==============================================================
                        EPIC Alert
==============================================================
Volume 6.15                                September 23, 1999
--------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org

=======================================================================
Table of Contents
=======================================================================

[1] Impact of New Encryption Policy Remains Unclear
[2] Privacy Agenda for the 21st Century Announced
[3] Report Slams Privacy Policies; Poll Finds Privacy is Top Concern
[4] Internet Filtering Debate Resumes in Congress
[5] "Public Voice in Electronic Commerce" Conference
[6] Provision Repealing National Driver's Licenses In Final Stages
[7] EPIC Bookstore - The Code Book and More
[8] Upcoming Conferences and Events

=================================================================
NOTE TO SUBSCRIBERS: A listserv problem has resulted in duplicate copies of recent Alerts being sent to some recipients. We are aware of the problem and apologize for any inconvenience. Your patience is appreciated as we continue to diagnose the listserv.
=================================================================

=======================================================================
[1] Impact of New Encryption Policy Remains Unclear
=======================================================================

On September 16, the Clinton Administration unveiled a new encryption policy initiative. The White House's revised approach seems to recognize the futility of seeking to prevent the spread of privacy-enhancing technologies, and shifts the emphasis to monitoring the exports of encryption products and developing "new tools" to counter their use.
It remains unclear whether the revised policy will actually enhance the privacy of most computer users.

On the export control front, the Administration will draft new encryption export regulations that will "strike a balance" between the needs of industry and law enforcement. According to the White House, the new rules -- due to be released by December 15 -- will constitute a significant liberalization of the export process. Any "retail" encryption commodity or software reportedly will be exportable without a license (after a "technical review") to commercial firms and other nongovernment end users in any country except for seven states designated as supporters of terrorism. The standards governing the required technical review have not yet been announced.

The Administration's policy on export of encryption source code apparently has not changed, so that academic exchanges such as those at issue in the pending Bernstein v. Department of Justice litigation (see EPIC Alert 6.07) would still be subject to government approval prior to export.

Coupled with the export revisions is new legislation that would provide a legal framework for law enforcement access to decryption keys; provide $80 million in funding for an FBI Technical Support Center; and protect the confidentiality of decryption techniques developed cooperatively by government and industry. Under the latter provision, law enforcement agents presenting "plaintext" evidence would be exempted from routine requirements of criminal procedure that permit a defendant to explore the means by which evidence was obtained. The proposal would also prohibit the government from disclosing "trade secrets disclosed to it [presumably by encryption manufacturers] to assist it in obtaining access to information protected by encryption."

The legislative vehicle for these initiatives -- the Cyberspace Electronic Security Act -- will soon be transmitted to Congress.
It does not include a highly controversial provision contained in an earlier White House draft that would have authorized secret police break-ins to alter computer equipment.

EPIC believes that more details of the new encryption policy must be released before its impact on user privacy can be fully assessed. EPIC will closely monitor the process of implementing the newly-announced initiative, particularly the promulgation of the revised export control regulations and the development of special sensitive techniques to be used to extract plaintext from encryption products and services.

The details of the White House announcement, including the text of the Cyberspace Electronic Security Act and other documents released by the Administration, are available at:

     http://www.epic.org/crypto/announce_9_16.html

=======================================================================
[2] Privacy Agenda for the 21st Century Announced
=======================================================================

Supporters of privacy from around the world recently gathered in Hong Kong for the 1999 Privacy Agenda Conference. At the conference, representatives from an international group of non-governmental organizations issued a declaration supporting strong privacy protections and continued vigilance against privacy abuses. The meeting of NGOs from around the world took place as data protection commissioners were meeting to review new threats to privacy and new opportunities for privacy protection.

Earlier in the week, Consumer International President Pamela Chan said that governments should conduct research on the potential for abuse in the way Internet transactions are carried out. She also urged the adoption of new safeguards to protect the privacy of individuals.

Privacy International Director Simon Davies said, "We plan to go forward with an aggressive campaign to protect the right of privacy and to stand against all who would undermine this critical freedom."

Marc Rotenberg, director of the Electronic Privacy Information Center, said that national governments must continue to listen to the "public voice" as they go forward with policies for the Internet. "Privacy and the protection of consumer interests remain a central concern for the Internet economy."

Participants in the Privacy Agenda conference included representatives from Australia, Canada, Denmark, Italy, Hong Kong SAR, Japan, Malaysia, the Netherlands, New Zealand, Thailand, the United Kingdom, and the United States.

"A Privacy Agenda for the 21st Century"

     http://www.epic.org/events/privacyagenda/declaration.htm

1999 Privacy Agenda Conference

     http://www.epic.org/events/privacyagenda/

EPIC and PI, "Privacy & Human Rights: An International Survey of Privacy Laws and Developments"

     http://www.epic.org/privacy&humanrights99/

=======================================================================
[3] Report Slams Privacy Policies; Poll Finds Privacy is Top Concern
=======================================================================

According to a recent article in E-Commerce Times, a new report by Forrester Research, Inc., finds that 90 percent of Web sites fail to comply with basic privacy principles. The report strongly contradicts the findings of the Federal Trade Commission, which recently told Congress that industry self-policing is working. "The vast majority of such policies, like those of the Gap, Macy's and JC Penney, use vague terms and legalese that serve to protect companies and not individuals."

The report also notes that clever interactive tools such as Reel.com's Mood Matcher -- which helps customers find movies based on their moods -- and PlanetRx's personalized prescription filler make it possible for companies to collect "highly intrusive psychographic data that individuals would rarely provide on a standard registration form."

The report suggests that the FTC, rather than producing reassuring messages to the industry, should push companies to take bigger and faster strides towards complying with already established privacy principles. Forrester also suggests that companies should be required to make customer profiles available to users, including all parties with whom data is shared, and provide the ability for customers to control who the information is shared with and the option to remove themselves from lists.

Finally, the report says that "because independent privacy groups like TRUSTe and BBBOnline earn their money from e-commerce organizations, they become more of a privacy advocate for the industry -- rather than for consumers. The FTC should call for a consumer-based organization to provide principles and redress."

Meanwhile, a Wall Street Journal/NBC News poll finds that the loss of personal privacy is the Number One concern of Americans as the twenty-first century approaches. When asked what concerns them the most about the next century, twenty-nine percent of respondents answered the "loss of personal privacy." Overpopulation and terrorist acts on U.S. soil followed at twenty-three percent, racial tensions at seventeen percent, world war at sixteen percent, and global warming at fourteen percent.

The Wall Street Journal/NBC News poll was based on nationwide telephone interviews of 2,025 adults, by the polling organizations of Peter Hart and Robert Teeter.

"Report Labels Internet Privacy Policies 'A Joke'"

     http://www.ecommercetimes.com/news/articles/990916-3.shtml

Forrester Research Inc.
     http://www.forrester.com/

Wall Street Journal

     http://www.wsj.com

=======================================================================
[4] Internet Filtering Debate Resumes in Congress
=======================================================================

Congress' move towards mandatory Internet filtering for schools and libraries is likely to resume next week, as Senate and House conferees on juvenile justice legislation are expected to consider the issue. The House-approved version of the legislation would mandate that public schools and libraries receiving "E-Rate" universal service funds purchase and use Internet filtering software to regulate access by minors. The Senate did not include such a provision in its version of the massive juvenile justice bill and the conferees must decide whether to retain the mandate in the final, consensus measure.

Although not included in the Senate's juvenile justice package, the issue has been addressed by the Senate Commerce Committee. On June 23, the committee approved Sen. John McCain's (R-AZ) Children's Internet Protection Act (S.97). That action came over the objections of leading education, library and civil liberties groups, which argued that the legislation would impose a costly unfunded requirement and ignore a variety of alternative approaches being taken in localities around the country.

The juvenile justice conferees will consider language included in the House bill that would require schools and libraries to certify that they have selected and installed "a technology for computers with Internet access to filter or block . . . materials deemed to be harmful to minors." It further provides that "the determination of what material is to be deemed harmful to minors shall be made by the school, school board, library or other [local] authority," and not the federal government.

