TUCoPS :: Privacy :: priv_218.txt

Privacy Digest 2.18 5/27/93

PRIVACY Forum Digest     Thursday, 27 May 1993     Volume 02 : Issue 18

          Moderated by Lauren Weinstein (lauren@vortex.com)
                Vortex Technology, Topanga, CA, U.S.A.
	
                     ===== PRIVACY FORUM =====

   	  The PRIVACY Forum digest is supported in part by the 
	      ACM Committee on Computers and Public Policy.

   	   **************************************************
	   *						    *
  	   *    PRIVACY Forum One Year Anniversary Issue    *
	   *						    *
   	   **************************************************

CONTENTS
	PRIVACY Brief (Lauren Weinstein; PRIVACY Forum Moderator)
	Library of Congress Information System now on Internet
	   (Lauren Weinstein; PRIVACY Forum Moderator)
	Can Wiretaps Remain Cost-Effective? (Robin Hanson)
	Electronic fingerprinting of welfare recipients in CA
	   (James I. Davis)
        ComSec in Australia [Roger] (Klaus Brunnstein)
	NIST Answers to Jim Bidzos' Questions (Jim Bidzos)
	Data Protection Agency created in Spain (Rafael Fernandez Calvo)
        Calif requires ID? (Bruce Jones)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com".  All submissions included in this digest represent
the views of the individual authors and all submissions will be considered
to be distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  All PRIVACY Forum materials are also
available through the Internet Gopher system via a gopher server on
site "gopher.vortex.com".

For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@vortex.com, call (310) 455-9300, or FAX
to (310) 455-2364.
-----------------------------------------------------------------------------

VOLUME 02, ISSUE 18

   Quote for the day:

	"This paper is 100% unrecycled.  Whole forests were
	 leveled, thousands of small furry animals left homeless,
	 and vast virgin landscapes devastated, to make this book."

		-- From the last page of "Science Made Stupid"
		   by Tom Weller (1985)

	 	   [ I strongly recommend this book! -- MODERATOR ]
	
----------------------------------------------------------------------

PRIVACY Brief (from the Moderator)

---

A New York State Federal Judge has ruled against the federal
anti-autodialing-solicitation law, which would have banned
most autodialer solicitation machines.  The decision was apparently
based on free-speech grounds, and also related to concerns that
certain non-commercial uses of autodialer solicitation units
were exempted under the law.  The ultimate impact of this ruling 
is unclear at this time.

------------------------------

Date:    Thu, 27 May 93 11:30 PDT
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Library of Congress Information System now on Internet

Greetings.  As of around May 1, the U.S. Library of Congress is accessible
over the Internet.  Not only is collection catalog searching available,
but (of potential particular interest to PRIVACY Forum readers) access to
the Congressional legislation tracking system, including both past and
current sessions of Congress, is also included.  You can search for
legislation in a variety of manners, including keywords, and you can
determine where new proposed legislation currently stands in the legislative
process.

The hostname for telnet access is "locis.loc.gov".  Their FTP server is
"seq1.loc.gov".  Note that (at this time) telnet access is generally only
available during the hours that the Library is physically open to the
public.

--Lauren--

------------------------------

Date:    Wed, 26 May 93 10:46:32 PDT
From:    Robin Hanson <hanson@ptolemy.arc.nasa.gov>
Subject: Can Wiretaps Remain Cost-Effective?

U.S. Phone companies spend more than 4000 times as much running the
phone system (~$138b) as U.S. police spend on legal domestic phone
wiretaps ($30m), to listen to phone conversations without the consent
of either party.  So even if wiretaps are worth several times what
police spend on them, and even if spy agencies spend a similar amount
on wiretaps, we can justify only the slightest modification of our
phone system to accommodate wiretaps.  Yet the new wiretap chip, and
last year's FBI digital telephony bill, both threaten to raise our
phone bills by far more than they reduce our taxes for police.

Dorothy Denning claims that wiretaps are worth "billions of dollars
per year", based on amounts fined, recovered, etc.  But this is just
the wrong way to estimate the value of police services, according to
standard texts on law enforcement economics.  Instead, the value of
each wiretap should be not far from how much police (or spies) would
be willing to pay extra for that wiretap.  Given alternatives to use
hidden microphones, informants, offer immunity, investigate someone
else, or to decriminalize or raise the punishment for some crimes, it
seems hard to imagine police would on average be willing to pay four
times as much as they do now.  Even then, the option to wiretap the
average phone line would be worth only twelve cents a month.

