PRIVACY Forum Digest      Friday, 3 December 1993      Volume 02 : Issue 36

Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.

===== PRIVACY FORUM =====

The PRIVACY Forum digest is supported in part by the ACM Committee on Computers and Public Policy.

CONTENTS
    Re: "On the Road to Nosiness?" (Paul Robinson)
    Re: "On the Road to Nosiness?" (Randall Davis)
    Re: "On the Road to Nosiness?" (Olivier MJ Crepin-Leblond)
    Re: Privacy of cellular phones (Brinton Cooper)
    Re: Privacy of cellular phones (Martin Minow)
    Digitized Photos (Mich Kabay)
    United Parcel Service signatures (Jim Carroll)
    GPO Access Act Implementation Proceeds;
       Electronic FOIA Bill Introduced;
       OMB Proposes Government Information Locator Service;
       (ALA Washington Office)
    New Docs Reveal NSA Role in Telephony Proposal (Dave Banisar)
    Sen. Simon Introduces Major Privacy Bill;
       Senator Simon's Statement on Introduction;
       Privacy Commission Bill Section Headings;
       Bill to Remove Crypto Export Controls Introduced in House;
       (Dave Banisar)
    A study of National Cryptography Policy (Marjory Blumenthal)
    DIAC-94 Call for Participation (Paul Hyland)

*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------

The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing.
Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com". All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are also available through the Internet Gopher system via a gopher server on site "gopher.vortex.com".

For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@vortex.com, call (818) 225-2800, or FAX to (818) 225-7203.

-----------------------------------------------------------------------------

VOLUME 02, ISSUE 36

Quote for the day:

    "Don't torture yourself Gomez--that's my job."

        -- Morticia Addams (Anjelica Huston)
           "The Addams Family" (Theatrical; 1991)

----------------------------------------------------------------------

Date: Sun, 28 Nov 1993 12:20:45 -0500 (EST)
From: "Tansin A. Darcos & Company" <0005066432@MCIMAIL.COM>
Subject: Re: "On the Road to Nosiness?"

----
From: Paul Robinson
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA
-----
"Joel A.
Fine" , writes:

> Dan Gillmor writes:
> > ...suppose some future road officials decide to install new
> > cameras and higher-capacity transmission lines, allowing the
> > system to scan locations, license-plate numbers and drivers'
> > faces into the computer.
>
> A similar system is already in place in Campbell, California, and
> several nearby municipalities, for the purpose of enforcing speed
> limits. An unmanned radar-camera combination automatically
> photographs speeding motorists and records their speed at the time
> the picture was taken. Several days later, the driver receives a
> copy of the photo, along with a bill for the appropriate fine for
> the traffic violation. The driver never talks with, or sees, a
> traffic cop.

They probably repealed the old law that required that an infraction be witnessed by a police officer. Mere pictures of the same should not be sufficient.

Photo radar makes me sick and I abhor its existence as just another form of fascist state control. Now you are removed from arguing that a person made a mistake, you have to argue that the (presumably infallible) camera made a mistake, a much higher presumption of guilt having been foisted upon you.

The California State Constitution requirement that requires that any person charged with a criminal offense be tried by a jury (and it does not exempt mere fines; ALL criminal cases are supposed to be so triable) is routinely ignored as well.

---
Note: All mail is read/responded every day. If a message is sent to this account, and you expect a reply, if one is not received within 24 hours, resend your message; some systems do not send mail to MCI Mail correctly.

Paul Robinson - TDARCOS@MCIMAIL.COM

------------------------------

Date: Sun, 21 Nov 93 19:44:14 est
From: davis@ai.mit.edu (Randall Davis)
Subject: Re: "On the Road to Nosiness?"

Date: Mon, 08 Nov 1993 10:24:54 -0800
From: "Joel A. Fine"
Subject: Re: "On the Road to Nosiness?"
Dan Gillmor writes:
> ...suppose some future road officials decide to install new
> cameras and higher-capacity transmission lines, allowing the
> system to scan locations, license-plate numbers and drivers'
> faces into the computer.

A similar system is already in place in Campbell, California, and several nearby municipalities, for the purpose of enforcing speed limits. An unmanned radar-camera combination automatically photographs speeding motorists and records their speed at the time the picture was taken. Several days later, the driver receives a copy of the photo, along with a bill for the appropriate fine for the traffic violation.

