The Sixth GVU WWW survey is now available. The most comprehensive pollof Internet user attitudes looks at a wide range of issues, from userdemographics to modem speeds and views on Internet commerce. Butperhaps of most interest (at least to readers of the EPIC Alert) is thesurvey's detailed examination of the Net's view of privacy and dataprotection. Here are the highlights (5 indicates complete, total,
metaphysical agreement; 1 means the opposite):
- Anonymity and new laws to protect privacy received high ratings.
Nearly everyone felt strongly that people ought to be able to haveprivate communications over the Internet (4.7). Users greatly valueanonymity on the Internet (4.5). Most people also prefer anonymouspayment systems (3.9) and feel that the Internet needs new laws toprotect privacy (3.8).
- Users also made clear that they want to control their demographicinformation (4.4). While users tend not to like junk mail (2.3), theywere even more opposed to receiving mass e-mailings (1.7). Likewise,
while users believe that magazines do not have the right to reselldemographic information (2.1), they feel even stronger with respect toWWW sites selling demographic information (1.8).
The survey concluded, "The notion that people like to receive targetedmarketing material is not supported by the data, regardless of themedium. There is high agreement on these issues across strata."
- Many users (70%) said that they would not fill out registration formsaccurately unless web operators were more forthcoming about the use ofdata collected. Over 62% report that they do not trust the collectingsite.
Similar concerns among Internet users were found in the 1996Equifax/Harris Consumer Privacy Survey released in mid-November. Amongthe key findings of that poll:
- 60% of Internet users favor anonymity, agreeing that "users should beable to visit Internet sites and use e-mail without having to givetheir real identities."
- An even greater percentage of Internet users (71%) feel thatproviders of on-line services should not be able to "track the placesusers go on the Internet in order to send these users targetedmarketing offers."
- The Harris-Equifax poll also found that Internet users were morelikely to favor the creation of a federal privacy commission thannon-users.
More information about the Sixth GVU WWW Survey is available at:
Further information on the Harris poll may be obtained from Louis Harris
and Associates, Ic. 111 Fifth Ave., New York, NY 10002. 212/539-9600.
The Commerce Department is circulating draft regulations that differsharply from earlier assurances made by the White House to relax exportcontrols on strong encryption. The draft regulations state that it isthe aim of the Commerce Department to promote "a worldwide keymanagement infrastructure with the use of key recovery and key escrowencryption items." The proposal contrasts with earlier assurances thatencryption standards would be voluntary and market-driven.
The regulations would amend the Export Administration Regulations (EAR)
by imposing national security and foreign policy controls ("EI" forEncryption Items) on certain information security systems andequipment, cryptographic devices (including recoverable encryptionsoftware) and related technology.
For the first time, the Administration makes clear what it means by"Key Recovery Encryption." The regulations state that
For purposes of this rule, "recovery encryption products" refer to
encryption products (including software) which allow law enforcement
officials to obtain under proper legal authority and without the
cooperation or knowledge of the user, the plaintext of encrypted data and communications.
This is an exact description of the original Clipper encryptionproposal that was widely opposed by Internet users and industry when itwas announced in 1993.
The Bureau of Export Administration's review committee, which nowincludes a representative from the Department of Justice, will considerall applications for mass-market encryption before permitting export.
The two-year window for 56-bit key length DES is now just six months.
Applicants must provide a "satisfactory business and marketing plan forexporting recoverable items and services," subsequent renewal is notautomatic, and will "depend on the applicant's adherence to explicitbenchmarks and milestones as set forth in the plan submitted for theinitial license application." Even key escrow and key recoveryencryption items will require that "prior to the export or reexport, akey recovery agent satisfactory to the Bureau of Export Administrationhas been identified."
The regulations indicate that approved key recovery products will notbe interoperable with non-key recovery products ("The product'scryptographic functions shall interoperate with . . . non-key recoveryproducts only when the key recovery product permits access to thekey(s) or other escrowed material/information needed to decryptciphertext generated or received by the key recovery product"). Theregulations also favor key recovery agents who have "an active U.S.
government security clearance of Secret or higher issued or updatedwithin the last five years."
The transfer of crypto export jurisdiction from the State Department toCommerce Department has also failed to correct one of the key defectsin administrative rulemaking. The Administration continues to contendthat the proposed regulations should not be subject to theAdministrative Procedures Act (APA) because the regulations involve "amilitary or foreign affairs function of the United States."
Upon formal issuance, the regulations will go into effect immediatelyas an "interim rule." Although the Commerce Department asserts thatthe APA's public comment requirements are not applicable, the draftregulations state that "because of the importance of the issues raisedby these regulations, this rule is issued in interim form and commentswill be considered in the development of final regulations." EPIC hasformally requested that the Department accept comments via the Internetupon formal issuance of the proposed regulations.
More information on the Key Recovery Access Policy may be obtained at:
In an order issued on December 6, the U.S. Supreme Court noted probablejurisdiction in the government's appeal of the lower court decisionstriking down the Communications Decency Act. The Court set a briefingschedule that requires the Justice Department to file its brief byJanuary 21; the plaintiffs' briefs are due on February 20. Oralargument will likely be heard in late March and a decision is expectedby July.
The Court's order sets the stage for what is likely to be a landmarkdecision that will apply the First Amendment to the Internet for thefirst time. A special three-judge court in Philadelphia ruledunanimously on June 12 that the CDA imposes an unconstitutionalrestriction of online speech. Another panel of judges in New Yorksubsequently reached the same conclusion. EPIC participated in thePhiladelphia case, ACLU v. Reno, as both a plaintiff and co-counsel.
More information on the CDA and the proceedings in ACLU v. Reno isavailable at:
While the U.S. government continues to push forward with encryptionschemes based on third party access to keys, European user associationsand governments have said recently that users should be free to choosecryptographic methods.
The Council of European Professional Informatics Societies (CEPIS),
issued recommendations in November calling for free use ofcryptography. CEPIS is composed of twenty information technologyprofessional societies with a total of 200,000 members across Europe.
CEPIS called on governments to set policies that "all individuals andorganizations in the private and public sectors should be able to storeand transmit data to others, with confidentiality protectionappropriate for their requirements, and should have ready access to thetechnology to achieve this." It also called for "the opportunity forindividuals or organizations in the private and public sectors tobenefit from information systems should not be reduced byincommensurable measures considered necessary for the enforcement oflaw." Finally CEPIS said that governments should discuss with expertswhether restrictions on encryption were the most efficient and sensibleway to fight crime.
On October 29, the European Electronic Messaging Association (EEMA)
wrote the European Union that they were being put at a disadvantage byU.S. export controls laws on cryptography and called on the EU to pressfor relaxation through the GATT and WTO trading agreements. The EEMAalso called for "no restrictions on the access to the U.S. originatedSoftware Development Kits required to develop Secured Products, ... norestrictions on the development, sale and usage of Secured Productswithin market areas (for example, within the European Union), and ...
the export or import of Secured Products to or from market areas onlybe controlled where there are real security issues at stake."
Finally, the Danish IT-Security Council issued a report in Novemberrecommending that there be no restrictions on citizen's rights to usecryptography. The Council found that a limitation on general access tocryptography can inflict measurable damage to data security and the banon cryptography would mainly affect the behavior of normal citizens,
More information on international cryptography issues is available at:
World Leaders are meeting in Geneva, Switzerland for the next severalweeks to work on three new treaties on intellectual property. Themeetings are being convened by the World Intellectual PropertyOrganization.
One measure, the "Treaty for the Sui Generis Protection of Databases"
would give database owners rights over information in databases, evenif that information was in the public domain. Scientific organizationsbelieve it would hinder scientific research; library groups believe itwould radically expand copyright to cover public domain documents suchas government generated materials. In 1991, the U.S. Supreme Courtruled that a publisher does not have any rights to information merelybecause they typed it into an electronic format; they only possessrights for original material such as editorial decisions and layout.
The other controversial treaty, dealing with copyright, is opposed by awide variety of parties, including telecommunications companies andonline providers. Opposition is focused on several provisions,
including the effect on "fair use" of copyrighted materials and whetherthe treaty would penalize the creation of temporary copies of materialsfor purposes of transmission and web browsing.
Privacy concerns have also been raised about the copyright managementsystems that may be developed to track the use of digital informationby individuals.
The proposed copyright treaty is similar to bills that were rejected byCongress in the last session after intense opposition was raised.
Several experts on intellectual property have said that the UnitedStates is attempting to achieve an international agreement on issuesthat it cannot resolve domestically.
More information on the WIPO treaties is available from the DigitalFuture Coalition at:
Once a year we ask readers of the EPIC Alert to consider a contributionto support the work of the Electronic Privacy Information Center. Yoursupport helps makes possible this publication as well as our many otheractivities.
We are a non-profit, public interest research organization. We receivesupport from individual contributors, private foundations, andcompanies. Contributions to EPIC support our Freedom of InformationAct, crypto and First Amendment litigation, our privacy and free speechadvocacy, and the development of our Web site. Contributions are alsofully tax-deductible.
There are several ways to support EPIC. It is easiest to send us acheck or money order. You can also send us e-cash via First Virtual orDigiCash. Checks should be sent to EPIC, 666 Pennsylvania Ave., SESuite 301, Washington, DC 20003.
We appreciate your support and welcome your suggestions.
More information about supporting EPIC is available at:
 EPIC Bookstore Opens / epic.org Upgraded
In association with Amazon.com, the Electronic Privacy InformationCenter is pleased to announce the opening of the EPIC Bookstore,
offering perhaps the most comprehensive collections of books onprivacy, free speech, crypto, and online liberty available anywhere onthe Internet.
Featured books currently include:
- "The Right to Privacy" by Ellen Alderman & Caroline Kennedy
- "Shamans, Software, and Spleens: Law and the Construction ofthe Information Society" by James Boyle
- "Above the Law: Secret Deals, Political Fixes, and Other
Misadventures of the U.S. Department of Justice" by David Burnham
- "Who Knows: Safeguarding Your Privacy in a NetworkedWorld" by Ann Cavoukian & Don Tapscott
- "Idoru" by William Gibson
- "Where Wizards Stay Up Late: The Origins of the Internet" byKatie Hafner and Matthew Lyon
- "Computer Related Risks" by Peter G. Neumann
- "Applied Cryptography" by Bruce Schneier
- "24 Hours in Cyberspace: Photographed on One Day by 150 ofthe World's Leading Photojournalists" by Rick Smolan and others
- "Snowcrash" by Neal Stephenson
The EPIC Bookstore includes hundreds of titles on Computer Security,
Cryptography, the First Amendment and Free Speech, Open Government,
and Privacy. Drop by and browse the cyber shelves. Amazon will even
provide gift wrapping.
The EPIC web site has also been upgraded with a new logo, cleanformat, and new organization. Take a look!
 Upcoming Conferences and Events
1997 RSA Data Security Conference. January 28-31, 1997. San Francisco,
CA. Contact: http://www.rsa.com
Financial Cryptography 1997 (FC97). February 24-28, 1997. Anguilla,
BWI. Sponsored by the International Association for CryptologicResearch. http://www.cwi.nl/conferences/FC97
CFP97: Commerce & Community. March 11-14, 1997. Burlingame, California.
Sponsored by the Association for Computing Machinery. Contact:
cfp97cfp.org or http://www.cfp.org
Eurosec'97: the Seventh Annual Forum on Information Systems Quality andSecurity. March 17-19. 1997. Paris, France. Sponsored by XP Conseil.
Ethics in the Computer Society: The Second Annual Ethics and TechnologyConference. June 6-7, 1997. Chicago, Ill. Sponsored by LoyolaUniversity Chicago. http://www.math.luc.edu/ethics97
INET 97 -- The Internet: The Global Frontiers. June 24-27, 1997. KualaLumpur, Malaysia. Sponsored by the Internet Society. Contact:
inet97isoc.org or http://www.isoc.org/inet97
Privacy laws & Business 10th Anniversary Conference. July 1-3, 1997.
St. John's College, Cambridge, England. Contact:
AST3: Cryptography and Privacy. September 15, 1997. Brussels, Belgium.
Sponsored by Privacy International and EPIC. Contact: piprivacy.org.
International Conference on Privacy. September 23-26, 1997. Montreal,
Canada. Sponsored by the Commission d'Acces a l'information du Quebec.
(Send calendar submissions to Alertepic.org)
The EPIC Alert is a free biweekly publication of the ElectronicPrivacy Information Center. To subscribe, send email toepic-newsepic.org with the subject: "subscribe" (no quotes)
or use the subscription form at:
Back issues are available via http://www.epic.org/alert/
The Electronic Privacy Information Center is a public interest researchcenter in Washington, DC. It was established in 1994 to focus publicattention on emerging privacy issues such as the Clipper Chip, theDigital Telephony proposal, national id cards, medical record privacy,
and the collection and sale of personal information. EPIC is sponsoredby the Fund for Constitutional Government, a non-profit organizationestablished in 1974 to protect civil liberties and constitutionalrights. EPIC publishes the EPIC Alert, pursues Freedom of InformationAct litigation, and conducts policy research. For more information,
email infoepic.org, HTTP://www.epic.org or write EPIC, 666Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240(tel), +1 202 547 5482 (fax).
If you'd like to support the work of the Electronic Privacy InformationCenter, contributions are welcome and fully tax-deductible. Checksshould be made out to "The Fund for Constitutional Government" and sentto EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003.
Individuals with First Virtual accounts can donate athttp://www.epic.org/epic/support.html
Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for the rightof privacy and efforts to oppose government regulation of encryptionand funding of the National Wiretap Plan.