Yet phone companies must perceive substantial costs to supporting
wiretaps, even relative to wanting to stay on the good side of police;
why else would police be complaining about lack of support?
Government policies attempting to preserve wiretaps in the face of
technological change would discourage a full global market for phone
systems, while government decree would displace marketplace evolution
of standards for representing, encrypting, and exchanging voice.  Do
you think these factors would raise the average $78 monthly phone bill
by more than twelve cents?  Even the wiretap chip itself, sold for $26
each while private chips without wiretap support sell for $10, would
cost people who buy a new phone every five years an extra 27 cents per
month.  And FBI estimates of phone company costs to develop new
software to support wiretaps suggest software costs alone could be
over $6 per phone line.

The central question is this: would police agencies still be willing
to pay for each wiretap, if each wiretapping agency were charged its
share of the full cost, to phone users, of forcing phones to support
wiretaps?  And why not let the market decide the answer?  Currently,
police must pay phone company "expenses" to support wiretaps.  So why
not let phone companies sell police the option to perform legal
wiretaps on given sets of phone lines, at whatever price the two
parties can negotiate?  Phone companies could then offer discounts to
customers who use phones with wiretap chips, and each person could
decide if the extra cost and risk of privacy invasion was worth the
price to make life easier for the police.  Or why not increase the
punishment for crimes committed using wiretap-avoiding technology?

If it turns out wiretaps aren't worth their cost, so be it.  Less than
one part in 1000 of police budgets are spent on wiretaps, and wiretaps
weren't even legal before 1968.

Robin Hanson  hanson@ptolemy.arc.nasa.gov 
415-604-3361  MS-269-2, NASA Ames Research Center, Moffett Field, CA 94035
510-651-7483  47164 Male Terrace, Fremont, CA  94539-7921 

	[ A longer version of this paper (approx. 24K bytes) is available
	  in the PRIVACY Forum archives.  To access:

	    Via Anon FTP: From site "ftp.vortex.com": /privacy/wiretap-cost.Z
					          or: /privacy/wiretap-cost

	    Via e-mail: Send mail to "listserv@vortex.com" with
	                the line:

			    get privacy wiretap-cost

		        as the first text in the BODY of your message.

	    Via gopher: From the gopher server on site "gopher.vortex.com"
		in the "*** PRIVACY Forum ***" area under "wiretap-cost".

							-- MODERATOR ]


------------------------------

Date:    Sun, 23 May 1993 11:33:44 -0700
From:    "James I. Davis" <jdav@well.sf.ca.us>
Subject: Electronic fingerprinting of welfare recipients in CA

I spoke on Thursday (5/13) at a hearing before the San Francisco
Social Services Commission regarding their plan to begin requiring
that welfare recipients submit to electronic fingerprinting as a
condition of receiving public assistance. I am sending out a copy
of my remarks (it's a rather long posting) under "separate cover."

Here is some background information on the issue:

I collected most of the data contained in my remarks from
interviews with various people, and some memos and press releases
from various agencies. I understand that there is a small piece in
a recent _Mother Jones_ about the experience in LA, which supports
the points I made in my remarks. I have a more pointed piece in
the CPSR/Berkeley newsletter if you are interested.

In June of 1991, Los Angeles County began requiring electronic
fingerprints as a condition of receiving General Assistance (GA).
GA is a state-mandated, county administered program for indigent
adults. The system is ostensibly designed to deter people from
receiving benefits under multiple names, although their are many
aspects of the system that could bear more serious scrutiny than
it has received to date.

LA is spending some $9.4 million over five years on the Automated
Fingerprint Image Reporting and Match System (AFIRM), AFIRM was
developed by computer services giant Electronic Data Systems. In
February of this year, Alameda County started using the system, at
an estimated cost of $1.3 million. San Francisco is currently
considering adopting the system. The Department of Social Services
says it will cost $1 million to implement, but I think that is
low. The AFIRM proposal was approved by the SF Social Services
Commission on May 13, and the matter now goes to the SF Board of
Supervisors, who must approve a change in the ordinance governing
GA, to include the fingerprinting requirement. The next step will
be a hearing before one or more committees (perhaps Willie
Kennedy's on social policy, and/or the finance committee), most
likely in early June.

Any suggestions for questions about the system will be very
helpful, especially questions about technical, privacy and
security issues. It is clear that SF plans to link the system up
with other counties and share data with them regularly. Also if
you have any expertise on fingerprinting and law enforcement, I
need some info on that.

The AFIRM system only makes sense if it is installed on as wide a
basis, and for as many public assistance programs as possible. On
the other hand, the more counties that refuse to participate, the
less likely it will be to take root. I think that there is an
opportunity to stop it at the SF Board of Supervisors...

Jim D.

------------------------------

Date:    Thu, 20 May 1993 09:22:00 EDT
From:    brunnstein@rz.informatik.UNI-HAMBURG.DBP.DE
Subject: Re: ComSec in Australia [Roger]

----------------------------Original message----------------------------
Roger, friends, as a follow-up to Roger's message to a distinguished list and
to Risk Forum, I append a message which gives some background of the technology
applied. I've some details of the technical details (some only in Germany :-).
Greetings from Hamburg, site of IFIP World Congress 1994 Klaus Brunnstein

==================

Delivery-date: Monday, May 3, 1993 at 18:27 GMT+0100
From:<S=brunnstein;OU=rz;OU=informatik;P=uni-hamburg;A=dbp;C=de>
To:Risk Forum <S=risks;OU=csl;O=sri;P=com;A=dbp;C=de> [confirm]
Subject:Mobile ComSec in Europe (A5)

Stimulated by the "Cripple Clipper" Chip discussions, I invested some time
to investigate the European approach in this area. Mobile communication
security is practically available, since some time, in Western Europe based on
some technology which will now alsp be applied in Australia [see Roger Clarke:
Risk Forum 14.56). In contacts with people from producers, carriers and Telecom

research, I collected the following facts:

     - Dominated by Western European telecommunications enterprises, a
       CCITT subsidiary (CEPT=Conference Europeenne des Administrations des
       Postes et des Telecommunications; founded 1959, presently 26 European
       countries, mainly from Western/Northern Europe) formed a subgroup
       (ETSI=European Telecommunications Standards Institute) which specified,
       in a special Memorandum of Understanding (MoU) the GSM standard (=Groupe
       Special Mobile). Presently, ETSI (planned as EEC's Standardisation
       Institute in this area) has 250 members from industry (63%), carrier
       (14%), government (10%), appliers and research (together 10%). Research
       here means essentially Telecom and related "research" institutes.

     - GSM documents specify roughly the functional characteristics including
       secure encryption of transmitted digital messages (see "European digital
       cellular telecommunication system (phase 2): Security Related Network
       Functions"). Apart from protocols, details of algorithms are secret.

     - GSM contains 3 secret algorithms (only given to experts with established
       need-to-know, esp. carriers or manufacturers):
           Algorithm A3: Authentication algorithm,
           Algorithm A8: Cipher Key Generator (essentially a 1-way function),
                         and
           Algorithm A5: Ciphering/Deciphering algorithm (presently A5/1,A5/2).
       Used in proper sequence, this set of algorithms shall guarantee that
       NOBODY can break the encrypted communication.

     - Mobile stations are equipped with a chipcard containing A3 and A8, plus
       an ASIC containing A5; the (non-mobile) base stations (from where the
       communication flows into the land-based lines) is equipped with an ASIC
       realising A5 encryption, and it is connected with an "authentication
       center" using (ASIC, potentially software based) A3 and A8 algorithms to
       authenticate the mobile participant and generate a session key.

     - When a secure communication is started (with the chipcard inserted in
       the mobile station), authentication of the mobile participant is perfor-
       med by encrypting the individual subscriber key Ki (and some random seed

       exchanged between the mobile and base station) with A3 and sending this
       to the base station where it is checked against the stored identity.
       Length of Ki: 128 bit.

     - If authentified, the individual subscriber key Ki (plus some random seed
       exchanged between mobile and basis station) is used to generate a
       session key Kc; length of Kc: 64 bit. Different from Clipper, a session
       key may be used for more than one session, dependent on the setting of
       a flag at generation time; evidently, this feature allows to minimize
       communication delays from the authentication process.

     - Using session key (Kc), the data stream (e.g. digitized voice) is en-
       crypted using the A5 algorithm and properly decrypted at base station.