While the latter provision was included to counter concerns over the creation of a national standard for Internet content, it amounts to a federal mandate requiring local censorship decisions. Such local actions have already been challenged in the courts, including a case in which the Loudoun County, Virginia libraries were ordered to remove filtering software from their computers (see EPIC Alert 5.18).

More information on mandatory Internet filtering is available at the website of the Internet Free Expression Alliance:

     http://www.ifea.net/

=======================================================================
[5] "Public Voice in Electronic Commerce" Conference
=======================================================================

The 3rd Trade-Union/NGO Public Voice conference, "The Public Voice in Electronic Commerce," will be held at the Organization for Economic Cooperation and Development (OECD) in Paris, on October 11th, 1999. The conference seeks to inject the concerns of consumers and individuals into the ongoing development of international e-commerce policy.

The conference program includes four panels, on the following topics:

     1. Protecting consumer rights in electronic commerce
     2. Privacy and personal data protection
     3. Access as the key for development
     4. Internet, the Future of Work, and Quality of Life

Two Global Internet Liberty Campaign (GILC) member organizations, Imaginons un Réseau Internet Solidaire (IRIS) and the Electronic Privacy Information Center (EPIC) are organizing the 3rd Public Voice conference, in conjunction with the OECD Forum on Electronic Commerce (October 12-13, 1999).

"The Public Voice in Electronic Commerce" will be hosted by TUAC (Trade-Union Advisory Committee) and is sponsored by the Global Internet Liberty Campaign, with the help of TACD (Transatlantic Consumer Dialogue).

For more detailed information about the program and registration, please see:

     http://www.thepublicvoice.org

or

     http://www.iris.sgdg.org/actions/publicvoice99

=======================================================================
[6] Provision Repealing National Driver's Licenses In Final Stages
=======================================================================

The pending Transportation Appropriations bill contains an amendment that could repeal a federal law requiring National Driver's Licenses. National Driver's Licenses, so-called because of a requirement to include a Social Security number (SSN) on all state-issued driver's licenses, were initially introduced by Section 656(b) of the Illegal Immigration Reform and Immigrant Responsibility Act of 1996. Intended to weed out illegal immigrants -- who do not possess SSNs -- from using false driver's licenses as identification, the inclusion of SSNs on all driver's licenses could undermine privacy and increase fraud.

Social Security numbers, once actually used simply for distribution of social security benefits, have become a widespread, unalterable personal identifier. While someone may change their name, address, or job, it is impossible to get a new SSN. For decades, the numbers have been used by the government to keep track of citizens and their information. In the private realm, SSNs are often used as passwords and/or identification for credit information, school records, and medical histories.

Any widespread dissemination of SSNs on a commonly displayed identification such as a driver's license increases the risk of fraud and invasion of privacy. Privacy advocates have long argued that the number's use should be restricted to situations where it is the only suitable piece of identification. With respect to the identification of illegal immigrants, there are no less than twenty-six other forms of documentation that are available to the Immigration and Naturalization Service (INS).

For further comment on implementation of a national driver's license please see:

     http://www.epic.org/privacy/id_cards/epic-dot-898.html

=======================================================================
[7] EPIC Bookstore - The Code Book and More
=======================================================================

The Code Book: The Evolution of Secrecy from Mary, Queen of Scots to Quantum Cryptography
by Simon Singh

     http://www.amazon.com/exec/obidos/ISBN=0385495315/electronicprivacA

"For millennia, secret writing was the domain of spies, diplomats, and generals; with the advent of the Internet, it has become the concern of the public and businesses. One cyber-libertarian responded with the freeware encryption program Pretty Good Privacy (PGP), and Singh similarly meets a sharpening public curiosity about how codes work.[. . .] Beginning with such simple ideas as monoalphabetic substitution, which can protect the communications of a boy's treehouse club but not much more, Singh underscores with stories how codemakers and codebreakers have battled each other throughout history. A tool called frequency analysis easily defeats the monoalphabetic cipher, and encryptors over time have added the Vigenere square, cipher disks, one-time pads, and public-key cryptography that underlies PGP. But each security strategy, Singh explains, contains some vulnerability that the clever code cracker can exploit, an opaque process the author splendidly illuminates. Instances of successful decipherment, as of Egyptian hieroglyphics or the German Enigma cipher system in World War II, combine with Singh's sketches of the mathematicians who have advanced the art of secrecy, from Julius Caesar to Alan Turing to contemporary mathematicians, resulting in a wonderfully understandable survey."
-- Gilbert Taylor, Booklist

Also available from the EPIC Bookstore:

"The Privacy Law Sourcebook: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 1999). Price: $50.

     http://www.epic.org/pls/

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of US and International privacy law, as well as a comprehensive listing of privacy resources.

"Filters and Freedom - Free Speech Perspectives on Internet Content Controls," David Sobel, editor (EPIC 1999). Price: $20.

     http://www.epic.org/filters&freedom/

A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.

"Cryptography and Liberty: An International Survey of Cryptography Policy" Wayne Madsen and David Banisar, editors, (EPIC 1999). Price: $15.

     http://www.epic.org/cryptobook99/

An international survey of encryption policies around the world. Survey results show that in the vast majority of countries, cryptography may be freely used, manufactured, and sold without restriction, with the U.S. being a notable exception.

"Privacy and Human Rights 1999: An International Survey of Privacy Laws and Developments" David Banisar, Simon Davies, editors, (EPIC 1999). Price: $15.

     http://www.epic.org/privacy&humanrights99/

An international survey of the privacy and data protection laws found in 50 countries around the globe. This report outlines the constitutional and legal conditions of privacy protection, and summarizes important issues and events relating to privacy and surveillance.

Additional titles on privacy, open government, free expression, computer security, and crypto, as well as films and DVDs can be ordered through the EPIC Bookstore:

     http://www.epic.org/bookstore/

=======================================================================
[8] Upcoming Conferences and Events
=======================================================================

Information Security Solutions Europe 1999. October 4-6, 1999. Maritim proArte Hotel. Berlin, Germany. For more information: http://www.eema.org/isse/

The Public Voice in Electronic Commerce. October 11, 1999. Organization for Economic Co-operation and Development. Paris, France. For more information: http://www.thepublicvoice.org

The Internet Security Conference (TISC). October 11-15, 1999. Boston World Trade Center. Boston, MA. For more information: http://tisc.corecom.com

Public Workshop on "Online Profiling" -- November 8, 1999. National Telecommunications and Information Administration, Commerce and Federal Trade Commission. Submissions and requests to participate due October 18, 1999. For more information: http://www.ntia.doc.gov/ntiahome/privacy/index.html

The 1999 BNA Public Policy Forum: E-Commerce and Internet Regulation. November 15, 1999. Mayflower Hotel. Washington, D.C. For more information: http://internetconference.pf.com/

Annual Computer Security Applications Conference: Practical Solutions to Real Security Problems. December 6-10, 1999. Radisson Resort Scottsdale. Phoenix, Arizona. For more information: http://www.acsac.org/

Integrating Government with New Technologies '99 Policy vs Technology: Service Integration in the New Environments - A two-day Seminar and Training Session. December 13-14, 1999. Government Conference Center. Ottawa, Canada. For more information: http://www.rileyis.com/seminars

Surveillance Expo '99. December 13-15, 1999. Doubletree Hotel. Crystal City, Virginia.
For more information: http://www.rosseng.com

PEN/Newman's Own Eighth Annual First Amendment Award. Nominations due December 31, 1999. For more information: http://www.pen.org

RSA 2000. The ninth annual RSA Data Security Conference and Expo. January 16-20, 2000. San Jose McEnery Convention Center. San Jose, CA. For more information: http://www.rsa.com/rsa2000/

=======================================================================
Subscription Information
=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. A Web-based form is available for subscribing or unsubscribing at:

     http://www.epic.org/alert/subscribe.html

To subscribe or unsubscribe using email, send email to epic-news@epic.org with the subject: "subscribe" (no quotes) or "unsubscribe".

Back issues are available at:

     http://www.epic.org/alert/

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible.
Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 6.15 -----------------------