TUCoPS :: Privacy :: priv_217.txt

Privacy Digest 2.17 5/13/93

PRIVACY Forum Digest     Thursday, 13 May 1993     Volume 02 : Issue 17

          Moderated by Lauren Weinstein (lauren@vortex.com)
                Vortex Technology, Topanga, CA, U.S.A.
	
                     ===== PRIVACY FORUM =====

   	  The PRIVACY Forum digest is supported in part by the 
	      ACM Committee on Computers and Public Policy.


CONTENTS
	Clipper on "Wall Street Journal Report" 
	   (Lauren Weinstein; PRIVACY Forum Moderator)
	DMV Records (Rasch@DOCKMASTER.NCSC.MIL)
	NIST Advisory Board Seeks Comments on Crypto
	   (Clipper-Capstone Chip Info)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com".  All submissions included in this digest represent
the views of the individual authors and all submissions will be considered
to be distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  All PRIVACY Forum materials are also
available through the Internet Gopher system via a gopher server on
site "gopher.vortex.com".

For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@vortex.com, call (310) 455-9300, or FAX
to (310) 455-2364.
-----------------------------------------------------------------------------

VOLUME 02, ISSUE 17

   Quote for the day:

	"Life is like a sewer.  What you get out of it depends
	 on what you put into it."

		-- Tom Lehrer (1928- )

		   Preamble to the song "We Will All Go Together
		   When We Go" on the album "An Evening Wasted
		   with Tom Lehrer" (1953)

	
----------------------------------------------------------------------

Date:    Sun, 9 May 93 16:20 PDT
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Clipper on "Wall Street Journal Report"

Greetings.  Last Sunday's (5/9/93) edition of the television news program
"Wall Street Journal Report" featured a somewhat brief segment on encryption.
Starting with the issues revolving around the theft of U.S. trade secrets
and information by outside governments, it then led to the topic of
encryption systems, mentioning DES, RSA, and finally Clipper. 

They discussed the controversy surrounding Clipper, and included brief
soundbites from both NIST and Electronic Frontier Foundation spokespersons.
There was even a brief shot of what was purported to be the Clipper chip
itself (surface mount, I think).  Clipper was identified in the piece
as being developed by NSA, but it was the NIST spokesman who was asked
if a "backdoor" existed in the chip (the reply was "no"... not the biggest
surprise answer ever spoken, to be sure).

As short mainstream television media pieces go, it was a reasonably accurate
presentation.  It seemed clear that some officials had presented the view
that society needed to make a decision about the level of security that
should be allowed the public.  The implication seemed clear that this might
involve banning "non-compliant" encryption systems if that view wins out.

--Lauren--

------------------------------

Date:    Fri, 7 May 93 09:59 EDT
From:    Rasch@DOCKMASTER.NCSC.MIL
Subject: DMV Records

I am working on a research project, and need some help.  In how many
states is it illegal for a citizen to obtain DMV records on others?  In
which states are such records publicly available?  What are the
procedures for obtaining such records?  I'd like any help I can get.

------------------------------

Date:    Tue, 11 May 93 13:43:21 EDT
From:    Clipper-Capstone Chip Info <clipper@csrc.ncsl.nist.gov>
Subject: NIST Advisory Board Seeks Comments on Crypto

Note: This file has been posted to the following groups:
            RISKS Forum
            Privacy Forum
            Sci.crypt
            Alt.privacy.clipper

and will be made available for anonymous ftp from csrc.ncsl.nist.gov,
filename pub/nistgen/cryptmtg.txt and for download from the NIST 
Computer Security BBS, 301-948-5717, filename cryptmtg.txt.


Note: The following notice is scheduled to appear in the Federal Register this
week.  The notice announces a meeting of the Computer System Security and
Privacy Advisory Board (established by the Computer Security Act of 1987) and
solicits public and industry comments on a wide range of cryptographic issues. 
Please note that submissions due by 4:00 p.m. May 27, 1993.  
			   -----------------------


                            DEPARTMENT OF COMMERCE
                National Institute of Standards and Technology

