PRIVACY Forum Archive Document
PRIVACY Forum Digest Sunday, 5 October 1997 Volume 06 : Issue 14 Moderated by Lauren Weinstein (email@example.com) Vortex Technology, Woodland Hills, CA, U.S.A. http://www.vortex.com ===== PRIVACY FORUM ===== ------------------------------------------------------------------- The PRIVACY Forum is supported in part by the ACM (Association for Computing Machinery) Committee on Computers and Public Policy, "internetMCI" (a service of the Data Services Division of MCI Telecommunications Corporation), and Cisco Systems, Inc. - - - These organizations do not operate or control the PRIVACY Forum in any manner, and their support does not imply agreement on their part with nor responsibility for any materials posted on or related to the PRIVACY Forum. ------------------------------------------------------------------- CONTENTS Shadows in the Mirror: The Looming Problems of Web Caching (Lauren Weinstein; PRIVACY Forum Moderator) House Committee Rejects Domestic Crypto Ban (EPIC-News List) ID Cards to Cost $10 Billion (EPIC-News List) FC: ACLU, EPIC oppose deviant Markey-White version of SAFE (Declan McCullagh) New PGP "Everything the FBI ever dreamed of" (Martin Minow) *** Please include a RELEVANT "Subject:" line on all submissions! *** *** Submissions without them may be ignored! *** ----------------------------------------------------------------------------- The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged. All submissions should be addressed to "firstname.lastname@example.org" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic list handling system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "email@example.com". Mailing list problems should be reported to "firstname.lastname@example.org". All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations. The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the list handling system. Please follow the instructions above for getting the "help" information, which includes details regarding the "index" and "get" commands, which are used to access the PRIVACY Forum archive via the list handling system. All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com/". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com"; full keyword searching of all PRIVACY Forum files is available via WWW access. ----------------------------------------------------------------------------- VOLUME 06, ISSUE 14 Quote for the day: "Kiss my ankh." -- Harold Fine (Peter Sellers) "I Love You, Alice B. Toklas!" (Warner Bros.; 1968) ---------------------------------------------------------------------- Date: Sun, 5 Oct 97 10:58 PDT From: email@example.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: Shadows in the Mirror: The Looming Problems of Web Caching Greetings. As the World Wide Web has continued its explosive growth, it seems as if new potential areas of concern pop up almost every day. Often these worries revolve around the use of technologies for purposes, or in ways, for which they were not originally intended. Such seems to be the emerging situation regarding "caching" of web pages. Considered a mundane technical issue by most net users who have even heard of it, caching carries an array of promises and problems, with some of the latter impacting areas ranging from reliability to hacking, from freedom of information to censorship, from security to privacy. Caching refers to the growing practice of some Information Service Providers (ISPs) of maintaining local copies of web pages for their subscribers, and using technical means to encourage (or require) that their users access those pages only from the local "cache", and not from the actual remote sites from which the web pages originated. The ostensible reasons for caching are valid and important ones. In some environments, security/firewall requirements have dictated a level of control where "proxy servers", using local caching, have been deemed the most practical procedure for allowing user access to the Web. Caching also can impart significant bandwidth savings, to the extent that users (for example, in a cable TV, cable modem environment) can be forced to retrieve "popular" pages from the local ISP's server, rather than having all accesses going out over limited bandwidth facilities to the Internet proper. This reduces load on both the outside network and on the remote web servers themselves. But as usual with our technological marvels, there are a number of serious potential problems surrounding caching, about which we should all be concerned. Some of these problems are technical, some are the result of the vacuum of laws relating to these areas, and some are even more directly political and could impact basic expectations relating to freedom of speech and privacy. Research regarding these impacts is pretty much in the early stages, and so are studies and surveys of these issues relating to caching. I'm not going to present a detailed analysis in this message, but let's very briefly explore a list of items to be thinking about: -- How recent are the pages in local caches? How often do caches refresh their data from the original sources? Where caching interval requests are present on the original pages, what guarantee is there that caches will honor those requests? -- What happens to pages that are frequently updated or that display "dynamically created" content (that is, content that varies with each access)? Will cache users be presented with old, static versions of these pages? Will some caches attempt to "penalize" such pages with less frequent caching (this is apparently already a significant issue). -- To what degree do centralized caches of web pages present a centralized target for hacking? What recourse do sites have against caches who leave copies of the original sites' pages vulnerable to outside alteration, or caches that even subtly or overtly alter, modify, or add to the content of the original pages without the original sites' permission? How will typical users know if they're looking at the original, "accurate" pages or a modified, corrupt, or stale copy? Cryptographic signing techniques seem likely to be of only limited assistance for a variety of reasons. -- To what extent do centralized caches simplify surveillance of user web browsing activity, censorship, and other controls over what users may access? Efforts to create a worldwide hierarchy of caches (the so-called "global mesh") may potentially introduce a range of risks, especially in those countries where government authorities already exercise a large degree of control over access to the net by their citizens. Caches, without appropriate safeguards, could greatly exacerbate these problems. -- What about the copyright rights of the original sites whose pages are being cached? Can sites effectively choose not to be cached? If so, will they suffer "access limitation" retaliation by some caches, making it difficult or impossible for users behind those caches to access those pages? -- Will Web search engines begin returning references to cached versions of web pages rather than the "real" pages under the originating sites' control? To what extent could this further confuse the question of where the pages are really coming from or how accurate they are? -- What happens to the web access statistics collected by centralized caches? Caches prevent the originating sites from accurately judging the viewerships of their pages, since cached hits are never known to the originating site. In fact, the more popular the site, the more likely it may be to be heavily cached, and for their statistics to be even more dramatically skewed downward due to cached "diversion" of their hits and other page view statistics. Many sites depend on these statistics to help them in determining their page update schedules and allocation of page design resources. Advertising decisions and rates are often made based on the assumption of the accurate local availability of these statistics. Of even greater concern may be the possible misuse of cached statistical data. The information privacy policies of the originating web sites mean nothing if the hit data collected by a cache regarding cached pages is under the control solely of that caching entity. This can include sensitive information about sites and users viewing those pages and selecting particular links. Is the caching organization free to do whatever they like with that information? Sell it for marketing lists? Provide it for investigative purposes as they see fit? Sell it to commercial databases? A given originating site may have very strict policies regarding any information collected regarding sites or users who visit their web server. But a cache may have a completely different policy, or no policy at all. The privacy implications are vast. ------- I think that's enough to provide the flavor of the issues involved. Yes friends, another can of worms, indeed. Without a doubt caching technologies are a powerful tool that will be crucial to the continued growth and development of the Internet and the World Wide Web. Properly designed, they can bring significant benefits that clearly need to be explored. But their potential downside appears very real as well, and could impact fundamental issues of privacy, freedom of speech, and other cherished beliefs that many people consider to be their rights. Before caching becomes entrenched in the Internet infrastructure, it would do us well to consider these impacts, and what we want to do about them--technically, legislatively, and politically. The window of opportunity to do this is now. --Lauren-- Moderator, PRIVACY Forum http://www.vortex.com ------------------------------ Date: Fri, 26 Sep 1997 16:42:47 -0400 From: "EPIC-News List" <firstname.lastname@example.org> Subject: House Committee Rejects Domestic Crypto Ban [ From EPIC Alert 4.13 -- PRIVACY Forum Moderator ] The House Commerce Committee has rejected an FBI-backed proposal to impose the first-ever domestic controls on encryption. In a 35-16 vote on September 24, the committee defeated an amendment to the SAFE crypto bill offered by Reps. Michael Oxley (R-OH) and Thomas Manton (D-NY) that would have banned the domestic manufacture and sale of encryption products that do not provide law enforcement agencies easy access to encrypted information. Speaking in opposition to the amendment, many committee members cited the unprecedented assault on privacy and civil liberties that would result if the FBI proposal was adopted. While surviving the draconian Oxley-Manton amendment, the SAFE bill, originally introduced by Rep. Bob Goodlatte (R-VA) to relax U.S. export controls on encryption products, did not emerge from the Commerce Committee unscathed. The committee adopted an amendment offered by Reps. Ed Markey (D-MA) and Rick White (R-WA) that would create a new National Electronic Technologies (NET) Center within the Justice Department. The NET Center would engage in research and "examine encryption techniques and methods to facilitate the ability of law enforcement to gain efficient access to plaintext of communications and electronic information." The NET Center would be authorized to seek the assistance of "any department or agency of the Federal Government" in support of its mission, thereby providing explicit statutory authority for National Security Agency involvement in domestic law enforcement activities. The Markey-White amendment also doubles the penalty for the use of encryption in furtherance of a felony and provides that "No person shall be subject to civil or criminal liability for providing access to the plaintext of encrypted communications or electronic information to any law enforcement official or authorized government entity, pursuant to judicial process." In a letter sent to the Commerce Committee prior to the vote, EPIC joined with the American Civil Liberties Union, Eagle Forum, Americans for Tax Reform and other groups in urging members to oppose "any proposal establishing a legal structure for key recovery even if temporarily 'voluntary,' any so-called 'compromise' provision drawn from Oxley-Manton . . . , and any new proposal that would limit the availability and use of strong encryption." The fate of the SAFE bill is now uncertain. The original Goodlatte language has been substantially amended by five House committees, with contradictory results. Rep. Gerald Solomon (R-NY), chairman of the House Rules Committee, has indicated that he will not send the legislation to the House floor unless it contains the Oxley-Manton domestic controls. As such, SAFE may no longer be a viable vehicle for the reform of encryption policy that it was originally intended to promote. PDF versions of House Commerce Committee documents on the SAFE bill are available at: http://www.house.gov/commerce/full/092497/markup.htm ------------------------------ Date: Fri, 26 Sep 1997 16:42:47 -0400 From: "EPIC-News List" <email@example.com> Subject: ID Cards to Cost $10 Billion [ From EPIC Alert 4.13 -- PRIVACY Forum Moderator ] The Social Security Administration announced on September 22 that it would cost up to $10 billion to re-issue Social Security cards as tamper-proof identifiers. Congress required the SSA to assess the cost as part of the 1996 immigration and welfare bills. The SSA report reviews the history of the SSN from its creation in 1935 through the current day. The report declines to make any policy recommendations, but recognizes some of the privacy issues raised by the use of the SSN as a national identifier. An appendix to the report includes pending legislation that would limit the SSN's use. The report examines the different technologies for ID cards from basic plain plastic cards to smart cards, including those that would include a picture or biometric identifier. It notes that SSA cannot accurately assess how many actual SSNs are in use -- the agency is only able to estimate a range between 269 and 327 million. At least 10 million are estimated to be duplicate numbers. More information on national identification cards is available at: http://www.epic.org/privacy/id_cards/ ------------------------------ Date: Mon, 29 Sep 1997 10:12:41 -0400 From: Declan McCullagh <firstname.lastname@example.org> Subject: FC: ACLU, EPIC oppose deviant Markey-White version of SAFE Last week, you'll recall, the House Commerce committee approved the deviant Markey-White amendments as a "compromise" package. Note the ACLU says: "It is now clear that any version of this bill will be used to attack domestic encryption protection." -Declan --------- FOR IMMEDIATE RELEASE Contact: Emily Whitfield (212) 549-2566 Thursday, September 25, 1997 Phil Gutis (202) 675-2312 WASHINGTON -- Citing civil liberties concerns, the House Commerce Committee late yesterday overwhelmingly beat back an attempt by law enforcement to hijack what had been introduced as a pro-privacy encryption bill. The American Civil Liberties Union, which supported the original version of H.R. 695, the Security and Freedom through Encryption Act ("SAFE") applauded the committee's action, but said it could not support the new version of SAFE, which contains a new set of civil liberties problems. "We survived the hijacking only to find that we are still in enemy territory," said Donald Haines, Legislative Counsel on privacy and cyberspace issues for the ACLU's Washington National Office. "It is now clear that any version of this bill will be used to attack domestic encryption protection. Therefore, the ACLU strongly opposes bringing any encryption legislation to the floor at this time." The amendment that was rejected yesterday sought to reverse the original intent of SAFE, a bill that would ease controls on export of strong encryption technology. Sponsored by Reps. Michael Oxley, R-OH, and Thomas Manton, D-NY, it would have given law enforcement agencies easy access to every private computer file, e-mail, telephone conversation, and online communication in America. By providing this "backdoor" for law enforcement, the ACLU said the amendment would leave a door open to others seeking unauthorized access to private communications. But in rejecting the law enforcement power grab, the Committee essentially re-wrote the SAFE bill, adopting amendments that would: ( Establish a "codebreaking" center for law enforcement that would improperly involve the National Security Agency (NSA) in domestic affairs. ( Reinstate an objectionable provision in the original SAFE bill that would criminalize, for the first time ever, the use of domestic encryption. ( Double the penalties for criminal use of encryption, up to a maximum of 20 years in prison. ( Provide immunity for anyone who turns over encryption "keys" to law enforcement, setting the stage for a mandatory "back door" for law enforcement access to private files and communications. "We were heartened that privacy and free speech were cited by so many committee members as the reason why the FBI amendment had to be rejected," Haines said. "We now call upon all members of the House to take these fundamental civil liberties into account in considering any bill addressing the use of encryption." With yesterday's vote, the last of five