable products." EPIC and other
critics of current U.S. encryption policy have long maintained that
"key escrow" and "key recovery" approaches compromise the security of
private information by providing "backdoor" access to encrypted data.

The Reinsch memo was released in response to a Freedom of Information
Act request EPIC submitted to the Department of State concerning the
international activities of former U.S. "crypto czar" David Aaron.
That request is the subject of a pending federal lawsuit EPIC
initiated last year.

The Reinsch memorandum is available at:

[3] Wiretapping Law Hits Impasse, FBI Calls for New Powers

The Federal Bureau of Investigation on March 27 asked the Federal
Communications Commission (FCC) to step in and force
telecommunications carriers and equipment manufacturers to adopt
FBI-proposed standards for implementing the Communications Assistance
for Law Enforcement Act of 1994 (CALEA).  The FBI request follows
several weeks of closed meetings with industry officials which failed
to produce an agreement after four years of controversy.  The industry
has been resisting Bureau demands to include additional surveillance
capabilities in new technical standards developed under CALEA.

On March 12, the FBI issued its "final" rules on capacity requirements
for CALEA.  In its public notice, the Bureau is demanding that it have
the ability to monitor over 50,000 phone lines simultaneously.  In
many areas of the country, the FBI is seeking increases in capacity of
nearly 300 percent.  Under CALEA, the capacity notice was due in
October 1995.  Two previous notices were widely criticized for
increasing the number of lines that would be subject to surveillance
(See EPIC Alert 4.02).  The final draft retains the controversial
increases and rejects industry criticisms of the methodology used to
arrive at the final requirements.

More information on wiretapping and CALEA is available at:

[4] Senate Committee Approves Net Censorship Bills

The Senate Commerce Committee approved two Internet censorship bills
on March 12.  The "Internet School Filtering Act" (S. 1619), sponsored
by Sen. John McCain (R-AZ), would require schools and libraries
receiving federal "e-rate" Internet subsidies to certify that they are
using filtering software designed to prevent minors from accessing
"inappropriate" material.  The Committee deferred action on an
amendment by Sen. Conrad Burns (R-MT) that would require schools and
libraries to implement an "acceptable use policy" for Internet access
but not necessarily mandate filters.

The McCain filtering bill has been criticized by EPIC and other
members of the Internet Free Expression Alliance (IFEA).  The American
Library Association and the National Education Association also oppose
the legislation.  In a statement submitted to the Commerce Committee,
NEA noted that "various studies have shown that blocking software and
filtering software have serious technical limitations and provide a
false sense of security."  The teachers' organization cited EPIC's
"Faulty Filters" report as demonstrating the flaws in the filtering

The Commerce Committee also approved S. 1482, sponsored by Sen. Dan
Coats (R-IN).  The Coats bill --  which has been dubbed "CDA II" --
would criminalize the "commercial" distribution on websites of
material that is "harmful to minors."

Full Senate consideration of the two bills has not yet been scheduled.

More information on Internet censorship legislation is available at
the IFEA website:

[5] Starr's Bookstore Subpoena Incites Controversy

Independent Counsel Kenneth Starr last week issued a subpoena for the
records of book purchases made by former White House intern Monica
Lewinsky from a Washington bookstore.  Although the store's policy is
not to reveal information about individual customers' purchases, it
apparently will produce records of a few of Lewinsky's transactions
that were specifically identified by the Office of Independent

The New York Times quoted the bookstore's attorney as saying that the
records of "fewer than six" check or credit card transactions dating
from November 1995 will be provided.  The original subpoena called for
the production of "all documents and things referring or relating to
any purchase by Monica Lewinsky," according to the attorney.

The American Booksellers Foundation for Free Expression condemned
Starr's action, saying the "subpoena of the records of an individual's
book purchases has serious First Amendment consequences."  According
to Christopher Finan, president of the Foundation, "If the government
can find out what books we are buying, we will no longer feel free to
buy the books we want.  That would be the death of free speech."

A similar controversy over the rental records of video store customers
surfaced during the confirmation hearing for Supreme Court nominee
Robert Bork.  In the wake of the Bork video disclosures, Congress
enacted the Video Privacy Act of 1988, which protects the
confidentiality of video rental records.

[6] New Report Finds Credit Errors Common

The U.S. Public Interest Research Group (PIRG) has released a report
finding that nearly a third of credit reports contain serious errors.
The report, "Mistakes Do Happen: Credit Report Errors Mean Consumers
Lose," was released on March 12.

Major Findings of the Report:

     Twenty-nine percent (29%) of the credit reports contained serious
errors -- false delinquencies or accounts that did not belong to the
consumer -- that could result in the denial of credit;

     Forty-one percent (41%) of the credit reports contained personal
demographic identifying information that was misspelled,
long-outdated, belonged to a stranger, or was otherwise incorrect;

     Twenty percent (20%) of the credit reports were missing major
credit, loan, mortgage, or other consumer accounts that demonstrate
the creditworthiness of the consumer;

     Twenty-six percent (26%) of the credit reports contained credit
accounts that had been closed by the consumer but incorrectly remained
listed as open;

     Altogether, 70% of the credit reports contained either serious
errors or other mistakes of some kind.

The report also found that it was difficult for consumers to obtain
their reports.  Fourteen percent of consumers were forced to call at
least four times after receiving busy signals or had to write a letter
in order to receive their report; twelve percent of the consumers
waited two weeks or longer to receive their report once they finished
requesting it.  Overall, fifteen percent of consumers who attempted to
participate in the survey either made at least three phone calls and
never got through or requested their reports but never received them.