                          Announcing a Meeting of the

              COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD


AGENCY:   National Institute of Standards and Technology 


ACTION:   Notice of Open Meeting


SUMMARY:  Pursuant to the Federal Advisory Committee Act, 5
U.S.C. App., notice is hereby given that the Computer System
Security and Privacy Advisory Board will meet Wednesday, June 2,
1993, from 9:00 a.m. to 5:00 p.m.,  Thursday, June 3, 1993, from
9:00 a.m. to 5:00 p.m., and Friday, June 4, 1993 from 9:00 a.m.
to 1:00 p.m.  The Advisory Board was established by the Computer
Security Act of 1987 (P.L. 100-235) to advise the Secretary of
Commerce and the Director of NIST on security and privacy issues
pertaining to Federal computer systems and report its findings to
the Secretary of Commerce, the Director of the Office of
Management and Budget, the Director of the National Security
Agency, and the appropriate committees of the Congress.  All
sessions will be open to the public.

DATES:    The meeting will be held on June 2-4 1993.  On June 2
and 3, 1993 the meeting will take place from 9:00 a.m. to 5:00
p.m. and on June 4, 1993 from 9:00 a.m. to 1:00 p.m.

Public submissions (as described below) are due by 4:00 p.m.
(EDT) May 27, 1993 to allow for sufficient time for distribution
to and review by Board members.

ADDRESS:   The meeting will take place at the National Institute
of Standards and Technology, Gaithersburg, MD.  On June 2, 1993,
the meeting will be held in the Administration Building, "Red
Auditorium," on June 3 the meeting will be held in the
Administration Building, "Green Auditorium," and on June 4, 1993
in the Administration Building, Lecture Room "B."

Submissions (as described below), including copyright waiver if
required, should be addressed to:  Cryptographic Issue
Statements, Computer System Security and Privacy Advisory Board,
Technology Building, Room B-154, National Institute of Standards 
and Technology, Gaithersburg, MD, 20899 or via FAX to 
301/948-1784.  Submissions, including copyright waiver if
required, may also be sent electronically to
"crypto@csrc.ncsl.nist.gov".



                                      -2-
AGENDA:

- Welcome and Review of Meeting Agenda
- Government-developed "Key Escrow" Chip Announcement Review
- Discussion of Escrowed Cryptographic Key Technologies
- Review of Submitted Issue Papers
- Position Presentations & Discussion
- Public Participation
- Annual Report and Pending Business
- Close

PUBLIC PARTICIPATION:  

This Advisory Board meeting will be devoted to the issue of the
Administration's recently announced government-developed "key
escrow" chip cryptographic technology and, more broadly, to
public use of cryptography and government cryptographic policies
and regulations.  The Board has been asked by NIST to obtain
public comments on this matter for submission to NIST for the
national review that the Administration's has announced it will
conduct of cryptographic-related issues.  Therefore, the Board is
interested in: 1)  obtaining public views and reactions to the
government-developed "key escrow" chip technology announcement,
"key escrow" technology generally, and government cryptographic
policies and regulations 2) hearing selected summaries of written
views that have been submitted, and 3) conducting a general
discussion of these issues in public.

The Board solicits all interested parties to submit well-written,
concise issue papers, position statements, and background
materials on areas such as those listed below.  Industry input is
particularly encouraged in addressing the questions below.  

Because of the volume of responses expected, submittors are asked
to identify the issues above to which their submission(s) are
responsive.  Submittors should be aware that copyrighted
documents cannot be accepted unless a written waiver is included
concurrently with the submission to allow NIST to reproduce the
material.  Also, company proprietary information should not be
included, since submissions will be made publicly available.  

This meeting specifically will not be a tutorial or briefing on
technical details of the government-developed "key escrow" chip
or escrowed cryptographic key technologies.  Those wishing to
address the Board and/or submit written position statements are
requested to be thoroughly familiar with the topic and to have
concise, well-formulated opinions on its societal ramifications. 






                                      -3-

Issues on which comments are sought include the following:

1.    CRYPTOGRAPHIC POLICIES AND SOCIAL/PUBLIC POLICY ISSUES

Public and Social policy aspects of the government-developed "key
escrow" chip and, more generally, escrowed key technology and
government cryptographic policies.

Issues involved in balancing various interests affected by
government cryptographic policies.

2.    LEGAL AND CONSTITUTIONAL ISSUES

Consequences of the government-developed "key escrow" chip
technology and, more generally, key escrow technology and
government cryptographic policies.