A (NJ?) newspaper carried a story a few years back about a driver who had received one of those photos and tickets, and who responded by mailing in a photograph of the appropriate amount of money.

The Motor Vehicle folks replied by mailing him a photo of a pair of handcuffs.

He paid up.

[ I've heard this story before, and I'm still not completely convinced that this "handcuffs photo" response actually occurred. In any case, it's an amusing story. -- MODERATOR ]

------------------------------

Date: Mon, 22 Nov 1993 11:02:52 +0000
From: Olivier MJ Crepin-Leblond
Subject: Re: "On the Road to Nosiness?"

> Date: Mon, 08 Nov 1993 10:24:54 -0800
> From: "Joel A. Fine"
> Subject: Re: "On the Road to Nosiness?"
> [ on the subject of roadside cameras ]
> A similar system is already in place in Campbell, California, and
> several nearby municipalities, for the purpose of enforcing speed
> limits. An unmanned radar-camera combination automatically photographs
> speeding motorists and records their speed at the time the picture was
> taken. Several days later, the driver receives a copy of the photo,
> along with a bill for the appropriate fine for the traffic violation.
> The driver never talks with, or sees, a traffic cop.

Here in London such a scheme has been active for over a year. The cameras actually have a film inside them.
One of the first days of trial, the police thought that they'd be able to use one film for more than a week. The film was used up in a few hours. Since that time, of course, the London motorist has trained to recognise the cameras and slow down at their sight (only to pick up speed a few hundred yards later ;-)

As a result, it is rumoured that not all cameras have a film in them, but since nobody wants to take a chance, they have the desired effect of slowing down the traffic and making it adhere to the speed limits. A "nice" touch is the flash that the camera has, so that you can be seen even at night.

A disturbing thought, however, is what one feels in the middle of the night, say at 3:00am, when nobody is around, the speed limit is ridiculously low, and you're alone in the car. When passing by the cameras, you always feel that someone is watching you. Definitely not my cup of tea as far as the future is concerned.

--
Olivier M.J. Crepin-Leblond, Digital Comms. Section, Elec. Eng. Department
Imperial College of Science, Technology and Medicine, London SW7 2BT, UK
Internet/Bitnet: - Janet:

------------------------------

Date: Sun, 21 Nov 93 23:24:43 GMT
From: Brinton Cooper
Subject: Re: Privacy of cellular phones

There have been many remarks in these forums, recently, of this type:

"Too bad the cop had to break the (eavesdropping) law. At least he caught a crook. The crook had it coming, so what's the harm?"

Here's the harm: You, a law-abiding citizen, are having an innocent cellular phone conversation with your equally law-abiding spouse when an officer of the law illegally eavesdrops on your conversation. The segment of conversation which she hears (perhaps out of context) sounds to her like a discussion of concurrent legal activity so she determines your location, then tracks you down and arrests you.

Now you've done nothing wrong. However, YOU HAVE BEEN ARRESTED.
So if your job, as mine, depends upon holding a security clearance, every time you are asked subsequently, "Have you ever been ARRESTED for a crime?" you must answer in the affirmative, then go through the whole mess and explain yourself. You may even have to discuss the content of the phone conversation. (Well, you may not HAVE to, but, then, "you don't have to work here, either.")

Further, YOU HAVE BEEN ARRESTED, detained from free exercise of your liberties. You may be held overnight, perhaps in an urban jail in (name your least favorite big city) where you may well be harmed or worse (must I draw you a picture?) by other inmates.

All this happens because it's OK for the cop to break the law if it results in arresting a "crook."

And who's a "crook," anyway? Are all detainees crooks? Are we guilty before the law until we prove ourselves innocent, or is it the other way around? This is a quiz. You may flunk.

_Brint

------------------------------

Date: Mon, 22 Nov 93 09:22:15 -0800
From: Martin Minow
Subject: Re: Privacy of cellular phones

In a note to Privacy 02.35, Les Earnest (les@sail.stanford.edu) notes that the location of a cellular phone can be determined to less than a square mile by measuring the signal strength at nearby transceiver sites.

By measuring the *time* that a signal arrives at three or more sites -- something that is fairly easy to do using commercially-available high precision "atomic" clocks -- it should be easy to locate a phone to a few square meters. Note also, that the receiving sites need not be co-located with the cellular phone transceivers. (Three sites are needed to locate a site, but more sites would allow for more accurate determination.)

Martin Minow
minow@apple.com

------------------------------

Date: 23 Nov 93 16:52:27 EST
From: "Mich Kabay / JINBU Corp."
<75300.3232@compuserve.com>
Subject: Digitized Photos

[ From RISKS FORUM Digest -- MODERATOR ]

[ The author quotes an Associated Press newswire item regarding plans by fourteen U.S. states and two Canadian provinces to begin using digitized photos on drivers' licenses. It notes that such photos could be easily altered, matched, transmitted, etc., and points out that privacy experts are concerned about potential misuse of these digitized images. -- MODERATOR ]

The article goes on to explain that privacy advocates are already worried about the potential for abuse. Possible abuses include

o release of the pictures to the direct-marketing industry, which could target specific categories of people (e.g., bald people or those in need of dental care) for campaigns;

o illegal use by criminals to stalk, harass or intimidate victims.

The FBI is claimed to be interested in nationwide picture files and is currently upgrading its databases to handle pictures such as those from motor vehicle licenses.

Even in police work, such files could be misused: ``For example, courts have frowned on police roundups of all young black men near a crime scene -- but police could use the computer to scan the pictures of every driver living in the area.''

Police could greatly increase the number of pictures shown to witnesses of crimes by including thousands of photos of innocent people--with a likely increase in the number of false positive misidentifications.

Because the pictures will be stored in digital fashion, changing them will be very easy.

Privacy watchdogs urge caution and thought as the systems are implemented.

Michel E. Kabay, Ph.D.
Director of Education
National Computer Security Assn

------------------------------

Date: Fri, 19 Nov 1993 11:00:44 -0500
From: jcarroll@jacc.com (Jim Carroll)
Subject: United Parcel Service signatures

[ From RISKS FORUM Digest -- MODERATOR ]

UPS (United Parcel Service) arrived at my doorstep the other day, with yet another package for delivery.
I signed the little handheld machine that they carry around, to signify my receipt of the package. I've been doing this for the last couple of years. UPS is the only courier (in Canada, in any event) to use these handy little devices.

However, I began to wonder this time about UPS and signatures. UPS must have collected my signature in digital form over 50 times now through the past few years.

Maybe my signature exists in some UPS database at this point? Maybe a smart hacker somewhere in the bowels of has figured out a way to download my signature from their field device? Maybe my digital signature can be misused in some fashion?

What are the risks that are posed by UPS collecting digital signatures? Might those risks be compounded as more companies implemented field devices such as UPS? What should we as consumers be doing to protect ourselves? Should I even bother signing with my real signature, or should I just print out my name?

Perhaps there is an interesting issue here that RISKS should explore.

Jim Carroll, J.A. Carroll Consulting, Mississauga, Ontario
jcarroll@jacc.com +1.905.855.2950
Co-Author, "The Canadian Internet Handbook", due March 1994

------------------------------

Date: Wed, 1 Dec 1993 12:55:54 -0500
From: ALA Washington Office
Subject: GPO ACCESS ACT IMPLEMENTATION PROCEEDS
         ELECTRONIC FOIA BILL INTRODUCED
         OMB PROPOSES GOVERNMENT INFORMATION LOCATOR SERVICE

[ Combined subject field by MODERATOR ]

[ Extracted from ALAWON; Vol. 2, No. 54 -- MODERATOR ]

American Library Association Washington Office

***************************************************************************

GPO ACCESS ACT IMPLEMENTATION PROCEEDS

The Superintendent of Documents has held two meetings to describe the implementation of the Government Printing Office Electronic Information Access Enhancement Act of 1993 (PL 103-40).
The first was held at GPO on October 22 to consult with information companies, while a similar meeting for depository librarians was conducted in Chicago at the Depository Library Council meeting on November 2.

Under the GPO Access Act, the Superintendent of Documents is required to (1) maintain an electronic directory of federal electronic information; (2) provide a system of online access to the Congressional Record, the Federal Register and other appropriate publications; and (3) operate an electronic storage facility for federal electronic information.

Work has begun on all three components of the legislation. For example, GPO's prototype locator should be operational by June 1994. The implementation will use a phased approach, and the initial set of information will be available by January 1994, with additional agencies or information sources being added gradually thereafter. The result will not be a single, central locator, but rather a series of inter-related, individual locators in several different locations.

According to GPO, the prototype locator will:

* allow federal depository libraries and members of the public access to an electronic Locator Service in order to obtain data on selected federal information services and products as well as to facilitate access to the referenced information.

* provide a basis for the collection of data on user characteristics and needs, as well as tracking Prototype Locator usage.

* demonstrate the feasibility of integrating the Prototype Locator with the other components of the GPO Access System, particularly the Online Interactive System.

GPO has set up a free Special Interest Group (SIG) on the Federal Bulletin Board to announce continuing developments under the GPO Access legislation. The SIG is named GPOACCES. You can also use the electronic mail service (E-mail) to send comments by addressing a message to GPOACCES.
To access The Federal Bulletin Board, contact the GPO Office of Electronic Information Dissemination Services (EIDS) by telephone at (202) 512-1265 or by Fax at (202) 512-1262.

***************************************************************************

ELECTRONIC FOIA BILL INTRODUCED

On November 23, Senators Patrick Leahy (D-VT) and Hank Brown (R-CO) introduced S. 1782, Electronic Freedom of Information Improvement Act of 1993 (see November 23 _Congressional Record_, pp. S17056-8). Senator Leahy said S. 1782 will give the public access to the records of federal agencies maintained in electronic form, and takes steps to alleviate the endemic delays in processing requests for government records.

Without specifically naming the GPO Access Act, Senator Leahy referred to it in his introductory statement: "We recognized the importance of such electronic access when we recently passed a law requiring that people have online access to important Government publications, such as the Federal Register, the CONGRESSIONAL RECORD, and other documents put out by the Government Printing Office."

***************************************************************************

OMB PROPOSES GOVERNMENT INFORMATION LOCATOR SERVICE

The Office of Management and Budget is promoting the establishment of an agency-based Government Information Locator Service (GILS). In the November 19 _Federal Register_, pp. 61109-10, OMB requested comments on a draft design concept for the proposed GILS, and announced a public meeting on the proposed GILS.

To receive a paper copy of the draft document, or to request an opportunity to speak at the public meeting, contact Barbara Banks, Information Policy Branch, Office of Information and Regulatory Affairs, OMB, Room 3235, New Executive Office Building, Washington DC 20503. Telephone: (202) 395-4814. Comments on the draft design concept should be received by December 15, 1993, at the above address.
The public meeting will be held on December 13, 2 to 4 p.m., in the auditorium at the Department of Interior, 1849 C Street, NW, Washington, DC.

In addition to paper copy, the draft design concept will be available on the FedWorld bulletin board. FedWorld can be accessed by using a modem to dial 703/321-8020. For further instructions to access FedWorld, call 703/487-4608. The document will also be available on the Internet via anonymous File Transfer Protocol from 130.11.48.107 as /pub/gils.doc (Microsoft Word for Windows format) or /pub/gils.txt (ASCII text format).

Electronic comments on the draft may be submitted via electronic mail to the following OMB X.400 mail address: /s=gils/c=us/admd=telemail/prmd=gov+eop. (Internet users should add /@sprint.com at the end of the address.)

The OMB notice says that the public would be served by GILS directly or through intermediaries. Central disseminating agencies such as the Government Printing Office and the National Technical Information Service would act as intermediaries to GILS, as would public libraries and private sector information services offering GILS contents through kiosks, 800 numbers, electronic mail, bulletin boards, FAX, and off-line media such as floppy disks, CD-ROM, and printed works. GILS would supplement, but not necessarily supplant, other agency information dissemination mechanisms and commercial information sources.

------------------------------

Date: Wed, 1 Dec 1993 14:54:51 EST
From: Dave Banisar
Subject: New Docs Reveal NSA Role in Telephony Proposal

From the CPSR Alert 2.06 (Dec. 1, 1993)

New Docs Reveal NSA Involvement in Digital Telephony Proposal

A series of memoranda received by CPSR from the Department of Commerce last week indicate that the National Security Agency was actively involved in the 1992 FBI Digital Telephony Proposal.
Two weeks ago, documents received by CPSR indicated that the FBI proposal, code named "Operation Root Canal," was pushed forward even after reports from the field found no cases where electronic surveillance was hampered by new technologies. The documents also revealed that the Digital Signature Standard was viewed by the FBI as "[t]he first step in our plan to deal with the encryption issue."

The earliest memo is dated July 5, 1991, just a few weeks after the Senate withdrew a Sense of Congress provision from S-266, the Omnibus Crime Bill of 1991, that encouraged service and equipment providers to ensure that their equipment would "permit the government to obtain the plain text contents of voice, data and other communications...."

The documents consist of a series of fax transmittal sheets and memos from the Office of Legal Counsel in the Department of Commerce to the National Security Agency. Many attachments and drafts, including more detailed descriptions of the NSA's proposals, were withheld or released with substantial deletions.

Also included in the documents is a previously released public statement by the National Telecommunications and Information Administration entitled "Technological Competitiveness and Policy Concerns." The document was requested by Rep. Jack Brooks and states that the proposal

    could obstruct or distort telecommunications technology development by limiting fiber optic transmission, ISDN, digital cellular services and other technologies until they are modified, ... could impair the security of business communications ... that could facilitate not only lawful government interception, but unlawful interception by others, [and] could impose industry's ability to offer new services and technologies.

CPSR is planning to appeal the Commerce Department's decision to withhold many of the documents.

To subscribe to the Alert, send the message: "subscribe cpsr " (without quotes or brackets) to listserv@gwuvm.gwu.edu.
Back issues of the Alert are available at the CPSR Internet Library FTP/WAIS/Gopher cpsr.org /cpsr/alert

Computer Professionals for Social Responsibility is a national, non-partisan, public-interest organization dedicated to understanding and directing the impact of computers on society. Founded in 1981, CPSR has 2000 members from all over the world and 22 chapters across the country. Our National Advisory Board includes a Nobel laureate and three winners of the Turing Award, the highest honor in computer science. Membership is open to everyone.

For more information, please contact: cpsr@cpsr.org or visit the CPSR discussion conferences on The Well (well.sf.ca.us) or Mindvox (phantom.com).

------------------------------

Date: Wed, 1 Dec 1993 14:06:41 EST
From: Dave Banisar
Subject: Sen. Simon Introduces Major Privacy Bill;
         Senator Simon's Statement on Introduction;
         Privacy Commission Bill Section Headings;
         Bill to Remove Crypto Export Controls Introduced in House;

[ Combined subject field by MODERATOR ]

[ Extracted from CPSR Alert 2.06 -- MODERATOR ]

Computer Professionals for Social Responsibility
Washington Office (Alert@washofc.cpsr.org)

[1] Sen. Simon Introduces Major Privacy Bill
[2] Senator Simon's Statement on Introduction
[3] Privacy Commission Bill Section Headings
...
[5] Bill to Remove Crypto Export Controls Introduced in House

[1] Senator Simon Introduces Major Privacy Bill

Senator Paul Simon (D-IL) has introduced legislation to create a privacy agency in the United States. The bill is considered the most important privacy measure now under consideration by Congress.

The Privacy Protection Act of 1993, designated S. 1735, attempts to fill a critical gap in US privacy law and to respond to growing public concern about the lack of privacy protection.

The Vice President also recommended the creation of a privacy agency in the National Performance Review report on reinventing government released in September.
The measure establishes a commission with authority to oversee the Privacy Act of 1974, to coordinate federal privacy laws, develop model guidelines and standards, and assist individuals with privacy matters.

However, the bill lacks authority to regulate the private sector, to curtail government surveillance proposals, and has only a small budget for the commission.

Many privacy experts believe the bill is a good first step but does not go far enough.

The Senate is expected to consider the bill in January when it returns to session.

-------------------------------------------------------------

[2] Senator Simon's Statement on Introduction

(From the Congressional Record, November 19, 1993)

Mr. Simon. "Mr. President, I am introducing legislation today to create a Privacy Protection Commission. The fast-paced growth in technology coupled with Americans' increasing privacy concerns demand Congress take action.

"A decade ago few could afford the millions of dollars necessary for a mainframe computer. Today, for a few thousand dollars, you can purchase a smaller, faster, and even more powerful personal computer. Ten years from now computers will likely be even less expensive, more accessible, and more powerful. Currently, there are "smart" buildings, electronic data "highways", mobile satellite communication systems, and interactive multimedia. Moreover, the future holds technologies that we can't even envision today. These changes hold the promise of advancement for our society, but they also pose serious questions about our right to privacy. We should not fear the future or its technology, but we must give significant consideration to the effect such technology will have on our rights.

"Polls indicate that the American public is very concerned about this issue. For example, according to a Harris-Equifax poll completed this fall, 80 percent of those polled were concerned about threats to their personal privacy.
In fact, an example of the high level of concern is reflected in the volume of calls received by California's Privacy Rights Clearinghouse. Within the first three months of operation, the California Clearinghouse received more than 5,400 calls. The Harris-Equifax poll also reported that only 9 percent of Americans felt that current law and organizational practices adequately protected their privacy. This perception is accurate. The Privacy Act of 1974 was created to afford citizens broad protection. Yet, studies and reviews of the act clearly indicate that there is inadequate specific protection, too much ambiguity, and lack of strong enforcement.

"Furthermore, half of those polled felt that technology has almost gotten out of control, and 80 percent felt that they had no control over how personal information about them is circulated and used by companies. A recent article written by Charles Piller for MacWorld magazine outlined a number of privacy concerns. I ask unanimous consent the article written by Charles Piller be included in the record following my statement. These privacy concerns have caused the public to fear those with access to their personal information. Not surprisingly, distrust of business and government has significantly climbed upwards from just three years ago.

"In 1990, the United States General Accounting Office reported that there were conservatively 910 major federal data banks with billions of individual records. Information that is often open to other governmental agencies and corporations, or sold to commercial data banks that trade information about you, your family, your home, your spending habits, and so on. What if the data is inaccurate or no longer relevant? Today's public debates on health care reform, immigration, and even gun control highlight the growing public concern regarding privacy.

"The United States has long been the leader in the development of privacy policy.
The framers of the Constitution and the Bill of Rights included an implied basic right to privacy. More than a hundred years later, Brandeis and Warren wrote their famous 1890 article, in which they wrote that privacy is the most cherished and comprehensive of all rights. International privacy scholar Professor David Flaherty has argued successfully that the United States invented the concept of a legal right to privacy. In 1967, Professor Alan Westin wrote Privacy and Freedom, which has been described as having been of primary influence on privacy debates world-wide. Another early and internationally influential report on privacy was completed in 1972 by the United States Department of Health, Education, and Welfare advisory committee. A few years later in 1974, Senator Sam Ervin introduced legislation to create a federal privacy board. The result of debates on Senator Ervin's proposal was the enactment of the Privacy Act of 1974. The United States has not addressed privacy protection in any comprehensive way since.

"International interest in privacy and in particular data protection dramatically moved forward in the late 1970's. In 1977 and 1978 six countries enacted privacy protection legislation. As of September 1993, 27 countries have legislation under consideration. I ask unanimous consent that a list of those countries be included in the record following my statement. Among those considering legislation are former Soviet Bloc countries Croatia, Estonia, Slovakia, and Lithuania. Moreover, the European Community Commission will be adopting a directive on the exchange of personal data between those countries with and those without data or privacy protection laws.

"Mr. President, a Privacy Protection Commission is needed to restore the public's trust in business and government's commitment to protecting their privacy and willingness to thoughtfully and seriously address current and future privacy issues.
It is also needed to fill in the gaps that remain in federal privacy law.

"The Clinton Administration also recognizes the importance for restoring public trust. A statement the Office of Management and Budget sent to me included the following paragraph:

    [T]he need to protect individual privacy has become increasingly important as we move forward on two major initiatives, Health Care Reform and the National Information Infrastructure. The success of these initiatives will depend, in large part, on the extent to which Americans trust the underlying information systems. Recognizing this concern, the National Performance Review has called for a commission to perform a function similar to that envisioned by Senator Simon. Senator Simon's bill responds to an issue of critical importance.

"In addition, the National Research Council recommends the creation of 'an independent federal advisory body ...' in their newly released study, Private Lives and Public Policies.

"It is very important that the Privacy Protection Commission be effective and above politics. Toward that end, the Privacy Protection Commission will be advisory and independent. It is to be composed of 5 members, who are appointed by the President, by and with the consent of the Senate, with no more than 3 from the same political party. The members are to serve for staggered seven year terms, and during their tenure on the commission, may not engage in any other employment.

"Mr. President, I am concerned about the creation of additional bureaucracy; therefore the legislation would limit the number of employees to a total of 50 officers and employees. The creation of an independent Privacy Protection Commission is imperative. I have received support for an independent privacy protection commission from consumer, civil liberty, privacy, library, technology, and law organizations, groups, and individuals.
I ask unanimous consent that a copy of a letter I have received be included in the record following my statement.

"What the commission's functions, make-up, and responsibilities are will certainly be debated through the Congressional process. I look forward to hearing from and working with a broad range of individuals, organizations, and businesses on this issue, as well as the administration.

"I urge my colleagues to review the legislation and the issue, and join me in support of a privacy protection commission. I ask unanimous consent that the text of the bill be included in the record."

-------------------------------------------------------------

[3] Privacy Commission Bill Section Headings

Section 1. Short Title.
Section 2. Findings and Purpose.
Section 3. Establishment of a Privacy Protection Commission.
Section 4. Privacy Protection Commission.
Section 5. Personnel of The Commission.
Section 6. Functions of The Commission.
Section 7. Confidentiality of Information.
Section 8. Powers of the Commission.
Section 9. Reports and Information.
Section 10. Authorization of Appropriations.

A full copy of the bill, floor statement and other materials will be made available at the CPSR Internet Library.

-------------------------------------------------------------

[5] Bill to Remove Crypto Export Controls Introduced in House

On November 22, 1993, Congresswoman Maria Cantwell (D-WA) introduced HR 3627 to transfer jurisdiction over the export of software with non-military encryption to the Department of Commerce from the Department of State. The State Department defers to the National Security Agency on exports that contain cryptography. The bill mandates that no export licenses are required for mass market or public domain software but retains restrictions on countries "of terrorist concern" and nations currently being embargoed. It also expands licenses for financial institutions.
A full copy of the bill, press release and analysis is available from the CPSR Internet Library. See below for retrieval information.

------------------------------

Date: Thu, 02 Dec 93 08:45:28 EST
From: "Marjory Blumenthal"
Subject: A study of National Cryptography Policy

[ From RISKS DIGEST -- MODERATOR ]

As part of the Defense Authorization Bill for FY 1994, the U.S. Congress has asked the Computer Science and Telecommunications Board (CSTB) of the National Research Council (NRC) to undertake a study of national policy with respect to the use and regulation of cryptography. The report of the study committee is due two years after all necessary security clearances have been processed, probably sometime summer 1996, and is subject to NRC review procedures. The legislation states that 120 days after the day on which the report is submitted to the Secretary of Defense, the Secretary shall submit the report to the Committees on Armed Services, Intelligence, Commerce, and the Judiciary of the Senate and House of Representatives in unclassified form, with classified annexes as necessary.

This study is expected to address the appropriate balance in cryptography policy among various national interests (e.g., U.S. economic competitiveness (especially with respect to export controls), national security, law enforcement, and the protection of the privacy rights of individuals), and the strength of various cryptographic technologies known today and anticipated in the future that are relevant for commercial purposes. The federal process through which national cryptography policy has been formulated is also expected to be a topic of consideration, and, if appropriate, the project will address recommendations for improving the formulation of national cryptographic policy in the future.

This project, like other NRC projects, will depend heavily on input from industry, academia, and other communities in the concerned public.
Apart from the study committee (described below), briefings and consultations from interested parties will be arranged and others will be involved as anonymous peer reviewers.

It is expected that the study committee will be a high-level group that will command credibility and respect across the range of government, academic, commercial, and private interests. The committee will include members with expertise in areas such as:

- relevant computer and communications technology;
- cryptographic technologies and cryptanalysis;
- foreign, national security, and intelligence affairs;
- law enforcement;
- commercial interests; and
- privacy and consumer interests.

All committee members (and associated staff) will have to be cleared at the "SI/TK" level; provisions have been made to expedite the processing of security clearances for those who do not currently have them. Committee members will be chosen for their stature, expertise, and seniority in their fields; their willingness to listen and consider fairly other points of view; and their ability to contribute to the formulation of consensus positions. The committee as a whole will be chosen to reflect the range of judgment and opinion on the subject under consideration.

The detailed composition of the committee has not yet been decided; suggestions for committee members are sought from the community at large. Note that NRC rules regarding conflict of interest forbid the selection as committee members of individuals that have substantial personal financial interests that might be significantly affected by the outcome of the study. Please forward suggestions for people to participate in this project to CSTB@NAS.EDU by DECEMBER 17, 1993; please include their institutional affiliations, their field(s) of expertise, a note describing how the criteria described above apply to them, and a way to contact them. For our administrative convenience, please put in the "SUBJECT:" field of your message the words "crypto person".
Finally, some people have expressed concern about the fact that the project will involve consideration of classified material. Arguments can and have been made on both sides of this point, but in any event this particular ground rule was established by the U.S. Congress, not by the CSTB. Whether one agrees or disagrees with the asserted need for classification, the task at hand is to do the best possible job given this constraint.

On the National Research Council

The National Research Council (NRC) is the operating arm of the Academy complex, which includes the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The NRC is a source of impartial and independent advice to the federal government and other policy makers that is able to bring to bear the best scientific and technical talent in the nation to answer questions of national significance. In addition, it often acts as a neutral party in convening meetings among multiple stakeholders on any given issue, thereby facilitating the generation of consensus on controversial issues.

The Computer Science and Telecommunications Board (CSTB) of the NRC considers technical and policy issues pertaining to computer science, telecommunications, and associated technologies. CSTB monitors the health of the computer science, computing technology, and telecommunications fields, including attention as appropriate to the issues of human resources and information infrastructure and initiates studies involving computer science, computing technology, and telecommunications as critical resources and sources of national economic strength. A list of CSTB publications is available on request.

------------------------------

Date: Thu, 2 Dec 1993 17:49:50 EDT
From: Paul Hyland
Subject: DIAC-94 Call for Participation

Call for Workshop Proposals

Developing an Effective and Equitable Information Infrastructure

Directions and Implications of Advanced Computing (DIAC-94) Symposium
Cambridge, MA, USA
April 23 - 24, 1994

The National Information Infrastructure (NII) is being proposed as the next-generation "information superhighway" for the 90's and beyond. Academia, libraries, government agencies, as well as media and telecommunication companies are involved in the current development. Computer Professionals for Social Responsibility (CPSR) and other organizations believe that critical issues regarding the use of the NII deserve increased public visibility and participation and are using the DIAC Symposium to help address this concern.

The DIAC-94 symposium is a two-day symposium and will consist of presentations on the first day and workshops on the second day. The DIAC Symposia are held biannually and DIAC-94 will be CPSR's fifth such conference. We encourage your participation both through attending and through conducting a workshop. We are currently soliciting workshop proposals. We suggest proposals on the following themes but any topic relating to the symposium theme is welcome.

Systems and Services
 + Community networks
 + Information services
 + Delivery of social services
 + Privacy (including medical)
 + Educational support
 + Meeting diverse needs

Policy
 + Funding
 + Role of government
 + Economic modelling of networks
 + Commercialization of the NII
 + Universal access
 + Freedom of expression and community standards

Electronic Democracy
 + Access to information
 + Electronic town meetings
 + Threats to democracy
 + Economic and class disparities

Directions and Implications
 + Ubiquitous computing
 + Global hypertext and multimedia
 + Computing in the workplace
 + Computing and the environment

International Issues
 + Language differences
 + Cultural diversity
 + National and international priorities
 + Cooperative projects

Traditional and Virtual Communities
 + MUDs
 + Communication ethics, values, and styles
 + Gender relations in cyberspace
 + Networking for indigenous peoples

Workshops will be an hour and a half in length. The proposal should include title, presenter, purpose of workshop, references, and plan. Workshops should substantially involve the audience and proposals in which some group product or action plan is created are preferred. As the proposals may be collected into a book, workshop proposals should be clear and informative to people who don't participate in the workshop. Proposals are due February 15, 1994 and acceptance and rejection notices will be sent by March 15, 1994. To discuss workshops or to submit proposals for workshops contact the program chair, Doug Schuler, doug.schuler@cpsr.org. Electronic submissions are encouraged but paper versions are also acceptable (send them to CPSR/Seattle - DIAC '94 Workshop Submission, P.O. Box 85481, Seattle, WA 98145-1481).

Sponsored by Computer Professionals for Social Responsibility

Potential co-sponsors are being sought. Please contact us if your organization would like to help with this event.
For more information on co-sponsorship or on general issues, contact conference chair, Coralee Whitcomb, cwhitcomb@bentley.edu.

------------------------------

End of PRIVACY Forum Digest 02.36
************************