     - A more complex authentication procedure including exchange of IMSI (In-
       ternational Mobile Subscriber Identity) may be used to authenticate the
       subscriber and at the same time to generate the session key (using an
       combined "A38" algorithm) and transmit it back to the mobile station.

Comparing the European A5 approach with US' "Cripple Clipper Chip", I find some

surprising basic similarities (apart from minor technical differences, such as
key lengths and using ASICs only versus Chipcard in the mobile station):

    1) Both approaches apply the "SbO Principle" (Security by Obscurity): "what
       outsiders don't know, is secure!" Or formulated differently: only
       insiders can know whether it contains built-in trapdoors or whether it
       is really secure!

    2) Both approaches aim at protecting their hemisphere (in the European
       case, including some interest spheres such as "down-under", to serve
       the distinguished British taste:-) from other hemispheres' competition.

The most significant differences are:

    A) that US government tries to masquerade the economic arguments with some
       legalistic phrases ("protect citizen's privacy AND protect them against
       criminal misuse") whereas Western Europeans must not argue as everybody
       knows the dominance of EEC's economic arguments (and the sad situation
       of privacy in most EEC countries :-)

    B) that US government must produce the rather complex "escrow agencies"
       where European law enforcers must only deal with ETSI (manufacturers and
       carriers!) about reduced safety in "A5/n" algorithms (n=1,2,...).

Presently, different "A5/n" algorithms are discussed. Apart from the "secure"
original algorithm A5 (now labeled A5/1), a "less secure, export oriented A5/2"
has been specified (according to my source which may not be fully informed,
this will go to "down-under" :-). One argument for such "A5/n" multiplicity is
that availability of more A5/n algorithms may even allow to select, during
authentication, one algorithm from the set thus improving security of communi-
cation; at the same time, as these algorithms are secret, the secret automatic
selection (e.g. triggered by some obscure function similar to the random ex-
change in the authentication process) may allow to crack the encryted message.

My (contemporary) conclusion is that security of both A5 and CC is questionable
as long as their security cannot be assessed by independent experts. In both
cases, economic interests seem to play a dominant role; there are clear indica-
tions of forthcoming economic "competition", and I wonder which side Japan
will take (maybe they decide to start their own crippled SecureCom standard?)

Klaus Brunnstein (Univ Hamburg; May 3, 1993)

------------------------------

Date: Mon, 17 May 93 14:05:18 PDT
From: jim@RSA.COM (Jim Bidzos)
Subject: NIST Answers to Jim Bidzos' Questions

		[ From RISKS-FORUM Digest 14.62 -- MODERATOR ]

Date:    Mon, 17 May 1993 16:44:28 -0400 (EDT)
From: ROBACK@ECF.NCSL.NIST.GOV
Subject: Answers to Your Questions
To: jim@RSA.COM

To:  Mr. Jim Bidzos, RSA Data Security, Inc.

From:  Ed Roback, NIST

Mr. Ray Kammer asked me to forward to you our answers to the questions you
raised in your e-mail of 4/27.  

We've inserted our answers in your original message.  

          ------------------------------------------------------

From:       SMTP%"jim@RSA.COM" 27-APR-1993 03:13:12.75
To:   clipper@csrc.ncsl.nist.gov
CC:   
Subj:       Clipper questions
...
Date: Tue, 27 Apr 93 00:11:50 PDT
From: jim@RSA.COM (Jim Bidzos)

Here are some questions about the Clipper program I would like to submit.

Much has been said about Clipper and Capstone (the term Clipper will be used
to describe both) recently.  Essentially, Clipper is a government-sponsored
tamper-resistant chip that employs a classified algorithm and a key escrow
facility that allows law enforcement, with the cooperation of two other
parties, to decipher Clipper-encrypted traffic.  The stated purpose of the
program is to offer telecommunications privacy to individuals, businesses, and
government, while protecting the ability of law enforcement to conduct
court-authorized wiretapping.

The announcement said, among other things, that there is currently no plan to
attempt to legislate Clipper as the only legal means to protect
telecommunications.  Many have speculated that Clipper, since it is only
effective in achieving its stated objectives if everyone uses it, will be
followed by legislative attempts to make it the only legal telecommunications
protection allowed. This remains to be seen.