3.    INDIVIDUAL PRIVACY

Issues and impacts of cryptographic-related statutes,
regulations, and standards, both national and international, upon
individual privacy.

Issues related to the privacy impacts of the government-developed
"key escrow" chip and "key escrow" technology generally.

4.    QUESTIONS DIRECTED TO AMERICAN INDUSTRY

4.A  Industry Questions: U.S. Export Controls

4.A.1 Exports - General 

What has been the impact on industry of past export controls on
products with password and data security features for voice or
data?

Can such an impact, if any, be quantified in terms of lost export
sales or market share?  If yes, please provide that impact.

How many exports involving cryptographic products did you attempt
over the last five years?  How many were denied?  What reason was
given for denial?

Can you provide documentation of sales of cryptographic equipment
which were lost to a foreign competitor, due solely to U.S.
Export Regulations.

What are the current market trends for the export sales of
information security devices implemented in hardware solutions? 
For software solutions?


                                      -4-

4.A.2  Exports - Software

If the U.S. software producers of mass market or general purpose
software (word processing, spreadsheets, operating environments,
accounting, graphics, etc.) are prohibited from exporting such
packages with file encryption capabilities, what foreign
competitors in what countries are able and willing to take
foreign market share from U.S. producers by supplying file
encryption capabilities?

What is the impact on the export market share and dollar sales of
the U.S. software industry if a relatively inexpensive hardware
solution for voice or data encryption is available such as the
government-developed "key escrow" chip?

What has been the impact of U.S. export controls on COMPUTER
UTILITIES software packages such as Norton Utilities and PCTools?

What has been the impact of U.S. export controls on exporters of
OTHER SOFTWARE PACKAGES (e.g., word processing) containing file
encryption capabilities?

What information does industry have that Data Encryption Standard
(DES) based software programs are widely available abroad in
software applications programs?

4.A.3  Exports - Hardware

Measured in dollar sales, units, and transactions, what have been
the historic exports for:

            Standard telephone sets
            Cellular telephone sets
            Personal computers and work stations            
            FAX machines
            Modems
            Telephone switches

What are the projected export sales of these products if there is
no change in export control policy and if the government-
developed "key escrow" chip is not made available to industry?

What are the projected export sales of these products if the
government-developed "key escrow" chip is installed in the above
products, the above products are freely available at an
additional price of no more than $25.00, and the above products
are exported WITHOUT ADDITIONAL LICENSING REQUIREMENTS?

What are the projected export sales of these products if the
government-developed "key escrow" chip is installed in the above
products, the above products are freely available at an
additional price of no more than $25.00, and the above products 

                                      -5-

are to be exported WITH AN ITAR MUNITIONS LICENSING REQUIREMENT
for all destinations?

What are the projected export sales of these products if the
government-developed "key escrow" chip is installed in the above
products, the above products are freely available at an
additional price of no more than $25.00, and the above products
are to be exported WITH A DEPARTMENT OF COMMERCE LICENSING
REQUIREMENT for all destinations?

4.A.4  Exports - Advanced Telecommunications 

What has been the impact on industry of past export controls on
other advanced telecommunications products?

Can such an impact on the export of other advanced
telecommunications products, if any, be quantified in terms of
lost export sales or market share?  If yes, provide that impact.


4.B  Industry Questions:  Foreign Import/Export Regulations

How do regulations of foreign countries affect the import and
export of products containing cryptographic functions?  Specific
examples of countries and regulations will prove useful.


4.C  Industry Questions: Customer Requirements for Cryptography

What are current and future customer requirements for information
security by function and industry?  For example, what are current
and future customer requirements for domestic banking,
international banking, funds transfer systems, automatic teller
systems, payroll records, financial information, business plans,
competitive strategy plans, cost analyses, research and
development records, technology trade secrets, personal privacy
for voice communications, and so forth?  What might be good
sources of such data?

What impact do U.S. Government mandated information security
standards for defense contracts have upon demands by other
commercial users for information security systems in the U.S.? 
In foreign markets?

What threats are your product designed to protect against?  What
threats do you consider unaddressed?

What demand do you foresee for a) cryptographic only products,
and b) products incorporating cryptography in: 1) the domestic
market, 2) in the foreign-only market, and 3) in the global
market?


                                      -6-

4.D  Industry Questions:  Standards

If the European Community were to announce a non-DES, 
non-public key European Community Encryption Standard (ECES), how
would your company react?  Include the new standard in product
line?  Withdraw from the market?  Wait and see? 

