EPIC Alert 1.06 (28 October 1994)
Volume 1.06 October 28, 1994
Published by the Electronic Privacy Information Center (EPIC)
Washington, DC (Alert@epic.org)
Table of Contents
 FTC Orders Trans Union to Stop Selling Credit Reports to Marketers
 State Department Rules 1st Amendment Doesn't Apply to Disks
 FBI Director May Ask For Mandatory Key Escrow Legislation
 Clipper: Alive and Well
 EPIC on Compuserve
 New Files in the Archive
 Upcoming Conferences and Events
 FTC Cracks down on Trans Union
The Federal Trade Commission on October 18 ordered Trans Union, one of the nation's largest credit bureaus, to stop selling consumer credit information in its files to direct marketers in violation of the Fair Credit Reporting Act (FCRA). This decision follows a year after TRW, another large credit bureau, signed a consent decree with the FTC to limit selling credit information. Equifax, the other large credit bureau, also voluntarily stopped selling credit information for marketing last year.
Trans Union, through its Transmark target marketing division, created lists of individuals based on credit-related criteria and then sold the information to companies to use for target marketing. The Commission ruled that target marketing was illegal under the FCRA because the law requires that the consumer initiate the transaction before the information can be released. It also found that the companies had full access to consumers' names and were aware of the criteria under which the names had been chosen from the Trans Union database, which is also an illegal disclosure of credit information.
Trans Union has said they will appeal and plan to continue selling the information in the meanwhile. Under a newly passed law, Trans Union must ask for a stay of the order after 60 days before they can continue selling the information. Ed Mierzwinski, Consumer Program Director of US Public Interest Research Group's Washington Office, hailed the FTC's actions: "It's a good decision. I predict if they try and appeal, they will lose."
 State Dept: 1st Amendment Doesn't Apply to Disks
The State Department ruled on October 7 that some forms of electronic speech are not protected by the First Amendment and can be prohibited from export. The decision raises questions about the protection of free speech on the information superhighway.
The controversy arose over the export of an electronic version of Applied Cryptography: Protocols, Algorithms, and Source Code in C (John Wiley and Sons, 1994) by Bruce Schneier. The agency ruled that electronic source code for computer programs that contains cryptographic algorithms is not protected under the First Amendment and thus is not exportable under current law. The ruling follows just a few months after the same department OK'd the export of the same code in printed form. Under current State Department rules, the export of almost all software with confidentiality and privacy features is prohibited unless permission is granted by the National Security Agency prior
Earlier this year Schneier and San Diego engineer Phil Karn requested and received permission to export the printed version, which contains over 100 pages of source code for different cryptographic algorithms in a type face easily converted to electronic form by a standard computer scanner. The book has sold over 17,000 copies worldwide in less than one year.
When Karn and Schneier requested permission to export the disks, which have the exact same information as is contained in the book, William Robinson, the director of the Office of Defense Trade Controls, rejected the request, stating "the text files on the subject disk are not an exact representation of what is found in Applied Cryptography...each source code listing has been partitioned into its own file and has the capability of being easily compiled into an executable subroutine . . . This is an added value to any end user that wishes to incorporate encryption into a product."
Computer users and experts are critical of the distinction. Karn noted "with the widespread availability of optical character recognition (OCR) equipment and software, even printed information such as the Book is easily turned into 'machine readable' disk files equivalent to the diskette." Bob Stratton, a Senior Engineer at AlterNet, said "Whether it's in a book or on a disk, it doesn't matter. The technology [the cryptography code] will flow no matter what."
When Karn and Schneier appealed the decision, Martha C. Harris, the Deputy Assistant Secretary for Export Controls at the State Department, stated "We...have concluded that continued control over the export of such material is consistent with the protections of the First Amendment." She noted that a high level, interagency review had resulted from the request. Bob Peck, a First Amendment lawyer with the American Civil Liberties Union, notes "any claim that the First Amendment is inapplicable because of the medium is just not valid."
Karn plans to appeal the decision.
 Clipper: Alive and Well
Vice President Gore's July letter to Rep. Maria Cantwell led some observers to hail the "death of Clipper." Others (including EPIC and Sen. Patrick Leahy) maintained that the Gore letter simply re-stated earlier Administration pronouncements on the encryption issue and did not represent a change in policy.
Any lingering doubts were laid to rest recently by Lynn McNulty, the Associate Director for Computer Security at the National Institute of Standards and Technology (NIST). Speaking at a conference sponsored by the Electronic Messaging Association, McNulty gave a presentation entitled "Clipper: Alive and Well." Noting that some media reports had pronounced Clipper dead, McNulty said simply "that is not correct." He reported that the government is "moving ahead to implement key escrow," and that the designated escrow agents are, in fact, escrowing keys. To date, 10,000 Clipper-equipped telephone units have been purchased by the law enforcement community. And the National Security Agency is continuing to aggressively market its key escrow technology to private manufacturers.
 FBI Director May Ask For Mandatory Key Escrow Legislation
At a conference on Global Cryptography earlier this month, FBI Director Louis Freeh suggested that if the administration's Clipper key escrow encryption scheme was not widely adopted, he may ask Congress for legislation making it mandatory. The FBI confirmed the comments to reporters Brock Meeks and Steven Levy.
Excerpt from transcript of Freeh talk as faxed to Michael Froomkin by the FBI:
[note: bracketed material is summary of earlier exchange]
Q: [If people pre-encrypt while using Clipper, would] the policy then have to change?
A: The terms of encryption being a voluntary standard? Oh yea, definitely, I mean if five years from now we solve the access problem but what we are hearing is all encrypted I'll probably ah, if I am still here, be talking about that in a very important way. Sure, I mean the objective is the same. The objective is for us to get those conversations whether they are by an alligator clipped or or [_sic_] ones and zeros wherever they are, what ever they are, I need them.
 EPIC on Compuserve
EPIC has joined the National Computer Security Association and the National Computer Ethics & Responsibilities Campaign in hosting a forum on privacy, security and ethical issues on the Compuserve Information System.
EPIC materials, including back issues of the Alert, program description and reports, are available in Library 2. Discussion of privacy topics is in Section 2 (EPIC/Ethics).
To access the forum, use the keyword: NCSA.
 New Files at the Archive
OTA Report on Cryptography
Final Version of HR 4922/S 2375 - The Communications Assistance for Law Enforcement Act of 1994
HR 5199 - Encryption Standards and Procedures Act of 1994
Files related to the Applied Cryptography Export Decision
The CPSR Internet Library is a free service available via FTP/WAIS/Gopher/listserv from cpsr.org:/cpsr. Materials from Privacy International, the Taxpayers Assets Project and the Cypherpunks are also archived. For more information, contact ftp-admin@cpsr.org.
 Upcoming Privacy Related Conferences and Events
2nd ACM Conference on Computer and Communications Security, Fairfax, Virginia. Nov 2-4, 1994. Sponsored by: ACM SIGSAC, Hosted by: Bell Atlantic, George Mason University. Contact: gong@csl.sri.com
Ethics in the Computer Age Conference. Gatlinburg, Tennessee. November 11-13. Sponsored by ACM. Contact: jkizza@utcvm.utc.edu
The Technology for Information Security Conference '94 (TISC '94). Galveston, Texas. Dec. 5-8, sponsored by: NASA Johnson Space Center Mission Operations Directorate (MOD), MOD AIS Security Engineering Team, and the ISSA. Contact: John D'Agostino (dagostin@killerbee.jsc.nasa.gov).
Second International Conference on Information Warfare: "Chaos on the Electronic Superhighway" Jan 18-19, Montreal, CA. January 18,
Sponsored by NCSA. Contact: Mich Kabay (75300.3232@compuserve.com).
(Send calendar submissions to Alert@epic.org)
To subscribe to the EPIC Alert, send the message:
SUBSCRIBE CPSR-ANNOUNCE Firstname Lastname
to listserv@cpsr.org. You may also receive the Alert by reading the USENET newsgroup comp.org.cpsr.announce.
Back issues are available via FTP/WAIS/Gopher/HTTP from cpsr.org/cpsr/alert and on Compuserve at Keyword: NCSA, Library 2 (EPIC/Ethics)
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues relating to the National Information Infrastructure, such as the Clipper Chip, the Digital Telephony proposal, medical record privacy, and the sale of consumer data. EPIC is sponsored by the Fund for Constitutional Government and Computer Professionals for Social Responsibility. EPIC publishes the EPIC Alert and EPIC Reports, pursues Freedom of Information Act litigation, and conducts policy research on emerging privacy issues. For more information email info@epic.org, or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).
The Fund for Constitutional Government is a non-profit organization established in 1974 to protect civil liberties and constitutional rights.
Computer Professionals for Social Responsibility is a national membership organization of people concerned about the impact of technology on society. For information contact: cpsr-info@cpsr.org
END EPIC Alert 1.06
CPSR ANNOUNCE LIST END
To alter or end your subscription to this mailing list, write to listserv@cpsr.org. For general information send the message:
HELP
To unsubscribe, send the message:
UNSUBSCRIBE CPSR-ANNOUNCE
You need to do this from the same machine you subscribed from.
In both cases, leave the subject blank, or at least not resembling an error message.