>>>>  NIST:       There are no current plans to legislate the use of Clipper. 
                  Clipper will be a government standard, which can be - and
                  likely will be - used voluntarily by the private sector. The
                  option for legislation may be examined during the policy
                  review ordered by the President.

The proposal, taken at face value, still raises a number of serious questions.

What is the smallest number of people who are in a position to compromise the
security of the system? This would include people employed at a number of
places such as Mikotronyx, VSLI, NSA, FBI, and at the trustee facilities.  Is
there an available study on the cost and security risks of the escrow process?

>>>>  NIST:       It will not be possible for anyone from Mykotronx, VLSI,
                  NIST, NSA, FBI (or any other non-escrow holder) to
                  compromise the system.  Under current plans, it would be
                  necessary for three persons, one from each of the escrow
                  trustees and one who knows the serial number of the Clipper
                  Chip which is the subject of the court authorized electronic
                  intercept by the outside law enforcement agency, to conspire
                  in order to compromise escrowed keys.  To prevent this, it
                  is envisioned that every time a law enforcement agency is
                  provided access to the escrowed keys there will be a record
                  of same referencing the specific lawful intercept
                  authorization (court order).  Audits will be performed to
                  assure strict compliance.  This duplicates the protection
                  afforded nuclear release codes.  If additional escrow agents
                  are added, one additional person from each would be required
                  to compromise the system.  NSA's analysis on the security
                  risks of the escrow system is not available for public
                  dissemination.

How were the vendors participating in the program chosen? Was the process
open?

>>>> NIST:        The services of the current chip vendors were obtained in
                  accordance with U.S. Government rules for sole source
                  procurement, based on unique capabilities they presented. 
                  Criteria for selecting additional sources will be
                  forthcoming over the next few months.  

                  AT&T worked with the government on a voluntary basis to use
                  the "Clipper Chip" in their Telephone Security Device.  Any
                  vendors of equipment who would like to use the chips in
                  their equipment may do so, provided they meet proper
                  government security requirements.

A significant percentage of US companies are or have been the subject of an
investigation by the FBI, IRS, SEC, EPA, FTC, and other government agencies.
Since records are routinely subpoenaed, shouldn't these companies now assume
that all their communications are likely compromised if they find themselves
the subject of an investigation by a government agency?  If not, why not?

>>>> NIST:        No.  First of all, there is strict and limited use of
                  subpoenaed material under the Federal Rules of Criminal
                  Procedure and sanctions for violation.  There has been no
                  evidence to date of Governmental abuse of subpoenaed
                  material, be it encrypted or not.  Beyond this, other
                  Federal criminal and civil statutes protect and restrict the
                  disclosure of proprietary business information, trade
                  secrets, etc.  Finally, of all the Federal agencies cited,
                  only the FBI has statutory authority to conduct authorized
                  electronic surveillance.  Electronic surveillance is
                  conducted by the FBI only after a Federal judge agrees that
                  there is probable cause indicating that a specific
                  individual or individuals are using communications in
                  furtherance of serious criminal activity and issues a court
                  order to the FBI authorizing the interception of the
                  communications. 

What companies or individuals in industry were consulted (as stated in the
announcement) on this program prior to its announcement? (This question seeks
to identify those who may have been involved at the policy level; certainly
ATT, Mikotronyx and VLSI are part of industry, and surely they were involved
in some way.)

>>>> NIST:        To the best of our knowledge: AT&T, Mykotronx, VLSI, and
                  Motorola.  Other firms were briefed on the project, but not
                  "consulted," per se.

Is there a study available that estimates the cost to the US government of the
Clipper program?

>>>> NIST:        No studies have been conducted on a government-wide basis to
                  estimate the costs of telecommunications security
                  technologies.  The needs for such protection are changing
                  all the time.

There are a number of companies that employ non-escrowed cryptography in their
products today.  These products range from secure voice, data, and fax to
secure email, electronic forms, and software distribution, to name but a few.
With over a million such products in use today, what does the Clipper program
envision for the future of these products and the many corporations and
individuals that have invested in and use them?  Will the investment made by
the vendors in encryption-enhanced products be protected? If so, how?  Is it
envisioned that they will add escrow features to their products or be asked to
employ Clipper?

