=========================================================================
EFFector Online Volume 07 No. 13    October 7, 1994    editors@eff.org
A Publication of the Electronic Frontier Foundation    ISSN 1062-9424

In This Issue:

    EFF Organizational Changes: New Exec. Dir., New Privacy Project
    Rep. Edwards Announcement on Digital Telephony, Oct. 7, 1994
    National Research Council Study of National Cryptography Policy
    Computers, Freedom and Privacy '95 - Call for Participation
    EFF's Godwin to Speak at Criminal Law in Cyberspace Conf., 10/27/94
    OTA Report - Information Security & Privacy in Network Environments
    GPO Puts Bills Online, but Wants You to Pay for Them Twice
    Horde of New NII Documents Online at EFF
    What YOU Can Do

----------------------------------------------------------------------

Subject: EFF Organizational Changes: New Exec. Dir., New Privacy Project
---------------------------------------------------------------------------

** Taubman Executive Director, Berman Policy Director **

September 28, 1994

The Chairman and Board of Directors of the Electronic Frontier Foundation (EFF) today announced the immediate appointment of Andrew E. Taubman as Executive Director of EFF. The Board of Directors approved the hiring of Mr. Taubman at its most recent meeting in mid-July. At the same time, Jerry Berman, Executive Director since January 1992, was appointed the Director of Policy. The move was made to effect the best placement of talents and experience.
Mr. Taubman will focus on EFF as an organization, while Mr. Berman's role in policy and legislative development will continue in recognition of the increased significance of EFF's political role in Washington.

"I am delighted to welcome Drew to EFF, where we expect him to play a major role in orchestrating the next phase of development of the organization. The Board went through a long and thoughtful process to find the best candidate, and in Drew we believe we have him," said Mitchell Kapor, co-founder of EFF.

Prior to joining EFF, Mr. Taubman was the President/Managing Partner of The Taubman Group, a Cleveland-based management consultancy created in 1985 for public sector and related organizations. His professional positions include appointments as Vice President of the Cleveland Institute of Music, Ohio; Executive Director of The Ohio Caring Foundation's Caring Program For Children, Cincinnati; Director of Development and Alumni Affairs/Associate Director of the University of Cincinnati Foundation, Ohio; Associate Director of Development at Wright State University, Dayton, Ohio; Cultural Arts Director of The Leo Yassenoff Center, Columbus, Ohio; and Development Officer, Public Television and Radio at Michigan State University, East Lansing, Michigan.

His community involvement as a committee member/officer or trustee has been regular and diversified in health care and the arts. He has consulted and testified on healthcare reform, social service, education, and the arts.

Mr. Taubman received his BA in Arts Administration from Michigan State University and has continued his professional education with a focus on the non-profit sector.

** EFF Privacy and Technology Project **

An additional organizational change at EFF was the creation in May of the Privacy and Technology Project. This project is headed by Janlori Goldman, former Director of the Privacy and Technology Project at the ACLU. Ms. Goldman is assisted by Staff Counsel Deirdre K.
Mulligan, a 1994 graduate of Georgetown Law School, who assisted on the ACLU project while a Public Interest Law Scholar in law school.

** Legal Services and Community Building **

Concurrent with the implementation of these recent changes, EFF's Board of Directors is committed to continued support for Legal Services and increased development of the Community Building aspect of EFF's mission.

"I am very optimistic about this change," said co-founder John Perry Barlow. "Jerry Berman needs to be in a position to focus on policy, and we think we've built an organization that can support his efforts rather than require his continuous attention to administrative detail. EFF has a revitalized focus on community services and understanding the issues involved in civilizing cyberspace. Drew Taubman is exactly the person to run this phase of EFF."

For further information, please contact Kathleen Zaffina at kzaffina@eff.org or 202/347-5400.

------------------------------

Subject: Rep. Edwards Announcement on Digital Telephony, Oct. 7, 1994
---------------------------------------------------------------------

Representative Don Edwards (D-CA), Chairman of the House Judiciary Subcommittee on Civil and Constitutional Rights, and principal House author of the Digital Telephony bill which passed the House Wednesday, asked EFF to forward the attached memo to the net community. This memo does not represent EFF statements or policy. Please direct any comments to the office of Rep. Edwards.

Please feel free to distribute this document widely. Thank you

_____________________________________________________________________________

Date: October 7, 1994

To:   Persons Interested in the Digital Telephony "Wiretap" Bill

From: Don Edwards
      Chairman
      Subcommittee on Civil and Constitutional Rights
      House Judiciary Committee

My legislation, H.R. 4922, would be a major improvement over the current relationship between the telecommunications industry and law enforcement.
Currently, the FBI holds the upper hand regarding decisions about security and privacy, in a relationship that is shielded from public scrutiny.

In my estimation, there should be no doubt that future telecommunications systems and services will be designed with law enforcement wiretap needs in mind. Indeed, in opposing my bill the phone companies argued that no legislation was needed because they were working to accommodate law enforcement's demands without legislation. For me, therefore, the key questions were whether that accommodation would be developed in the sunshine and whether privacy would be a requirement given equal status with the requirements of law enforcement.

** Closed Door Meetings or Sunshine **

For over a year, an industry committee that includes all of the major phone companies, cellular providers and equipment manufacturers has been working with the FBI and other law enforcement agencies to develop design proposals to ensure wiretap accessibility in new and existing systems. The sole mission of the committee is to satisfy law enforcement's stated "needs". Privacy is not within the charter of standards for digital switches, cellular systems, evolving Personal Communications Services, the Advanced Intelligent Network, and cable TV systems.

The process is totally closed to the public. All participants in the meetings are required to sign non-disclosure agreements. Without legislation, that process will continue behind closed doors.

** Three Principles of Accountability **

This status quo is unacceptable. Deliberations of industry and law enforcement regarding the future of the telecommunications system should be controlled in three ways, which my legislation would achieve:

(1) Statutory parameters must be set on the scope of what can be required of telephone companies. Under current practice, law enforcement is defining its "needs" to industry, which accepts them without question.
Our bill, in contrast, has substantially narrowed law enforcement's capability requirements, setting a floor. In terms of capacity, our bill specifically requires a notice and comment rule-making in the Federal Register, so the whole country can know what law enforcement is doing.

(2) Privacy must be a requirement on an equal footing with law enforcement interests. Our bill, for the first time ever, requires telephone companies to affirmatively protect the privacy and security of communications not authorized to be intercepted, and gives the FCC regulatory authority over industry compliance with privacy standards. Up until now, phone companies have had no duty to protect privacy. Whether communications were secure or not had been an artifact of telephone technology.

(3) There must be sunshine and accountability. Without H.R. 4922, the phone companies will never have to tell anybody what they have done to "accommodate" law enforcement. My bill requires that industry standards be published. It gives any member of the public the right to challenge any standard before the FCC and in court if it does not adequately protect privacy. All FCC proceedings will be on the public record. The General Accounting Office will report every two years on what modifications have been made in telecommunications systems and what modifications are being sought.

** Internet Exempted from Wiretap Requirements in HR 4922 **

Finally, I should remind all interested persons that the bill does not cover the Internet. The report on the bill clearly states:

"The definition of telecommunications carrier does not include persons or entities to the extent that they are engaged in providing information services, such as electronic mail providers, on-line services providers such as Compuserve, Prodigy, America-On-Line, or Mead Data, or Internet service providers."

_____________________________________________________________________________

For a copy of the latest version of the bill, see:

    ftp.eff.org, /pub/EFF/Policy/Digital_Telephony/digtel94.bill
    gopher.eff.org, 1/EFF/Policy/Digital_Telephony, digtel94.bill
    http://www.eff.org/pub/EFF/Policy/Digital_Telephony/digtel94.bill

See digtel94_analysis.eff in the same directory for EFF's analysis of the Leahy/Edwards Digital Telephony legislation.

------------------------------

Subject: National Research Council Study of National Cryptography Policy
------------------------------------------------------------------------

** A Study of National Cryptography Policy **

September 14, 1994

Cryptographic technologies are critical to a wide variety of important military and civilian applications involving sensitive or classified information that must be protected from unauthorized disclosure. In addition, cryptography is a key component of most authentication technologies, i.e., technologies to guarantee the identity of a message's sender. National cryptography policy has important implications for U.S. economic competitiveness, national security, law enforcement interests, and protection of the rights of private U.S. citizens.

In an attempt to clarify some of the relevant policy issues, Public Law 103-160 (passed by the U.S. Congress in November 1993) called for a comprehensive study from the National Research Council on cryptographic technologies and national cryptography policy. The study will commence in the first week of October 1994.

As this study proceeds, the committee will make all feasible attempts to solicit a wide range of input and commentary from interested parties. Input will be presented to the committee through a mix of briefings, presentations, consultations, invited and contributed papers, and testimony at regional public hearings. In addition, members of the interested public are invited to submit input to the committee as described below.

The study plans to address the following issues:

* the impact of current and possible future restrictions and standards regarding cryptographic technology on

    - the availability of such technology to foreign and domestic parties with interests hostile to or competitive with the national security, economic, commercial, and privacy interests of the U.S. government, U.S. industry, and private U.S. citizens;

    - the competitiveness of U.S. manufacturers of such technology in the international market;

    - the competitiveness and performance of commercial U.S. users of such technology;

    - U.S. national security and law enforcement interests;

* the strength of various cryptographic technologies known and anticipated that are relevant for commercial and private purposes;

* current and anticipated demand for information systems security based on cryptography;

* the impact of foreign restrictions on the use of, importation of, and the market for cryptographic technology;

* the extent to which current cryptography policy is adequate for protecting U.S. interests in privacy, public safety, national security, and economic competitiveness;

* strengths and weaknesses of current key escrow implementation schemes;

* how technology now and in the future can affect the feasible policy options for balancing the national security and law enforcement interests of government and the privacy and commercial interests of U.S. industry and private U.S. citizens;

* recommendations for the process through which national security, law enforcement, commercial, and privacy interests are balanced in the formulation of national cryptography policy.

The study will be conducted by a 17-member committee (listed at the end of this document) that collectively has expertise in computer and communications technology; cryptographic technologies and cryptanalysis; foreign, national security, and intelligence affairs; law enforcement; science policy; trade policy; commercial and business dimensions of computer technology (hardware and software vendors, users of cryptographic technologies); and interests in privacy and civil liberties.