What are the impacts of government cryptographic standards on
U.S. industry (e.g., Federal Information Processing Standard 46-1
[the Data Encryption Standard] and the proposed Digital Signature
Standard)?


5.  QUESTIONS DIRECTED TO THE AMERICAN BUSINESS COMMUNITY

5.A  American Business:  Threats and Security Requirements

Describe, in detail, the threat(s), to which you are exposed and
which you believe cryptographic solutions can address.

Please provide actual incidents of U.S. business experiences with
economic espionage which could have been thwarted by applications
of cryptographic technologies.

What are the relevant standards of care that businesses must
apply to safeguard information and what are the sources of those
standards other than Federal standards for government
contractors?

What are U.S. business experiences with the use of cryptography
to protect against economic espionage, (including current and
projected investment levels in cryptographic products)?


5.B  American Business:  Use of Cryptography

Describe the types of cryptographic products now in use by your
organization.  Describe the protection they provide (e.g., data
encryption or data integrity through digital signatures).  Please
indicate how these products are being used.

Describe any problems you have encountered in finding,
installing, operating, importing, or exporting cryptographic
devices.

Describe current and future uses of cryptographic technology to
protect commercial information (including types of information
being protected and against what threats).

Which factors in the list below inhibit your use of cryptographic
products?


                                      -7-

Please rank:

--    no need
--    no appropriate product on market
--    fear of interoperability problems
--    regulatory concerns
--       a) U.S. export laws
--       b) foreign country regulations
--       c) other
--    cost of equipment
--    cost of operation
--    other

Please comment on any of these factors.

In your opinion, what is the one most important
unaddressed need involving cryptographic technology?

Please provide your views on the adequacy of the government-
developed "key escrow" chip technological approach for the
protection of all your international voice and data communication
requirements.  Comments on other U.S. Government cryptographic
standards?

6.  OTHER

Please describe any other impacts arising from Federal government
cryptographic policies and regulations. 

Please describe any other impacts upon the Federal government in
the protection of unclassified computer systems.  

Are there any other comments you wish to share?

The Board agenda will include a period of time, not to exceed ten
hours, for oral presentations of summaries of selected written
statements submitted to the Board by May 27, 1993.  As
appropriate and to the extent possible, speakers addressing the
same topic will be grouped together.  Speakers, prescheduled by
the Secretariat and notified in advance, will be allotted fifteen
to thirty minutes to orally present their written statements. 
Individuals and organizations submitting written materials are
requested to advise the Secretariat if they would be interested
in orally summarizing their materials for the Board at the
meeting.

Another period of time, not to exceed one hour, will be reserved
for oral comments and questions from the public.  Each speaker
will be allotted up to five minutes; it will be necessary to
strictly control the length of presentations to maximize public
participation and the number of presentations.


                                      -8-

Except as provided for above, participation in the Board's
discussions during the meeting will be at the discretion of the
Designated Federal Official.

Approximately thirty seats will be available for the public,
including three seats reserved for the media.  Seats will be
available on a first-come, first-served basis.  

FOR FURTHER INFORMATION CONTACT:  Mr. Lynn McNulty, Executive
Secretary and Associate Director for Computer Security, Computer
Systems Laboratory, National Institute of Standards and
Technology, Building 225, Room B154, Gaithersburg, Maryland
20899, telephone: (301) 975-3240.

SUPPLEMENTARY INFORMATION:  Background information on the
government-developed "key escrow" chip proposal is available from
the Board Secretariat; see address in "for further information"
section.  Also, information on the government-developed "key
escrow" chip is available electronically from the NIST computer
security bulletin board, phone 301-948-5717.

The Board intends to stress the public and social policy aspects,
the legal and Constitutional consequences of this technology, and
the impacts upon American business and industry during its
meeting.  

It is the Board's intention to create, as a product of this
meeting, a publicly available digest of the important points of
discussion, conclusions (if any) that might be reached, and an
inventory of the policy issues that need to be considered by the
government.  Within the procedures described above, public
participation is encouraged and solicited.


/signed/
Raymond G. Kammer, Acting Director


May 10, 1993
Date  

------------------------------

End of PRIVACY Forum Digest 02.17
************************

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH