WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 1997 >> [1997] EPICAlert 5

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 4.05 [1997] EPICAlert 5


Volume 4.05 April 8, 1997

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] OECD Releases Crypto Guidelines
[2] White House Floats Draft Crypto Bill
[3] FAA Calls for Collecting SSNs of all Air Travelers
[4] Groups Urge IETF to Fix Cookies
[5] National Research Council Reports on Privacy of Medical Systems
[6] FTC To Conduct Hearings on Privacy, Investigate Databases
[7] NTIA Files Comments on Privacy of Telephone Calling Information
[8] Upcoming Conferences and Events

[1] OECD Releases Crypto Guidelines

The Organization for Economic Cooperation and Development (OECD), a 29country international organization, released on March 27 its longanticipated Guidelines for Cryptography Policy. The Guidelines areintended to promote the use of cryptography, to develop electroniccommerce through a variety of commercial applications, to bolster userconfidence in networks, and to provide for data security and privacyprotection.

The Cryptography Policy Guidelines are a non-binding agreement thatidentifies the basic issues that countries should consider in drawing upcryptography policies at the national and international level. TheRecommendation culminates one year of intensive talks to draft theGuidelines. They are designed to assist decision-makers in the publicand private sectors in developing and implementing coherent national andinternational policies for the effective use of cryptography. Membercountries are encouraged to establish new, or amend existing, policiesto reflect them.

The Guidelines set out eight basic Principles for cryptography policy inthe areas of trust, user choice, market development, technicalstandards, privacy, lawful access, liability and internationalcooperation. The key recommendations of the OECD include:

-- Recognition of commercial importance of cryptography. The Guidelines recognize that cryptography is an effective tool for the secure use of information technology by ensuring confidentiality, integrity and availability of data and providing authentication and non-repudiation mechanisms.

-- Rejection of key escrow encryption. The U.S. sought endorsement for government access to private keys. Initial drafts of the guidelines included this recommendation. The final draft does not. OECD countries rejected this approach.

-- Endorsement of voluntary, market-driven development of crypto products. The OECD emphasized open, competitive markets to promote trade and commerce in new cryptographic methods.

-- Need for critical assessment of key escrow. The OECD Guidelines recommend that countries which are considering key escrow techniques to consider also "the risks of misuse, the additional expense of any supporting infrastructure, the prospects of technical failure,
and other costs."

-- Endorsement of strong privacy safeguards. The OECD adopted one of strongest privacy principles found in any international agreement,
including the obligation to apply the OECD privacy principles to crypto products and services. The OECD also noted favorably the development of anonymous payment schemes which would minimize the collection of personal data.

-- Removal of Restrictions on Cryptography. The OECD urged member countries to remove, and avoid creating, obstacles to trade based on cryptography policy. This guideline should lead to further liberalization of export control policies among the OECD member countries.

Drafting of the Guidelines for Cryptography Policy began in early 1996.
More than 100 representatives from OECD Member countries participated,
including government officials from commerce, industry, telecommunicationsand foreign ministries, law enforcement and security agencies, privacy anddata protection commissions, as well as representatives of private sectorand privacy advocates.

The Global Internet Liberty Campaign (, aninternational coalition of civil liberties and human rights organizations,
organized a conference for the OECD delegates in Paris in September 1996.
The conference contributed significantly to the OECD's finalrecommendations.

The Guidelines, the OECD press announcement and additional commentary areavailable at:

[2] White House Floats Draft Crypto Bill

The White House has released a new draft proposal on key escrow encryptionto the Congress. The draft (dated March 12) is entitled the "ElectronicData Security Act of 1997." The legislation is the latest attempt to pushforward the result the Administration sought to achieve with the failedClipper Chip initiative -- ensuring government access to all encryptedcommunications through government-escrowed keys.

To achieve this goal, the bill would create incentives for all persons andorganizations to use a government-certified Certificate Authority (CA) toestablish their identities for any electronic transactions. The CA wouldensure that there was an escrow system in place before it would issue anidentification certificate to the user.

Government agencies would likely refuse to communicate with persons andentities not using a government certified CA. Agencies would also likelypressure others over whom they have substantial regulatory or economicpower, such as banks, state agencies, and government contractors, torequire that government-certified CA's are used to communicate with them.
Another provision would require any person who "manufactures, imports,
packages, distributes or labels" encryption products to state whether theyuse a key recovery agent.

The draft bill also provides that if non-escrowed cryptography is usedduring the commission of a crime, an additional five year prison sentencecould be imposed. Another provision, apparently intended to gain industrysupport, would limit the potential civil liability of any "CertificationAuthority" or "Key Recovery Agent" who obtains a government certification.

