You are here:
EPIC Alert >>
 EPICAlert 4
EPIC Alert 2.04  EPICAlert 4 (9 March 1995)
Volume 2.04 March 9, 1995
Published by the Electronic Privacy Information Center (EPIC)
Washington, DC infoepic.org
Table of Contents
 EPIC Files Suit Against National Security Council
 Supreme Court Rules on Use of Inaccurate Computer Records
 Caller ID Privacy Protection Fails in Two More States
 Industry Groups Urge Pervasive Crypto Implementation
 IRS Issues "Correction' Notice on Compliance 2000
 Caller ID Study Finds FCC Out of Step
 Wiretap Watch: FBI Issues Wiretap Notice, Questionnaire
 Upcoming Conferences and Events
 EPIC Files Suit Against National Security Council
SECRET GOVERNMENT BOARD UNDER SCRUTINY Senator Roth Awaits Outcome
Washington, DC - The Electronic Privacy Information Center, a public policy group in Washington, today filed suit seeking documents
about a secret government working group responsible for developing policies on information security.
President Clinton established the Security Policy Board last September by secret directive. The Board will have a significant
impact on the development of the National Information Infrastructure.
To date, very little information concerning the Board's activities have been made public.
"Secrecy and classified directives will take us the wrong direction on the information highway," said David Sobel, legal counsel
Sobel cited the Clinton Administration's controversial Clipper Chip as an example of misguided security policy. The Clipper initiative
attempted to make it easy for the government to intercept private messages on the Internet.
"The Clipper fiasco makes clear that it is a mistake to let secret government agencies set standards for the nation's communications
infrastructure," according to Sobel.
Presidential Decision Directive 29, which established the Security Policy Board, is the most recent White House pronouncement on
information security policy. In 1984 National Security Decision Directive 145 gave the National Security Agency (NSA) new powers
to issue policies and develop standards for civilian agencies and the private sector. The Reagan directive was strongly opposed
civil liberties organizations, and industry groups.
In response, Congress enacted the Computer Security Act of 1987.
That law restricted NSA's role to the protection of classified information systems. But then National Security Directive 42, issued
by President Bush in 1990, expanded the role of NSA and the National Security Council in establishing government-wide security
Marc Rotenberg, the director of EPIC said, "This is a battle over the accountability and oversight of government computer policy.
These decisions must be made in the bright light of day."
According to earlier documents obtained by EPIC, one component of the Security Policy Board will have responsibility for "both
the classified and the sensitive but unclassified world." The document states that "[t]he emerging reliance upon a common National
Information Infrastructure makes it increasingly difficult to accept the logic of two separate but parallel structures for the
formulation of information systems security policy and the development of supporting technology."
Senator William V. Roth, Jr. (R-DE), the chair of the Senate Governmental Affairs Subcommittee on Investigations, said about the
EPIC suit, "One of of the principal goals of the Computer Security Act was to ensure that privacy of data on individuals held by
the federal government was
protected. The mechanism for that was putting elected officials in charge of policy and procedures. If the new security policy
board takes control away from elected officials it could be a return to 1984. I look forward to the court's assessment of the role
of this new board."
EPIC is currently litigating several Freedom of Information Act cases on government computer policy. The non-profit organization
is seeking the disclosure of information concerning the Clipper Chip and the FBI's "digital telephony" national wiretap plan.
 Supreme Court Rules on Use of Inaccurate Computer Records
The Supreme Court ruled on March 1 that evidence obtained in a search prompted by erroneous information on a police computer can
be admitted in court. In _Arizona v. Evans_, the Court reversed the decision of the Arizona Supreme Court. The 7-2 decision holds
that an unjustified arrest and search caused by an administrative error by a court employee who did not update a computer database
did not warrant the suppression of the evidence obtained through the search.
The Arizona Supreme Court had ruled that the evidence should be suppressed because:
It is repugnant to the principles of a free society that a person should ever be taken into police custody because of a computer
error precipitated by government carelessness. As automation increasingly invades modern life, the potential for Orwellian
mischief grows. Under such circumstances, the exclusionary rule is a 'cost' we cannot afford to be without.
Chief Justice Rehnquist, writing for the majority, reasoned that excluding the evidence would not deter future errors because it
was a court employee, not a law enforcement official, who forgot to update the record.
Justices O'Connor and Souter concurred with the decision, but also expressed concern with errors brought on by computerization.
Justice O'Connor recommended that accuracy must be ensured in the record systems relied upon by law enforcement.
Surely it would not be reasonable for the police to rely, say,
on a recordkeeping system, their own or some other agency's,
that has no mechanism to ensure its accuracy over time and that routinely leads to false arrests, even years after the probable
cause for any such arrest has ceased to exist (if it ever existed)....
In recent years, we have witnessed the advent of powerful,
computer-based recordkeeping systems that facilitate arrests in ways that have never before been possible. The police, of
course, are entitled to enjoy the substantial advantages this technology confers. They may not, however, rely on it blindly.
With the benefits of more efficient law enforcement mechanisms comes the burden of corresponding constitutional responsibilities.
Justice Stevens, in a strongly worded dissent, rejected Rehnquist's premise that the 4th Amendment is only a constraint on the
actions of individual law enforcement officials. He argued that it places a constraint on the entire sovereign and that the exclusionary
rule was not an "extreme sanction," but merely places the two parties back at the same place they would have been had there been
no illegal search.
Stevens reviewed the Founding Fathers' reasons for the 4th Amendment and called for stronger protections:
The offense to the dignity of the citizen who is arrested,
handcuffed, and searched on a public street simply because some bureaucrat has failed to maintain an accurate computer data
base strikes me as equally outrageous.
Justice Ginsburg also strongly rejected the majority's opinion.
She recognized that computer technology can compound errors by
widely disseminating them:
Widespread reliance on computers to store and convey information generates, along with manifold benefits, new possibilities
of error, due to both computer malfunctions and operator mistakes. Most germane to this case, computerization greatly amplifies
an error's effect, and correspondingly intensifies the need for prompt correction; for inaccurate data can infect not only
one agency, but the many agencies that share access to the database.
She suggested that all computers under government control should be
subject to the exclusionary rule (not just those controlled by the police) to ensure the accuracy of their records:
In this electronic age, particularly with respect to recordkeeping, court personnel and police officers are not neatly compartmentalized
actors. Instead, they serve together to carry out the State's information-gathering objectives.
Whether particular records are maintained by the police or the courts should not be dispositive where a single computer
database can answer all calls. Not only is it artificial to distinguish between court clerk and police clerk slips; in practice,
it may be difficult to pinpoint whether one official, e.g., a court employee, or another, e.g., a police officer, caused the
error to exist or to persist. Applying an exclusionary rule as the Arizona court did may well supply a powerful incentive
to the State to promote the prompt updating of computer records.
The case has been remanded back down to the Arizona courts which may come up with an independent state basis to exclude the evidence.
 Caller ID Blocking Fails in Pennsylvania and Wisconsin
Following the disclosure by the New York Times that Caller ID blocking had failed in New York State, newspapers report that at
least two other states have had similar problems with the controversial phone service.
The Philadelphia Inquirer reported on March 1 that the phone numbers of more than 13,000 Bell Atlantic customers were improperly
Bell Atlantic did not inform the customers or the Public Utility Commission for several weeks, until they corrected the problem.
The phone company described the problem as "human error" in many cases and a software programming error in others. The Pennsylvania
PUC is investigating to see if Bell Atlantic violated state law by not informing customers of the error when it was discovered.
Last month, after the NYNEX problems in New York State were uncovered,
Ameritech revealed that nearly 1,000 customers in Wisconsin also were unprotected after signing up for the service.
 Industry Groups Urge Pervasive Crypto Implementation
Three leading international industry organizations have called for the lifting of governmental restrictions on cryptographic technology.
In a policy statement submitted to the G-7 Global Information Society Summit in Brussels, the European Association of Manufacturers
of Business Machines and Information Technology Industry (EUROBIT), the Information Technology Industry Council (ITI), and the
Japan Electronic Industry Development Association (JEIDA) said:
We want governments to recognize that their explicit support for the Global Information Infrastructure necessarily entails
implicit support for the general use of cryptographic technology.
Without pervasive cryptographic technology there can be no basis for privacy or trust, and the main benefits of the new industrial
revolution cannot be realized. If the Information Society is to develop, public policy must reflect the fact that this technology
will be used everywhere. Cryptography is essential both to the confidentiality of information and to information integrity,
including proof of correctness and electronic signatures. ...
We do of course recognize the legitimate needs of national authorities to enforce the rule of law, and to maintain national
security, but individuals and businesses have needs too - the need for privacy, and the need to operate on a basis of trust
and unless those needs are met the Information Society may not happen.
The organizations made the following recommendations:
* That governments, industry and users must agree on the cryptographic techniques to be used in the Global Information
Infrastructure and on a procedure for verifying that products conform to the techniques so agreed;
* That the agreed techniques and the agreed verification procedures must be made public;
* That the agreed techniques must be based on private sector led,
voluntary consensus international standards;
* That products implementing the agreed techniques should not be subject to import controls, restrictions on use within
or restrictive licensing;
* That products implementing the agreed techniques should be exportable to all countries, except those which are subject
to UN embargo; and
* That users and suppliers of products implementing the agreed techniques should be free to make technical and economic
choices about modes of implementation and operation, including a choice between implementation in hardware or software
EPIC had also urged the G-7 delegates to move toward strong cryptographic safeguards for privacy protection. (See EPIC Alert
 IRS Issues "Clarification" on Compliance 2000 Program Notice
Stating that its original December 20, 1994, notice may have "not adequately distinguished among the various uses of the compliance
system," the IRS has released a supplemental notice announcing that it will "clarify the notice to better describe more precisely
the type of activities covered."
The "clarification" states that "the system will not be used to support large scale data matching in order to identify for contact
by IRS officials." It distinguishes that information collected to "support compliance research on broadly shared characteristics
and compliance trends of large groups" from law enforcement actions. The notice states that the data collected for research purposes
will not be used to "select individuals for enforcement actions" or for enforcement actions.
It does admit that this information, which is described as market segment research," will include more information then ever before
from third parties and will allow for more use of this information.
However, it asserts that "life style or other highly personal information, even in the aggregate" will not be included.
EPIC has filed a Freedom of Information Act request with the IRS to determine the scope of the collection and use of this information.
 New Study Finds FCC Out of Step on Caller ID
EXPERTS SAY FCC MUST RECONSIDER CALLER ID
Proposed FCC Rule is a Mistake
WASHINGTON -- In a letter delivered to the Commissioners of the FCC,
two professors of communication recommend that the FCC drop a proposed regulation that would limit the privacy of telephone customers.
The letter accompanies a report on a study conducted by Professor Roopali Mukherjee of Indiana University and Professor Rohan Samarajiva
of the Ohio State University titled "Regulating 'Caller ID':
Emulation, Learning, and Inducement in the Policy Process."
According to the report, the vast majority of states make available at least two privacy options for the controversial Caller ID
also called Calling Line ID or CLID. However, the FCC is proposing that only the weaker privacy option be available to telephone
The report finds that:
* A clear majority of states provide both per-call and per-line blocking for CLID
* Over time states have moved from policies that provide fewer choices to customers to other more inclusive options
* The proposed FCC rule is both (a) inconsistent with the state regulation of CLID and (b) out of phase with
the development of CLID policies
Professor Samarajiva said, "Our assessment is based on a careful review of the proceedings in 48 jurisdictions. We believe that
it would be a mistake for the FCC to ignore the experience of the states that have looked closely at the CLID service."
Marc Rotenberg, the director of the Electronic Privacy Information Center in Washington DC and one of the experts who testified
in the state proceedings on CLID, said "The FCC should consider carefully the report of Professor Mukherjee and Professor Samarajiva.
The conclusion is unmistakable. The current FCC proposal is a serious mistake."
The FCC rule is expected to take effect on April 12.
 Wiretap Watch: FBI Begins Wiretap Law Implementation
On February 23, the FBI issued a Federal Register Notice on the "Implementation of the Communications Assistance for Law Enforcement
Act." According to the notice, there is now a Telecommunications Industry Liaison Unit in the Engineering Section, Information
Resources Division of the FBI to work with industry on the implementation of the new wiretap compliance requirements.
The FBI is expected to publish estimated wiretap capacity requirements
in the Federal Register by October 28, 1995. Carriers will then have three years to redesign the nation's phone system so that
all networks have the capability to:
- Isolate a particular electronic communication - Isolate call-identifying information - Deliver intercepted information to
a remote government monitoring location - Deliver information to the government without disclosing the government's
Washington Telecom Week on March 3 revealed that one of the first activities of the new Liaison Unit will be to send a questionnaire
to telephone companies asking for information on installing wiretaps since January 1993, a curious request since the FBI claimed
last year that it already had evidence of obstacles to electronic surveillance.
The FBI will use the information to determine technical capacity requirements.
The FBI will also be filing a notice in the Commerce Business Daily asking for comments on cost and payment procedures. For more
information about the FBI's wiretap plans, the FBI Telecommunications Industry Liaison Unit can be reached toll free at 1-800-551-0336.
 Upcoming Privacy Related Conferences and Events
Access, Privacy, and Commercialism: When States Gather Personal Information. College of William and Mary, Williamsburg, VA, Mar.17.
Contact: Trotter Hardy 804/221-3826.
"Intelligent Transportation: Serving the User Through Deployment" Mar.
15-17, Washington, DC. Sponsored by ITS America. Call Sandra Fitzgerald (202) 484-2902. (This conference is notable for its *lack*
of specific discussion of privacy issues over the 3 day, 70 panel meeting.)
Computers, Freedom and Privacy '95. Burlingame, CA. Mar. 28-31, 1995.
Sponsored by Stanford University and ACM. Speakers include John Morgridge (Cisco), Esther Dyson (Rel 1.0), Roger Wilkins (George
Mason University), Margaret Jane Radin (Stanford Law School), and Willis H.
Ware (Rand). Contact: cfp95forsythe.stanford.edu.
Privacy Advocates meeting. Burlingame, CA (in conjunction with CFP).
Apr. 1, 1995. Contact Robert Ellis Smith, Privacy Journal 401/274-7861 or 0005101719mcimail.com.
ETHICOMP95: An international conference on the ethical issues of using Information Technology. DeMontfort University, Leicester,
ENGLAND, March 28-30, 1995. Speakers include Simon Davies (Privacy International) Contact: Simon Rogerson srogdmu.ac.uk 44 533
577475 (phone) 44 533 541891 (Fax).
National Net '95: Reaching Everyone. Washington, DC. Apr. 5-7, 1995.
Sponsored by EDUCOM. The privacy panel will include Brock Meeks (CyberWire Dispatch), Bob Gellman (former Hill staffperson), and
Barry Steinhardt (ACLU). Contact: net95educom.edu or call 202/872-4200.
Information Security and Privacy in the Public Sector. Hyatt Dulles,
VA. Apr. 19-20, 1995. Sponsored by AIC Conferences. Speakers include Joan Winston (OTA), Lynn McNulty (NIST), Marc Rotenberg (EPIC),
Dorothy Denning (Georgetown University), David Banisar (EPIC) and Jim Bidzos (RSA). Contact: Scott Kessler 212/952-1899 x308
INET '95. Honolulu, HI. June 28-30, 1995. Sponsored by the Internet Society. Contact inet95isoc.org.
Advanced Surveillance Technologies. Sept. 4, 1995. Copenhagen,
Denmark. Sponsored by Privacy International and EPIC. Contact piepic.org.
"Managing the Privacy Revolution." Privacy & American Business. Oct.
31 - Nov. 1, 1995. Washington, DC. Speakers include C.B. Rogers (Equifax). Contact Alan Westin 201/996-1154.
(Send calendar submissions to Alertepic.org)
The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe, send the message:
SUBSCRIBE CPSR-ANNOUNCE Firstname Lastname
to listservcpsr.org. You may also receive the Alert by reading the USENET newsgroup comp.org.cpsr.announce.
Back issues are available via FTP/WAIS/Gopher/HTTP from cpsr.org /cpsr/alert and on Compuserve (Go NCSA), Library 2 (EPIC/Ethics).
An HTML version of the current issue is available from http://epic.digicash.com/epic
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to
focus public attention on emerging privacy issues relating to the National Information Infrastructure, such as the Clipper Chip,
the Digital Telephony proposal, medical record privacy, and the sale of consumer data. EPIC is sponsored by the Fund for Constitutional
Government and Computer Professionals for Social Responsibility.
EPIC publishes the EPIC Alert and EPIC Reports, pursues Freedom of Information Act litigation, and conducts policy research on
emerging privacy issues. For more information, email infoepic.org, WWW at HTTP://epic.digicash.com /epic or write EPIC, 666 Pennsylvania
SE, Suite 301, Washington, DC 20003. (202) 544-9240 (tel), (202)
The Fund for Constitutional Government is a non-profit organization established in 1974 to protect civil liberties and constitutional
rights. Computer Professionals for Social Responsibility is a national membership organization of people concerned about the impact
of technology on society. For information contact:
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible.
Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave.,
SE, Suite 301, Washington DC 20003.
Your contributions will help support Freedom of Information Act litigation, strong and effective advocacy for the right of privacy
and efforts to oppose Clipper and Digital Telephony wiretapping proposals.
END EPIC Alert 2.04