EPIC Alert

EPIC Alert 4.12 [1997] EPICAlert 12


Volume 4.12 September 4, 1997

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] SSA to Restore Online Web Service
[2] Freeh Makes It Official: FBI Wants Mandatory Key Escrow
[3] Crypto in the Courts: Update on Bernstein, Karn & Junger
[4] Media Group Says "No" to Internet Ratings
[5] U.S. Government Web Sites Fail to Protect Privacy
[6] Consumer Groups Question FTC Privacy Report
[7] Clinton Signs IRS Browsing Bill
[8] Upcoming Conferences and Events

[1] SSA to Restore Online Web Service

The Social Security Administration announced today it would put a modified version of the Personal Earnings and Benefits Estimate Statement (PEBES) service back on-line before the end of the year. The service was suspended on April 9, following public concerns about the risk of improper access to personal information held by the agency.

The Social Security Administration said that the new service would be based on an "opt-in" privacy standard. Individuals could affirmatively choose to request the on-line delivery of PEBES information by first obtaining an authentication code that would only be delivered to a registered email address. Records of individuals who did not request the code would not be available at the web site.

The SSA also said that it would limit the amount of information made available on-line. Payment records would not be accessible at the SSA web site, although they will still be sent by the U.S. mail.

Privacy experts expressed support for the SSA recommendations, saying that the agency has done a good job meeting with the public, consulting with experts, and developing sensible standards to protect personal information.

The SSA experience with Internet service delivery is being watched closely by other federal agencies as well as private companies who hope to take advantage of the Internet and avoid public concerns about privacy.

The SSA PEBES Service is available at:
More information on the SSA and Online Privacy is available at:

[2] Freeh Makes It Official: FBI Wants Mandatory Key Escrow

Publicly confirming long-standing internal Bureau policy for the first time, FBI Director Louis Freeh told a Senate subcommittee on September 3 that legislation is needed to mandate the inclusion of key escrow features in encryption programs intended for domestic use. Testifying before the Judiciary Subcommittee on Terrorism, Technology and Government Information, Freeh said:

What we would recommend from a law enforcement point of view is that the legislation contain a provision that would require the manufacturers of encryption products and services, those which will be used in the United States or imported into the United States for use, include a feature which would allow for the immediate, lawful decryption of the communications or the electronic information once that information is found by a judge to be in furtherance of a criminal activity or a national security matter.

There are a number of ways that that could be implemented, but what we believe we need as a minimum is a feature implemented and designed by the manufacturers of the products and services here that will allow law enforcement to have an immediate lawful decryption of the communications in transit or the stored data. That could be done in a mandatory manner. It could be done in an involuntary manner. But the key is that we would have the ability, once we have the court order in hand, to get that information and get it real-time without waiting for what it would take for a supercomputer to give us, which is too long for life or safety reasons.

While Administration officials have long denied any intention to mandate the use of key escrow within the United States, declassified documents obtained by EPIC under the Freedom of Information Act in August 1995 revealed the government's ultimate agenda. In a briefing document titled "Encryption: The Threat, Applications and Potential Solutions," and sent to the National Security Council in February 1993, the FBI, NSA and DOJ concluded that:

Technical solutions, such as they are, will only work if they are incorporated into *all* encryption products. To ensure that this occurs, legislation mandating the use of Government-approved encryption products or adherence to Government encryption criteria is required.

Additional information on the declassified material obtained by EPIC, including images of selected documents, is available at:

[3] Crypto in the Courts: Update on Bernstein, Karn & Junger Cases

On August 25, a federal judge in San Francisco declared the Commerce Department's cryptography export regulations unconstitutional as an infringement of free speech and issued an injunction against their enforcement. The decision was the second ruling in favor of Daniel Bernstein, an Illinois math professor and cryptographer who attempted to publish his Snuffle encryption program on the Internet. Last December, Judge Marilyn Patel similarly found the State Department's encryption export restrictions unconstitutional, but the Clinton Administration released new rules shortly after the decision, under the auspices of the Commerce Department.

