
PRIVACY Forum Digest       Monday, 11 March 1996       Volume 05 : Issue 06

            Moderated by Lauren Weinstein (lauren@vortex.com)         
              Vortex Technology, Woodland Hills, CA, U.S.A.
        
                       ===== PRIVACY FORUM =====              

    -------------------------------------------------------------------
               The PRIVACY Forum is supported in part by the          
                 ACM (Association for Computing Machinery)
                 Committee on Computers and Public Policy,      
          "internetMCI" (a service of the Data Services Division         
      of MCI Telecommunications Corporation), and Cisco Systems, Inc.
                                 - - -
             These organizations do not operate or control the     
          PRIVACY Forum in any manner, and their support does not
           imply agreement on their part with nor responsibility   
        for any materials posted on or related to the PRIVACY Forum.
    -------------------------------------------------------------------


CONTENTS 
        Flying the friendly skies anonymously (Wulf Losee)
        Taping Conversations (Daniel L. Hawes)
        AT&T reverses itself (Joseph S. Fulda)
        Re: AT&T and other phone access accounts (Chris Hibbert)
        Medical records in Maryland (Keep InforM.D.)
        New web page and risks to personal information (Joseph Richardson)
        Garage Door Openers (Carl Minie)
        A far-reaching privacy bill (Beth Givens)
        EPIC on Crypto Bill (David Sobel)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com". 

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com/".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via
WWW access.
-----------------------------------------------------------------------------

VOLUME 05, ISSUE 06

   Quote for the day:

        Pinky: "What are we going to do tomorrow night, Brain?"

        Brain: "The same thing we do every night, Pinky.
                Try to take over the world!"

                    -- Rob Paulsen and Maurice LaMarche
                       "Pinky & The Brain" (1995- )

----------------------------------------------------------------------

Date:    Sat, 24 Feb 1996 12:50:39 -0800
From:    Wulf Losee <WLosee@Getty.Edu>
Subject: Flying the friendly skies anonymously

Recently, when taking a business flight from LA to San Francisco, I
encountered a new and obnoxious "security" requirement that the FAA
has imposed.  I was asked to show a photo ID when checking my
luggage at the ticket counter.  

Normally I do not carry my driver's license with me when I fly to cities
with good public transportation systems (unless I'm going to rent a car).
I've found that it's too easy to lose important documents (such as a
driver's license) in the hustle-and-bustle of traveling.  When the United
Airlines check-in clerk asked me for a photo ID, ironically, I was able to
produce my license which, this time, I had forgotten to leave safely at
home.  I asked the counter clerk what would have happened if I didn't
produce a photo ID -- would they have not let me on the plane?  She
looked troubled (as if that situation had never come up before?), and
replied that my luggage might be subjected to extra scrutiny and that I
might be "monitored".   I asked her why they are doing these ID checks,
and she replied that it has been FAA policy since the Unabomber threat
against LAX.

Having had a security background, I was also interested in how United
(and their FAA masters) would handle a passive challenge to their photo
ID regulation on my flight back from San Francisco.   Being the
subversive and stubborn individual that I am, I was prepared to go as far
as missing my flight to see what their response would be.  When I
checked my luggage, the clerk asked me for a photo ID, and I said I had
none.  She said: "You must have a photo ID!"   I said: "sorry, no one
notified me that I had to bring a photo ID with me to fly".  She left her
booth to get assistance.  An audible groan went up with the people
trapped in line behind me.  The woman directly behind me started to
harangue me -- "Everybody knows you have to bring an ID with you to fly
now!"  I'm afraid I told her she was full of something -- something that the
CDA won't allow me to mention over the Internet.  A harried supervisor
returned and expressed his amazement that I didn't have a photo ID.  I
replied that I didn't know we had become a police state where we had to
prove who we were every time we travel.  "Well, it's FAA policy," he
replied.  I said that they were welcome to search me and my luggage to
see that I was carrying nothing dangerous or illegal.  He took me out of
line at that point.  He started calling his supervisor, pleading what to do.
"Well, do you have any ID?  Any ID at all?" he asked.  I produced a
credit card (not one of those cards with photos on them).  He sighed in
relief (but he didn't even check my name against the name on the ticket)
and let me proceed through.  

Upon arrival at LAX, I could detect no signs that my checked luggage had
been searched.

It occurs to me that the days when one could anonymously purchase a
ticket with cash are over.  Being able to travel anonymously in the US (at
least by air) is no longer a real possibility (unless one has access to
counterfeit IDs).  It seems likely that airports will soon become, if they are
not already, a point where the government actively tracks the
movements of its citizens (for their own good, of course!).  Likewise, I
was surprised at how poorly airline security responded to my ploy of
claiming not to have a photo ID.   I suspect that my ploy will not be
possible in the near future, as the airlines and FAA develop ways to
tighten up on security.  

Any comments from my fellow Privacy readers?

Thanks,
Wulf

I do not speak for my employer, and my employer does not speak for me. 

        [ The airport system operates on the basis of various "alert"
          levels.  In the wake of terrorist activity anywhere in the world,
          these levels may be raised here in the U.S., and afterwards may
          not rapidly fall to their original levels.  Additionally,
          the standard of "normal" security is being gradually raised
          throughout the system.  One of the most serious of these
          security issues relates to checked baggage.  The airlines need
          to try to make sure that no baggage gets onto a plane that doesn't
          have an identifiable face to go with it.  Are these measures
          overly intrusive?  Probably not, given the scope of the potential
          problem.  In some parts of the world the "normal" security
          standard is much higher, and definitely more intrusive.
          Are these measures guarantees against terrorist events?
          Of course not; a determined person who doesn't care about their
          own safety is nearly impossible to stop--as recent events
          again underscore.  But in an imperfect world, it's all a matter
          of balance.
                        -- MODERATOR ]

------------------------------

Date:    6 Mar 1996 11:43:26 EDT
From:    dlh@marsmedia.com (Dlh)
Subject: Taping Conversations

==== In response to "CHARLES R TREW" <CTREW@MAIL.LOC.GOV>
==== Subject: Taping Conversations, in reply to a query
==== regarding taping of teacher/parent interviews at a school
==== from David J. Coles <DJC1143@aol.com>

==== COLES SAID:
I am a teacher in a large school system.  Recently I had a conference
with a very abusive parent.  The tone and actions  of this parent were
very threatening to me.  I feel I need some protection at future
conferences.

Is it legal for me to tape record future conferences with this parent?
Is it legal to do so without his knowledge?  Must I inform him in
advance if I intend to tape the conference?  If he refuses, may I
still legally tape the conference?

==== TREW SAID:
Any calls made to you at your home are fair game and, contrary to
popular belief, you do not have to inform the other party you are
recording.  For most practical purposes most phone calls are fair
game for either party on the line; restrictions are primarily
against third parties listening in unbeknownst to the other two.
As I said, though, you are in a sensitive spot at the office.

Finally, if you decide to tape your office, home, phone, etc.
never indicate to your subject you are going to tape them.
You will all but guarantee an unpleasant discussion. If it's legal,
it's your business anyway. If you are unsure you can always play
the tape for your lawyer and then make a determination.

==== COMMENTS BY DAN HAWES:
While Federal law permits the recording of a private telephone
conversation when any party to the conversation consents, there
are a few states which have enacted laws with stricter standards,
requiring the consent of all parties prior to the recording.

Note that eavesdropping using any kind of device is prohibited to
the same extent as is recording, with respect to private conversations.
In addition, Virginia law, and probably the laws of some other states,
imposes further restrictions upon the recording of telephone
conversations as a matter of admissibility of evidence.  Unless the
conversation involves an admission of criminal wrongdoing or
is in itself criminal in nature, the party recording the conversation
must advise all other parties of the fact of the recording, and must
state the identity of all parties to the conversation, the date and
the time, at the beginning of the taped part of the conversation, or
the tape will be inadmissible as evidence.

Also, note that the proscription against the nonconsensual recording
and eavesdropping only applies to private conversations, not all
conversations.  And in this context, the term, "private" means that
the individual has a "reasonable expectation of privacy" as that
phrase has been used by the U.S. Sup. Ct. in interpreting the "search
and seizure" logic of the Fourth Amendment.  This is because the laws
prohibiting nonconsensual recording were enacted pursuant to the
Federal Omnibus Crime Control and Safe Streets Act of 1968, and were
intended to clarify the conditions under which law enforcement
agencies could conduct surveillance on citizens.

Finally, as to the suggestion that one tape first and ask the attorney
later, I would advise the opposite.  If the taping was criminal in
nature, it will be illegal for the attorney to keep the tape, and it
will be illegal to destroy the tape.  While the attorney does not have
to disclose the identity of the client, he will have to turn the tape
over to the court as possible evidence, which may amount to the same
thing. Also, some states require proof of a "willful" violation, as
opposed to an "intentional" violation.  The difference is that proof
of acting on advice of counsel is a defense to a "willful" violation
(proof of an "intentional" violation requires only a showing that the
person made the recording - to which insanity and mental incompetence
are the only defenses).  Ask the attorney first.  If in doubt, don't.

Remember that the only "real" evidence is what a witness sworn to
tell the truth will tell the court under oath.  Documents, tapes,
charts, etc. are only for the purpose of supporting testimony.
Instead of taping, make contemporaneous hand-written notes of the
conversation, identifying the date, time, person spoken with, and
the relevant details of the conversation.  You can refer to your
contemporaneous notes in a trial to refresh your recollection of
what was said.  Also, there is federal case law to the effect that
having another person listen in on an extension telephone is not
"eavesdropping using a device"; this is permissible in most states.
This is a complicated area of law.  Get advice of counsel before
using any kind of device to eavesdrop on, listen to, or record the
private conversations of other people.  Violations are generally
punished as felonies.  It isn't something to make mistakes about.

Daniel L. Hawes, Attorney at Law  (Virginia)
Practice Limited to Civil Litigation.

------------------------------

Date:    Sun, 25 Feb 1996 03:23:38 -0800 (PST)
From:    Joseph S Fulda <kcla@csulb.edu>
Subject: AT&T reverses itself

The AT&T Universal Card (both VISA and MASTERCARD) used to require a PIN 
for telephone access to billing information--one of the few card-issuers 
to so require.  The password now is just one's zip code.  I inquired as 
to why the change was effected and was told that AT&T's customers didn't 
like having to use a PIN!  Reminds one, yet again, that the price of 
liberty is eternal vigilance.  To AT&T's credit, however, the billing 
information now omits the credit line and available credit remaining.

Joseph S Fulda, CSE, PhD              Telephone: (212) 927-0662
701 West 177th Street, #21            
New York, NY 10033                    E-mail: kcla@csulb.edu

                [ In fact, reports indicate that quite a variety
                  of information is indeed available via this system,
                  virtually all of it of the sort that by all rights
                  should be protected by a PIN.  I'd urge persons
                  carrying these cards to contact their customer 
                  service reps (the number is usually printed on the
                  back of the cards) and make your feelings known
                  about the ease with which your credit card
                  information can be accessed without reasonable
                  protections.  Such complaints, if made by enough
                  people, can have an impact.

                                -- MODERATOR ]
                  

------------------------------

Date:    Sun, 25 Feb 96 11:24:10 -0800
From:    Chris Hibbert <hibbert@netcom.com>
Subject: Re: AT&T and other phone access accounts

DPeretz@accessone.com wrote about AT&T's InfoExpress system which
allows anyone to access someone else's account history without a
password, and then use the information gained as evidence that they
are the person who owns the account and change various options on the
account.  When DPeretz asked the account rep to turn off InfoExpress,
s/he was informed that it wasn't possible.

When I encounter this problem, the next request I make is that a
password be added to my account, both for the phone access, and to
make change orders.  I haven't tried it in the case of a telephone
company's services, but many other firms are quite willing to go
along.  I'm also pleased to report that they almost never let me add the
password over the phone without detailed identifying information.
Usually, they won't do it over the phone at all, and ask for a request
in writing.  

I also have usually been able to get the company to include a prompt.
The clerks don't always understand that, but I can usually get them to
use it correctly.  I think they're putting the prompt in a comment
field, but it works.

Sample dialogue:

Me:  This is Chris Hibbert.  My account # is xxxx.  I'd like to order
yyy.

Rep:  One moment... I have your account here.  It says I'm supposed to
ask you for a password.

Me:  Oh right.  Now which password was that?  Is there a prompt there?
What hint did I give?

Rep:  What do you mean?  Oh, I see.  It says I should ask you for a
color.

Me:  Oh, of course.  Then the password is "Olive drab."

This way I can use a different password for each service, and I can
make them obscure.  I get a hint that'll help me, but presumably not
an imposter.

Chris

                        [ Some firms will do this.  Many won't. 
                          My experience is that this option is most often
                          not available, and in some cases where it
                          is available the passwords are not
                          uniformly required to get at the info
                          (e.g. if you claim you forgot the password
                          they might go ahead and give you the information
                          anyway!)  A poorly implemented password system,
                          by giving an "illusion" of security, can be
                          worse than no passwords at all.

                                        -- MODERATOR ]
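
As an added illustration, not part of Chris Hibbert's post or the moderator's note, the following Python models the hint-plus-password arrangement described above and the moderator's failure mode: a rep who asks for the password but hands over the information anyway when the caller says they forgot it. The account number, hint, password and statement text are constructed, and the function names are mine.

```python
# Added example: a per-account password with a hint ("ask for a color"),
# as in the post above, and two ways a service rep's lookup can enforce it.
# All account data here is constructed for illustration.
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Account:
    number: str
    hint: str          # the prompt the rep reads back, e.g. "a color"
    salt: bytes
    pw_hash: bytes
    statement: str     # the sensitive information the caller wants


def _derive(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the stored value is not the password itself
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def create_account(number: str, hint: str, password: str, statement: str) -> Account:
    salt = os.urandom(16)
    return Account(number, hint, salt, _derive(password, salt), statement)


def hint_for(acct: Account) -> str:
    # The only thing revealed before authentication is the hint itself
    return acct.hint


def check_password(acct: Account, candidate: str) -> bool:
    # Constant-time comparison of the derived hashes
    return hmac.compare_digest(_derive(candidate, acct.salt), acct.pw_hash)


def rep_lookup_weak(acct: Account, answer):
    """The 'illusion of security' the moderator warns about: the rep asks
    for the password, but a caller who says they forgot it (answer=None)
    is given the statement anyway."""
    if answer is None:
        return acct.statement           # bypass: sympathy overrides policy
    return acct.statement if check_password(acct, answer) else None


def rep_lookup_uniform(acct: Account, answer):
    """Uniform enforcement: no valid password, no data, whatever the
    caller's reason.  A forgotten password goes through a separate reset
    path (a written request, as some firms in the post require)."""
    if answer is not None and check_password(acct, answer):
        return acct.statement
    return None


if __name__ == "__main__":
    acct = create_account("1234", "a color", "Olive drab", "Feb statement: $42.00 due")
    print("Rep prompt:", hint_for(acct))
    print("Weak, forgot password:", rep_lookup_weak(acct, None))
    print("Uniform, forgot password:", rep_lookup_uniform(acct, None))
    print("Uniform, right password:", rep_lookup_uniform(acct, "Olive drab"))
```

The point of the two lookup functions is that the stored hash and the hint are identical in both; only the rep's decision path differs, which is why a password that is "not uniformly required" protects nothing.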

------------------------------

Date: Mon, 26 Feb 1996 03:18:45 +0500
From: "Keep InforM.D." <informed@access.digex.net>
Subject: Medical records in Maryland

In 1993, the Maryland legislature passed a sweeping health care reform bill
known as HB 1359.  This 81-page bill, signed by Governor Schaefer, created
(among other things) the Health Care Access and Cost Commission (HCACC) and
charged them to create a database of ALL encounters with providers of care
by patients.  The following must be reported to A STATE AGENCY (HCACC)
WITHOUT YOUR CONSENT !!!  

Taken from HCACC Notice of Proposed Action dated 06/23/95

(1) Patient ID (your insurance ID number encrypted)
(2) Patient Date of Birth
(3) Patient Sex
(4) Patient Race (W, B, Asian or Pacific Islander, Native American, Other)
(5) Patient ZIP Code
(6) Patient Covered by Other Insurance
(7) Coverage Type (Medigap, Individual, Self Insured, Employer Plan,
    Public Employee)
(8) Delivery System Type (HMO, P(oint) O(f) S(ervice), PPO or other
    Managed Care, Indemnity)
(9) Claim Related Condition (Non accident, Work, Auto accident, Other
    accident)
(10) Practitioner Tax ID
(11) Participating Provider Indicator (Yes, No, Not coded)
(12) Claim Total Charge
(13) Claim Allowed Charge
(14) Reimbursement Amount
(15) Patient Liability (Patient copay and/or deductibles)
(16) Type of Bill (interim or final, etc.)
(17) Claim Control Number (the internal control number used by insurers
     to track claims)
(18) Claim Paid Date
(19) Number of Diagnosis Codes (up to ten indicators of your illness)
(20) Number of Line Items (up to 15 procedures)
(21) Diagnosis Codes (see (19))
(22) Service From Date (beginning treatment date)
(23) Service Thru Date (ending date)
(24) Type of Service (Phys, Pharmacy, Lab, Medical equipment, Surgery,
     Dental)
(25) Place of Service (Inpatient, Outpatient hospital, Office, Surgicenter,
     Home, State or Local Clinic, Hospice, Intermediate Care Facility,
     Comprehensive Care Facility)
(26) Service Location ZIP Code
(27) Unit Indicator (Miles, Anesthesia, Visits, Oxygen Units, Blood Units)
(28) The Number of Units in (27)
(29) Procedure Code (What Care was Provided)
(30) & (31) Modifiers
(32) Servicing Practice Identifier
(33) Billed Charge
(34) Amount Allowed

also---
Collect appropriate information relating to prescription drugs for each type
of patient encounter with a pharmacist ...

Issue 1
You will not have the right to deny the state access to this information.

Issue 2
Psychiatric patients, in an effort to protect themselves from outsiders
gaining knowledge of their treatment, pay the bills themselves to avoid the
insurance company making a record and their employer finding out they are in
treatment.  THEY WILL LOSE THAT PROTECTION!!!

Issue 3 
In 1996 and beyond, do you really want a governmental agency to have this
access to your personal life ?

Issue 4
This information MUST BE PUBLISHED BY LAW.  With all of the 34 items above,
it will be very easy to identify you.  This information will be sold without
restriction.

Issue 5
Notice that RACE is a required element.

Issue 6
Does the state need to know your prescriptions?  Let's suppose a
pharmaceutical company buys the information (they do in Florida- I verified
it!!) they could mail brochures to you on drugs THEY want you to take.

Issue 7
Florida tracks only 80 surgical and medical codes.  Why does the state need
everything ?

Issue 8
What could a divorce lawyer do with the information (custody battle, etc.)?

Issue 9
What about patients who are HIV+ or have AIDS ?

Issue 10
Most states (No. Carolina, Virginia, California, Utah) who have created a
much more limited version have already sold or given the database to a
PRIVATE CONCERN.  So don't be lulled into thinking that the state will
always have control.  In the law - they are allowed to contract with ANY
nonprofit entity that is not an insurer.

WHAT CAN YOU DO ?

HB 557 mandates that you CONSENT in writing EACH TIME you are treated.  That
Hearing is set for Thursday FEBRUARY 29, 1996 in the Environmental Matters
hearing room (Room 160) in The Lowe House Office Building in Annapolis Maryland.

If you can't attend please call your representative at 1-800-492-7122.

Other bills (HB 1018, HB 1030, HB 1031) related to this matter will be heard
that day also.

YOU CAN E-MAIL ME YOUR SENTIMENTS AND I WILL TAKE THEM WITH ME AND PRESENT
THEM ON YOUR BEHALF WHEN I TESTIFY.

e-mail 
informed@access.digex.net

Do not give up your right to privacy.  You must act to save it.  It is about
to be stripped from you if you don't speak up. 

Keep InforM.D.
Health Care News and Legislative Services
P. O. Box 709
Riderwood, Maryland 21139-0709
informed@access.digex.net
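
Issue 4 above says that with the listed fields it "will be very easy to identify you" even though the patient ID is encrypted.  As an added example that is not part of the post, the Python below makes that concrete on a constructed set of records: it groups records by the quasi-identifiers the list requires (date of birth, sex, ZIP code) and reports the smallest group size k; a k of 1 means some patient is unique on those fields alone.  The generalization step (birth year and 3-digit ZIP prefix) is a standard release mitigation I have added for comparison; it is not something the HCACC notice proposes.  All records and diagnosis labels are constructed.

```python
# Added example: how identifying the demographic fields in the HCACC list
# are, even with the patient ID encrypted.  Records are constructed; the
# check groups them by quasi-identifiers (date of birth, sex, ZIP) and
# reports the smallest group size k.  k == 1 means some record is unique
# on those fields alone.
from collections import Counter

# Constructed sample; field names follow items (1), (2), (3), (5), (21)
RECORDS = [
    {"patient_id": "enc-0001", "dob": "1961-04-12", "sex": "F", "zip": "21139", "dx": "dx-1"},
    {"patient_id": "enc-0002", "dob": "1961-09-30", "sex": "F", "zip": "21139", "dx": "dx-2"},
    {"patient_id": "enc-0003", "dob": "1985-01-02", "sex": "M", "zip": "21204", "dx": "dx-3"},
    {"patient_id": "enc-0004", "dob": "1985-07-19", "sex": "M", "zip": "21204", "dx": "dx-4"},
    {"patient_id": "enc-0005", "dob": "1961-04-12", "sex": "F", "zip": "21139", "dx": "dx-5"},
    {"patient_id": "enc-0006", "dob": "1985-12-25", "sex": "M", "zip": "21204", "dx": "dx-6"},
]

QUASI_IDENTIFIERS = ("dob", "sex", "zip")


def key_of(record, fields=QUASI_IDENTIFIERS):
    return tuple(record[f] for f in fields)


def equivalence_classes(records, fields=QUASI_IDENTIFIERS):
    """Count how many records share each combination of quasi-identifiers."""
    return Counter(key_of(r, fields) for r in records)


def min_k(records, fields=QUASI_IDENTIFIERS) -> int:
    """Smallest class size: the dataset is k-anonymous for this k."""
    return min(equivalence_classes(records, fields).values())


def unique_records(records, fields=QUASI_IDENTIFIERS):
    """Records that are the only member of their class (re-identifiable
    by anyone who knows one person's birth date, sex and ZIP)."""
    classes = equivalence_classes(records, fields)
    return [r for r in records if classes[key_of(r, fields)] == 1]


def generalize(record):
    """Mitigation added for comparison (not in the HCACC notice): coarsen
    DOB to birth year and ZIP to its 3-digit prefix before release, so
    fewer combinations are unique."""
    return {**record, "dob": record["dob"][:4], "zip": record["zip"][:3]}


if __name__ == "__main__":
    print("k on raw records:", min_k(RECORDS),
          "unique:", len(unique_records(RECORDS)))
    coarse = [generalize(r) for r in RECORDS]
    print("k after generalization:", min_k(coarse),
          "unique:", len(unique_records(coarse)))
```

On the six constructed records, four are unique on the three demographic fields before generalization and none are afterwards; adding the remaining items from the list (practitioner tax ID, service dates, service location ZIP) to the quasi-identifier tuple only makes the raw classes smaller.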

------------------------------

Date: Thu, 7 Mar 1996 09:11:41 -0500
From: Joseph125@aol.com
Subject: New web page and risks to personal information

    [ From Risks-Forum Digest; Volume 17 : Issue 86 ]

The web page of the week in the most recent Information Week is
www.switchboard.com.  It is a compilation of the telephone white pages from
all across the nation.  You can search on combinations of last name, first
name, city and state to find long lost friends, relatives or just
interesting names.  (A quick search found a Santa Claus in FL and a Bunny
Easter in WA.)

This kind of information is not particularly new, of course.  What is
interesting is that Switchboard allows you to register by identifying your
listing and sending your email address.  They send back a password.  Now you
can login and add or modify information in your listing or even make your
listing "unlisted".  It is clearly a very easy thing to use throwaway email
addresses to modify any number of listings.  Switchboard admits as much in
their policy statement (http://www2.switchboard.com/policy.htm) saying that
their security is "designed to discourage" such impersonation.  They will
correct any falsification with appropriate documentation and take steps
(this seems to mean blocking access from the offending email address) to
prevent additional occurrences including, if applicable, legal action.  (I
fear there is very little substance behind that claim.)

Despite Switchboard's benevolent claims, the possibilities make me nervous.

I should note that when a listing has been modified by a user, it appears
with an asterisk.

Joseph Richardson (Joseph125@aol.com)

        [ I've already been in contact with the operators of this 
          service and expressed my concerns to them (I received a polite
          reply back indicating that they are at least aware of these   
          issues).  The ability to modify entries, without (in my view)
          adequate verification procedures was indeed my first concern
          as well.  To their credit, it's refreshing to see an organization
          providing such data that at least publicly acknowledges that
          these issues exist. 

          As far as the data itself is concerned, it does indeed appear to
          be based on white pages info, though in some cases listings that
          appear in telco records as first initial/last name may be shown
          with the full first name; this is a matter of concern to some
          people.  There appears to be considerable stale data in the
          database (which is to be expected), and anecdotal evidence
          suggests that city names in particular may have a particularly
          high error rate.  For the many persons who have their listings
          without any address shown in the telco records, the database
          apparently inserts a city name "guess" (based on phone prefix?)
          which appears to often be way off the mark.

          As usual, I urge you to make your feelings about this service,
          both pro and con, known to the folks who are operating it.
                                
                        -- PRIVACY Forum MODERATOR ]

------------------------------

Date:    Mon, 26 Feb 1996 14:50:33 -0500
From:    Carl Minie <CarlM@qsc1po.qstr.com>
Subject: Garage Door Openers

Greetings:

I have heard several "teasers" for local and/or national news programs
lately which promise to tell me how a crook could get into my house
"with the touch of a button".  I never watch TV long enough to hear the
actual program, but I assume they are referring to machines which
cycle through the limited number of infrared frequencies and/or patterns
used by garage door openers until they hit the one that opens your
garage door.  I have read of such devices in "The Whole Spy Catalog"
and other unusual sources.  My questions, for anyone informed about
garage door openers or burglary techniques or both, would be:

1) Is this a growing problem, or just another way to keep you watching
more commercials until the news comes on?

2) How difficult are these devices to come by?  Do I need a license,
or just some letterhead and checks printed with "Barabbas Garage
Door Openers And House Cleaners Inc."?

3) Is there any way to prevent one of these devices from working on
my garage door, other than setting the "Lock" switch on the inside of
the door which also prevents me from using my own remote?

Thank you for your replies.

                [ Like most security-oriented devices, there is
                  a range of protection offered by different
                  equipment.  It is certainly true that most garage door
                  systems on the market until recently used either
                  no codes (!) or simple/limited code systems that could
                  indeed be easily cracked by the appropriate devices.
                  There are newer systems now that use long word length,
                  pseudorandom, key-changes-with-each-use codes,
                  and these can be very secure.  It's worth noting,
                  however, that a person determined to gain entry
                  to your garage is likely to use very low tech, but 
                  very effective, means to do so, that won't involve
                  any electronics at all...

                                -- MODERATOR ]
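
As an added example, not part of Carl Minie's query or the moderator's reply, the Python below is a toy model of the two opener designs the moderator contrasts: a fixed code that is compared directly and therefore accepted again on every replay, and a "key-changes-with-each-use" rolling code that derives each transmission from a shared secret and a counter, accepts a given counter only once, and resynchronizes only within a bounded look-ahead window.  The key, the 32-bit transmission width and the window size are constructed; real products differ in detail.

```python
# Added example: a toy comparison of the two opener designs the moderator
# contrasts.  The fixed-code receiver accepts one short code forever, so a
# captured transmission can simply be replayed.  The rolling-code receiver
# derives each transmission from a shared secret and a counter, accepts a
# counter value only once and only within a look-ahead window.  Key, code
# width and window size are constructed; real products differ in detail.
import hashlib
import hmac


class FixedCodeReceiver:
    """Older design: a code set by DIP switches, compared directly."""

    def __init__(self, code: int):
        self.code = code

    def accepts(self, code: int) -> bool:
        return code == self.code      # same answer every time: replayable


def rolling_value(key: bytes, counter: int) -> int:
    """Keyed pseudorandom 32-bit transmission for a given counter value."""
    mac = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


class RollingRemote:
    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def press(self) -> int:
        self.counter += 1                 # code changes with each use
        return rolling_value(self.key, self.counter)


class RollingReceiver:
    def __init__(self, key: bytes, window: int = 16):
        self.key = key
        self.last = 0                     # highest counter accepted so far
        self.window = window              # how far ahead we will resync

    def accepts(self, value: int) -> bool:
        # Search only counters strictly greater than the last accepted one,
        # so an already-used (replayed) transmission is never accepted.
        # Presses made out of range of the door advance the remote's
        # counter; the window lets the receiver catch up without a reset.
        for c in range(self.last + 1, self.last + 1 + self.window):
            if rolling_value(self.key, c) == value:
                self.last = c
                return True
        return False


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    remote, receiver = RollingRemote(key), RollingReceiver(key)
    first = remote.press()
    print("first press accepted:", receiver.accepts(first))
    print("same value replayed:", receiver.accepts(first))
```

The window is the usual trade-off: too small and a remote pressed a few times away from the door stops working until it is re-paired; too large and the receiver does more work per press.  A remote that has drifted past the window is rejected rather than silently accepted, which is the behaviour the model is meant to show.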

------------------------------

Date:    Thu, 29 Feb 1996 18:21:56 -0800 (PST)
From:    Beth Givens <bgivens@pwa.acusd.edu>
Subject: A far-reaching privacy bill

California state senator Steve Peace has introduced a bill,
which if it passes, will give consumers a great deal of control
over their personal information. The bill reads in part:

        "No person or corporation may use or distribute for profit
any personal information concerning a person without that person's
written consent. Such information includes, but is not limited to,
an individual's credit history, finances, medical history,
purchases, and travel patterns."

Senator Peace himself admits that the language is very broad at
this time, and that the bill will no doubt be altered radically
before it comes up for a vote. 

Beth Givens                             Voice: 619-260-4160
Project Director                        Fax: 619-298-5681
Privacy Rights Clearinghouse            Hotline (Calif. only):
Center for Public Interest Law             800-773-7748
University of San Diego                    619-298-3396 (elsewhere)
5998 Alcala Park                        e-mail: bgivens@acusd.edu
San Diego, CA 92110                     http://pwa.acusd.edu/~prc

------------------------------

Date:    6 Mar 1996 14:07:25 -0500
From:    "David Sobel" <sobel@epic.org>
Subject: EPIC on Crypto Bill

Washington, DC
March 6, 1996

Sen. Patrick Leahy (D-VT) and several other co-sponsors have introduced 
the Encrypted Communications Privacy Act of 1996 (S.1587).  The proposed 
legislation comes in the midst of an ongoing debate concerning U.S. 
encryption policy and at a time when the need for secure electronic 
communications is becoming widely recognized.  The explosive growth of 
the Internet underscores the need for policies that encourage the 
development and use of robust security technologies to protect sensitive 
personal and commercial information in the digital environment.  The 
Electronic Privacy Information Center (EPIC) has long advocated adoption 
of a national encryption policy that emphasizes the protection of 
personal data and encourages the widespread dissemination of privacy-
enhancing technologies.

The text of the proposed legislation is available at:

     http://www.epic.org/crypto/legislation/s1587.html


                             Analysis 

The proposed Encrypted Communications Privacy Act addresses a number of 
unresolved issues concerning the use of encryption technology.  The 
proposed legislation would:

- Relax export controls by transferring authority for export decisions 
to the Secretary of Commerce, and mandate the removal of controls on 
"generally available" encryption software;
 
- Create a legal framework for key escrow agents, including an 
obligation to disclose keys and assist law enforcement, and establish 
penalties for improper disclosure;

- Affirm the freedom to use and sell encryption within the United 
States; and

- Criminalize the use of encryption which may have the effect of 
obstructing a felony investigation.


  Export Control
  --------------

The bill moves encryption policy in the right direction by placing 
export control authority in the Commerce Department, rather than the 
State Department and the National Security Agency (NSA) -- the agencies 
currently charged with that responsibility.  However, the legislation 
would only remove export controls on encryption software to the extent 
that software with similar capabilities is "generally available," or in 
the "public domain or publicly available."  Likewise, controls would be 
lifted on hardware with encryption capabilities only if "a product 
offering comparable security is commercially available from a foreign 
supplier."  These limitations raise two concerns:

1) The Commerce Department historically has been dependent upon NSA for 
assessments of the worldwide availability of encryption technology.  The 
Commerce Department recently released the results of a survey it 
conducted of foreign encryption products.  Portions of the Department's 
report were classified by NSA and withheld from public disclosure   
(EPIC is currently seeking the release of the complete report in a 
lawsuit filed under the Freedom of Information Act; Electronic Privacy 
Information Center v. Department of Commerce, C.A. No. 95-2228 
(D.D.C.)).  By conditioning the relaxation of export controls on a 
finding that similar products are "generally available," the legislation 
will likely perpetuate NSA's ability to influence export determinations 
and to thwart public oversight of Commerce Department actions.

2) The "generally available" requirement will continue to hamper the 
development of innovative security technology by U.S. firms.  
Restricting exports to products comparable to those already "available 
from a foreign supplier" will ensure that foreign, and not domestic, 
firms will be on the leading edge of privacy-enhancing technology.  This 
is necessarily a non-competitive trade policy that will continue to 
obstruct the development of strong encryption.

EPIC supports the efforts of the bill's sponsors to liberalize export 
control, but EPIC believes the bill should go further. EPIC supports the 
complete repeal of these out-dated barriers to the development and 
dissemination of software and hardware with encryption capabilities.  
This is a necessary step to ensure the development of a secure Global 
Information Infrastructure that promotes on-line commerce and preserves 
individual privacy.


   Key Escrow Procedures
   ---------------------

As currently drafted, the bill does little to roll back the deployment 
of Clipper-inspired key-escrow encryption within the federal government.  
Indeed, a significant portion of the legislation is devoted to 
establishing a legal framework for the management of key-escrow systems 
in the private sector.  

The bill would restrict certain activities by key holders and impose 
criminal and civil penalties for the unauthorized disclosure of keys.  
Key holders could only release keys (1) with the consent of the person 
whose key is held; (2) as may be "necessarily incident to the holding of 
the key;" and (3) to law enforcement or investigative officers pursuant 
to federal wiretap law or the Foreign Intelligence Surveillance Act.  
Under the current bill, keys could be disclosed to law enforcement 
officials without satisfying a warrant requirement.

The legislation also establishes reporting requirements on the number of 
orders and extensions served on key holders to obtain access to 
decryption keys or decryption assistance consistent with current 
reporting requirements in the federal wiretap statute.  However, there 
are no provisions for notifying the subject of an investigation when 
keys are disclosed, even for the purpose of alerting the subject that 
the security of keys may have been compromised.

Statutory protection for the privacy of encryption keys appears to be a 
worthy goal.  The bill's key-escrow procedures, however, must be 
considered in the context of the larger policy debate concerning 
encryption.  Beginning with Clipper and continuing with the more recent 
"commercial key-escrow" proposal, law enforcement agencies and the 
national security community have lobbied aggressively for the 
implementation of key-escrow systems that would provide government the 
ability to decrypt secure data.  Such proposals have also been supported 
by companies that have received substantial government contracts or 
promises of special deals on export licenses.  Users and most businesses 
have remained firmly opposed to the key-escrow concept.  Indeed, there 
is virtually no installed base for key-escrow encryption, while the 
number of users of non-escrowed encryption is in the millions.  By 
placing a Congressional imprimatur on the key-escrow concept, the 
legislation will have the effect of supporting an escrow scheme that has 
already been rejected by users and businesses.  A statutory scheme that 
creates a legal framework for key-escrow is contrary to the privacy 
interests of network users and the security needs required for network 
development.

EPIC recommends that the key escrow provisions of the bill be dropped.


   Freedom to Use and Sell Encryption
   ----------------------------------

The proposed legislation appears to affirm an absolute right to use and 
sell encryption, but a close reading of the bill shows otherwise.  The 
proposed legislation provides that it "shall be lawful for any person 
within ... the United States ... to use any encryption ..."  and "to 
sell in interstate commerce any encryption ..."  It then modifies that 
language with the words "except as provided in this Act and the 
amendments made in this Act or in any other law."

As described below, the bill then sets out the first criminal penalties 
yet proposed for the domestic use of encryption.  Other similar 
provisions could easily be added.  Since there is currently no 
regulation of encryption in the United States, supporters of the bill 
must explain what will be accomplished by this effort to establish a 
government regulatory scheme for the use of encryption.

EPIC believes that there is a fundamental constitutional right to use 
encryption and would support only an unconditional articulation of that 
right.  The current statutory framework clearly opens the door to 
further regulation of privacy-enhancing technologies.


   "Unlawful Use of Encryption"
   ----------------------------

The proposed legislation contains the first explicit criminal penalties 
for the use of encryption within the United States.  It would 
criminalize the use of encryption to "obstruct, impede, or prevent the 
communication of information in furtherance of a felony ... to an 
investigative or law enforcement officer."  This provision is unlikely 
to add much to the existing legal arsenal available to law enforcement 
agencies or prosecutors.  Use of encryption in furtherance of a crime 
could currently be prosecuted under existing conspiracy and obstruction 
of justice statutes.  The effect of the proposed provision could be to 
discourage the deployment of encryption where it is appropriate and to 
raise unnecessary suspicion about the use of routine security 
procedures.  The net result could be an increased risk to public safety 
and network security.

EPIC recommends that this provision be struck from the bill.  As 
currently drafted, it is far too broad to serve any useful purpose.


   Conclusion
   ----------

The proposed Encrypted Communications Privacy Act provides an 
opportunity to revise outdated encryption policies that have undermined 
network security, jeopardized personal privacy and frustrated public 
accountability.  Although the current draft of the bill does not go far 
enough in removing antiquated controls on the export of encryption 
technology, the proposal recognizes the need for sweeping changes to the 
export regime.  Removal of export restrictions on encryption technology 
is a pressing need and Congress should address the issue expeditiously.

Less desirable is the bill's promotion of key-escrow encryption.  This 
is the Clipper-like scheme that should finally be laid to rest.   
Congressional action on key-escrow management is unnecessary and the 
issue certainly need not be addressed in conjunction with a relaxation 
of export controls.  Legislation concerning key-escrow will have a 
detrimental effect on the development of secure network technologies and 
necessary privacy safeguards.  EPIC will remain opposed to this 
provision.

EPIC commends the sponsors of the proposed legislation for moving the 
public debate on the relaxation of export controls forward and 
recognizing the need for an overhaul of an out-dated policy.  We are 
confident that further consideration of the unnecessary and potentially 
dangerous provisions contained in the current version will result in a 
legislative approach that best serves the needs of all concerned -- 
users, industry and government.

------------------------------

End of PRIVACY Forum Digest 05.06
************************

Copyright © 2005 Vortex Technology. All Rights Reserved.