
EPIC Alert


EPIC Alert 3.17 [1996] EPICAlert 17


Volume 3.17 October 2, 1996

Published by the

Electronic Privacy Information Center

Washington, D.C.

Table of Contents

[1] White House Releases New Clipper Proposal

[2] International Crypto Symposium Held in Paris for OECD

[3] OECD Crypto Experts Meet in Paris

[4] Human Rights Groups Release Crypto Resolution

[5] E-FOIA Bill Approved by House and Senate

[6] P-TRAK SSN System Criticism Continues

[7] Avrahami Files Appeal to State Supreme Court

[8] Upcoming Conferences and Events

[1] White House Releases New Clipper Proposal

The White House has released the latest version of the key escrow/recovery plan intended to promote government access to encoded communications. The new proposal follows similar proposals in which the Administration offers to relax export regulations in exchange for an industry commitment to establish key escrow encryption.

Under the plan announced by the Office of the Vice President on October 1, 1996, companies would be allowed to export 56-bit encryption systems for the next two years if they set up a formal process to fully develop a key escrow system. After two years, non-escrow systems would be prohibited. Jurisdiction for the control of exports would also be transferred from the State Department to the Commerce Department. The Justice Department would be given veto power over export applications. The White House plans to introduce legislation for key escrow centers.

According to the statement released by the Vice President, the Administration will continue to promote key escrow encryption through the purchase of key recovery products, bilateral and multilateral discussions, federal cryptographic and key recovery standards, and federal funding.

The statement also said that "the Administration's initiative is broadly consistent with the recent recommendations of the National Research Council." However, the NRC report recommended against government promotion of key escrow encryption, noting that "the risks of key escrow encryption are considerable." Earlier this year, the Internet Society also endorsed a recommendation of the Internet Architecture Board and the Internet Engineering Steering Group which said that "such policies are against the interests of consumers and the business community, and are largely irrelevant to issues of military security."

IBM announced that it would establish an industry consortium to support the plan, and several US hardware companies signed on. However, Netscape head Jim Barksdale described the proposal as "extortion". Bipartisan criticism was also heard from Congress. Both Senator Leahy and Senator Burns quickly issued releases criticizing the proposal.

The software industry expressed opposition to the White House plan. The Software Publishers Association, the Business Software Alliance, and the International Technology Association of America criticized the proposal.

More information on Clipper 4.0 is available at:

[2] International Crypto Symposium Held in Paris for OECD

On September 25, 1996, cryptographers, human rights advocates, legal scholars, and delegates to the Organization for Economic Cooperation and Development met in Paris to explore issues concerning cryptography policy. The symposium was scheduled to coincide with an OECD meeting to consider new guidelines on international cryptography policy. The conference on the "Public Voice in the Development of International Encryption Policy" was sponsored by EPIC and Planete Internet and held in the Centre de Conferences des Internationales.

Justice Michael Kirby, a member of the High Court of Australia and former chair of the OECD expert panels on security and privacy, opened the conference with remarks that placed the current effort to develop cryptography guidelines in the larger context of the OECD's work on privacy and information security and the ongoing need to recognize human rights concerns.

Justice Kirby, drawing on his international human rights work in the area of HIV/AIDS, urged participants to keep in mind ten principles for the development of sound policies. Justice Kirby concluded his remarks with an appeal that "the claims of national security and law enforcement agencies be attained within a context of constitutionalism, the rule of law and respect for, and effective protection of human rights." Kirby reminded those present that "respect of human rights, and especially individual privacy" is "the ultimate common denominator of the OECD."

Welcoming remarks were provided by Mr. Norman Reaburn, the Chair of the OECD Expert Panel on Cryptography Policy; Mr. John Dryden, the head of the OECD Secretariat; and Mr. Marc Rotenberg, the director of the Electronic Privacy Information Center (EPIC) in Washington, DC. The panels were moderated by OECD delegates from Australia, Canada, Germany, and Japan.

The first panel, "Cryptography Policy: The View of Cryptographers," featured Dr. Ross Anderson of the University of Cambridge, Dr. Matt Blaze of AT&T Laboratories, Dr. Whitfield Diffie of Sun Microsystems, Mr. Yves Le Roux of Digital Research, and Dr. Herb Lin of the National Research Council.

The second panel, "Human Rights Issues in the Development of Cryptography Policy," featured Mr. Dave Banisar of EPIC, Mme. Louise Cadoux of the Commission Nationale de l'Informatique et des Libertés, Mr. Simon Davies of Privacy International, Mr. Barry Steinhardt with the American Civil Liberties Union, and Mr. Alain Weber of the French Human Rights League.

The third panel, "User Needs for Strong Cryptography," featured Dr. Brian Carpenter of the Internet Architecture Board, Dr. Stéphane Bortzmeyer of the Association des Utilisateurs d'Internet, and Mr. Phil Zimmermann of Pretty Good Privacy Inc.

The final panel, "Legal Dimensions and Cryptography Policy," featured Mr. Victor Mayer-Schoenberger of the Austrian Institute for Law and Policy, Mr. Kevin O'Connor, the Australian Privacy Commissioner, and Prof. Joel Reidenberg of the Fordham Law School and the Sorbonne.

The complete program for the EPIC/Planete Internet conference, the speech of Justice Kirby, remarks of speakers, and other resources are available at:

[3] OECD Crypto Experts Meet in Paris

Following the EPIC/Planete Internet conference, the OECD Member countries met in Paris for two days to discuss Cryptography Policy Guidelines that could provide internationally comparable criteria for encryption of computerised information.

According to the OECD, the Guidelines identify the issues which countries should take into consideration in formulating cryptography policies at the national and international level. An OECD press statement said that, "Discussions have focused on the rights of users to choose cryptographic methods, the freedom of the market to develop them, interoperability, consequences for the protection of personal data and privacy, lawful access to encrypted data, and reducing the barriers to international trade."

The OECD Guidelines will be non-binding recommendations to Member governments, meaning that they will not be part of international law, nor will they endorse any specific cryptography system.

The Group of Experts on Cryptography Policy will continue discussions the week of December 16, with a view to completion this year of a draft of the Guidelines which would be forwarded for approval by the Council of the OECD early in 1997.

The complete text of the OECD press statement is available in English at:

The complete text of the OECD press statement is available in French at:

[4] Human Rights Groups Release Crypto Resolution

More than a dozen international human rights and cyber rights organizations recently endorsed a resolution in Support of the Freedom to Use Encryption. The resolution was released in Paris on September 25, just prior to the meeting of the OECD.

Noting that "national governments have already taken steps to detain and to harass users and developers of cryptography technology" and that "cryptography is already in use by human rights advocates who face persecution by their national governments," the organizations urged the OECD to "base its cryptography policies on the fundamental right of citizens to engage in private communication."

The organizations further urged the OECD to "resist policies that would encourage the development of communication networks designed for surveillance."

The organizations that endorsed the resolution included ALCEI (Electronic Frontiers Italy), the American Civil Liberties Union, Association des Utilisateurs d'Internet, CITADEL-EF France, Computer Professionals for Social Responsibility, cyberPOLIS, Digital Citizens Foundation in the Netherlands, EFF-Austin, Electronic Frontier Australia, Electronic Frontier Canada, Electronic Frontier Foundation, Electronic Privacy Information Center, Human Rights Watch, NetAction, and Privacy International.

The campaign was organized by the Global Internet Liberty Coalition, a new coalition of national and international human rights and cyber rights organizations.

The complete text of the crypto resolution is available at:

[5] E-FOIA Bill Approved by House and Senate

Congress has passed and sent to the President the Electronic Freedom of Information Act Amendments of 1996. The "E-FOIA" legislation requires federal agencies to make information available to requesters in electronic form "if the record is readily reproducible by the agency in that form or format." It also requires agencies to maintain indices of previously released documents that are "likely to become the subject of subsequent requests," and to make such indices available "by computer telecommunications" no later than December 31,

The legislation also attempts to tackle the perennial problem of agency delays in responding to FOIA requests. These provisions include the establishment of "multitrack processing of requests ... based on the amount of work or time (or both) involved," and the expedited processing of requests upon a showing of "compelling need." It is likely that these new provisions, like earlier FOIA amendments designed to improve public access, will be applied narrowly by federal agencies and become the subject of litigation.

The text of the E-FOIA legislation is available at:

[6] P-TRAK SSN System Criticism Continues

Opposition to the proliferation of commercial databases exploded into public view recently when the Lexis-Nexis P-TRAK "personal locator" system prompted a flood of angry e-mail and telephone calls to the information service company. The P-TRAK database originally allowed Lexis-Nexis subscribers to search under an individual's name and access telephone numbers, addresses, previous addresses, maiden names and Social Security numbers (SSNs). After an initial flurry of complaints in June, the company claimed that it had eliminated SSNs from its database. After the recent flare-up, the firm provided a clarification: SSNs are no longer searchable using an individual's name, but a subscriber can start with an SSN (or any nine-digit number, for that matter), and obtain all of the personally-identifying information that goes along with that number.

Also, contrary to claims of the Lexis/Nexis company, the personal data was not publicly available, nor is it similar to "white pages" information. In fact, Lexis/Nexis obtained the P-TRAK personal locator information from TransUnion, a credit reporting agency. The two companies exploited a loophole in the Fair Credit Reporting Act which leaves credit "header" information unprotected even though the associated credit report could not be disclosed.

In the wake of the P-TRAK episode, the Federal Trade Commission recommended that Congress take steps to provide greater protection for sensitive information. The FTC says that it has received "numerous complaints ... concerning recently-introduced, widely-available commercial services that provide, for a fee, identifying information on individuals." Congress adjourned before it could act, but is likely to take up the issue next year.

Additional information on the misuse of Social Security numbers is available at:

[7] Avrahami Files Appeal to State Supreme Court

Ram Avrahami, the Virginia resident who brought suit last year against U.S. News and World Report for selling his name without his consent, has appealed the decision of a lower court to the Virginia State Supreme Court.

Mr. Avrahami argues that the lower court wrongly dismissed his claim. He argues that under Virginia law "the unauthorized sale, exchange, or rental of a person's name as part of a mailing list violates the Privacy Act's prohibition on using a person's name for the purposes of trade." He also contends, among other points, that "the Mail Preference Service established by the Direct Marketing Association is no substitute for the 'written consent' required by the Privacy Act."

U.S. News & World Report will reply to Mr. Avrahami's motion and then the Virginia Supreme Court must decide whether to review the decision of the lower court.

More information on Avrahami v. US News & World Report is available at:

[8] Upcoming Conferences and Events

"Managing Privacy in Cyberspace and Across National Borders." October 8-10, 1996. Washington, DC. Sponsored by Privacy and American Business. Contact: Lorrie Sherwood, (201) 996-1154.

"The Information Society: New Risks & Opportunities in Privacy," October 17-18, 1996. Bruxelles, Belgium. Sponsored by the European Parliament. Contact:

"Communications Unleashed - What's at Stake? Who Benefits? How to Get Involved!" October 19-20, 1996. Washington DC. Sponsored by CPSR and Georgetown University. Contact:

"19th National Information Systems Security Conference." October 22-25, 1996. Baltimore, MD. Sponsored by NSA & NIST. Contact: Tammy Grice (301) 948-2067.

National Consumer Rights Litigation Conference: Defending Consumer Access to Justice. October 26-28. Washington, DC. Sponsored by the National Consumer Law Center. Contact: NCSL: (617) 523-7398 (fax).

ETHICOMP96: The Third International Conference on Ethical Issues of Information Technology, November 6-8, 1996. Madrid, Spain. Contact:

"CFP97: Commerce & Community." March 11-14, 1997. Burlingame,
California. Sponsored by the Association for Computing Machinery.
Contact: or

"Eurosec'97, the Seventh Annual Forum on Information Systems Quality and Security." March 17-19, 1997. Paris, France. Sponsored by XP Conseil. Contact:

"INET 97 -- The Internet: The Global Frontiers." June 24-27, 1997.
Kuala Lumpur, Malaysia. Sponsored by the Internet Society. Contact: or

(Send calendar submissions to

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe, send email with the subject: "subscribe" (no quotes).

Back issues are available via

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues relating to the National Information Infrastructure, such as the Clipper Chip, the Digital Telephony proposal, medical record privacy, and the sale of consumer data. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research.
For more information, email, HTTP:// or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks should
be made out to "The Fund for Constitutional Government" and sent to EPIC,
666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003.

Your contributions will help support Freedom of Information Act and First
Amendment litigation, strong and effective advocacy for the right of
privacy and efforts to oppose government regulation of encryption and
funding of the National Wiretap Plan.

Thank you for your support.
