The following document is from the PRIVACY Forum Archive at Vortex Technology, Woodland Hills, California, U.S.A. For direct web access to the PRIVACY Forum and PRIVACY Forum Radio, including detailed information, archives, keyword searching, and related facilities, please visit the PRIVACY Forum via the web URL: http://www.vortex.com

-----------------------------------------------------------------------

PRIVACY Forum Digest      Sunday, 21 September 1997      Volume 06 : Issue 13

Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.
http://www.vortex.com

===== PRIVACY FORUM =====

-------------------------------------------------------------------
The PRIVACY Forum is supported in part by the ACM (Association for Computing Machinery) Committee on Computers and Public Policy, "internetMCI" (a service of the Data Services Division of MCI Telecommunications Corporation), and Cisco Systems, Inc.
- - -
These organizations do not operate or control the PRIVACY Forum in any manner, and their support does not imply agreement on their part with nor responsibility for any materials posted on or related to the PRIVACY Forum.
-------------------------------------------------------------------

CONTENTS
    CPSR Warns About Encryption Legislation (Susan Evoy)
    EPIC and PI Charge US Violates Intl Crypto Agreement (Dave Banisar)
    House panel votes behind closed doors to build in Big Brother (Declan McCullagh)
    USACM Applauds California Legislature (ACM US Public Policy Office)
    Electronic Bracelets for Children (Roger Clarke)
    Internet access to criminal records info (Nancy Talner)
    Debate about an ISO privacy standard (Colin Bennett)
    SSA to Restore Online Web Service (from EPIC Alert 4.12) (Marc Rotenberg)
    Amended Complaint Filed in Cleveland Crypto Suit (Peter D. Junger)
    Peter Neumann to Receive Social Responsibility Award (Susan Evoy)

*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------

The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic list handling system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com".

All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the list handling system. Please follow the instructions above for getting the "help" information, which includes details regarding the "index" and "get" commands, which are used to access the PRIVACY Forum archive via the list handling system.

All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com".
Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com"; full keyword searching of all PRIVACY Forum files is available via WWW access.

-----------------------------------------------------------------------------

VOLUME 06, ISSUE 13

Quote for the day:

    "You'll laugh. You'll cry. You'll kiss three bucks goodbye! Get in line now!"

        -- Narrator (Paul Frees)
           "Hardware Wars" (Pyramid Films; 1978)

----------------------------------------------------------------------

Date: Wed, 17 Sep 1997 00:50:27 -0700
From: Susan Evoy
Subject: CPSR Warns About Encryption Legislation

September 16, 1997
For Immediate Release

For More Information:
Andy Oram 617 499 7479
Aki Namioka 206-587-6825

COMPUTER EXPERTS WARN ABOUT RESTRICTIVE ENCRYPTION LEGISLATION

Computer Professionals for Social Responsibility (CPSR) today strongly protested Congressional initiatives to add onerous restrictions to the Security And Freedom through Encryption (SAFE) bill (H.R. 695).

CPSR President, Aki Namioka, stated "The Weldon-Dellums amendment to H.R. 695 reflects a major disregard for civil liberties and a profound misunderstanding of computer and Internet technology. This is a complete reversal of the intent of SAFE legislation."

"These proposed bans on encryption are clearly attempts at restriction of free speech," Namioka said. "Bernstein v. US Department of State stated that encryption is a constitutionally protected method of communication".

"The public is not being represented in this assault on privacy and freedom of speech", according to CPSR member Andy Oram.

CPSR points out that encryption legislation regulates a type of computer technology that is becoming more and more central to modern communications. Encryption is critical to online commerce, because it protects trade secrets and assures users that money is being transferred properly.
In the form of digital signatures, encryption allows someone to pass a contract across the Internet or stand behind a public statement. Encryption may soon be built into networking protocols for authentication purposes. And it is used heavily by human rights activists and other political figures in many countries to protect themselves and their sources from arrest and assassination; even in North America it is seen as critical by many to protect private thoughts exchanged among colleagues.

CPSR outlined several problems with the proposed legislation:

1. Bans on encryption are violations of free speech, as ruled by U.S. District Judge Patel in the case of Bernstein v. U.S. Dept. of State. Beyond this case, which covers the teaching and publication of information about encryption, it would be a gross and unprecedented violation of free speech to ban types of software or formats for transmitting data, as the amendments to SAFE would do.

2. In order to continue communicating with sites using the encryption technologies required in the bill, all current Internet sites and users would have to purchase, install, and test new systems. This is a burden that many businesses, particularly Internet services with their low profit margins, cannot afford.

3. Law enforcement will not benefit from restricting the export of encryption. Strong encryption software already exists outside the United States, and the technical understanding for creating such software is widely published.

4. Restrictions on export damage the international competitiveness of the companies that offer encryption products, add unnecessarily to the costs of developing such products, and ultimately leave the users of those products vulnerable to malicious attack. The heavy controls imposed by the bill contrast strongly with the Clinton Administration's claim in its recent white paper, A Framework for Global Electronic Commerce, released on July 1, 1997, to maintain a "hands-off" stance toward the Internet.

5. While the amendment is claimed to be "technologically neutral," a better description of it would be "technically untried." The only technology proposed up to now to meet the bill's goal of providing unencrypted content to law enforcement are key recovery systems, but no such system on the scale required by the bill has ever been tested. Experts examining the requirements for such systems have predicted them to be costly, insecure, and burdensome. But even key recovery systems could probably not be implemented in such a way as to provide the "immediate" access to unencrypted data that the law demands. Compliance of the bill would require new, currently unknown technologies, and possibly the highly intrusive installation of special decryption software on each user's computer.

6. The amendment unduly expands the powers of government. Current court-ordered wiretap standards could be bypassed. Current requirements that law enforcement must demonstrate probable cause for a wiretap would be eliminated.

There are so many aspects of dubious constitutionality in the current version of the encryption bill that Congress faces another humiliation in the courts like that dealt to the Communications Decency Act.

CPSR calls on Congress to protect our freedoms and reject the encryption measures. To allow the benefits of modern electronic networks to be reaped, cryptography products that provide for real privacy should be available, without government intrusion.

# # # #

Computer Professionals for Social Responsibility (www.cpsr.org)

CPSR is a public-interest alliance of computer scientists and others interested in the impact of computer technology on society. CPSR's goal is to direct public attention to difficult choices concerning the applications of computing and how those choices affect society.

--
Duff Axsom, Executive Director          http://www.cpsr.org/home.html
Computer Professionals for Social Responsibility
P.O. Box 717, Palo Alto, CA 94302
Phone: (650) 322-3778   Fax: (650) 322-4748   Email: duff@cpsr.org

[ The proposed legislation, in its current form, does indeed seem onerous in its implications. Regular readers of this digest are aware that I'm an advocate of balancing the legitimate needs of privacy and law enforcement in these areas, and have frequently stated this explicitly--I don't take an absolutionist view on either side.

However, the negative impact of the proposed encryption bill (as it stands today) on civil liberties, commerce, and a range of other areas that could affect us all is startling, and suggests that the pendulum is swinging too far and too fast in one direction.

If the proposed language of the bill stands, it would seem best to scratch the entire legislation and start over again with a *balanced* sequence of public hearings and an open and broad-ranging debate over all aspects of these issues.

-- PRIVACY Forum MODERATOR ]

------------------------------

Date: Mon, 15 Sep 1997 00:57:11 +0100
From: Dave Banisar
Subject: EPIC and PI Charge US Violates Intl Crypto Agreement

Press Release.

Privacy Groups Criticize United States Crypto Policy.
Charge US Violation of International Agreement.

Brussels - Two leading privacy organizations said today that the United States cryptography policy violates an international agreement reached earlier this year by more than two dozen countries at the Organization for Economic Cooperation and Development.

The Electronic Privacy Information Center and Privacy International said that recent legislative proposals introduced in the United States to establish controls on the use of data scrambling technology are contrary to the principles adopted by the OECD and should be withdrawn.

Marc Rotenberg, the director of EPIC and a member of the expert panel that drafted the guidelines, said that "the OECD framework is based on the voluntary, market-driven development of encryption products and services.
The Guidelines emphasize the importance of privacy protection and the need for careful assessment of any key escrow proposal. They were specifically intended to remove technical and legal obstacles to the use of cryptography. But the US policy now points in exactly the opposite direction -- extensive government regulation, little regard for privacy, and the rapid development of key escrow techniques regardless of the consequences."

Mr. Rotenberg said that the OECD member countries considered and explicitly rejected the US recommendation that cryptography policy be based on law enforcement access to private communications. "That proposal was turned down by the OECD member countries. The United States accepted the judgment of the OECD and endorsed the final recommendations. The U.S. should now honor its commitment," said Mr. Rotenberg.

Simon Davies, Director General of Privacy International, said "The rush to encourage technologies for communications surveillance comes at exactly the wrong time. Illegal wiretapping is on the rise around the world. Dissidents, political opponents, journalists, and human rights organizers are most often the targets."

The current issue of the International Privacy Bulletin includes a review of worldwide privacy abuses in 1996. Electronic surveillance features prominently in the report. The review is based on "The Country Reports for Human Rights Practices," prepared annually by the U.S. State Department.

Mr. Rotenberg and Mr. Davies said that the U.S. policy now stands as the single greatest barrier to the development of tools to protect privacy and security on the Internet.

The statement was made at a conference this week in Belgium, hosted by Privacy International and EPIC, on "Cryptography and the Internet: Developing Privacy and Security Policy for the European Information Society." Participants from more than twenty countries attended the event.
The Electronic Privacy Information Center is a civil liberties organization, based in Washington, DC. Privacy International is a human rights organization concerned with privacy, surveillance and data protection issues worldwide. It is based in London. Both organizations are members of the Global Internet Liberty Campaign.

WEB RESOURCES

o EPIC [http://www.epic.org/]
o Privacy International [http://www.privacy.org/pi/]
o Global Internet Liberty Campaign [http://www.gilc.org/]
o Brussels Cryptography Conference [http://www.privacy.org/pi/conference/brussels/]
o OECD Cryptography Policy Guidelines [http://www.oecd.org/dsti/iccp/crypto_e.html]

CONTACT (15-17 September)

Marc Rotenberg, EPIC (Brussels +32 2 227 05 05, voicemail +1 202 298 0824)
Simon Davies, PI (Brussels +32 2 513 29 73)

------------------------------

Date: Thu, 11 Sep 1997 23:37:39 -0700 (PDT)
From: Declan McCullagh
Subject: House panel votes behind closed doors to build in Big Brother

Software that protects your privacy is a controlled substance that may no longer be sold, a Congressional committee decided today.

Meeting behind closed doors this morning, the House Intelligence committee voted to replace a generally pro-encryption bill with an entirely rewritten draft that builds in Big Brother into all future encryption products. (The Senate appears to be moving in a similar direction.)

The new SAFE bill -- titled in a wonderfully Orwellian manner the "Security and Freedom through Encryption" act even though it provides neither -- includes these provisions:

SELLING CRYPTO: Selling unapproved encryption products (that do not include "immediate access to plaintext") becomes a federal crime, immediately after this bill becomes law. Five years in jail plus fines. Distributing, importing, or manufacturing such products after January 31, 2000 is another crime.
NETWORK PROVIDERS: Anyone offering scrambled "network service" including encrypted web servers or even "ssh" would be required to build in a backdoor for the government by January 31, 2000. This backdoor must provide for "immediate decryption or access to plaintext of the data."

TECHNICAL STANDARDS: The Attorney General will publish technical requirements for such backdoors in network service and encryption products, within five months after the president signs this bill.

LEGAL TO USE CRYPTO: "After January 31, 2000, it shall not be unlawful to use any encryption product purchased or in use prior to such date."

GOVERNMENT POWERS: If prosecutors think you may be selling, importing, or distributing non-backdoor'd crypto or are "about" to do so, they can sue. "Upon the filing of the complaint seeking injunctive relief by the Attorney General, the court shall automatically issue a temporary restraining order against the party being sued." Also, there are provisions for holding secret hearings, and "public disclosure of the proceedings shall be treated as contempt of court." You can request an advisory opinion from the government to see if the program you're about to publish violates the law.

ACCESS TO PLAINTEXT: Courts can issue orders, ex parte, granting police access to your encrypted data. But all the government has to do to get one is to provide "a factual basis establishing the relevance of the plaintext" to an investigation. They don't have to demonstrate probable cause, which is currently required for a search warrant. More interestingly, this explicitly gives the FISA court jurisdiction (yes, the secret court that has never denied a request for a wiretap). If they decode your messages, they'll tell you within 90 days.

GOVERNMENT PURCHASING: Federal government computer purchases must use a key escrow "immediate decryption" backdoor after 1998. Same with networks "purchased directly with Federal funds to provide the security service of data confidentially."
Such products can be labeled "authorized for sale to U.S. government"

ENCRYPTION EXPORTS: The Defense & Commerce departments will control exports of crypto. Software "without regard to strength" can be exported if it includes a key escrow backdoor and is first submitted to the government. Export decisions aren't subject to judicial review, and the "president may by executive order waive any provision of this act" if he thinks it's a threat to national security. Within 15 days, he must send a classified briefing to Congress.

ADVISORY PANEL: Creates the Encryption Industry and Information Security Board, with seven members from Justice, State, FBI, CIA, White House, and six from the industry.

INTERNATIONAL: The president can negotiate international agreements and perhaps punish noncompliant governments. Can you say "trade sanction?"

(Other provisions barring the use of crypto in a crime and some forms of cryptanalysis are also in the bill.)

Next the Commerce Committee will vote on SAFE, and a former FBI agent-turned-Congressman is vowing to ensure that similar language to this is included. (The committees are voting on the bill in parallel, and a four-person team of Congressmen is working to forge a compromise before Commerce votes.)

Then the heads of the five committees that have rewritten the legislation will sit down and work out another compromise. If it's acceptable to the House Rules committee -- and if the FBI/NSA get what they want it will be -- the bill can move to the floor for a vote.

That's why the encryption outlook in Congress is abysmal. Crypto-advocates have lost, and lost miserably. A month ago, the debate was about export controls. Now the battle is over how strict the //domestic// controls will be. It's sad, really, that so many millions of lobbyist-dollars were not only wasted, but used to advance legislation that has been morphed into a truly awful proposal.
I wrote more about this at:

http://cgi.pathfinder.com/netly/opinion/0,1042,1385,00.html

-Declan

------------------------------

Date: Wed, 10 Sep 1997 06:02:32 -0400
From: ACM US Public Policy Office
Subject: USACM APPLAUDS CALIFORNIA LEGISLATURE

PRESS RELEASE

Association for Computing
U.S. Public Policy Office

September 8, 1997

USACM APPLAUDS CALIFORNIA LEGISLATURE FOR UNANIMOUSLY ENDORSING RELAXED EXPORT CONTROLS ON ENCRYPTION

As the Congress prepares to address the issue of computer security and privacy, the California legislature has sent a clear message that relaxing controls on cryptography is a critical first step.

On September 5, the California legislature passed a resolution that calls on the California members in Congress to support legislation that would make it easier for US companies to develop and market strong cryptography products. The resolution was sponsored by Representative Vasconcellos (D. San Jose) and passed without opposition.

Dr. Barbara Simons, chair of the policy committee for the Association for Computing (USACM), said that the California resolution makes clear that industry and users are united in support of good cryptography. "We believe that Congress should support the Security and Freedom Act, sponsored by Representative Goodlatte. The legislation will help protect security and privacy on the internet. It will be a serious mistake for the administration to oppose the development of this technology," said Dr. Simons.

On August 26, USACM Chair Barbara Simons spoke in support of the Vasconcellos resolution before a California Senate committee. Also participating at the Committee hearing were Dr. Whit Diffie from Sun, Kelly Blough from PGP, Jack Wilson of ACL Datacom, Chuck Marson representing the California Internet Industry Alliance (Netscape, Microsoft, AOL, CompuServe and Netcom), and a representative of the Software Publishers Association. Undersecretary of Commerce Reinsch wrote a letter opposing the resolution.
The Association for Computing (ACM) is an international non-profit educational and scientific society with 76,000 members worldwide, 60,000 of whom reside in the U.S. USACM, the Association for Computing's U.S. Public Policy Office, serves as the focal point for ACM's interaction with U.S. government organizations, the computing community and the U.S. public in all matters of U.S. public policy related to information technology. The USACM web site is located at http://www.acm.org/usacm/

For more information, please contact USACM Chair Barbara Simons at 408/256-3661 or USACM Associate Director Lauren Gelman at 202/544-4859.

/\ /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
Association for Computing,            +  http://www.acm.org/usacm/
Office of U.S. Public Policy          *  +1 202 544 4859 (tel)
666 Pennsylvania Ave., SE Suite 302 B *  +1 202 547 5482 (fax)
Washington, DC 20003 USA              +  gelman@acm.org

To subscribe to the ACM Washington Update, send e-mail to: listserv@acm.org with "subscribe WASHINGTON-UPDATE name" (no quotes) in the body of the message.

------------------------------

Date: Wed, 10 Sep 1997 09:32:47 +1000
From: Roger Clarke
Subject: Electronic Bracelets for Children

On page 2 of this morning's SMH:

http://www.smh.com.au/daily/content/970910/national/national2.html

"The Northern Territory is considering using electronic bracelets to impose a night-time curfew on children. Those children selected for the scheme ... would be banned from roaming the streets at night and their activities monitored via a computer-linked electronic device strapped to their wrists or ankles. ... it was too early to say whether the electronically monitored curfew would apply only to children with past convictions, or could be used to monitor children who had never committed a criminal offence".

Pity that the relevant Minister's email address fails, and so does the search-function on the N.T. government's pages ...
However, his Press Secretary, Warwick, on (08) 8999 6811, confirms that the Press Release is *not* on the web; but he's faxing it to me.

Of course, this actually is a set-up between me and me mate Steve Hatton, Minister for Correctional Services for N.T., to help promote my paper, at:

http://www.anu.edu.au/people/Roger.Clarke/DV/IDCards97.html

Roger Clarke
http://www.anu.edu.au/people/Roger.Clarke/
http://www.etc.com.au/Xamax/
Xamax Consultancy Pty Ltd, 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 6 288 1472, and 288 6916
mailto:Roger.Clarke@anu.edu.au
Visiting Fellow, Faculty of Engineering and Information Technology
The Australian National University
Canberra ACT 0200 AUSTRALIA
Information Sciences Building Room 211
Tel: +61 6 249 3666

------------------------------

Date: Tue, 5 Aug 1997 21:22:00 -0400 (EDT)
From: NTalner@aol.com
Subject: Internet access to criminal records info

[ From Risks-Forum Digest; Volume 19 : Issue 28 -- PRIVACY Forum MODERATOR ]

The Washington State Patrol is starting a pilot project called the WATCH program, which was authorized by the 1997 legislature. The program will make criminal history information available on the Internet so that anyone who wants to run a background check on someone for employment purposes (or to deny housing rental or just to snoop) can do so without going through the state patrol.

This raises some dilemmas regarding privacy, public records access, and allowing people to rehabilitate themselves from a criminal conviction. For example, under current law, you can get a conviction vacated after a certain period of time and then answer "no" when asked by employers if you have a conviction, but this is useless if anybody can find the record anyway. Also, current law allows background checks on criminal records to be done for certain jobs, but not for every job. Under the new system, anyone who has ever had a criminal case may risk having jobs, housing, and many other things denied to them because of that case.
It is further clear that under current public disclosure law, most conviction records are public.

Can anybody help me analyze these issues and propose a remedy that maintains access to public records while at the same time lessens the ongoing punishment of individuals who can never escape their past? Thanks.

Nancy Talner

------------------------------

Date: Mon, 8 Sep 1997 11:22:25 -0700
From: Colin Bennett
Subject: Debate about an ISO privacy standard

Subscribers might be interested in recent debates about the desirability of an ISO standard for privacy protection. The initiative has been quietly debated for over a year as a result of Canadian pressure to elevate the Canadian Standards Association's "Model Code for the Protection of Information" to the status of an international instrument, similar to the series of ISO quality management standards in the ISO 9000 series.

Such a standard has been regarded as an efficient way for organizations to demonstrate "adequate data protection" to European authorities. But the idea has also run into a certain amount of resistance from American business and from ANSI (the American National Standards Institute). The issues are complicated and should, in my view, be actively engaged by privacy advocates around the world.

I have recently written a report entitled "The Prospects for an International Standard for the Protection of Personal Information." It is available at URL: www.cous.uvic.ca/poli/cben.htm (Under unpublished papers). I would be interested in any comments.

Prof. Colin J.Bennett
Department of Political Science
University of Victoria
Victoria, B.C. V8W 3P5
CJB@Uvic.ca

------------------------------

Date: Thu, 4 Sep 1997 18:26:47 -0400
From: Marc Rotenberg
Subject: SSA to Restore Online Web Service (from EPIC Alert 4.12)

The Social Security Administration announced today it would put a modified version of the Personal Earnings and Benefits Estimate Statement (PEBES) service back on-line before the end of the year.
The service was suspended on April 9, following public concerns about the risk of improper access to personal information held by the agency.

The Social Security Administration said that the new service would be based on an "opt-in" privacy standard. Individuals could affirmatively choose to request the on-line delivery of PEBES information by first obtaining an authentication code that would only be delivered to a registered email address. Records of individuals who did not request the code would not be available at the web site.

The SSA also said that it would limit the amount of information made available on-line. Payment records would not be accessible at the SSA web site, although they will still be sent by the U.S. mail.

Privacy experts expressed support for the SSA recommendations, saying that the agency has done a good job meeting with the public, consulting with experts, and developing sensible standards to protect personal information.

The SSA experience with Internet service delivery is being watched closely by other federal agencies as well as private companies who hope to take advantage of the Internet and avoid public concerns about privacy.

The SSA PEBES Service is available at:

http://s3abaca.ssa.gov/pro/batch-pebes/bp-7004home.shtml

More information on the SSA and Online Privacy is available at:

http://www.epic.org/privacy/databases/ssa/

[ While this indeed represents a step forward from the original system, it still must be viewed only as an initial step, and obviously must improve further over time. In particular, since e-mail addresses can be trivially created and destroyed, the existence of a valid e-mail destination says nothing about the identity of the person making the request. However, the new procedures do at least provide a potential means for tracking some forms of system abuse.

-- PRIVACY Forum MODERATOR ]

------------------------------

Date: Wed, 03 Sep 1997 06:50:46 -0400
From: "Peter D. Junger"
Subject: Amended Complaint Filed in Cleveland Crypto Suit

Press Release

New Complaint Filed in Suit Challenging Constitutionality of Regulations Forbidding Publication of Software on Internet

Suit Seeks to Enjoin Enforcement of Regulations on ``Export'' of Encryption Software

Programmers Are Entitled to at Least as Much Constitutional Protection as Pornographers, Professor Claims

---------------------------------------------

Cleveland, Ohio, Tuesday, September 2, 1997
For Immediate Release

For More Information Contact:
Peter D. Junger (216) 368-2535
Gino Scarselli (216) 291-8601
Raymond Vasvari (216) 622-1780

Or see URL: http://samsara.law.cwru.edu/comp_law/jvc/

To be added to, or removed from, the list of those who were sent this press release, please send e-mail to .

------

Cleveland, Ohio, September 2. -- In the wake of last week's decision in Bernstein v. U.S. Department of State, in which Judge Patel of the federal district court in San Francisco held that the regulations that forbid the publication of encryption software on the Internet or the World Wide Web without a license from the Department of Commerce ``are an unconstitutional prior restraint in violation of the First Amendment'', lawyers for Professor Peter Junger of Case Western Reserve University Law School, in Cleveland, Ohio, filed an amended complaint in his suit to enjoin the government from enforcing those same regulations.

The regulations, which were initially part of the International Traffic in Arms Regulations (``ITAR'') administered by the Department of State and which are now contained in the Export Administration Regulations (``EAR'') administered by the Department of Commerce, originally required one to apply for and obtain a license under the ITAR before disclosing any cryptographic software in any way to ``foreign persons''.
Under the EAR, however, one is permitted to export such software in books and other ``hard copy'', but is still required to obtain a license before publishing the same software on the Internet or the World Wide Web or in other electronic form or media.

The amended complaint, which names Secretary of Commerce Daley as the primary defendant, simplifies the issues by focusing only on the new version of the regulations that are set out in the EAR.

In that complaint Professor Junger, who wishes to publish a number of encryption programs, written by himself and others, on his World Wide Site as part of the materials used in his course in Computing and the Law, seeks not only relief for himself but also a ``preliminary and permanent injunction enjoining the defendants . . . from interpreting, applying and enforcing the encryption software and technology provisions of EAR against any person who desires to disclose or `export' . . . encryption software and technology.''

The complaint alleges that those encryption regulations violate the freedom of speech and of the press that are protected, particularly from prior restraints such as licensing requirements, by the First Amendment to the United States Constitution as has already been held by Judge Patel in the Bernstein case.

The question of whether the export regulations on cryptography should be relaxed is being hotly debated in Congress at the present time and the software industry has expended considerable sums lobbying in favor of weakening or abolishing those regulations, claiming that they cause severe damage to the software industry in the United States and that the restriction on the export of cryptographic software written in the United States is leading to the export of programming jobs from the United States to other countries without such regulations.
Professor Junger points out, however, that the case involves far more than the effect of the EAR on the writing and publication of cryptographic programs by the software industry. ``The government's claim is not that the publication of encryption software is not protected by the First Amendment,'' he says. ``Rather its claim is that no publication of software is protected, because software is functional. ``If the government can constitutionally require me to get a license, which I probably can't get, before I publish encryption software, they could require me to get a license before I publish any sort of software. And they just might do that in order to standardize the programs that are available and limit competition in favour of certain selected large companies. They already have provisions that allow IBM or Microsoft to get a license to export fairly strong encryption programs that are not available to me or to any other individual programmer or small enterprise.'' ``What tends to get overlooked,'' Junger adds, ``is that computer programs are not a floppy disk that one sticks into a computer to make it work. Computer programs are written and published by human beings just as, for example, pornography is. The Supreme Court recently held in Reno v. ACLU that the full protection of the First Amendment extends to pornography in cyberspace. I find it hard to believe that programmers are not entitled to at least as much constitutional protection as pornographers.'' Copies of the amended complaint will shortly be available at and . -30- -- Peter D. Junger--Case Western Reserve University Law School--Cleveland, OH EMAIL: junger@samsara.law.cwru.edu URL: http://samsara.law.cwru.edu ------------------------------ Date: Wed, 17 Sep 1997 00:15:19 -0700 From: Susan Evoy Subject: Peter Neumann to Receive Social Responsibility Award September 16, 1997 For Immediate Release Contact: Duff Axsom 650-322-3778 Peter Neumann To Receive Social Responsibility Award Palo Alto, CA. 
Peter Neumann, a national authority on computer security and risk, will be given the prestigious Norbert Wiener Award for excellence in promoting socially responsible use of computing technology. Computer Professionals for Social Responsibility (CPSR) annually honors an outstanding leader for personal dedication to increasing the public awareness of the social and political consequences of the uses of technology. Dr. Neumann will be honored October 4, 1997 at the CPSR Annual Conference in Berkeley, CA. "Peter Neumann is a remarkable scholar and social activist", said CPSR president Aki Namioka. "His contributions to our knowledge about the risks and reliability of computing technology are widely published in scientific journals, but even more importantly he initiated the public dialogue through open discussion in one of the most widely read computer online USENET newsgroups, RISKS Forum (comp.risks)." "Dr. Neumann is a pioneer in linking the risks in using technology to our most cherished rights to privacy and our need for a secure environment", stated Namioka. "CPSR is extremely proud to present the Norbert Wiener Award for 1997 to a truly important citizen, an activist and a distinguished scientist. He was one of the early members of CPSR and helped bring public awareness to the major flaws in the Strategic Defense Initiative (SDI) during the Reagan administration." The Norbert Wiener Award was established in 1987 by CPSR in memory of the originator of the field of cybernetics. Norbert Wiener was among the first to examine the social and political consequences of computing technology. His book, The Human Use of Human Beings, pointed out the dangers of nuclear war and the role of scientists in weapons development in 1947, shortly after Hiroshima. Dr. 
Neumann's research on the implications of computing gained wide recognition when he created the ACM SIGSOFT Software Engineering Notes in 1976 with considerable attention to risks issues, and then created the online Risks Forum in 1985. He was also co-author of the National Research Council (NRC) report, Computers at Risk in 1990. Dr. Neumann is the author of Computer-Related Risks, published in 1995 by The Association for Computing (ACM) and Addison-Wesley Publishing Company. Computer-Related Risks summarizes many real events involving computer technologies and the people who depend on those technologies, with widely ranging causes and effects. It considers problems attributable to hardware, software, people, and natural causes. More information about this book can be found at: http://heg-school.awl.com/cseng/authors/neumann/crrisks/crrisks.html His expertise in the issues of privacy and cryptography is demonstrated in his role as an author of the seminal study, Cryptography's Role in Securing the Information Society for the NRC. He served on the Expert Panel of the U.S. House of Representatives' Judiciary Subcommittee on Civil and Constitutional Rights. He is a member of the U.S. General Accounting Office's newly formed Executive Council on Information Management and Technology. Over five decades, Dr. Neumann, Principal Scientist at SRI International in Menlo Park, CA, has been concerned with critical computer and communications systems issues such as security, reliability and human safety. He holds a Ph.D. from Harvard and was a Fulbright scholar at the Technische Hochschule, Darmstadt, Germany. He has worked in the computer field since 1953. He is a Fellow of the American Association for the Advancement of Science, the Association for Computing Machinery (ACM), and the Institute of Electrical and Electronics Engineers (IEEE). 
He was the recipient of the Electronic Frontier Foundation Pioneer Award in 1996 and the ACM SIGSOFT Distinguished Service Award in 1997. More information and access to many of his writings may be obtained at his webpage, http://www.CSL.sri.com/neumann.html. CPSR was founded in 1981 by computer professionals in the Silicon Valley concerned about the use of computers in nuclear weapons systems. CPSR has grown into a national public interest alliance of computer scientists, information technology professionals, and others concerned about the critical choices facing society in the applications of computer related technology. CPSR has 22 Chapters throughout the United States and is based in Palo Alto, CA. # # # # -- Duff Axsom, Executive Director http://www.cpsr.org/home.html Computer Professionals for Social Responsibility P.O. Box 717, Palo Alto, CA 94302 Phone: (650) 322-3778 Fax: (650) 322-4748 Email: duff@cpsr.org [ My special congratulations to Peter for this well-deserved award! Peter is Chairman of the ACM Committee on Computers and Public Policy, of which I'm a member and with which the PRIVACY Forum is affiliated. Again, congratulations! -- PRIVACY Forum MODERATOR ] ------------------------------ End of PRIVACY Forum Digest 06.13 ************************