In response to an emergency motion filed by the government, Judge Patel ruled on August 28 that most of the injunction would be put on hold pending review by the Ninth Circuit Court of Appeals. Part of the injunction will, however, remain in effect -- after September 8, Bernstein will be free to publish his Snuffle 5.0 software on the Internet without fear of prosecution.

Another legal challenge to export controls on cryptography is likely to move forward in federal court in Washington, DC. In that case, cryptographer Phil Karn is seeking approval to export a diskette containing a verbatim copy of the source code printed in the book "Applied Cryptography" (which is widely available and freely exportable). After being litigated under the previous State Department export regulations, Karn's case was remanded for reconsideration under the new Commerce Department regulations. Commerce issued its ruling on August 22, finding that certain programs on the diskette were classified as controlled encryption items, and subject to prior licensing before export. That ruling paves the way for Karn to renew his challenge before the court. EPIC submitted a friend of the court brief in support of Karn in previous proceedings before the DC Circuit Court of Appeals.

In the third legal challenge, Professor Peter Junger has filed an amended complaint in federal court in Cleveland. Junger wishes to publish a number of encryption programs, written by himself and others, on his Web site as part of the materials used in his course in Computing and the Law at Case Western Reserve University. He seeks not only relief for himself but also a preliminary and permanent injunction enjoining the Commerce Department from "interpreting, applying and enforcing the encryption software and technology provisions" of regulations against "any person who desires to disclose or 'export' ... encryption software and technology." The complaint alleges that those encryption regulations violate the freedom of speech and of the press that are protected, particularly from prior restraints such as licensing requirements, by the First Amendment, as has already been held by Judge Patel in the Bernstein case.

Additional information on the Bernstein case is available at:

Additional information on the Karn case is available at:
Additional information on the Junger case is available at:

[4] Media Group Says "No" to Internet Ratings

Internet rating proposals suffered a serious setback on August 28, when the Internet Content Coalition (ICC) decided not to pursue a rating scheme for online news sites. The ICC, which includes entertainment, technology, and news companies, had earlier expressed its willingness to develop criteria for assigning an "N" rating to Websites devoted to news coverage. Sites carrying such a rating would be exempt from filtering and blocking systems designed to limit access to "offensive" online material. The blocking approach was touted at a White House meeting in July, convened to create a "family-friendly" Internet in the wake of the Supreme Court decision striking down the Communications Decency Act.

In recent weeks, criticism of filtering and blocking systems has increased, with both the American Library Association and the American Civil Liberties Union issuing position papers warning that such approaches could infringe on free speech. Controversies have arisen across the country as local libraries have considered proposals to install blocking software on library computers connected to the Internet.

The ICC's recent action calls into question the viability of such systems, which can be configured to block access to unrated Websites. If major news sources such as CNN, MSNBC and NEWS.COM elect not to rate their content, both institutional and individual users will likely be less inclined to install software filters and lose access to such resources. As a result, the debate over news ratings will have a significant impact on the deployment of filtering systems, and news organizations appear to be strongly opposed to ratings. According to the Netly News, Time Inc. New Media's Editor-in-Chief Dan Okrent said after the ICC meeting that "Everyone in the room agreed to a general statement that as news organizations we will not rate our content and we oppose the efforts of others to rate our content."

Additional information on ratings, filtering and blocking is available at:

[5] U.S. Government Web Sites Fail to Protect Privacy

A new report by the public interest group OMB Watch reveals that many U.S. government Web sites do not adhere to the requirements of the Privacy Act of 1974 to protect personal privacy.

OMB Watch reviewed 70 federally-run sites linked from the White House Web page. The group found that only 17 percent provide adequate notices as required by the Privacy Act. According to the report, 31 of the surveyed sites collected personal information, but only 11 of those sites contain notices on how the information will be used. No sites allowed individuals to access their own records. According to OMB Watch, three sites that used cookies to track visitors discontinued their use after reviewing a draft of the report.

The OMB Watch report was based on a previous report conducted by EPIC entitled "Surfer Beware," which surveyed the privacy policies of 100 top commercial web sites. The OMB Watch study examined the collection of personal information, notices on collection, Privacy Act statements, and the use of cookies.

The report is available at:

[6] Consumer Groups Question FTC Privacy Report

Several privacy and consumer organizations that participated in the Federal Trade Commission's Consumer Privacy Workshop earlier this year have questioned the accuracy of a preliminary report submitted by the FTC to Senator John McCain, chairman of the Senate Commerce Committee.

The report from the FTC downplayed public concerns about privacy and described the efforts of a few companies to develop privacy policies. But the Consumer Federation of America, the Center for Media Education, the Electronic Frontier Foundation, the Electronic Privacy Information Center, and the Privacy Rights Clearinghouse said that the FTC preliminary report "does not adequately reflect the substance of the hearings or the views of consumer organizations that participated."

The consumer and privacy groups specifically took issue with the FTC's claim that the public favored self-regulatory approaches. According to the organizations, survey research presented at the Workshop clearly showed that "Internet users favor legislation today to protect personal privacy."

The groups cited the survey conducted by Professor Alan Westin for American Laws and Business which found that "58 percent of computer users wanted government to pass laws now on how personal information can be collected and used on the Net." Professor Westin also found that "Only 24 percent say government should limit its role to recommending standards." Other privacy polls have found similar support for passage of privacy legislation.

The original letter from the Senate Commerce Committee asked the Commission to "investigate the compilation, sale, and usage of electronically transmitted data bases that include identifiable personal information of private citizens without their knowledge." Privacy experts believe that the FTC has yet to complete its work.

The FTC letter to Senator McCain:
Letter from Consumer and Privacy Groups to Senator McCain:
Original letter from the Senate Commerce Committee to the FTC:
EPIC's page on the Federal Trade Commission:

[7] Clinton Signs IRS Browsing Bill

President Clinton signed the Taxpayer Browsing Protection Act of 1997 (Public Law 105-35) into law on August 5. The new law criminalizes the unauthorized "browsing" of taxpayer information by IRS employees. Previously, only the disclosure of such records was prohibited. The law unanimously passed the House in April and the Senate on July 23.

Under the new law, the potential penalties for IRS employees or contractors, and other Federal and State employees having access to Federal tax information, are a $1,000 fine and one year in jail. Federal employees can also be dismissed without going through the usual civil service removal procedures. The new law allows the filing of civil suits for the unauthorized viewing of records. Individuals also must be informed if it is found that their records have been improperly accessed.

Demand for changes in the existing law erupted after the General Accounting Office revealed that during fiscal years 1994 and 1995, there were over 1,500 instances where IRS employees were accused of unlawful browsing. A third of those cases were closed without action.

More information on the browsing law is available at:

[8] Upcoming Conferences and Events

TELECOM Interactive 97. September 8-14, 1997. Geneva, Switzerland. Sponsored by the International Telecommunications Union. Contact: or

Cryptography and the Internet. September 15, 1997. Brussels, Belgium. Sponsored by Privacy International. Contact: Deadline 10 Sept 1997.

19th Annual International Privacy and Data Protection Conference. September 17-18, 1997. Brussels, Belgium. Sponsored by Belgium Data Protection and Privacy Commission. Email

International Conference on Privacy. September 23-26, 1997. Montreal, Canada. Sponsored by Lavery, De Billy law firm.

Net Worth, Net Work: Technology and Values for the Digital Age. October 4-5. University of Cal, Berkeley. Sponsored by CPSR. Contact:

20th National Information Systems Security Conference. October 7-10. Baltimore, MD. Sponsored by NIST and NSA. Contact:

EPIC International Privacy Conference. October 20, 1997. Georgetown University Law Center, Washington, DC. Sponsored by EPIC. Contact:

Managing the Privacy Revolution '97. October 21-23, 1997. Washington, DC. Sponsored by Privacy and American Business. Contact:

RSA'98 -- The 1998 RSA Data Security Conference. January 12-16, 1998. San Francisco, CA. Contact or

(Send calendar submissions to

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe, send email to with the subject: "subscribe" (no quotes) or use the subscription form at:
Back issues are available at:

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail, or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003. Individuals with First Virtual accounts can donate at
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and funding of the National Wiretap Plan.

Thank you for your support.

END EPIC Alert 4.12