>>>> NIST:        Again, the Clipper Chip is a government standard which can
                  be used voluntarily by those in the private sector.  We also
                  point out that the President's directive on "Public
                  Encryption Management" stated: "In making this decision, I
                  do not intend to prevent the private sector from developing,
                  or the government from approving, other microcircuits or
                  algorithms that are equally effective in assuring both
                  privacy and a secure key-escrow system."  You will have to
                  consult directly with private firms as to whether they will
                  add escrow features to their products.

Since Clipper, as currently defined, cannot be implemented in software, what
options are available to those who can benefit from cryptography in software?
Was a study of the impact on these vendors or of the potential cost to the
software industry conducted?  (Much of the use of cryptography by software
companies, particularly those in the entertainment industry, is for the
protection of their intellectual property.)


>>>> NIST:        You are correct that, currently, Clipper Chip functionality
                  can only be implemented in hardware.  We are not aware of a
                  solution to allow lawfully authorized government access when
                  the key escrow features and encryption algorithm are
                  implemented in software.  We would welcome the participation
                  of the software industry in a cooperative effort to meet
                  this technical challenge.  Existing software encryption use
                  can, of course, continue.  

Banking and finance (as well as general commerce) are truly global today. Most
European financial institutions use technology described in standards such as
ISO 9796.  Many innovative new financial products and services will employ the
reversible cryptography described in these standards.  Clipper does not comply
with these standards. Will US financial institutions be able to export
Clipper?  If so, will their overseas customers find Clipper acceptable?  Was a
study of the potential impact of Clipper on US competitiveness conducted? If
so, is it available? If not, why not?

>>>> NIST:        Consistent with current export regulations applied to the
                  export of the DES, we expect U.S. financial institutions
                  will be able to export the Clipper Chip on a case by case
                  basis for their use.  It is probably too early to ascertain
                  how desirable their overseas customers will find the Clipper
                  Chip.  No formal study of the impact of the Clipper Chip has
                  been conducted since it was, until recently, a classified
                  technology; however, we are well aware of the threats from
                  economic espionage from foreign firms and governments and we
                  are making the Clipper Chip available to provide excellent
                  protection against these threats.  As noted below, we would
                  be interested in such input from potential users and others
                  affected by the announcement.  Use of other encryption
                  techniques and standards, including ISO 9796 and the ISO
                  8730 series, by non-U.S. Government entities (such as
                  European financial institutions) is expected to continue.

I realize they are probably still trying to assess the impact of Clipper, but
it would be interesting to hear from some major US financial institutions on
this issue.

>>>> NIST:        We too would be interested in hearing any reaction from
                  these institutions, particularly if such input can be
                  received by the end of May, to be used in the
                  Presidentially-directed review of government cryptographic
                  policy.

Did the administration ask these questions (and get acceptable answers) before
supporting this program? If so, can they share the answers with us? If not,
can we seek answers before the program is launched?

>>>> NIST:        These and many, many others were discussed during the
                  development of the Clipper Chip key escrow technology and
                  the decisions-making process.  The decisions reflect those
                  discussions and offer a balance among the various needs of
                  corporations and citizens for improved security and privacy
                  and of the law enforcement community for continued legal
                  access to the communications of criminals.

------------------------------

Date:    Sun, 16 May 93 21:01:10 -0100
From:    rfcalvo@guest2.atimdr.es (Rafael Fernandez Calvo)
Subject: Data Protection Agency created in Spain 

    CCCCC  LL     II
   CC      LL     II
   CC      LL     II    --  N E W S   FROM   S P A I N  --- May 16, 1993
    CCCCC  LLLLLL II

 COMMISSION for LIBERTIES
 and INFORMATICS (*)

    DATA PROTECTION AGENCY CREATED BY THE SPANISH COVERNMENT
    --------------------------------------------------------

 The Government of the Kingdom of Spain approved on May 4th, 1993
the Estatute of the Data Protection Agency (Agencia de Proteccion de
Datos), the body that, according to the Law on Protection of Personal
Data (whose acronym is LORTAD) approved by the Spanish Parliament
in October 1992, will watch over proper observance of this law.

 According to its Estatute, the Agency is an independent body, headed
by its Director, who will be nominated by the Government among the
members of the Consultive Council. The Council will have nine members,
elected for a period of four years by the Congress, the Senate, the
Ministry of Justice, the Regional Governments, the Federation of
Provinces and Cities, the Royal Academy of History, the Council of
Universities, the Council of Consumers and Users, and the Council of
Chambers of Commerce, respectively. Trade Unions and DP Professionals
will not be represented in spite of the proposals of CLI, that also
submitted one of having the Director nominated by the Council itself
instead of by the Government in order to insure the independence of
the Agency

 Among the powers of the Agency are those of dictating fines of up to
1 Million US $ and sealing personal data files of companies and entities
that infringe the law. The Agency will the body representing Spain in the
European Community, the Council of Europe and the Schengen Agreement on
free circulation of people within the EC borders for all the matters
regarding personal data protection.

 The Data Protection Agency will have to be created in the middle
of a sharp campaign for Congress and Parliament in elections that will
be held on June 6, whose outcome, according to the polls, will be very
tight between the ruling Socialist Party and the center-right People's
Party, with a well placed third party: United Left (a communist-led
coalition). These two parties gave strong support to the position of
CLI with regard to the LORTAD during its discussion in Congress and
Senate.

 CLI achieved in February its goal of seeing the appeal against the
Personal Data Law put before the Constitutional Court of Spain by the
Ombudsman, the Peoples' Party and the Regional Parliament of Catalonia.
The appeals address basically the concerns of CLI that the law
establishes a lot of unjustified exceptions in favour of Government with
regard to the rights that citizens have about their personal data. Even
though the appeals don't interrupt the application of the law since Jan.
31, they leave the door open to its modification in the sense promoted by
CLI.

 Let's recall that Spain is one of the very few countries whose Carta
Magna foresees the dangers that can stem from misuse of Information
Technology. In fact, its Constitution establishes that a "law will limit
the use of Information Technologies in order to protect citizens' honour
and their personal and family privacy as well as the unrestricted
exercise of their rights" (article 18.4).

 The position of CLI about the LORTAD can be summarized as follows:

- The law does not fulfill the expectations arisen, although it is a step
forward in comparison with the current situation of "allegality" that has
been a constant source of severe abuse against privacy.

- The good side of the law is the regulation of personal data files
in the hands of companies and private entities. Citizens will have
wide rights to access, modification and cancellation of this kind of
records.

- The bad side stems from the following facts:

a) The bill gives excessive and uncontrolled power to Policy Forces
over collection and computerization of highly sensitive data: ideology,
religion, beliefs, racial origin, health and sexual orientation.

b) Computerized personal data records in the hands of all branches
of Public Administrations will be in many cases excluded from the rights
(access, modification, cancellation) given to citizens with regard to
the same kind of data in the hands of private companies.

c) The Data Protection Agency that will watch over proper observance of
the law will have scarce autonomy from the Government, that will
nominate and dismiss its Director.


* SOME WORDS ABOUT CLI

 The --Commission for Liberties and Informatics, CLI-- is an independent
and pluralistic organization that was officially constituted in April
'91.

 Its mission is to "promote the development and protection of
citizens' rights, specially privacy, against misuse of Information
Technologies".

 As of May '93, CLI is composed by nine organizations, with
a joint membership of about 3,000,000 people. They cover a very
wide spectrum of social interest groups: associations of computer
professionals, judges, civil rights leagues, trade unions, consumers
groups, direct marketing industry, etc.

 CLI is confederated with similar bodies created in some other Spanish
Regions such as Valencia, Basque Country and Catalonia, and has fluid
working relationships with many public and private Data Protection bodies
and entities all over the world, including CNIL, CPSR and Privacy
International.

 CLI has its headquarters in:

Padilla 66, 3 dcha.
E-28006 Madrid, Spain

Phone: (34-1) 402 9391
Fax: (34-1) 309 3685
E-mail: rfcalvo@guest2.atimdr.es

------------------------------

Date:    Fri, 14 May 1993 08:04:11 -0700
From:    bjones@weber.ucsd.edu (Bruce Jones)
Subject: Calif requires ID?

A couple of nights ago on the local TV news I heard that 
California now requires that all adults carry identification 
at all times.

Can anyone offer any pointers to more information on this subject?

Bruce Jones - bjones@ucsd.edu

	[ I have never heard of such a requirement here in California!
	  If anyone knows otherwise on this topic, we'd like to hear
	  about it! -- MODERATOR ]

------------------------------

End of PRIVACY Forum Digest 02.18
************************

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH