You are here:
EPIC Alert >>
 EPICAlert 13
EPIC Alert 3.13  EPICAlert 13 (10 July 1996)
Volume 3.13 July 10, 1996
Published by the
Electronic Privacy Information Center
Table of Contents
 Clipper Returns ... Again
 Commerce Notice for Key Escrow Panel
 Supreme Court Rules on Cable Censorship
 Justice Department Appeals CDA Decision
 FBI File Controversy Continues to Grow
 Crypto Hearings Update
 EU Committee Approves Telecom Privacy Directive
 Upcoming Conferences and Eventss
Marking the fourth time that the Clinton Administration has tried topush though a proposal for key escrow encryption, the Department
ofCommerce announced this week that the Secretary of Commerce willappoint a panel to advise on the implementation of a "key managementinfrastructure."
The KMI proposal was first put forward by the WhiteHouse in May. The proposal called for the creation of a key managementinfrastructure
which would require users to disclosure their privatekeys to a government certified escrow agent. It was quickly dubbed"Clipper III,"
and widely criticized by the public and members ofCongress. (See EPIC Alert 3.10
The new proposal also flies in the face of the recent findings of anextensive report from the National Research Council which concludedthat
it would be a mistake to continue "aggressive promotion" of keyescrow encryption. The NRC found that there was insufficientexperience
to support large scale deployment of key escrow; key escrowwould not solve the most serious law enforcement problems; key escrowwill
have "a significant negative impact" on the development of newinformation services and technologies; and key escrow will skew marketdevelopment
of encryption applications.
The KMI proposal also contradicts a recent recommendation by theDepartment of Commerce's own Computer System Security and PrivacyAdvisory
Board which endorsed the conclusions of the NRC report. (SeeEPIC Alert 3.11
More information is available at http://www.epic.org/crypto/key_escrow/
[Federal Register: July 8, 1996 (Volume 61, Number 131)]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
DEPARTMENT OF COMMERCE
Technical Advisory Committee To Develop a Federal InformationProcessing Standard for the Federal Key Management Infrastructure;
Notice of Establishment
In accordance with the provisions of the Federal Advisory CommitteeAct, 5 U.S.C. App. 2, and the General Services Administration
rule on Federal Advisory Committee Management, 41 CFR Part 101-6, andafter consultation with GSA, the Secretary of Commerce has determinedthat
the establishment of the Technical Advisory Committee to Develop aFederal Information Processing Standard for the Federal Key ManagementInfrastructure
is in the public interest in connection with theperformance of duties imposed on the Department by law.
The Committee will advise the Secretary on the development of adraft Federal Information Processing Standard for the Federal KeyManagement
The Committee will consist of no more than twenty-four members tobe appointed by the Secretary to assure a balanced representation
amongindividuals with established expertise in cryptography and theimplementation and use of cryptographic systems.
The Committee will function solely as an advisory body, and incompliance with provisions of the Federal Advisory Committee Act.
Thecharter will be filed under the Act, fifteen days from the date ofpublication of this notice.
Interested persons are invited to submit comments regarding theestablishment of this committee to Edward Roback, Computer Security,
National Institute of Standards and Technology, Gaithersburg, MD 20899,
Dated: June 27, 1996.
Chief Counsel for the Technology Administration.
In a precursor to the impending review of the Communications DecencyAct, the Supreme Court on June 28 struck down two provisions and
upheldone of a law on regulating "indecent" programming on cable television.
The Court splintered on the case, generating a total of five opinions,
with most of the decision lacking a solid majority. The effects on theCDA case are unclear.
In the first part of the decision, Denver Area Education versus FCC,
No. 95-124 and 95-227, a plurality of four judges upheld section 10(a)
of the cable legislation, which allows cable companies to restrict"patently offensive" programming on "leased access" channels. Leasedaccess
channels are channels set aside for use by third partycommercial entities for programming such as infomercials and shoppingchannels.
The decision creates a new standard for review described byadvocates as "fuzzy scrutiny" that looks at an "extremely importantproblem
. . . without imposing an unnecessarily great restriction onspeech."
In the only part of the decision that garnered a majority, the Courtstruck down Section 10(b) of the act which required that all "patentlyoffensive"
material on leased access channels be placed on a specialchannel and that subscribers who wished to view the channel send awritten
request to the cable company thirty days in advance of theprogramming.
The Court, with a majority of six judges, ruled that the provision wasnot narrowly tailored. It recognized that there are other alternativesincluding
lockboxes and the V-chip (without ruling on itsconstitutionality) that could also have been used. The Court alsorecognized the privacy
interest in the list created by the provisionand its chilling effect on free speech:
the "written notice" requirement will further restrict viewing by subscribers who fear for their reputations should the operator,
advertently or inadvertently, disclose the list of those who wish to watch the "patently offensive" channel.
Cf. Lamont v. Postmaster General, 381 U.S. 301, 307 (1965)
(finding unconstitutional a requirement that recipients of Communist literature notify the Post Office that they wish to receive
Finally, a plurality of four judges struck down section 10(c) whichallowed cable operators to restrict "patently offensive" programming
onpublic access channels. It noted that cable TV companies have nothistorically had editorial control over these channels and that
thereis already an infrastructure of boards and managers that set policy forthe channels. It found no examples of the channels being
used for thekind of programming banned, but noted the fears of programmers whobelieved that the cable companies would use the new
powers abusively torestrict other "borderline" programming.
On July 1, 1996, the Justice Department filed a notice with the USDistrict Court in Philadelphia noting its appeal to the US SupremeCourt
of the lower court's decision striking down provisions of theCommunications Decency Act.
The CDA contains provisions allowing for a direct appeal to the SupremeCourt. Section 561 allows for expedited review of the decision
directlyto the Court instead of the usual appeal to the Court of Appeals:
(b) Appellate Review. -- Notwithstanding any other provision of law, an interlocutory or final judgment, decree, or order of
court of 3 judges in an action under subsection (a) holding this
title or an amendment made by this title, or any provision thereof,
unconstitutional shall be reviewable as a matter of right by direct appeal to the Supreme Court. Any such appeal shall be filed
not more than 20 days after entry of such judgment, decree, or order.
More information on the CDA decision is available at:
In early June, the House Government Reform and Oversight Committeerevealed that the White House had requested the FBI file on formerTravel
Office employee Billy Dale. Soon after, it was also revealedthat the White House had obtained hundreds other individuals' FBIfiles.
Some of the files requested by the White House were those ofmembers of previous Republican administrations. So far, 481 files areknown
to have been sent to the White House and there are unconfirmedreports of hundreds more. The White House is claiming that the fileswere
obtained as part of a bureaucratic mistake.
The White House and the FBI quickly apologized for their action. WhiteHouse Chief of Staff Leon Panetta said, "A mistake has been
It is inexcusable and I think an apology is owed to those that wereinvolved." FBI Director Louis J. Freeh described the disclosure
offiles as an "egregious violations of privacy" and noted that "the FBIgave inadequate protection to the privacy interests of persons
Despite these apologies, the FBI maintains that its release ofconfidential information to the White House was not against the law.
The Privacy Act of 1974, which does not apply to the White House,
requires that record-holding agencies, such as the FBI, get thepermission of an individual before disclosing their record. Althoughthe
FBI did not have the appropriate permissions, they claim they didnot violate the Privacy Act because their actions fall under the"routine
use" exception in the Act. A report by Howard Shapiro, FBIGeneral Counsel, states that the routine use "to assist the recipientagency
in the performance of any authorized function where access torecords in this system is declared by the recipient agency to berelevant
to that function" is applicable because the White Houserequests appeared to be legitimate requests.
Legal scholars note that if the FBI's claim of "routine use" survivesjudicial scrutiny, the Privacy Act's safeguards will have littlemeaning.
Even revised internal policies designed to prevent similarincidents from happening in the future could be relaxed in the future.
A Senate oversight committee may soon hold hearings to consider whetheramendments to the Privacy Act are necessary to ensure protection
ofpersonal information held in federal agencies.
More information on the FBI files issue is available from:
On June 26, Senator Conrad Burns chaired the second hearing on S. 1726,
the "Pro-CODE" bill. The hearings examined civil liberties issuesraised by encryption policy and encryption techniques. Witnessesincluded
Phil Zimmermann of Pretty Good Privacy, Whit Diffie of SunMicrosystems, Phil Karn of Qualcomm, Barbara Simons of USACM and MarcRotenberg
The hearing took place in the wake of revelations of the FBI filesabuses. Both Committee members and witnesses spoke to the need
toprotect citizens' communications from overzealous government action.
Senator John Ashcroft emphasized protecting individuals' privacy: "Theevents this last week or two bring into sharp focus the need
. . . tohave private items that are not abused, and to think that somehow wewould have to register with a government agency some
way for them toparticipate in the most private of our understandings, your thoughts,
unless we chose not to record them, is a very troubling thought."
Marc Rotenberg, director of the Electronic Privacy Information Center,
said that "current encryption policies are destined for the historybooks," and stressed the point that the government should not dictatetechnical
standards for encryption. "It is absolutely critical thatusers be able to choose from a wide range of good tools that aredesigned
to protect privacy and security."
The Committee and the witnesses also discussed the implications ofstrong cryptography for law enforcement. There was general agreementthat
cryptography would prevent many crimes of opportunity, although itcould make some investigations more difficult. Everyone recognizedthat
the potential negative uses of cryptography are already possiblebut that good uses require encouragement. Whitfield Diffie noted:
"Asmall number of people in a conspiracy can secure their communicationsrather readily. But the legitimate applications of cryptography
requirea worldwide infrastructure . . . and as long as we delay thedevelopment of that infrastructure, we are giving the relativeadvantage
to the bad guys rather than the good guys."
The final hearing on the Pro-CODE bill will take place on June 24.
Officials from law enforcement and intelligence agencies are expectedto testify.
More information about export control issues can be found at:
The EU Telecommunications Committee approved on June 27 a directive ontelecommunications privacy for digital networks. The new directiveestablishes
several new privacy requirements and follows the recentlyenacted directive on privacy and data protection.
The directive requires free per-line and per-call blocking for CallerID services. In addition, automatic rejection of blocked calls
must beoffered for free. These provisions can be overridden only in limitedcircumstances.
Other information collected for call placement can be kept only untilthe service is completed. Billing data can only be kept for
thestatutory period in which it could be challenged. Member countriesmust also ensure that "the privacy of calling users and calledsubscribers
is preserved" for itemized bills.
On telemarketing, automated calls with pre-recorded messages are bannedunless the individual has given affirmative consent. Member
countriesare required "to ensure that unsolicited calls for promotional oradvertising/research purposes are not allowed in respect
of subscriberswho do not wish to receive these calls."
On wiretapping, the directive prohibits any wiretaps that are notlegally authorized. It requires that for a "particular risk of a
breachof the security of the network" such as mobile telephones, thatsubscribers be informed and that the service provider must offerencryption.
DEF CON IV. July 26-28. Las Vegas, NV. Annual hacker convention.
Contact: dtangentdefcon.org or http://www.defcon.org/.
Surveillance Expo 96. August 19-21. McLean, Virginia. Sponsored byRoss Associates. Contact: Marilyn Roseberry 703-450-2200.
Fifth International Information Warfare Conference, "Dominating theBattlefields of Business and War", September 5-6, 1996. Washington,
DC. Sponsored by Interpact, NCSA, OSS. Contact: infowar96ncsa.com
Advanced Surveillance Technologies II. September 16, 1996. Ottawa,
Canada. Sponsored by EPIC and Privacy International. Contact:
http://www.privacy.org/pi/conference/ottawa/ or email piprivacy.org.
"Privacy Beyond Borders", 18th International Privacy and DataProtection Conference. September 18-20, 1996. Ottawa, Canada.
Sponsored by the Privacy Commissioner of Canada. Contact:
CPSR Annual Meeting. October 19-20. Washington DC. Contact: phylandaol.com.
(Send calendar submissions to Alertepic.org)
The EPIC Alert is a free biweekly publication of the ElectronicPrivacy Information Center. To subscribe, send email toepic-newsepic.org with the subject: "subscribe" (no quotes).
Back issues are available via http://www.epic.org/alert/
The Electronic Privacy Information Center is a public interestresearch center in Washington, DC. It was established in 1994 to focuspublic
attention on emerging privacy issues relating to the NationalInformation Infrastructure, such as the Clipper Chip, the DigitalTelephony
proposal, medical record privacy, and the sale of consumerdata. EPIC is sponsored by the Fund for Constitutional Government, anon-profit
organization established in 1974 to protect civil libertiesand constitutional rights. EPIC publishes the EPIC Alert, pursuesFreedom
of Information Act litigation, and conducts policy research.
For more information, email infoepic.org, HTTP://www.epic.org orwrite EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks should
be made out to "The Fund for Constitutional Government" and sent to EPIC,
666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003.
Your contributions will help support Freedom of Information Act and First
Amendment litigation, strong and effective advocacy for the right of
privacy and efforts to oppose government regulation of encryption and
funding of the National Wiretap Plan.
Thank you for your support.