versions of the SAFE bill may now proceed to the House Rules Committee for a decision on how the bill will be presented to the House. The chairman of that committee, Gerald Solomon, R-NY, has vowed publicly to block any version of SAFE that does not have the Oxley-Manton amendment. In a letter sent to members of the Commerce Committee yesterday, the ACLU joined a broad spectrum of groups in calling for "no compromise on privacy protection by encryption." The letter urged the members to oppose the Oxley-Manton amendment, as well as any attempts to limit the right of all Americans to get and use whatever encryption protection they want. The letter was signed by the ACLU, Americans for Tax Reform, The Eagle Forum, Electronic Privacy Information Center, Privacy International and the United States Privacy Council. "All efforts, direct and indirect, to restrict our right to the greatest possible privacy protection must be rejected," Haines said. "Whether you are sending sensitive corporate documents or your family's travel plans, you have a right to speak privately." The last three committees to act on SAFE (National Security, Intelligence and Commerce) have all added anti-privacy provisions, while bills from the Judiciary and International Affairs committees lack provisions to protect First Amendment rights in the the use of encryption. Both those bills also contain the criminalization provision present in the other bills, although without the even stiffer penalties added to the new version of SAFE. A group of leading scientific, educational and engineering organizations also voiced their opposition yesterday to any legislation imposing strict domestic controls on encryption. The groups said that the amendment would have a "grave effect" on cryptographic research in the United States, and could also negatively impact U.S. commerce while benefiting overseas companies not subject to controls. Encryption programs scramble information so that it can only be read with a "key" -- a code the recipient uses to unlock the scrambled electronic data. As more of our messages are sent via computers, digital switches, and wireless phones, they must be encrypted, otherwise our messages can be seized and read by others. There are no laws that now prohibit using as strong encryption as possible inside the United States. But, unless keys are made available to the government, the Clinton Administration bans export of encryption equipment and software, treating the products as "munitions." In response to these continued attacks on privacy rights, the ACLU this summer launched Take Back Your Data!, a nationwide citizen campaign to fight for legal reforms to privacy laws and resist further encroachments on the right to privacy. Through its website at www.aclu.org, the ACLU urges visitors to contact their elected officials and voice support for or opposition to pending legislation. In addition, the ACLU said that it is drafting omnibus privacy legislation that would, if adopted, fulfill the basic goals of the Take Back Your Data! campaign. The legislation will be unveiled later this fall, followed by a broad-based effort to encourage members of Congress to co-sponsor the legislation. ------------------------------ Date: Fri, 3 Oct 1997 07:30:33 -0700 From: Martin Minow <email@example.com> Subject: New PGP "Everything the FBI ever dreamed of" An article in today's (Fri, Oct 3) New York Times (CyberTimes) <http://www.nytimes.com/library/cyber/week/100397pgp.html> describes the new release of "PGP for Business Security 5.5," which contains mechanisms that incorporate key recovery mechanism that can either be volontary or be enforced by using PGP's software for controlling a company's SMTP server -- the server can verify that all encrypted messages include the corporate public key (or conform to other corporate policies): "The new version also includes some of the most sophisticated techniques for enforcing this policy through the corporation. The most novel may be a new version of software controlling a company's SMTP server, the machine that acts as the central mailroom for a corporation. PGP provides a software agent that will read all of the mail to make sure that it complies with the corporate policy. This may include requiring all messages to be signed with digital signatures or include a backdoor that the management can use to read the message. If the software agent discovers a message violates the policy, it can either return it to sender or simply log a copy. "PGP implements the backdoor with a central key. Each message is encrypted with both the public key of the recipient and the public key of the management. The message can only be read by someone holding the corresponding private keys, in this case the recipient and the management. The software allows the management to use different master keys for different departments by customizing the software. ... "Bruce Schneier, an encryption expert and author of the popular book Applied Cryptography, said that the new announcement "sounds like everything the FBI ever dreamed of." He also predicts that criminals will find ways to circumvent the restrictions while honest people may be more vulnerable to illicit use of the master key." --- Coincidently, the same issue of the New York Times has an editorial <http://www.nytimes.com/yr/mo/day/editorial/03fri4.html> attacking FBI director Louis Freeh's request that Congress "outlaw the manufacture and distribution of encryption programs the Government cannot instantly crack. Martin Minow firstname.lastname@example.org ------------------------------ End of PRIVACY Forum Digest 06.14 ************************
Vortex Technology Home Page
Copyright © 2005 Vortex Technology. All Rights Reserved.