EPIC Alert 3.17 (2 October 1996)
Volume 3.17 October 2, 1996
Published by the
Electronic Privacy Information Center
Table of Contents
 White House Releases New Clipper Proposal
 International Crypto Symposium Held in Paris for OECD
 OECD Crypto Experts Meet in Paris
 Human Rights Groups Release Crypto Resolution
 E-FOIA Bill Approved by House and Senate
 P-TRAK SSN System Criticism Continues
 Avrahami Files Appeal to State Supreme Court
 Upcoming Conferences and Events
The White House has released the latest version of the key escrow/recovery plan intended to promote government access to encoded communications.
The new proposal follows similar proposals in which the Administration offers to relax export regulations in exchange for an industry
commitment to establish key escrow encryption.
Under the plan announced by the Office of the Vice President on October 1, 1996, companies would be allowed to export 56-bit encryption
systems for the next two years if they set up a formal process to fully develop a key escrow system. After two years,
non-escrow systems would be prohibited. Jurisdiction for the control of exports would also be transferred from the State Department
to the Commerce Department. The Justice Department would be given veto power over export applications. The White House plans to introduce legislation
for key escrow centers.
According to the statement released by the Vice President, the Administration will continue to promote key escrow encryption through the
purchase of key recovery products, bilateral and multilateral discussions, federal cryptographic and key recovery standards, and federal
The statement also said that "the Administration's initiative is broadly consistent with the recent recommendations of the National Research
Council." However, the NRC report recommended against government promotion of key escrow encryption, noting that "the risks of key
escrow encryption are considerable." Earlier this year, the Internet Society also endorsed a recommendation of the Internet Architecture
Board and the Internet Engineering Steering Group which said that "such policies are against the interests of consumers and the business
community, and are largely irrelevant to issues of military security."
IBM announced that it would establish an industry consortium to support the plan, and several US hardware companies signed on.
However, Netscape head Jim Barksdale described the proposal as "extortion". Bipartisan criticism was also heard from Congress. Both Senator
Leahy and Senator Burns quickly issued releases criticizing the proposal.
The software industry expressed opposition to the White House plan.
The Software Publishers Association, the Business Software Alliance,
and the International Technology Association of America criticized the proposal.
More information on Clipper 4.0 is available at:
On September 25, 1996, cryptographers, human rights advocates, legal scholars, and delegates to the Organization for Economic Cooperation and
Development met in Paris to explore issues concerning cryptography policy. The symposium was scheduled to coincide with an OECD meeting to
consider new guidelines on international cryptography policy. The conference on the "Public Voice in the Development of International Encryption
Policy" was sponsored by EPIC and Planete Internet and held in the Centre de Conferences des Internationales.
Justice Michael Kirby, a member of the High Court of Australia and former chair of the OECD expert panels on security and privacy,
opened the conference with remarks that placed the current effort to develop cryptography guidelines in the larger context of the OECD's
work on privacy and information security and the ongoing need to recognize human rights concerns.
Justice Kirby, drawing on his international human rights work in the area of HIV/AIDS, urged participants to keep in mind ten principles for
the development of sound policies. Justice Kirby concluded his remarks with an appeal that "the claims of national security and law enforcement
agencies be attained within a context of constitutionalism, the rule of law and respect for, and effective protection of human rights."
Kirby reminded those present that "respect of human rights, and especially individual privacy" is "the ultimate common denominator
of the OECD."
Welcoming remarks were provided by Mr. Norman Reaburn, the Chair of the OECD Expert Panel on Cryptography Policy, Mr. John Dryden, the head
of the OECD Secretariat, and Mr. Marc Rotenberg, the director of the Electronic Privacy Information Center (EPIC) in Washington, DC.
The panels were moderated by OECD delegates from Australia, Canada,
Germany, and Japan.
The first panel, "Cryptography Policy: The View of Cryptographers,"
featured Dr. Ross Anderson of the University of Cambridge, Dr. Matt Blaze of AT&T Laboratories, Dr. Whitfield Diffie of Sun Microsystems,
Mr. Yves Le Roux of Digital Research, and Dr. Herb Lin of the National Research Council.
The second panel, "Human Rights Issues in the Development of Cryptography Policy," featured Mr. Dave Banisar of EPIC, Mme. Louise Cadoux
of the Commission Nationale de l'Informatique et des Libertés,
Mr. Simon Davies of Privacy International, Mr. Barry Steinhardt with the American Civil Liberties Union, and Mr. Alain Weber of the
French Human Rights League.
The third panel, "User Needs for Strong Cryptography," featured Dr.
Brian Carpenter of the Internet Architecture Board, Dr. Stéphane Bortzmeyer of the Association des Utilisateurs d'Internet, and Mr.
Phil Zimmermann of Pretty Good Privacy Inc.
The final panel, "Legal Dimensions and Cryptography Policy," featured Mr. Victor Mayer-Schoenberger of the Austrian Institute for Law
and Policy, Mr. Kevin O'Connor, the Australian Privacy Commissioner, and Prof. Joel Reidenberg of the Fordham Law School and the Sorbonne.
The complete program for the EPIC/Planete Internet conference, the speech of Justice Kirby, remarks of speakers, and other resources
Following the EPIC/Planete Internet conference, the OECD Member countries met in Paris for two days to discuss Cryptography Policy Guidelines
that could provide internationally comparable criteria for encryption of computerised information.
According to the OECD, the Guidelines identify the issues which countries should take into consideration in formulating cryptography policies
at the national and international level. An OECD press statement said that, "Discussions have focused on the rights of users to choose
cryptographic methods, the freedom of the market to develop them, interoperability, consequences for the protection of personal data
and privacy, lawful access to encrypted data, and reducing the barriers to international trade."
The OECD Guidelines will be non-binding recommendations to Member governments, meaning that they will not be part of international
nor will they endorse any specific cryptography system.
The Group of Experts on Cryptography Policy will continue discussions the week of December 16, with a view to completion this year
of a draft of the Guidelines which would be forwarded for approval by the Council of the OECD early in 1997.
The complete text of the OECD press statement is available in English at:
The complete text of the OECD press statement is available in French at:
More than a dozen international human rights and cyber rights organizations recently endorsed a resolution in Support of the Freedom to
Use Encryption. The resolution was released in Paris on September 25, just prior to the meeting of the OECD.
Noting that "national governments have already taken steps to detain and to harass users and developers of cryptography technology"
and that "cryptography is already in use by human rights advocates who face persecution by their national governments," the organizations urged
the OECD to "base its cryptography policies on the fundamental right of citizens to engage in private communication."
The organizations further urged the OECD to "resist policies that would encourage the development of communication networks designed
The organizations that endorsed the resolution included ALCEI (Electronic Frontiers Italy), the American Civil Liberties Union,
Association des Utilisateurs d'Internet, CITADEL-EF France, Computer Professionals for Social Responsibility, cyberPOLIS, Digital Citizens Foundation
in the Netherlands, EFF-Austin, Electronic Frontier Australia, Electronic Frontier Canada, Electronic Frontier Foundation,
Electronic Privacy Information Center, Human Rights Watch, NetAction,
and Privacy International.
The campaign was organized by the Global Internet Liberty Coalition, a new coalition of national and international human rights and
The complete text of the crypto resolution is available at:
Congress has passed and sent to the President the Electronic Freedom of Information Act Amendments of 1996. The "E-FOIA" legislation requires
federal agencies to make information available to requesters in electronic form "if the record is readily reproducible by the agency
in that form or format." It also requires agencies to maintain indices of previously released documents that are "likely to become the
subject of subsequent requests," and to make such indices available "by computer telecommunications" no later than December 31,
The legislation also attempts to tackle the perennial problem of agency delays in responding to FOIA requests. These provisions include the
establishment of "multitrack processing of requests ... based on the amount of work or time (or both) involved," and the expedited processing
of requests upon a showing of "compelling need." It is likely that these new provisions, like earlier FOIA amendments designed to improve
public access, will be applied narrowly by federal agencies and become the subject of litigation.
The text of the E-FOIA legislation is available at:
Opposition to the proliferation of commercial databases exploded into public view recently when the Lexis-Nexis P-TRAK "personal locator"
system prompted a flood of angry e-mail and telephone calls to the information service company. The P-TRAK database originally allowed Lexis-Nexis
subscribers to search under an individual's name and access telephone numbers, addresses, previous addresses, maiden names and Social
Security numbers (SSNs). After an initial flurry of complaints in June, the company claimed that it had eliminated SSNs from its database.
After the recent flare-up, the firm provided a clarification: SSNs are no longer searchable using an individual's name, but a subscriber
can start with an SSN (or any nine-digit number, for that matter), and obtain all of the personally-identifying information that goes
along with that number.
Also, contrary to claims of the Lexis/Nexis company, the personal data was not publicly available, nor is it similar to "white pages"
information. In fact, Lexis/Nexis obtained the P-TRAK personal locator information from TransUnion, a credit reporting agency. The
two companies exploited a loophole in the Fair Credit Reporting Act which leaves credit "header" information unprotected even though
the associated credit report could not be disclosed.
In the wake of the P-TRAK episode, the Federal Trade Commission recommended that Congress take steps to provide greater protection
for sensitive information. The FTC says that it has received "numerous complaints ... concerning recently-introduced, widely-available commercial
services that provide, for a fee, identifying information on individuals." Congress adjourned before it could act, but is likely to
take up the issue next year.
Additional information on the misuse of Social Security numbers is available at:
Ram Avrahami, the Virginia resident who brought suit last year against U.S. News and World Report for selling his name without his
has appealed the decision of a lower court to the Virginia State Supreme Court.
Mr. Avrahami argues that the lower court wrongly dismissed his claim.
He argues that under Virginia law "the unauthorized sale, exchange, or rental of a person's name as part of a mailing list violates
the Privacy Act's prohibition on using a person's name for the purposes of trade." He also contends, among other points, that "the
Mail Preference Service established by the Direct Marketing Association is no substitute for the 'written consent' required by the
U.S. News & World Report will reply to Mr. Avrahami's motion and then the Virginia Supreme Court must decide whether to review the
decision of the lower court.
More information on Avrahami v. US News & World Report is available at:
"Managing Privacy in Cyberspace and Across National Borders." October 8-10, 1996. Washington, DC. Sponsored by Privacy and American Business.
Contact: Lorrie Sherwood, (201) 996-1154.
"The Information Society: New Risks & Opportunities in Privacy,"
October 17-18, 1996. Bruxelles, Belgium. Sponsored by the European Parliament. Contact: http://www.droit.fundp.ac.be/privacy96.html
"Communications Unleashed - What's at Stake? Who Benefits? How to Get Involved!" October 19-20, 1996. Washington DC. Sponsored by CPSR
and Georgetown University. Contact: phyland@aol.com.
"19th National Information Systems Security Conference." October 22-25, 1996. Baltimore, MD. Sponsored by NSA & NIST. Contact: Tammy Grice
National Consumer Rights Litigation Conference: Defending Consumer Access to Justice. October 26-28. Washington, DC. Sponsored by the National
Consumer Law Center. Contact: NCSL: (617) 523-7398 (fax).
ETHICOMP96: The Third International Conference on Ethical Issues of Information Technology, November 6-8, 1996. Madrid, Spain. Contact:
"CFP97: Commerce & Community." March 11-14, 1997. Burlingame,
California. Sponsored by the Association for Computing Machinery.
Contact: Cfp97@cfp.org or http://www.cfp.org.
"Eurosec'97, the Seventh Annual Forum on Information Systems Quality and Security." March 17-19, 1997. Paris, France. Sponsored by
XPConseil. Contact: http://ourworld.compuserve.com/homepages/eurosec/
"INET 97 -- The Internet: The Global Frontiers." June 24-27, 1997.
Kuala Lumpur, Malaysia. Sponsored by the Internet Society. Contact:
inet97@isoc.org or http://www.isoc.org/inet97.
(Send calendar submissions to Alert@epic.org)
The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe, send email to epic-news@epic.org with the subject: "subscribe" (no quotes).
Back issues are available via http://www.epic.org/alert/
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues relating to the National Information Infrastructure, such as the Clipper Chip, the Digital Telephony
proposal, medical record privacy, and the sale of consumer data. EPIC is sponsored by the Fund for Constitutional Government, a non-profit
organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom
of Information Act litigation, and conducts policy research.
For more information, email info@epic.org, http://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).
If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks should
be made out to "The Fund for Constitutional Government" and sent to EPIC,
666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003.
Your contributions will help support Freedom of Information Act and First
Amendment litigation, strong and effective advocacy for the right of
privacy and efforts to oppose government regulation of encryption and
funding of the National Wiretap Plan.
Thank you for your support.