PRIVACY Forum Archive Document


PRIVACY Forum Digest      Sunday, 5 October 1997      Volume 06 : Issue 14

            Moderated by Lauren Weinstein (lauren@vortex.com)         
              Vortex Technology, Woodland Hills, CA, U.S.A.
                         http://www.vortex.com 

                       ===== PRIVACY FORUM =====              

    -------------------------------------------------------------------
                 The PRIVACY Forum is supported in part by
               the ACM (Association for Computing Machinery)     
                 Committee on Computers and Public Policy,      
          "internetMCI" (a service of the Data Services Division         
      of MCI Telecommunications Corporation), and Cisco Systems, Inc.
                                 - - -
             These organizations do not operate or control the     
          PRIVACY Forum in any manner, and their support does not
           imply agreement on their part with nor responsibility   
        for any materials posted on or related to the PRIVACY Forum.
    -------------------------------------------------------------------


CONTENTS 
        Shadows in the Mirror: The Looming Problems of Web Caching
           (Lauren Weinstein; PRIVACY Forum Moderator)
        House Committee Rejects Domestic Crypto Ban (EPIC-News List)
        ID Cards to Cost $10 Billion (EPIC-News List)
        FC: ACLU, EPIC oppose deviant Markey-White version of SAFE
           (Declan McCullagh)
        New PGP "Everything the FBI ever dreamed of" (Martin Minow)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic list handling system;
for subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com". 

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the list handling system.  Please follow the instructions above
for getting the "help" information, which includes details regarding the 
"index" and "get" commands, which are used to access the PRIVACY Forum 
archive via the list handling system.

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com/".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL:  "http://www.vortex.com"; full
keyword searching of all PRIVACY Forum files is available via WWW access.
-----------------------------------------------------------------------------

VOLUME 06, ISSUE 14

   Quote for the day:

           "Kiss my ankh."

                -- Harold Fine (Peter Sellers)
                   "I Love You, Alice B. Toklas!" (Warner Bros.; 1968)

----------------------------------------------------------------------

Date:    Sun, 5 Oct 97 10:58 PDT
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Shadows in the Mirror: The Looming Problems of Web Caching

Greetings.  As the World Wide Web has continued its explosive growth,
it seems as if new potential areas of concern pop up almost every day.
Often these worries revolve around the use of technologies for
purposes, or in ways, for which they were not originally intended.

Such seems to be the emerging situation regarding "caching" of web pages.
Considered a mundane technical issue by most net users who have even heard
of it, caching carries an array of promises and problems, with some of the
latter impacting areas ranging from reliability to hacking, from freedom
of information to censorship, from security to privacy.

Caching refers to the growing practice of some Information Service Providers
(ISPs) of maintaining local copies of web pages for their subscribers, and
using technical means to encourage (or require) that their users access
those pages only from the local "cache", and not from the actual remote
sites from which the web pages originated.

The ostensible reasons for caching are valid and important ones.  In some
environments, security/firewall requirements have dictated a level of
control where "proxy servers", using local caching, have been deemed the
most practical procedure for allowing user access to the Web.  Caching also
can impart significant bandwidth savings, to the extent that users (for
example, in a cable TV, cable modem environment) can be forced to retrieve
"popular" pages from the local ISP's server, rather than having all accesses
going out over limited bandwidth facilities to the Internet proper.
This reduces load on both the outside network and on the remote web servers
themselves.

But as usual with our technological marvels, there are a number of serious
potential problems surrounding caching, about which we should all be
concerned.  Some of these problems are technical, some are the result of the
vacuum of laws relating to these areas, and some are even more directly
political and could impact basic expectations relating to freedom of speech
and privacy.

Research regarding these impacts is pretty much in the early stages, and so
are studies and surveys of these issues relating to caching.  I'm not going
to present a detailed analysis in this message, but let's very briefly
explore a list of items to be thinking about:

-- How recent are the pages in local caches?  How often do caches
   refresh their data from the original sources?  Where caching
   interval requests are present on the original pages, what guarantee
   is there that caches will honor those requests?

-- What happens to pages that are frequently updated or that display
   "dynamically created" content (that is, content that varies with each
   access)?  Will cache users be presented with old, static versions of
   these pages?  Will some caches attempt to "penalize" such pages with less
   frequent caching?  (This is apparently already a significant issue.)

-- To what degree do centralized caches of web pages present a centralized
   target for hacking?  What recourse do sites have against caches who leave
   copies of the original sites' pages vulnerable to outside alteration, or
   caches that even subtly or overtly alter, modify, or add to the content
   of the original pages without the original sites' permission?  How will
   typical users know if they're looking at the original, "accurate" pages
   or a modified, corrupt, or stale copy?  Cryptographic signing techniques
   seem likely to be of only limited assistance for a variety of reasons.

-- To what extent do centralized caches simplify surveillance of user web
   browsing activity, censorship, and other controls over what users may
   access?  Efforts to create a worldwide hierarchy of caches (the so-called
   "global mesh") may potentially introduce a range of risks, especially in
   those countries where government authorities already exercise a large
   degree of control over access to the net by their citizens.  Caches,
   without appropriate safeguards, could greatly exacerbate these problems.  

-- What about the copyright rights of the original sites whose pages are
   being cached?  Can sites effectively choose not to be cached?  If so,
   will they suffer "access limitation" retaliation by some caches, making
   it difficult or impossible for users behind those caches to access those
   pages?

-- Will Web search engines begin returning references to cached versions of
   web pages rather than the "real" pages under the originating sites'
   control?  To what extent could this further confuse the question of where
   the pages are really coming from or how accurate they are?

-- What happens to the web access statistics collected by centralized
   caches?  Caches prevent the originating sites from accurately judging the
   viewerships of their pages, since cached hits are never known to the
   originating site.  In fact, the more popular the site, the more likely it
   may be to be heavily cached, and for their statistics to be even more
   dramatically skewed downward due to cached "diversion" of their hits and
   other page view statistics.  Many sites depend on these statistics to
   help them in determining their page update schedules and allocation of
   page design resources.  Advertising decisions and rates are often made
   based on the assumption of the accurate local availability of these
   statistics.
 
   Of even greater concern may be the possible misuse of cached statistical
   data.  The information privacy policies of the originating web sites mean
   nothing if the hit data collected by a cache regarding cached pages is
   under the control solely of that caching entity.  This can include
   sensitive information about sites and users viewing those pages and
   selecting particular links.  Is the caching organization free to do
   whatever they like with that information?  Sell it for marketing lists?
   Provide it for investigative purposes as they see fit?  Sell it to
   commercial databases?  A given originating site may have very strict
   policies regarding any information collected regarding sites or
   users who visit their web server.  But a cache may have a completely 
   different policy, or no policy at all.  The privacy implications
   are vast.

                            -------

I think that's enough to provide the flavor of the issues involved.
Yes friends, another can of worms, indeed.  Without a doubt caching
technologies are a powerful tool that will be crucial to the
continued growth and development of the Internet and the World Wide Web.
Properly designed, they can bring significant benefits that clearly
need to be explored.  But their potential downside appears very real
as well, and could impact fundamental issues of privacy, freedom
of speech, and other cherished beliefs that many people consider
to be their rights.  Before caching becomes entrenched in the
Internet infrastructure, it would do us well to consider these
impacts, and what we want to do about them--technically, legislatively,
and politically.  The window of opportunity to do this is now.

--Lauren--
Moderator, PRIVACY Forum 
http://www.vortex.com
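
The first item in the list above asks whether caches honor the origin's caching-interval requests and how a user could tell a stale copy. The following is an added example, not part of the original message: it audits one response, as a client behind a proxy received it, against the origin's stated lifetime. It assumes HTTP/1.1 caching headers (Cache-Control, Expires, Age, Date); the function names, the 60-second slack and the sample responses are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

CLOCK_SLACK = 60  # seconds of skew/latency tolerated before suspecting a cache


def http_date(value):
    """Parse an HTTP date into an aware datetime; None if missing or invalid."""
    try:
        parsed = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or ''}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"')
    return directives


def freshness_lifetime(headers, cc, date):
    """Seconds the origin allowed a shared cache to reuse the page, or None."""
    for directive in ("s-maxage", "max-age"):  # s-maxage takes precedence
        if cc.get(directive, "").isdigit():
            return int(cc[directive])
    if "expires" in headers:
        expires = http_date(headers["expires"])
        if expires is None or date is None:
            return 0  # an unparseable Expires is treated as already expired
        return max(0, int((expires - date).total_seconds()))
    return None


def audit_cached_response(raw_headers, received_at):
    """Compare a response, as received (aware datetime), with the origin's requests."""
    headers = {k.lower(): v for k, v in raw_headers.items()}
    cc = parse_cache_control(headers.get("cache-control", ""))
    date = http_date(headers.get("date"))
    age = int(headers["age"]) if headers.get("age", "").isdigit() else 0
    apparent = int((received_at - date).total_seconds()) if date else 0
    current_age = max(age, apparent, 0)
    # HTTP/1.0 caches send no Age header, so an old Date also counts as evidence.
    if age == 0 and apparent <= CLOCK_SLACK:
        return []  # nothing suggests the copy came from a cache
    findings = []
    lifetime = freshness_lifetime(headers, cc, date)
    if "no-store" in cc:
        findings.append("cached despite no-store")
    elif lifetime is None:
        findings.append("origin gave no lifetime; the cache chose its own")
    elif current_age > lifetime:
        findings.append(f"stale: copy is {current_age}s old, origin allowed {lifetime}s")
    if "private" in cc:
        findings.append("shared cache reused a response marked private")
    return findings


# Constructed sample responses, as seen by a client behind an ISP proxy.
RECEIVED_AT = datetime(1997, 10, 5, 18, 0, tzinfo=timezone.utc)
STALE = {"Date": "Sat, 04 Oct 1997 18:00:00 GMT", "Cache-Control": "max-age=300"}
FRESH = {"Date": "Sun, 05 Oct 1997 17:58:00 GMT",
         "Cache-Control": "max-age=3600", "Age": "120"}
BAD_EXPIRES = {"Date": "Sun, 05 Oct 1997 17:59:00 GMT", "Expires": "0", "Age": "60"}
NO_STORE = {"Date": "Sun, 05 Oct 1997 17:50:00 GMT",
            "Cache-Control": "no-store", "Age": "600"}

if __name__ == "__main__":
    for name, sample in [("stale", STALE), ("fresh", FRESH),
                         ("bad expires", BAD_EXPIRES), ("no-store", NO_STORE)]:
        print(name, audit_cached_response(sample, RECEIVED_AT))
```

A "stale" finding is a prompt to look closer rather than proof of misbehavior, since a cache that cannot reach the origin is permitted to serve an expired copy.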

------------------------------

Date: Fri, 26 Sep 1997 16:42:47 -0400
From: "EPIC-News List" <epic-news@epic.org>
Subject: House Committee Rejects Domestic Crypto Ban

    [ From EPIC Alert 4.13 -- PRIVACY Forum Moderator ]

The House Commerce Committee has rejected an FBI-backed proposal to
impose the first-ever domestic controls on encryption.  In a 35-16
vote on September 24, the committee defeated an amendment to the SAFE
crypto bill offered by Reps. Michael Oxley (R-OH) and Thomas Manton
(D-NY) that would have banned the domestic manufacture and sale of
encryption products that do not provide law enforcement agencies easy
access to encrypted information.  Speaking in opposition to the
amendment, many committee members cited the unprecedented assault on
privacy and civil liberties that would result if the FBI proposal was
adopted.

While surviving the draconian Oxley-Manton amendment, the SAFE bill,
originally introduced by Rep. Bob Goodlatte (R-VA) to relax U.S.
export controls on encryption products, did not emerge from the
Commerce Committee unscathed.  The committee adopted an amendment
offered by Reps. Ed Markey (D-MA) and Rick White (R-WA) that would
create a new National Electronic Technologies (NET) Center within the
Justice Department.  The NET Center would engage in research and
"examine encryption techniques and methods to facilitate the ability
of law enforcement to gain efficient access to plaintext of
communications and electronic information."  The NET Center would be
authorized to seek the assistance of "any department or agency of the
Federal Government" in support of its mission, thereby providing
explicit statutory authority for National Security Agency involvement
in domestic law enforcement activities.  The Markey-White amendment
also doubles the penalty for the use of encryption in furtherance of a
felony and provides that "No person shall be subject to civil or
criminal liability for providing access to the plaintext of encrypted
communications or electronic information to any law enforcement
official or authorized government entity, pursuant to judicial
process."

In a letter sent to the Commerce Committee prior to the vote, EPIC
joined with the American Civil Liberties Union, Eagle Forum, Americans
for Tax Reform and other groups in urging members to oppose "any
proposal establishing a legal structure for key recovery even if
temporarily 'voluntary,' any so-called 'compromise' provision drawn
from Oxley-Manton . . . , and any new proposal that would limit the
availability and use of strong encryption."

The fate of the SAFE bill is now uncertain.  The original Goodlatte
language has been substantially amended by five House committees, with
contradictory results.  Rep. Gerald Solomon (R-NY), chairman of the
House Rules Committee, has indicated that he will not send the
legislation to the House floor unless it contains the Oxley-Manton
domestic controls.  As such, SAFE may no longer be a viable vehicle
for the reform of encryption policy that it was originally intended to
promote.

PDF versions of House Commerce Committee documents on the SAFE bill
are available at:

     http://www.house.gov/commerce/full/092497/markup.htm

------------------------------

Date: Fri, 26 Sep 1997 16:42:47 -0400
From: "EPIC-News List" <epic-news@epic.org>
Subject: ID Cards to Cost $10 Billion

    [ From EPIC Alert 4.13 -- PRIVACY Forum Moderator ]

The Social Security Administration announced on September 22 that it
would cost up to $10 billion to re-issue Social Security cards as
tamper-proof identifiers.

Congress required the SSA to assess the cost as part of the 1996
immigration and welfare bills.  The SSA report reviews the history of
the SSN from its creation in 1935 through the current day.  The report
declines to make any policy recommendations, but recognizes some of
the privacy issues raised by the use of the SSN as a national
identifier.  An appendix to the report includes pending legislation
that would limit the SSN's use.

The report examines the different technologies for ID cards from basic
plain plastic cards to smart cards, including those that would include
a picture or biometric identifier.  It notes that SSA cannot
accurately assess how many actual SSNs are in use -- the agency is
only able to estimate a range between 269 and 327 million.  At least
10 million are estimated to be duplicate numbers.

More information on national identification cards is available at:

     http://www.epic.org/privacy/id_cards/

------------------------------

Date: Mon, 29 Sep 1997 10:12:41 -0400
From: Declan McCullagh <declan@well.com>
Subject: FC: ACLU, EPIC oppose deviant Markey-White version of SAFE

Last week, you'll recall, the House Commerce committee approved the deviant
Markey-White amendments as a "compromise" package.

Note the ACLU says: "It is now clear that any version of this bill will be
used to attack domestic encryption protection."

-Declan

                                ---------

FOR IMMEDIATE RELEASE   Contact: Emily Whitfield (212) 549-2566
Thursday, September 25, 1997    Phil Gutis (202) 675-2312

WASHINGTON -- Citing civil liberties concerns, the House Commerce Committee
late yesterday overwhelmingly beat back an attempt by law enforcement to
hijack what had been introduced as a pro-privacy encryption bill.

The American Civil Liberties Union, which supported the original version of
H.R. 695, the Security and Freedom through Encryption Act ("SAFE") applauded
the committee's action, but said it could not support the new version of
SAFE, which contains a new set of civil liberties problems.

"We survived the hijacking only to find that we are still in enemy
territory," said Donald Haines, Legislative Counsel on privacy and cyberspace
issues for the ACLU's Washington National Office. "It is now clear that any
version of this bill will be used to attack domestic encryption protection.
Therefore, the ACLU strongly opposes bringing any encryption legislation to
the floor at this time."

The amendment that was rejected yesterday sought to reverse the original
intent of SAFE, a bill that would ease controls on export of strong
encryption technology.  Sponsored by Reps. Michael Oxley, R-OH, and Thomas
Manton, D-NY, it would have given law enforcement agencies easy access to
every private computer file, e-mail, telephone conversation, and online
communication in America. By providing this "backdoor" for law enforcement,
the ACLU said the amendment would leave a door open to others seeking
unauthorized access to private communications.

But in rejecting the law enforcement power grab, the Committee essentially
re-wrote the SAFE bill, adopting amendments that would:

-- Establish a "codebreaking" center for law enforcement that would improperly
   involve the National Security Agency (NSA) in domestic affairs.
-- Reinstate an objectionable provision in the original SAFE bill that would
   criminalize, for the first time ever, the use of domestic encryption.
-- Double the penalties for criminal use of encryption, up to a maximum of 20
   years in prison.
-- Provide immunity for anyone who turns over encryption "keys" to law
   enforcement, setting the stage for a mandatory "back door" for law
   enforcement access to private files and communications.

"We were heartened that privacy and free speech were cited by so many
committee members as the reason why the FBI amendment had to be rejected,"
Haines said. "We now call upon all members of the House to take these
fundamental civil liberties into account in considering any bill addressing
the use of encryption."

With yesterday's vote, the last of five versions of the SAFE bill may now
proceed to the House Rules Committee for a decision on how the bill will be
presented to the House.  The chairman of that committee, Gerald Solomon,
R-NY, has vowed publicly to block any version of SAFE that does not have the
Oxley-Manton amendment.

In a letter sent to members of the Commerce Committee yesterday, the ACLU
joined a broad spectrum of groups in calling for "no compromise on privacy
protection by encryption." The letter urged the members to oppose the
Oxley-Manton amendment, as well as any attempts to limit the right of all
Americans to get and use whatever encryption protection they want.

The letter was signed by the ACLU, Americans for Tax Reform, The Eagle Forum,
Electronic Privacy Information Center, Privacy International and the United
States Privacy Council.

"All efforts, direct and indirect, to restrict our right to the greatest
possible privacy protection must be rejected," Haines said.  "Whether you are
sending sensitive corporate documents or your family's travel plans, you have
a right to speak privately."

The last three committees to act on SAFE (National Security, Intelligence and
Commerce) have all added anti-privacy provisions, while bills from the
Judiciary and International Affairs committees lack provisions to protect
First Amendment rights in the use of encryption.  Both those bills also
contain the criminalization provision present in the other bills, although
without the even stiffer penalties added to the new version of SAFE.

A group of leading scientific, educational and engineering organizations also
voiced their opposition yesterday to any legislation imposing strict domestic
controls on encryption.  The groups said that the amendment would have a
"grave effect" on cryptographic research in the United States, and could
also negatively impact U.S. commerce while benefiting overseas companies not
subject to controls.

Encryption programs scramble information so that it can only be read with a
"key" -- a code the recipient uses to unlock the scrambled electronic data.
As more of our messages are sent via computers, digital switches, and
wireless phones, they must be encrypted, otherwise our messages can be seized
and read by others.

There are no laws that now prohibit using as strong encryption as possible
inside the United States. But, unless keys are made available to the
government, the Clinton Administration bans export of encryption equipment
and software, treating the products as "munitions."

In response to these continued attacks on privacy rights, the ACLU this
summer launched Take Back Your Data!, a nationwide citizen campaign to fight
for legal reforms to privacy laws and resist further encroachments on the
right to privacy.  Through its website at www.aclu.org, the ACLU urges
visitors to contact their elected officials and voice support for or
opposition to pending legislation.

In addition, the ACLU said that it is drafting omnibus privacy legislation
that would, if adopted, fulfill the basic goals of the Take Back Your Data!
campaign.  The legislation will be unveiled later this fall, followed by a
broad-based effort to encourage members of Congress to co-sponsor the
legislation.

------------------------------

Date: Fri, 3 Oct 1997 07:30:33 -0700
From: Martin Minow <minow@apple.com>
Subject: New PGP "Everything the FBI ever dreamed of"

An article in today's (Fri, Oct 3) New York Times (CyberTimes)
<http://www.nytimes.com/library/cyber/week/100397pgp.html>
describes the new release of "PGP for Business Security 5.5," which
contains mechanisms that incorporate a key recovery mechanism that can either
be voluntary or be enforced by using PGP's software for controlling a
company's SMTP server -- the server can verify that all encrypted messages
include the corporate public key (or conform to other corporate policies):

"The new version also includes some of the most sophisticated techniques
for enforcing this policy through the corporation. The most novel may be a
new version of software controlling a company's SMTP server, the machine
that acts as the central mailroom for a corporation. PGP provides a
software agent that will read all of the mail to make sure that it complies
with the corporate policy. This may include requiring all messages to be
signed with digital signatures or include a backdoor that the management
can use to read the message. If the software agent discovers a message
violates the policy, it can either return it to sender or simply log a copy.

"PGP implements the backdoor with a central key. Each message is encrypted
with both the public key of the recipient and the public key of the
management. The message can only be read by someone holding the
corresponding private keys, in this case the recipient and the management.
The software allows the management to use different master keys for
different departments by customizing the software.

... "Bruce Schneier, an encryption expert and author of the popular book
Applied Cryptography, said that the new announcement "sounds like
everything the FBI ever dreamed of." He also predicts that criminals will
find ways to circumvent the restrictions while honest people may be more
vulnerable to illicit use of the master key."
---
Coincidentally, the same issue of the New York Times has an editorial
<http://www.nytimes.com/yr/mo/day/editorial/03fri4.html> attacking
FBI director Louis Freeh's request that Congress "outlaw the
manufacture and distribution of encryption programs the Government cannot
instantly crack."

Martin Minow minow@apple.com
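
The server-side check described in the quoted article, sketched as an added example (not part of the original post and not PGP's code): it reads the Public-Key Encrypted Session Key packets that lead a binary OpenPGP message, assuming RFC 4880 packet framing and an already de-armored message, and tests whether a required key ID is among the recipients. The key IDs, sample packets and function names are constructed for illustration.

```python
PKESK_TAG = 1  # Public-Key Encrypted Session Key packet


def recipient_key_ids(message):
    """Return the 8-byte key IDs from the PKESK packets that lead the message."""
    key_ids, pos = [], 0
    while pos < len(message):
        first = message[pos]
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        new_format = bool(first & 0x40)
        tag = first & 0x3F if new_format else (first >> 2) & 0x0F
        if tag != PKESK_TAG:
            break  # recipients are listed before the encrypted data packet
        pos += 1
        if new_format:
            o1 = message[pos]
            if o1 < 192:
                length, pos = o1, pos + 1
            elif o1 < 224:
                length, pos = ((o1 - 192) << 8) + message[pos + 1] + 192, pos + 2
            elif o1 == 255:
                length, pos = int.from_bytes(message[pos + 1:pos + 5], "big"), pos + 5
            else:
                raise ValueError("partial length is not valid for a PKESK packet")
        else:
            size = {0: 1, 1: 2, 2: 4}.get(first & 0x03)
            if size is None:
                raise ValueError("indeterminate length is not handled for PKESK")
            length, pos = int.from_bytes(message[pos:pos + size], "big"), pos + size
        body = message[pos:pos + length]
        if len(body) != length or length < 10 or body[0] not in (2, 3):
            raise ValueError("truncated or unsupported PKESK packet")
        key_ids.append(body[1:9])  # body: version, key ID (8 bytes), algorithm, MPIs
        pos += length
    return key_ids


def check_policy(message, required_key_id):
    """Return (accepted, reason); anything that cannot be parsed is rejected."""
    try:
        key_ids = recipient_key_ids(message)
    except (ValueError, IndexError) as exc:
        return False, f"rejected: {exc}"
    if not key_ids:
        return False, "rejected: no public-key recipients found"
    if required_key_id not in key_ids:
        return False, "rejected: corporate key is not a recipient"
    return True, "accepted"


def sample_pkesk(key_id, new_format=False):
    """Build a constructed PKESK packet (dummy 16-bit MPI) for the demo."""
    body = b"\x03" + key_id + b"\x01" + b"\x00\x10\xab\xcd"
    return bytes([0xC1 if new_format else 0x84, len(body)]) + body


# Constructed key IDs and messages; 0xA7 opens an old-format encrypted-data
# packet of indeterminate length, followed by dummy bytes.
CORPORATE = bytes.fromhex("C0C0C0C0C0C0C0C0")
RECIPIENT = bytes.fromhex("1122334455667788")
DATA = b"\xa7" + b"\x00" * 16
COMPLIANT = sample_pkesk(RECIPIENT) + sample_pkesk(CORPORATE, new_format=True) + DATA
NONCOMPLIANT = sample_pkesk(RECIPIENT) + DATA

if __name__ == "__main__":
    for name, msg in [("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)]:
        print(name, check_policy(msg, CORPORATE))
```

A key ID match is a header-level check: it shows which keys the message names as recipients, nothing more.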

------------------------------

End of PRIVACY Forum Digest 06.14
************************


Copyright © 2005 Vortex Technology. All Rights Reserved.