More information on cryptography policy is available at:

[3] FAA Calls for Collecting SSNs of all Air Travelers

On March 13, the FAA issued a call for comments on a FAA proposal torequire airlines to collect substantial personal information on eachpassenger, including full name, address, next of kin, Social SecurityNumber and date of birth. The purpose of this collection would be tofacilitate identification of victims of airplane crashes. The proposalanticipates that passengers would have to provide this information in orderto board an aircraft.

The proposal raises a number of substantive threats to personal privacy.
One major problem is that it appears to violate the Privacy Act of 1974,
which limits the ability of government agencies to collect the SSN. Therealso appear to be no limitations on the use of the collected information,
creating a risk that the data could be put to a wide variety of unrelateduses by both the airlines and government agencies.

One potential use of this information would be in connection with thecontroversial "profiling" proposals recently recommended by the GoreCommission. The use of the Social Security Number would simplify thecomparison of passenger records with other databases. It appears likelythat the FAA is using this proposal as a less controversial rationale todemand the collection of personal information rather than specificallyincluding it in the profiling proposal, which has already generatedconsiderable public and editorial opposition.

More information on the proposal and other FAA activities is available atthe EPIC Airline Security Page:

[4] Groups Urge IETF to Fix Cookies

Several leading consumer, civil liberties, and children's advocacyorganizations have urged an Internet standards organization to fix aproblem with web browser software that allows companies and governmentagencies operating web sites to track the activities of Internet users.

The groups say that there is a problem with the so-called "cookies"
technology. Cookies make it possible to read information on users'
computers and find out where they go on the Internet. Some companies in theon-line advertising industry use cookies data to collect personalinformation for advertising and marketing.

The Internet Engineering Task Force, a loose coalition of technical expertsresponsible for the development of standards for the Internet is meetingthis week in Memphis to consider a wide range of technical issuesconcerning the Internet, including a proposal to limit the ability ofcompanies to use cookies.

The proposed safeguard has come under attack by several companies engagedin interactive advertising and marketing. According to a March 31, 1997article in Ad Age, these groups are now drafting a "counter-proposal" tohead-off the IETF recommendation.

In the letter, the groups express support for RFC 2109, the proposal for anHTTP State Management Mechanism. The letter further says that"transparency" -- the ability of users to see and exercise control over thedisclosure of personally identifiable information -- is a criticalguideline for the development of sensible privacy practices on theInternet"

The letter was signed by the Center for Media Education, ComputerProfessionals for Social Responsibility, the Consumer Federation ofAmerican, the Consumer Project on Technology, the Electronic FrontierFoundation, the Electronic Privacy Information Center, National Associationof Elementary School Principals, NetAction, Privacy International, theUnited States Privacy Council, and more than one hundred Internet users.

The coalition letter, and more information about cookies, is available at:

[5] National Research Council Reports on Privacy of Medical Systems

The National Research Council has released a report on the privacy ofmedical systems. The report, entitled "For the Record: ProtectingElectronic Health Information," calls for measures by government, companiesand consumers to better protect the privacy of medical records.

The NRC recommended a two-prong approach to dealing with medical privacy,
involving the revision of organizational practices to deter unauthorizedaccess to and/or misuse of electronic medical records, and implemention ofmore stringent technical measures as a safeguard in case the first prongproves ineffective.

The NRC also proposes that health-related organizations adopt fairinformation practices similar to those contained in the federal Privacy Actof 1974. Consumers should have access to a privacy ombudsman that not onlyprovides such information, but could also address patient grievances overviolations of privacy.

The NRC waffled on fundamental issues such as the desirability of nationaldatabases of medical information and the creation of a unique nationalpatient identifier, but expressed concerns over the ramifications forprivacy entailed in such a system. Also proposed by the NRC, althoughadmittedly difficult to implement, is the identification of parties whichmay inappropriately link patient information. Using the Social SecurityNumber, the NRC states, is in its current form insufficient to protect theprivacy of individuals.

More information on medical privacy is available at:

[6] FTC To Conduct Hearings on Privacy, Investigate Databases

The Federal Trade Commission has announced that it will convene a publicworkshop devoted to consumer information privacy on June 10-13, 1997. Thisis a follow-up to FTC workshops held last summer.

The workshop is intended to gather information on the collection,
compilation, sale and use of computerized data bases that contain sensitiveidentifying information, as well as self-regulatory efforts, technologicalinnovations and unsolicited e-mail. The workshop will also address thesedevelopments as they pertain to children's personal information.

The workshop will gather information for a new computer data base studythat the FTC has also announced. However, this study will be limited to"look up services" which contain personal identifying information, such asthe Lexis-Nexis P-TRAK service. Importantly, the FTC will not addresscomputer databases used primarily for direct marketing purposes, medicaland student records or the use of computer credit reports for employmentpurposes.

Interested participants must submit written comments by April 15, 1997.

More information is available at the FCC web page:


[7] NTIA Files Comments on Privacy of Telephone Calling Information

The Commerce Department's National Telecommunications and InformationAdministration (NTIA) recommended on March 27 that the FederalCommunications Commission (FCC) establish more specific policies to protectthe privacy of information gathered about consumers by telephone companies.
The recommendations cover Customer Proprietary Network Information (CPNI).
CPNI is the information that is gathered by phone companies in the processof delivering services, such as numbers called, length of calls, and timescalls were made. The FCC is currently conducting a rulemaking on CPNIunder the Telecommunications Act of 1996.

The law limits the use and disclosure of CPNI information:

a telecommunications carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service shall only use,
disclose, or permit access to individually identifiable customer proprietary network information in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service,
including the publishing of directories.

NTIA recommended that phone companies provide a list of uses for theinformation and provide consumers with an opportunity to opt-out of thosedisclosures. However, this appears to contradict the text of Section 702of the Act, which requires that phone companies obtain prior writtenconsent before they can share the information and use the information formarketing purposes. Telephone companies have been pressing the FCC torelax that requirement and to require customers to contact them before thetelcos stop selling the information. Public interest groups such asComputer Professionals for Social Responsibility and NetAction are arguingfor more consumer protection.

The NTIA comments are available at:


[8] Upcoming Conferences and Events

Culture and Democracy revisited in the Global Information Society.
May 8 - 10, 1997. Corfu, Greece. Sponsored by IFIP-WG9.2/9.5. Contact:
Can Trusted Third Parties Be Trusted?: A Public Debate on The UKDTI Crypto Proposal. May 19, 1997. London, UK. Sponsored by PrivacyInternational and the London School of Economics. Contact:
CYBER://CON.97: Rules for Cyberspace?:Governance, Standards andControl. June 4 - 7, 1997. Chicago, Illinois. Sponsored by the JohnMarshall Law School. Contact:

Ethics in the Computer Society: The Second Annual Ethics andTechnology Conference. June 6 - 7, 1997. Chicago, Ill. Sponsored byLoyola University Chicago.
Public Workshop on Consumer Privacy. June 10-13, 1997. Washington, DC.
Sponsored by the Federal Trade Commission. Contact:
INET 97 -- The Internet: The Global Frontiers. June 24-27, 1997. KualaLumpur, Malaysia. Sponsored by the Internet Society. Contact: or
Privacy Laws & Business 10th Anniversary Conference. July 1-3, 1997.
St. John's College, Cambridge, England. Contact:

Communities, Culture, Communication, and Computers (C**5): On the Role ofProfessionals in the Information Age. August 20-22, 1997, Paderborn,
Germany. Sponsored by FIFF. Contact:
AST3: Cryptography and Internet Privacy. Sept. 15, 1997. Brussels,
Belgium. Sponsored by Privacy International. Contact:

19th Annual International Privacy and Data Protection Conference.
Sept. 17-18, 1997. Brussels, Belgium. Sponsored by Belgium DataProtection and Privacy Commission.

International Conference on Privacy. September 23-26, 1997. Montreal,
Canada. Sponsored by the Commission d'Acces a l'information du Quebec.

Managing the Privacy Revolution '97. October 21-23, 1997. Washington,
DC. Sponsored by Privacy and American Business. Contact:
(Send calendar submissions to

The EPIC Alert is a free biweekly publication of the Electronic PrivacyInformation Center. To subscribe, send email to withthe subject: "subscribe" (no quotes) or use the subscription form at:

Back issues are available at:

The Electronic Privacy Information Center is a public interest researchcenter in Washington, DC. It was established in 1994 to focus publicattention on emerging privacy issues such as the Clipper Chip, the DigitalTelephony proposal, national ID cards, medical record privacy, and thecollection and sale of personal information. EPIC is sponsored by the Fundfor Constitutional Government, a non-profit organization established in1974 to protect civil liberties and constitutional rights. EPIC publishesthe EPIC Alert, pursues Freedom of Information Act litigation, and conductspolicy research. For more information, email,
HTTP:// or write EPIC, 666 Pennsylvania Ave., SE, Suite 301,
Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy InformationCenter, contributions are welcome and fully tax-deductible. Checks shouldbe made out to "The Fund for Constitutional Government" and sent to EPIC,
666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003. Individuals withFirst Virtual accounts can donate at
Your contributions will help support Freedom of Information Act and FirstAmendment litigation, strong and effective advocacy for the right ofprivacy and efforts to oppose government regulation of encryption andfunding of the National Wiretap Plan.

Thank you for your support.

END EPIC Alert 4.05

WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback