PRIVACY Forum Digest     Thursday, 13 May 1993     Volume 02 : Issue 17

Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Topanga, CA, U.S.A.

===== PRIVACY FORUM =====

The PRIVACY Forum digest is supported in part by the ACM Committee on Computers and Public Policy.

CONTENTS
    Clipper on "Wall Street Journal Report" (Lauren Weinstein; PRIVACY Forum Moderator)
    DMV Records (Rasch@DOCKMASTER.NCSC.MIL)
    NIST Advisory Board Seeks Comments on Crypto (Clipper-Capstone Chip Info)

*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------

The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com". All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password.
The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are also available through the Internet Gopher system via a gopher server on site "gopher.vortex.com".

For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@vortex.com, call (310) 455-9300, or FAX to (310) 455-2364.

-----------------------------------------------------------------------------

VOLUME 02, ISSUE 17

Quote for the day:

    "Life is like a sewer. What you get out of it depends on what you put into it."

        -- Tom Lehrer (1928- )
           Preamble to the song "We Will All Go Together When We Go" on the album "An Evening Wasted with Tom Lehrer" (1953)

----------------------------------------------------------------------

Date: Sun, 9 May 93 16:20 PDT
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Clipper on "Wall Street Journal Report"

Greetings. Last Sunday's (5/9/93) edition of the television news program "Wall Street Journal Report" featured a somewhat brief segment on encryption. Starting with the issues revolving around the theft of U.S. trade secrets and information by outside governments, it then led to the topic of encryption systems, mentioning DES, RSA, and finally Clipper. They discussed the controversy surrounding Clipper, and included brief soundbites from both NIST and Electronic Frontier Foundation spokespersons. There was even a brief shot of what was purported to be the Clipper chip itself (surface mount, I think).
Clipper was identified in the piece as being developed by NSA, but it was the NIST spokesman who was asked if a "backdoor" existed in the chip (the reply was "no"... not the biggest surprise answer ever spoken, to be sure).

As short mainstream television media pieces go, it was a reasonably accurate presentation. It seemed clear that some officials had presented the view that society needed to make a decision about the level of security that should be allowed the public. The implication seemed clear that this might involve banning "non-compliant" encryption systems if that view wins out.

--Lauren--

------------------------------

Date: Fri, 7 May 93 09:59 EDT
From: Rasch@DOCKMASTER.NCSC.MIL
Subject: DMV Records

I am working on a research project, and need some help. In how many states is it illegal for a citizen to obtain DMV records on others? In which states are such records publicly available? What are the procedures for obtaining such records? I'd like any help I can get.

------------------------------

Date: Tue, 11 May 93 13:43:21 EDT
From: Clipper-Capstone Chip Info
Subject: NIST Advisory Board Seeks Comments on Crypto

Note: This file has been posted to the following groups:

    RISKS Forum
    Privacy Forum
    Sci.crypt
    Alt.privacy.clipper

and will be made available for anonymous ftp from csrc.ncsl.nist.gov, filename pub/nistgen/cryptmtg.txt and for download from the NIST Computer Security BBS, 301-948-5717, filename cryptmtg.txt.

Note: The following notice is scheduled to appear in the Federal Register this week. The notice announces a meeting of the Computer System Security and Privacy Advisory Board (established by the Computer Security Act of 1987) and solicits public and industry comments on a wide range of cryptographic issues. Please note that submissions are due by 4:00 p.m. May 27, 1993.
-----------------------

DEPARTMENT OF COMMERCE
National Institute of Standards and Technology

Announcing a Meeting of the
COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD

AGENCY: National Institute of Standards and Technology

ACTION: Notice of Open Meeting

SUMMARY: Pursuant to the Federal Advisory Committee Act, 5 U.S.C. App., notice is hereby given that the Computer System Security and Privacy Advisory Board will meet Wednesday, June 2, 1993, from 9:00 a.m. to 5:00 p.m., Thursday, June 3, 1993, from 9:00 a.m. to 5:00 p.m., and Friday, June 4, 1993 from 9:00 a.m. to 1:00 p.m. The Advisory Board was established by the Computer Security Act of 1987 (P.L. 100-235) to advise the Secretary of Commerce and the Director of NIST on security and privacy issues pertaining to Federal computer systems and report its findings to the Secretary of Commerce, the Director of the Office of Management and Budget, the Director of the National Security Agency, and the appropriate committees of the Congress. All sessions will be open to the public.

DATES: The meeting will be held on June 2-4 1993. On June 2 and 3, 1993 the meeting will take place from 9:00 a.m. to 5:00 p.m. and on June 4, 1993 from 9:00 a.m. to 1:00 p.m.

Public submissions (as described below) are due by 4:00 p.m. (EDT) May 27, 1993 to allow for sufficient time for distribution to and review by Board members.

ADDRESS: The meeting will take place at the National Institute of Standards and Technology, Gaithersburg, MD. On June 2, 1993, the meeting will be held in the Administration Building, "Red Auditorium," on June 3 the meeting will be held in the Administration Building, "Green Auditorium," and on June 4, 1993 in the Administration Building, Lecture Room "B."
Submissions (as described below), including copyright waiver if required, should be addressed to: Cryptographic Issue Statements, Computer System Security and Privacy Advisory Board, Technology Building, Room B-154, National Institute of Standards and Technology, Gaithersburg, MD, 20899 or via FAX to 301/948-1784. Submissions, including copyright waiver if required, may also be sent electronically to "crypto@csrc.ncsl.nist.gov".

AGENDA:

- Welcome and Review of Meeting Agenda
- Government-developed "Key Escrow" Chip Announcement Review
- Discussion of Escrowed Cryptographic Key Technologies
- Review of Submitted Issue Papers
- Position Presentations & Discussion
- Public Participation
- Annual Report and Pending Business
- Close

PUBLIC PARTICIPATION:

This Advisory Board meeting will be devoted to the issue of the Administration's recently announced government-developed "key escrow" chip cryptographic technology and, more broadly, to public use of cryptography and government cryptographic policies and regulations. The Board has been asked by NIST to obtain public comments on this matter for submission to NIST for the national review that the Administration has announced it will conduct of cryptographic-related issues. Therefore, the Board is interested in:

1) obtaining public views and reactions to the government-developed "key escrow" chip technology announcement, "key escrow" technology generally, and government cryptographic policies and regulations

2) hearing selected summaries of written views that have been submitted, and

3) conducting a general discussion of these issues in public.

The Board solicits all interested parties to submit well-written, concise issue papers, position statements, and background materials on areas such as those listed below. Industry input is particularly encouraged in addressing the questions below.
Because of the volume of responses expected, submittors are asked to identify the issues above to which their submission(s) are responsive. Submittors should be aware that copyrighted documents cannot be accepted unless a written waiver is included concurrently with the submission to allow NIST to reproduce the material. Also, company proprietary information should not be included, since submissions will be made publicly available.

This meeting specifically will not be a tutorial or briefing on technical details of the government-developed "key escrow" chip or escrowed cryptographic key technologies. Those wishing to address the Board and/or submit written position statements are requested to be thoroughly familiar with the topic and to have concise, well-formulated opinions on its societal ramifications.

Issues on which comments are sought include the following:

1. CRYPTOGRAPHIC POLICIES AND SOCIAL/PUBLIC POLICY ISSUES

Public and Social policy aspects of the government-developed "key escrow" chip and, more generally, escrowed key technology and government cryptographic policies.

Issues involved in balancing various interests affected by government cryptographic policies.

2. LEGAL AND CONSTITUTIONAL ISSUES

Consequences of the government-developed "key escrow" chip technology and, more generally, key escrow technology and government cryptographic policies.

3. INDIVIDUAL PRIVACY

Issues and impacts of cryptographic-related statutes, regulations, and standards, both national and international, upon individual privacy.

Issues related to the privacy impacts of the government-developed "key escrow" chip and "key escrow" technology generally.

4. QUESTIONS DIRECTED TO AMERICAN INDUSTRY

4.A Industry Questions: U.S. Export Controls

4.A.1 Exports - General

What has been the impact on industry of past export controls on products with password and data security features for voice or data?
Can such an impact, if any, be quantified in terms of lost export sales or market share? If yes, please provide that impact.

How many exports involving cryptographic products did you attempt over the last five years? How many were denied? What reason was given for denial?

Can you provide documentation of sales of cryptographic equipment which were lost to a foreign competitor, due solely to U.S. Export Regulations?

What are the current market trends for the export sales of information security devices implemented in hardware solutions? For software solutions?

4.A.2 Exports - Software

If the U.S. software producers of mass market or general purpose software (word processing, spreadsheets, operating environments, accounting, graphics, etc.) are prohibited from exporting such packages with file encryption capabilities, what foreign competitors in what countries are able and willing to take foreign market share from U.S. producers by supplying file encryption capabilities?

What is the impact on the export market share and dollar sales of the U.S. software industry if a relatively inexpensive hardware solution for voice or data encryption is available such as the government-developed "key escrow" chip?

What has been the impact of U.S. export controls on COMPUTER UTILITIES software packages such as Norton Utilities and PCTools?

What has been the impact of U.S. export controls on exporters of OTHER SOFTWARE PACKAGES (e.g., word processing) containing file encryption capabilities?

What information does industry have that Data Encryption Standard (DES) based software programs are widely available abroad in software applications programs?
4.A.3 Exports - Hardware

Measured in dollar sales, units, and transactions, what have been the historic exports for:

    Standard telephone sets
    Cellular telephone sets
    Personal computers and work stations
    FAX machines
    Modems
    Telephone switches

What are the projected export sales of these products if there is no change in export control policy and if the government-developed "key escrow" chip is not made available to industry?

What are the projected export sales of these products if the government-developed "key escrow" chip is installed in the above products, the above products are freely available at an additional price of no more than $25.00, and the above products are exported WITHOUT ADDITIONAL LICENSING REQUIREMENTS?

What are the projected export sales of these products if the government-developed "key escrow" chip is installed in the above products, the above products are freely available at an additional price of no more than $25.00, and the above products are to be exported WITH AN ITAR MUNITIONS LICENSING REQUIREMENT for all destinations?

What are the projected export sales of these products if the government-developed "key escrow" chip is installed in the above products, the above products are freely available at an additional price of no more than $25.00, and the above products are to be exported WITH A DEPARTMENT OF COMMERCE LICENSING REQUIREMENT for all destinations?

4.A.4 Exports - Advanced Telecommunications

What has been the impact on industry of past export controls on other advanced telecommunications products?

Can such an impact on the export of other advanced telecommunications products, if any, be quantified in terms of lost export sales or market share? If yes, provide that impact.

4.B Industry Questions: Foreign Import/Export Regulations

How do regulations of foreign countries affect the import and export of products containing cryptographic functions? Specific examples of countries and regulations will prove useful.
4.C Industry Questions: Customer Requirements for Cryptography

What are current and future customer requirements for information security by function and industry? For example, what are current and future customer requirements for domestic banking, international banking, funds transfer systems, automatic teller systems, payroll records, financial information, business plans, competitive strategy plans, cost analyses, research and development records, technology trade secrets, personal privacy for voice communications, and so forth? What might be good sources of such data?

What impact do U.S. Government mandated information security standards for defense contracts have upon demands by other commercial users for information security systems in the U.S.? In foreign markets?

What threats are your product designed to protect against? What threats do you consider unaddressed?

What demand do you foresee for a) cryptographic only products, and b) products incorporating cryptography in: 1) the domestic market, 2) in the foreign-only market, and 3) in the global market?

4.D Industry Questions: Standards

If the European Community were to announce a non-DES, non-public key European Community Encryption Standard (ECES), how would your company react? Include the new standard in product line? Withdraw from the market? Wait and see?