The report is available at:

[7] New Congressional Bills and Upcoming Hearings

* House of Representatives *

March 31, 1998. Subcommittee on Basic Research and Subcommittee on
Technology (Joint Hearing) (Oversight).  Domain Names Systems: Where
Do We Go From Here?  2318 Rayburn HOB. 2:00 P.M.

April 1, 1998. Committee on Banking.  General Oversight Subcommittee,
Hearing on the Operations of the Department of the Treasury's
Financial Crimes Enforcement Network ("FinCEN"). 2128 Rayburn.  1:00

* Senate *

April 1, 1998.  Banking, Housing, and Urban Affairs.  Financial
Services and Technology Subcommittee. Hearings to examine how identity
theft contributes to electronic crime. SD-538.  10:00 a.m.

--- NEW BILLS ---

H.R. 3321. CALEA Implementation Amendments of 1998. Extends deadline
of Communications Assistance for Law Enforcement Act for telephone
companies to make wiretapping easier until 2000. Introduced by Barr
(R-GA) on March 4, 1998. Referred to the Committee on the Judiciary.

H.R. 3442. E-Rate Policy and Child Protection Act of 1998. Requires
schools and libraries that receive universal service support for
discounted telecommunications services to establish policies governing
access to material that is inappropriate for children. Introduced by
Markey (D-MA) on March 11, 1998. Referred to the Committee on

H.R. 3472. Digital Signature and Electronic Authentication Law (SEAL)
of 1998. Allows financial institutions to use digital signatures.
Introduced by Cook (R-UT) on March 17. Referred to the Committee on
Banking and Financial Services.

H.R. 3494. Child Protection and Sexual Predator Punishment Act of
1998. Introduced by McCollum (R-FL). Criminalizes sending sexual
material to a minor. Minimum prison term for using a computer is 3
years. Allows use of subpoenas to obtain evidence instead of warrants.

H.R. 3551. Identity Piracy Act of 1998. Creates new federal penalty
for identity theft. Introduced by DeLauro (D-CT) on March 25, 1998.
Referred to the Committee on the Judiciary, and in addition to the
Committee on Transportation and Infrastructure.

H.R. 3555. Driver Record Information Verification System Act. Requires
Secretary of Transportation to conduct study of creation of National
Drivers database. Examines use of SSN as identification number.
Introduced by Moran (D-VA) on March 25, 1998. Referred to the
Committee on Transportation and Infrastructure.

S. 1721. To provide for the Attorney General of the United States to
develop guidelines for Federal prosecutors to protect familial privacy
and communications between parents and their children. Introduced by
Leahy (D-VT) on March 6. Referred to the Committee on the Judiciary.

S. 1737. Taxpayer Confidentiality Act of 1998. Creates
accountant-client privilege. Introduced by Mack (R-FL) on March 10,
1998. Referred to the Committee on Finance.

S. 1865. Safeguard of New Employee Information Act of 1998. Creates
penalties for abuse of information in New Hires Database. Requires
data be deleted after 24 months. Introduced by Baucus (D-MT) on March
26. Referred to the Committee on Finance.

[8] Upcoming Conferences and Events

The Internet Invasion? A Debate about the Pervasiveness of Internet
Speech. Washington, DC. April 2, 1998. Sponsored by the Cato Institute.
Contact: http://www.cato.org/events/calendar.html

1998 IEEE Symposium on Security. IEEE Computer Society, Oakland, CA,
May 3-6. Sponsored by IEEE and IACR. Contact:

ACM Policy98. May 10-12, 1998. Washington, DC. Sponsored by ACM and
USACM. http://www.acm.org/usacm/events/policy98/

1998 EPIC Cryptography and Privacy Conference. June 8, 1998.
Washington, DC. Sponsored by EPIC, Harvard University and London
School of Economics. Contact: http://www.epic.org/events/crypto98/

INET'98, July 21-24, 1998, Geneva, Switzerland. Sponsored by Internet
Society. Contact: http://www.isoc.org/inet98/

Advances in Social Informatics and Information Systems, Baltimore, MD,
Aug. 14-16, 1998.  Sponsored by the Association for Information
Systems. Contact:  http://info.cwru.edu/rlamb/ais98cfp.htm

CPSR Annual Conference - Internet Governance.  Boston, Mass, Oct.
10-11. Sponsored by CPSR. Contact: cpsr@cpsr.org

1999 RSA Data Security Conference.  San Jose, California, January 18-21,
1999. Sponsored by RSA. Contact: http://www.rsa.com/conf99/

          (Send calendar submissions to alert@epic.org)

Subscription Information

The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center.  To subscribe or unsubscribe, send email
to epic-news@epic.org with the subject: "subscribe" (no quotes) or
"unsubscribe". A Web-based form is available at:

Back issues are available at:

About EPIC

The Electronic Privacy Information Center is a public interest
research center in Washington, DC.  It was established in 1994 to
focus public attention on emerging privacy issues such as the Clipper
Chip, the Digital Telephony proposal, national ID cards, medical
record privacy, and the collection and sale of personal information.
EPIC is sponsored by the Fund for Constitutional Government, a
non-profit organization established in 1974 to protect civil liberties
and constitutional rights.  EPIC publishes the EPIC Alert, pursues
Freedom of Information Act litigation, and conducts policy research.
For more information, e-mail info@epic.org, http://www.epic.org or
write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC
20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible.  Checks should be made out to "The Fund for
Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave.,
SE, Suite 301, Washington DC 20003. Individuals with First Virtual
accounts can donate at http://www.epic.org/epic/support.html

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the
right of privacy and efforts to oppose government regulation of
encryption and funding of the National Wiretap Plan.

Thank you for your support.

  ---------------------- END EPIC Alert 5.04 -----------------------