A subpanel of the full committee will be cleared at the SI level and have access to all relevant information to ensure that the findings, conclusions, and recommendations of the unclassified report are consistent with what is known in the classified world.

The project plan calls for the study to be delivered approximately two years after full processing of all necessary security clearances. However, the NRC will make every attempt to deliver the study sooner, and it currently believes that the core work of the study will be completed about 18 to 20 months after funding for the study has been received. Additional time will be devoted to dissemination of the study report and follow-up activities.

The final report of the study committee is subject to NRC review procedures that ensure the objectivity and integrity of all NRC reports. The main text of the report will be unclassified; classified annexes (if any) will be made available only to those with the appropriate security clearances.

** Providing Input to the Committee **

The questions that the study is expected to examine are provided above. Members of the interested public are invited to submit their views on these questions and any other questions that you believe the committee should be addressing through either of the channels below.
If desired, requests for personal presentations to the committee should be submitted through these channels as well; the committee will respond affirmatively to as many such requests as possible, but time and resource constraints will limit the number of such requests that can be honored.

Internet: send comments and other correspondence to CRYPTO@NAS.EDU.

U.S. Mail:

    Cryptography Project
    Computer Science and Telecommunications Board
    National Research Council
    Mail Stop HA-560
    2101 Constitution Avenue, NW
    Washington, DC 20418

** Committee to Study National Cryptography Policy **

Kenneth Dam, committee chair, was Deputy Secretary of State (1982-1985) and is currently the Max Pam Professor of American and Foreign Law at the University of Chicago Law School.

General W. Y. Smith, retired, committee vice-chair, is president emeritus of the Institute for Defense Analyses, and has also served in a number of military posts including that of deputy commander in chief of the U.S. European Command in Germany.

Lee Bollinger, formerly dean of the University of Michigan Law School, is currently provost of Dartmouth College and a constitutional scholar.

Ann Caracristi, retired, was Deputy Director of the National Security Agency (1980-1982).

Benjamin Civiletti was U.S. Attorney General (1979-1981), and is currently in private practice with the law firm Venable, Baetjer, Howard and Civiletti.

Colin Crook is senior technology officer for Citicorp.

Samuel Fuller is vice president of corporate research at Digital Equipment Corporation.

Leslie Gelb is president of the Council on Foreign Relations. He served as Assistant Secretary of State for Politico-Military Affairs (1977-1980).

Ronald Graham is a director of information sciences at AT&T Bell Labs and a professor of mathematics at Rutgers University.

Martin Hellman is professor of electrical engineering at Stanford University. Dr. Hellman was one of the inventors of public key encryption.

Julius Katz is president of Hills & Company, and was deputy United States trade representative (1989-1993).

Peter Neumann is principal scientist in the Computer Science Laboratory at SRI International. He is the chairman of the ACM committee on computers and public policy, and a member of the ACM study group on cryptography policy.

Raymond Ozzie is president of Iris Associates, a wholly-owned subsidiary of the Lotus Development Corporation. Iris Associates is the developer of Lotus Notes.

Kumar Patel is vice chancellor for research at UCLA.

Edward Schmults was Deputy Attorney General of the United States (1981-1984) and is a former senior vice president for external relations and general counsel for the GTE Corporation.

Elliot Stone is executive director of the Massachusetts Health Data Consortium, which is responsible for the collection and analysis of the state's large health care databases.

Willis Ware, retired, is with the RAND Corporation as senior computer scientist emeritus. He chairs the Computer System Security and Privacy Advisory Board which was established by the Computer Security Act of 1987.

** Staff and Organizations **

Marjory Blumenthal is director of the Computer Science and Telecommunications Board (CSTB).

Herbert Lin is study director and senior staff officer of the CSTB. Inquiries about this study should be directed to him at 202-334-3191 or via Internet at HLIN@NAS.EDU.

The National Research Council (NRC) is the operating arm of the Academy complex, which includes the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The NRC provides impartial and independent advice to the federal government and other policy makers, by applying top scientific and technical talent to answer questions of national significance. In addition, the NRC often acts as a neutral party in convening meetings among multiple stakeholders on various controversial issues, thereby facilitating the generation of consensus.
Within the NRC, the CSTB considers technical and policy issues pertaining to computer science, telecommunications, and associated technologies as critical resources and sources of national economic strength. A list of CSTB publications is available on request to CSTB@NAS.EDU or by calling 202-334-2605.

------------------------------

Subject: Computers, Freedom and Privacy '95 - Call for Participation
--------------------------------------------------------------------

The Fifth Conference on Computers, Freedom and Privacy -- CFP'95
Call for Participation

Sponsored by the Association for Computing Machinery and Stanford Law School

28 - 31 March 1995
San Francisco Airport Marriott Hotel
Burlingame, California

INVITATION

This is an invitation to submit session and topic proposals for inclusion in the program of the Fifth Conference on Computers, Freedom and Privacy. Proposals may be for individual talks, panel discussions, debates, or other presentations in appropriate formats. Proposed topics should be within the general scope of the conference, as outlined below.