What are the impacts of government cryptographic standards on U.S. industry (e.g., Federal Information Processing Standard 46-1 [the Data Encryption Standard] and the proposed Digital Signature Standard)?

5. QUESTIONS DIRECTED TO THE AMERICAN BUSINESS COMMUNITY

5.A American Business: Threats and Security Requirements

Describe, in detail, the threat(s), to which you are exposed and which you believe cryptographic solutions can address.

Please provide actual incidents of U.S. business experiences with economic espionage which could have been thwarted by applications of cryptographic technologies.
What are the relevant standards of care that businesses must apply to safeguard information and what are the sources of those standards other than Federal standards for government contractors?

What are U.S. business experiences with the use of cryptography to protect against economic espionage, (including current and projected investment levels in cryptographic products)?

5.B American Business: Use of Cryptography

Describe the types of cryptographic products now in use by your organization. Describe the protection they provide (e.g., data encryption or data integrity through digital signatures). Please indicate how these products are being used.

Describe any problems you have encountered in finding, installing, operating, importing, or exporting cryptographic devices.

Describe current and future uses of cryptographic technology to protect commercial information (including types of information being protected and against what threats).

Which factors in the list below inhibit your use of cryptographic products?

Please rank:

-- no need
-- no appropriate product on market
-- fear of interoperability problems
-- regulatory concerns
     -- a) U.S. export laws
     -- b) foreign country regulations
     -- c) other
-- cost of equipment
-- cost of operation
-- other

Please comment on any of these factors.

In your opinion, what is the one most important unaddressed need involving cryptographic technology?

Please provide your views on the adequacy of the government-developed "key escrow" chip technological approach for the protection of all your international voice and data communication requirements. Comments on other U.S. Government cryptographic standards?

6. OTHER

Please describe any other impacts arising from Federal government cryptographic policies and regulations.

Please describe any other impacts upon the Federal government in the protection of unclassified computer systems.

Are there any other comments you wish to share?
The Board agenda will include a period of time, not to exceed ten hours, for oral presentations of summaries of selected written statements submitted to the Board by May 27, 1993. As appropriate and to the extent possible, speakers addressing the same topic will be grouped together. Speakers, prescheduled by the Secretariat and notified in advance, will be allotted fifteen to thirty minutes to orally present their written statements. Individuals and organizations submitting written materials are requested to advise the Secretariat if they would be interested in orally summarizing their materials for the Board at the meeting.

Another period of time, not to exceed one hour, will be reserved for oral comments and questions from the public. Each speaker will be allotted up to five minutes; it will be necessary to strictly control the length of presentations to maximize public participation and the number of presentations.

Except as provided for above, participation in the Board's discussions during the meeting will be at the discretion of the Designated Federal Official.

Approximately thirty seats will be available for the public, including three seats reserved for the media. Seats will be available on a first-come, first-served basis.

FOR FURTHER INFORMATION CONTACT: Mr. Lynn McNulty, Executive Secretary and Associate Director for Computer Security, Computer Systems Laboratory, National Institute of Standards and Technology, Building 225, Room B154, Gaithersburg, Maryland 20899, telephone: (301) 975-3240.

SUPPLEMENTARY INFORMATION: Background information on the government-developed "key escrow" chip proposal is available from the Board Secretariat; see address in "for further information" section. Also, information on the government-developed "key escrow" chip is available electronically from the NIST computer security bulletin board, phone 301-948-5717.
The Board intends to stress the public and social policy aspects, the legal and Constitutional consequences of this technology, and the impacts upon American business and industry during its meeting.

It is the Board's intention to create, as a product of this meeting, a publicly available digest of the important points of discussion, conclusions (if any) that might be reached, and an inventory of the policy issues that need to be considered by the government. Within the procedures described above, public participation is encouraged and solicited.

/signed/
Raymond G. Kammer, Acting Director

May 10, 1993
Date

------------------------------

End of PRIVACY Forum Digest 02.17
************************