SCOPE

The advance of computer and telecommunications technologies holds great promise for individuals and society. From convenience for consumers and efficiency in commerce to improved public health and safety and increased participation in democratic institutions, these technologies can fundamentally transform our lives. New computer and telecommunications technologies are bringing new meanings to our freedoms to speak, associate, be left alone, learn, and exercise political power.

At the same time these technologies pose threats to the ideals of a just, free, and open society. Political, social, and economic fairness may hinge on ensuring those who are poor, disabled, or otherwise disadvantaged have access to these technologies. Personal privacy is increasingly at risk from invasion by high-tech surveillance and eavesdropping.
The myriad databases containing personal information maintained in the public and private sectors expose private life to constant scrutiny.

Technological advances also enable new forms of illegal activity, posing new problems for legal and law enforcement officials and challenging the very definitions of crime and civil liberties. But technologies used to combat these crimes can threaten the traditional barriers between the individual and the state.

Even such fundamental notions as speech, assembly and property are being transformed by these technologies, throwing into question the basic Constitutional protections that have guarded them. Similarly, information knows no borders; as the scope of economies becomes global and as networked communities transcend international boundaries, ways must be found to reconcile competing political, social, and economic interests in the digital domain.

The Fifth Conference on Computers, Freedom and Privacy will assemble experts, advocates and interested people from a broad spectrum of disciplines and backgrounds in a balanced public forum to explore and better understand how computer and telecommunications technologies are affecting freedom and privacy in society. Participants will include people from the fields of computer science, law, business, research, information, library science, health, public policy, government, law enforcement, public advocacy, and many others.

Topics covered in previous CFP conferences include:

    Personal Information and Privacy
    Access to Government Information
    Computers in the Workplace
    Electronic Speech, Press and Assembly
    Governance of Cyberspace
    Role of Libraries on the Information Superhighway
    Free Speech, Cryptography, and the Public Communications Network

We are also actively seeking proposals with respect to other possible topics on the general subject of computers, freedom and privacy. Some new topics we are considering include:

    Telecommuting: Liberation or Exploitation?
    Courtesy, and the Freedom to be Obnoxious
    Commercial Life on the Net
    How Does the Net Threaten Government Power?
    Are Computers Killing Intellectual Property?
    Universal Access to Network Services
    The Meaning of Freedom in the Computer Age
    Government-Mandated Databases

PROPOSAL SUBMISSION

All proposals should be accompanied by a position statement of at least one page, describing the proposed topic. Proposals for panel discussions, debates and other multi-person presentations should include a list of proposed participants and session chair. Proposals should be sent to:

    CFP'95 Proposals
    Stanford Law and Technology Policy Center
    Stanford Law School
    Stanford, California 94305-8610

or by email to:

    cfp95@forsythe.stanford.edu

with the word "Proposal" in the subject line. Proposals should be submitted as soon as possible to allow thorough consideration for inclusion in the formal program. The deadline for submissions is 1 November 1994.

STUDENT PAPER COMPETITION

Full time students are invited to enter the student paper competition. Winners will receive a scholarship to attend the conference and present their papers. Papers should not exceed 2,500 words and should examine how computer and telecommunications technologies are affecting freedom and privacy in society. All papers should be submitted to Professor Gary T. Marx by 20 November 1994. Authors may submit their papers either by sending them as straight text via email to:

    Gary.Marx@colorado.edu

or by sending six printed copies to:

    Professor Gary T. Marx
    University of Colorado
    Campus Box 327
    Boulder, Colorado 80309-0327
    (303) 492-1697

Submitters should include the name of their institution, degree program, and a signed statement affirming that they are a full-time student at their institution and that the paper is an original, unpublished work of their own.

INFORMATION

For more information on the CFP'95 program and advance registration, as it becomes available, write to:

    CFP'95 Information
    Stanford Law and Technology Policy Center
    Stanford Law School
    Stanford, California 94305-8610

or send email to:

    cfp95@forsythe.stanford.edu

with the word "Information" in the subject line.

Please distribute and post this notice!

------------------------------

Subject: EFF's Godwin to Speak at Criminal Law in Cyberspace Conf., 10/27/94
----------------------------------------------------------------------------

District of Columbia Bar Association

The New Technology Committee of the Computer Law Section, and the Criminal Law and Individual Rights Section, invite you to a Panel Discussion entitled:

** CRIMINAL LAW IN CYBERSPACE: OUTLAWS ON THE NET **

Speakers:

    Scott Charney, Chief, Computer Crimes Unit of the U.S. Department of Justice
    Mike Godwin, Counsel to the Electronic Frontier Foundation
    Mark D. Rasch, Arent Fox Kintner Plotkin & Kahn

Moderator:

    Andrew Grosso, Co-Chair, New Technology Committee

Whenever a new technology becomes prevalent, the law enters a period of struggle during which it tries to find adequate means for resolving disputes involving that technology, and for protecting the rights of people affected by it. We are now in such a period for the Internet and the developing National Information Infrastructure (NII). Of all legal fields, the struggle concerning the criminal law is the most pronounced, since old statutes must be narrowly construed to protect civil liberties, while used in a creative fashion in order to deter malevolent acts which have never been seen before.

This program focuses on computer network crime having national and international ramifications, including several recent investigations and prosecutions. This panel brings together noted experts in the field of civil liberties and computer crime to discuss the issues presented by the latest developments in this area.
Scott Charney is the Chief of the Computer Crimes Unit of the U.S. Department of Justice, and is actively involved in the formulation of federal policy with regard to computer-related crimes. Mike Godwin is the On Line Legal Counsel for the Electronic Frontier Foundation who is a respected defender of civil liberties for telecommunications users. Mark D. Rasch is a prominent defense attorney who, while an attorney with the Fraud Section of the Department of Justice, prosecuted the "Internet Worm" case in 1989. Andrew Grosso, the panel moderator, is a Co-Chair of the New Technology Committee and a former federal prosecutor.

Written materials by the panelists will be distributed.

Date:  Thursday, October 27, 1994
Time:  12:00 Noon
Place: D.C. Bar Headquarters
       1250 H Street, N.W.
Cost:  Box Lunch: $25.00 for Section members and students; $30.00 for Non-Members.
       Program Only: $19.00 for Section Members and students; $24.00 for Non-Members.

** Registration Form **

Mail to:

    Computer Law Section
    D.C. Bar, 1250 H Street, N.W. 6th Floor
    Washington, D.C. 20005-3908

Please reserve ____________ space(s) for me at the October 27 program. Enclosed is my check for __________ made payable to the DC Bar. Checks must be received by October 25. Sorry, phone reservations cannot be accepted.

Name(s)          Phone(s)        Bar No(s).     Bar Member?
_____________    ____________    ___________    Yes/No
_____________    ____________    ___________    Yes/No
_____________    ____________    ___________    Yes/No

Please notify the Sections Office (202-626-3463) if you require any special dietary or physical accommodations.

------------------------------

Subject: OTA Report - Information Security & Privacy in Network Environments
----------------------------------------------------------------------------

U.S. CONGRESS
OFFICE OF TECHNOLOGY ASSESSMENT
Washington, DC 20510

** Information Security and Privacy in Network Environments **

The OTA report "Information Security and Privacy in Network Environments" is now available.
The report was released on September 23, 1994. Ordering information and details about electronic access are at the end of this file.

** Congress Must Step in to Protect Personal Privacy **

As electronic transactions and records become central to everything from commerce and tax records to health care, new concerns arise for the security and privacy of networked information. These concerns, if not properly resolved, threaten to limit networking's full potential in terms of participation and usefulness, says the congressional Office of Technology Assessment (OTA) in a report released today.

Some 20 to 30 million people worldwide can exchange messages over the Internet. Every day U.S. banks transfer about $1 trillion among themselves, and New York markets trade an average of $2 trillion in securities. Nearly all of these transactions pass over information networks.

The report "Information Security and Privacy in Network Environments" focuses on safeguarding unclassified information in networks, not on the security or survivability of networks themselves, or on the reliability of network services to ensure information access.

Appropriate safeguards must account for--and anticipate--technical, institutional, and social changes that increasingly shift responsibility for safeguarding information to the end users, says OTA. The laws currently governing commercial transactions, data privacy, and intellectual property were largely developed for a time when telegraphs, typewriters, and mimeographs were the commonly used office technologies and business was conducted with paper documents sent by mail. Technologies and business practices have dramatically changed, but the law has been slower to adapt, says OTA.

Information safeguards, especially those based on cryptography, are achieving new prominence.
OTA emphasizes that decisions about cryptography policy will affect the everyday lives of most Americans because cryptography will help ensure the confidentiality and integrity of health records and tax returns, speed the way to electronic commerce, and manage copyrighted material in electronic form. Congress has a vital role in formulating national cryptography policy, says OTA, and more generally in safeguarding electronic information and commercial transactions and protecting personal privacy in a networked society.

A field of applied mathematics/computer science, cryptography is the technique of concealing the contents of a message by a code or a cipher. The message is unintelligible without special knowledge of some secret (closely held) information, the key that "unlocks" the encrypted text and reveals the original text. Key management is fundamental to security. It includes generation of the encryption key or keys, as well as their storage, distribution, cataloging, and eventual destruction.

The federal government still has the most expertise in cryptography, says OTA. As a developer, user, and regulator of safeguard technologies, the federal government faces a fundamental tension between two important policy objectives: fostering the development and widespread use of cost-effective safeguards; and--through use of federal standards and export controls--controlling the proliferation of commercial safeguard technologies that can impair U.S. signals-intelligence and law-enforcement capabilities.

The concern is reflected in the ongoing debates over key-escrow encryption and the government's Escrowed Encryption Standard (EES). The Clinton Administration announced the "escrowed-encryption" initiative, often called the "Clipper chip," in 1993. This type of encryption is intended to allow easy decryption by law enforcement when the equivalent of a wiretap has been authorized.
The Department of Commerce issued the EES, developed by the National Security Agency (NSA), as a federal information processing standard for encrypting unclassified information in February 1994. The initiative in general and the EES in particular have seen intense public criticism and concern, OTA reports. The controversy and unpopularity stem in large part from privacy concerns and the fact that government-designated "escrow agents" will hold the users' cryptographic keys.

Congress has asked the National Research Council (NRC) to conduct a major study, expected to be available in 1996, which would support a broad review of cryptography. OTA presents several options for congressional consideration in the course of such a review. Because the timing of the NRC review is out of phase with the government's implementation of key-escrow encryption, one option would be to place a hold on further deployment of key-escrow encryption, pending a congressional policy review.

An important outcome of a broad review of national cryptography policy, says OTA, would be the development of more open processes to determine how cryptography will be deployed throughout society, including the development of infrastructures to support electronic commerce and network use of copyrighted materials. More openness would build trust and confidence in government operations and leadership and allow for public consensus-building.

OTA examines and offers policy options for congressional consideration in three areas: 1) cryptography policy, including federal information processing standards and export controls; 2) guidance on safeguarding unclassified information in federal agencies; and 3) legal issues and information security, including electronic commerce, privacy, and intellectual property.

Requesters for the report are the Senate Committee on Governmental Affairs and the House Subcommittee on Telecommunications and Finance.

OTA is a nonpartisan analytical agency that serves the U.S. Congress.
Its purpose is to aid Congress with the complex and often highly technical issues that increasingly affect our society.

** Congressional Comment **

Senator John Glenn (D-OH), Chairman, Senate Committee on Governmental Affairs:

"In the new electronic age, we are relying more and more on information technology to streamline government, educate our children, make health care more accessible and affordable, and make our businesses more productive and competitive. This rush to embrace a new age of technology must not, however, obscure our ongoing responsibility to protect important information and maintain the personal privacy of citizens.

"Because we need policies and practices to match the reality of this new age, I joined with Senator Roth in asking the Office of Technology Assessment (OTA) to study security and privacy issues in the network environment. I am very happy to say that OTA's report provides an excellent summary of these issues. More importantly, OTA spells out clear steps that Congress and the Executive Branch should consider if we are to develop policies and practices equal to the task of providing security and privacy protections in an increasingly networked world.

"The Senate Committee on Governmental Affairs, which I chair, has already rung warning bells in this area. Our oversight of agency operations has uncovered threats to security and privacy as diverse as foreigners hacking into Department of Defense computers and IRS employees browsing through computerized taxpayer records. We must recognize that new technologies, particularly the development of computer networks, are leapfrogging security and privacy controls designed for a simpler time. Policies and practices for managing paper file cabinets simply are no match for the instantaneous world-wide flow of data through computer networks.
"Addressing the needs of this new world demands that we find fair balancing points among often competing imperatives for personal privacy, law enforcement, national security, governmental efficiency, and economic competitiveness. OTA's very insightful report highlights the need for the development of new security and privacy controls, which should be done openly, with thorough debate and public accountability. Therefore, in the next Congress, this Committee will continue its oversight of agency operations and will pursue legislation to ensure that government agencies handle data from citizens and businesses responsibly, and that government employees entrusted with maintaining security are held accountable for breaches or misuse of their responsibilities.

"I commend the Office of Technology Assessment for its timely and very insightful contribution to the development of policies and practices that can match the realities of the emerging electronic information age."

Senator William V. Roth, Jr. (R-DE), Ranking Republican, Senate Committee on Governmental Affairs:

"Since 1988, computer network security breaches have grown dramatically, increasing 50% per year on the Internet--today's information highway. The ability of the government to protect Americans' most private information is at stake. For example, the Internal Revenue Service is among those agencies who rely increasingly on computer networks for such things as filing tax returns. Anyone who pays federal taxes has to wonder who might be browsing through their personal financial data.

"We need to recognize the potential danger and act accordingly. Last year, I asked the Office of Technology Assessment to look at such problems and recommend changes. Its report highlights how today's government institutions are poorly structured to deal with information security. Moreover, the report underscores the fact that much more work must be done.
I intend to pursue hearings on the report and amendments to the Computer Security Act."

** How to Obtain This Report **

* ORDERING INFORMATION: For copies of the 252-page report "Information Security and Privacy in Network Environments" for congressional use, please call (202) 224-9241. Copies for noncongressional use are available from the Superintendent of Documents for $16.00 each. To order, call (202) 512-0132 (GPO's main bookstore) or (202) 512-1800 and indicate stock number 052-003-01387-8. Or you can send your check or your VISA or MasterCard number and expiration date to Superintendent of Documents, P.O. Box 371954, Pittsburgh, PA 15250-7974, [FAX (202) 512-2250]. For free 8-page summaries, please call (202) 224-8996. Federal Express service is available for an additional $8.50 per order.

* ELECTRONIC ACCESS: The full report is available electronically. To download via ftp from OTA, use the following procedures:

    ftp to otabbs.ota.gov (152.63.20.13)
    Login as anonymous.
    Password is your e-mail address.

The files are located in /pub/information.security and the file names and sizes are:

    01README.TXT        (3K)
    02ORDER.INFO.TXT    (4K)
    FOREWORD.TXT        (3K)
    ADVISORY.PANEL.TXT  (3K)
    STAFF.TXT           (1K)
    TOC.TXT             (2K)
    CH1.TXT             (93K)
    CH2.TXT             (169)
    CH3.TXT             (172K)
    CH4.TXT             (299K)
    APPC.TXT            (36K)
    APPD.TXT            (3K)
    APPE.TXT            (4K)

Appendix A--Congressional Letters of Request and Appendix B--Computer Security Act and Related Documents--are not available electronically.

------------------------------

Subject: GPO Puts Bills Online, but Wants You to Pay for Them Twice
-------------------------------------------------------------------

The US Federal Government Printing Office announced last week that it "now has all Congressional Bills available online", as part of its "GPO Access" program. "The Congressional Bills database contains all published versions of House and Senate bills introduced since the start of the 103d Congress."
Though the GPO promises updates to the database by 6am each publishing day, the service is still of limited usefulness to those trying to track the progress of active legislation. Worse yet, GPO expects you to pay for online access to the bills, and the Federal Register, even though your taxes paid for them already, and even though the documents are not covered by copyright and are often available from a variety of internet servers (generally piecemeal - sites tend to archive only those documents related to their own interests, though others are more comprehensive but lagging behind or prohibitively expensive).

The Library of Congress' own LOCIS system provides the text of bills via telnet. Without user fees. However, this method of access leaves a lot to be desired compared to ftp, gopher, or WWW access.

The GPO's Sept. 27, 1994 press release outlined several payment schedules ranging from $35/mo. to $375/year for full or partial single-workstation access. Other problems include failure to implement the system in accordance with simple and widespread standards (e.g. it is necessary to purchase a specialized WAIS client to use the GPO's wide-area information server's features), and failure to provide all of the available material to dialup users as opposed to internet users.

On the bright side, access to Federal Depository Library patrons is free, when there's a connection at all and a terminal available. And the posting of the bills for a fee can be regarded as something of a good start (i.e., it did not require additional legislation to whip the GPO into gear). But is this enough to make this move by the GPO applaudable? Or is this just a mildly "better than nothing" arrangement? That's up to you to decide.

Comments can be submitted to +1 202 512 1530 (voice), +1 202 512 1262 (fax), or help@eids05.eids.gpo.gov.
For the original GPO press release, see:

    ftp.eff.org, /pub/Alerts/gpo_online.announce
    gopher.eff.org, 1/Alerts, gpo_online.announce
    http://www.eff.org/pub/Alerts/gpo_online.announce

[Note: "Flaming" the GPO admins will not help. What might go a long way, over time, to getting these problems resolved are reasoned submissions explaining why failure to adhere to the WAIS standard, and why charging for access to something that is far cheaper to produce than its paper equivalent (and already paid for anyway), are perhaps misguided solutions. Readers might additionally like to know that Congress's General Accounting Office (GAO) is now putting its material online, but also for a fee.]

------------------------------

Subject: Horde of New NII Documents Online at EFF
-------------------------------------------------

There's been a flurry of document-releasing recently at the Information Infrastructure Task Force, the National Performance Review, the National Telecommunications and Information Administration, and the Patent & Trademark Office. EFF is archiving many of the more important documents, including several time-sensitive notices of inquiry, announcements of conferences, and requests for comments, all of which YOU can participate in.

How much of this is hype and how much of this deserves serious attention is a good question, but one might wish to keep in mind that the more agencies talk about regulating NII issues at the same time they are talking about the NII being more like (or just plain being) the Internet, the closer they are to talking about regulating the Internet outright. Speak up now or forever hold thy peace. There are several Requests for Comment included in here, and you owe it to yourself to submit clear and direct comments letting regulators know what you think needs to be done or not done.
Available from:

    ftp.eff.org, /pub/EFF/Policy/OP/
    gopher.eff.org, 1/EFF/Policy/OP
    http://www.eff.org/pub/EFF/Policy/OP/

[NOTE: Due to large number of IITF docs, IITF material may be moved to a Gov_docs subdirectory of .../OP - if you find that the files aren't there, just append Gov_docs to the paths above. This move is not imminent, but probably eventual.]

cat_iitf.charter - Charter of the IITF Committee on Applications and Tech.

fed_med_edu_agri_nii_funding.notices - pile of Federal govt. funding mechanism and grant notices re: agricultural telecom, telemedicine, and distance learning.

gii_iitf.note - Short IITF document on the Global Information Infrastructure. Maybe some less parochial memes are catching on?

hiawg_iitf.charter - Charter of the IITF Health Information and Applications Working Group

iitf.faq - factsheet on IITF, what it is, and what it does.

iitf_0912.report - monthly IITF Committee Report for Sept. 1994

iitf_goals_nii.paper - Selection of IITF papers, "The Information Infrastructure: Reaching Society's Goals".

nii_access_051394_ntia_cpuc_hearing.summary - Summary of NTIA and Calif. Pub. Utility Commission hearing on open access and the NII

nii_access_051394_ntia_cpuc_hearing.transcript - transcript of above hearing

nii_prinicples_progress.report - Clinton Administration "NII Progress Report" and "NII Principles and Actions: A Checklist of Progress" report, 93-94. See also WWW version at: gopher://www.arpa.mil:80/0/NII_Report_94.html

nist_nii_framework.report - NIST report, "Framework for NII Services". See http://www.eff.org/papers/otherpapers.html for WWW version with graphics.

npr_it_082294.report - NPR report, "Reengineering Through Information Technology"

ntia_iitf_nii_94_hearings.report - NTIA/IITF summary of 1994 hearings on NII, open access and universal service. Subtitled "America Speaks Out", natch.

ntia_iitf_uniserv_conf.announce - Announcement of NTIA/IITF virtual conference on universal service and the NII.
    * TIME SENSITIVE - DEADLINE: OCT. 14, 1994 *

ntia_uniserv_access.noi - NTIA Notice of Inquiry on NII universal service & open access issues.
    * TIME SENSITIVE - DEADLINE: DEC. 14, 1994 *

omb_gils.notice - OMB bulletin on establishment of a Government Information Locator Service (GILS)

pto_iitf_nii_security.rfc - Request for Comments and Notice of Hearing (PTO and IITF) on Commercial Security in the NII.
    * TIME SENSITIVE - DEADLINE: OCT. 13, 1994 *

pto_intprop_extension.rfc - Extension to deadline for comments submitted in response to PTO's Request for Comments on draft report on the NII and Intellectual Property Rights.
    * TIME SENSITIVE - DEADLINE: OCT. 21, 1994 *

putting_ii_to_work_iitf.report - IITF report: "Putting Information Infrastructure to Work"

putting_ii_to_work_iitf.comments - public comments from a variety of individuals and organizations on the above report

s1822_doc_irving_092094.testimony - Dept. of Commerce Asst. Secy. Larry Irving's Sept. 20 1994 US Senate testimony before the Antitrust, Monopolies and Business Rights Subcommittee of the Judiciary on S. 1822, the would-be Communications Act of 1994 (Senate companion to the Markey bill, HR. 3636, which implemented most of EFF's Open Platform NII provisions)

satel_gii_doc_irving_hr_072894.testimony - Dept. of Commerce's Larry Irving testimony to House of Rep. on satellite-based technologies and the GII

tpwg_cat_iitf.charter - Charter of the Technology Policy Working Group of the Committee on Applications and Technology of IITF

------------------------------

Subject: What YOU Can Do
------------------------

"The net poses a fundamental threat not only to the authority of the government, but to all authority, because it permits people to organize, think, and influence one another without any institutional supervision whatsoever. The government is responding to this threat with the Clipper Chip."
- John Seabrook, "My First Flame", _New_Yorker_ 06/06/94

Ensuring the democratic potential of the technologies of computer-mediated communication requires active participation in the political processes that shape our destinies. Government agencies, legislatures and heads of state are accustomed to making decisions about the future of technology, media, education, and public access to information, with far-reaching and long-lasting effects on citizens and their lives, but are accustomed to doing so with little input or opposition from anyone but the largest of corporations, and other government representatives.

Now, more than ever, EFF is working to make sure that you can play an active role in making these choices. Our members are making themselves heard on the whole range of issues. EFF collected over 5000 letters of support for Rep. Maria Cantwell's bill to liberalize restrictions on cryptography. We also gathered over 1400 letters supporting Sen. Leahy's open hearings on the proposed Clipper encryption scheme, which were held in May 1994. And EFF collected over 90% of the public comments that were submitted to NIST regarding whether or not Clipper should be made a federal standard.

Additionally, EFF has worked for the passage of legislation that would ensure open access to the information infrastructure of today and tomorrow, and continues to provide some of the best online resources on privacy, intellectual freedom, the legalities of networking, and public access to government representatives and information.

You *know* privacy, freedom of speech and ability to make your voice heard in government are important. You have probably participated in our online campaigns and forums. Have you become a member of EFF yet? The best way to protect your online rights is to be fully informed and to make your opinions heard. EFF members are informed and are making a difference. Join EFF today!
For EFF membership info, send queries to membership@eff.org, or send any message to info@eff.org for basic EFF info, and a membership form.

------------------------------

Administrivia
=============

EFFector Online is published by:

The Electronic Frontier Foundation
1001 G Street NW, Suite 950 E
Washington DC 20001 USA
+1 202 347 5400 (voice)
+1 202 393 5509 (fax)
+1 202 638 6119 (BBS - 16.8k ZyXEL)
+1 202 638 6120 (BBS - 14.4k V.32bis)
Internet: ask@eff.org
Internet fax gate: remote-printer.EFF@9.0.5.5.3.9.3.2.0.2.1.tpc.int

Coordination, production and shipping by:
Stanton McCandlish, Online Activist/SysOp/Archivist

Reproduction of this publication in electronic media is encouraged. Signed articles do not necessarily represent the views of EFF. To reproduce signed articles individually, please contact the authors for their express permission. Press releases and EFF announcements may be reproduced individually at will.

To subscribe to EFFector via email, send message body of "subscribe effector-online" (no "quotes") to listserve@eff.org, which will add you to a subscription list for EFFector.

To get the latest issue, send any message to er@eff.org, and it will be mailed to you automagically. You can also get ftp.eff.org, /pub/EFF/Newsletters/EFFector/current at any time.

------------------------------

Internet Contact Addresses
--------------------------

Membership & donations: membership@eff.org
Legal services: ssteele@eff.org
Hardcopy publications: pubs@eff.org
Technical questions/problems, access to mailing lists: eff@eff.org
General EFF, legal, policy or online resources queries: ask@eff.org

End of EFFector Online v07 #13
******************************