PRIVACY Forum Digest      Sunday, 16 January 1994      Volume 03 : Issue 02

          Moderated by Lauren Weinstein (lauren@vortex.com)
            Vortex Technology, Woodland Hills, CA, U.S.A.

                     ===== PRIVACY FORUM =====

          The PRIVACY Forum digest is supported in part by the
              ACM Committee on Computers and Public Policy.

CONTENTS
        GAO Data Matching Report (Dave Banisar)
        Postal Service Still Selling NCOA Info (Dave Banisar)
        Wiretaps (John Higgins)
        Extracts from CPSR Alert 3.01:
           [1] FBI Pushes for Enhanced Wiretap Capabilities
           [2] Public Hearings on Privacy in DC & California
           (Original mailing from Dave Banisar; extracted by MODERATOR)
        Sprint VoiceCard - Maybe Not Such a Good Thing? (GOODMANS@delphi.com)
        National Computer Security Association 1994 Security Summit -
           Washington D.C. 1-25-94 and Encryption Export Control (Sharon Webb)

 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------

The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com".
All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are also available through the Internet Gopher system via a gopher server on site "gopher.vortex.com".

For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@vortex.com, call (818) 225-2800, or FAX to (818) 225-7203.

-----------------------------------------------------------------------------

VOLUME 03, ISSUE 02

   Quote for the day:

        "... Why can't they be like we were,
         Perfect in every way!
         What's the matter with kids to-day?"

                -- Paul Lynde
                   "Bye, Bye Birdie" (1963)

----------------------------------------------------------------------

Date:    Mon, 3 Jan 1994 15:14:32 EST
From:    Dave Banisar <banisar@washofc.cpsr.org>
Subject: GAO Data Matching Report

                   ONE HUNDRED THIRD CONGRESS
                 CONGRESS OF THE UNITED STATES
                    HOUSE OF REPRESENTATIVES
               COMMITTEE ON GOVERNMENT OPERATIONS
               2157 RAYBURN HOUSE OFFICE BUILDING
                   WASHINGTON, DC 20515-8143

PRIVACY CONTROLS OVER COMPUTER MATCHING LARGELY IGNORED

Rep.
Condit Releases New GAO Report

A new General Accounting Office (GAO) report found serious deficiencies in implementation of the 1988 Computer Matching and Privacy Protection Act. The report was released today by Rep. Gary A. Condit (D-CA), chairman of the Subcommittee on Information, Justice, Transportation, and Agriculture.

Computer matching is the identification of similarities or dissimilarities in data found in two or more computer files. Matching is frequently used to identify delinquent debtors or ineligible program recipients. Computer matching has been criticized as an invasion of privacy, and the Computer Matching and Privacy Protection Act was passed to regulate the use of computer matching by federal agencies.

In releasing the report, Rep. Condit said:

"Most federal agencies have done a lousy job of complying with the Computer Matching Act. Agencies ignore the law or interpret it to suit their own bureaucratic convenience, without regard for the privacy interests that the law was designed to protect.

"As a result, we don't have any idea when computer matching is a cost-effective technique for preventing fraud, waste, and abuse. I support reasonable computer matching that saves money. But if we are losing money, wasting resources, and invading privacy, then it makes no sense.

"A broader issue is whether agencies can be expected to police their own operations that affect the privacy of the average citizen. Certainly OMB has done little to assist. We may need a different approach to overseeing federal privacy-related activities."

GAO found numerous problems with the implementation of the Act's requirements.

Cost-Benefit Analyses: The Act requires that matching programs include an analysis of the costs and benefits of the matching. One of the purposes of the Act was to limit the use of matching to instances where the technique was cost effective. GAO found many problems with implementation of this requirement, including poor quality or non-existent analyses.
In 41% of cases, no attempt was made to estimate costs or benefits or both. In 59% of cases where costs and benefits were estimated, GAO found that not all reasonable costs and benefits were considered; that inadequate analyses were provided to support savings claims; and that no effort was made after the match to validate estimates.

o Data Integrity Boards: The Act requires agencies involved in matching activities to establish a Data Integrity Board to oversee the process. GAO found that the Boards were not providing full and earnest reviews of proposed matches. GAO did not find any instance in which a Board permanently cancelled an ongoing matching program or refused to approve a newly proposed one. GAO did not find evidence that the requirements of the matching act were used by the Boards to determine if a match should be approved.

GAO also found that the implementation of the new procedures does not appear to have had major effects on the most important review process, the decision to conduct the match. GAO found that the Data Integrity Boards generally accepted agencies' and states' cost-benefit analyses despite their "severe methodological flaws and lack of documentation." The documentation often failed to show how costs and benefits were calculated or the time period for expected savings. Agencies rarely estimated the most significant costs.

Overall, GAO found that the Data Integrity Boards provide less than a full and earnest review of matching agreements to determine whether to proceed with proposed matches, but rather a regularization of the approval process.

The report is titled Computer Matching: Quality of Decisions and Supporting Analyses Little Affected by 1988 Act. The report number is GAO/PEMD-94-2, and the date is October 18, 1993. Copies can be obtained [for free] from GAO by calling 202-512-6000.

------------------------------

Date:    Thu, 6 Jan 1994 14:10:02 EST
From:    Dave Banisar <banisar@washofc.cpsr.org>
Subject: Postal Service Still Selling NCOA Info

FOR IMMEDIATE RELEASE:                                 January 4, 1994

News from the office of Congressman Gary A. Condit
CALIFORNIA - 15TH DISTRICT
1529 LONGWORTH HOUSE OFFICE BUILDING
WASHINGTON, D.C. 20515
(202) 225-6131

CONDIT CLAIMS VICTORY IN FIGHT FOR POSTAL PRIVACY BUT NOTES CONTINUED POSTAL SERVICE VIOLATION OF FEDERAL LAWS

Rep. Gary A. Condit (D-CA) today claimed a partial victory in his ongoing battle to compel the U.S. Postal Service to comply with Federal statutes that protect the privacy of customer name and address information.

The Postal Service informed Condit today of its intention to alter regulations which currently allow anyone to obtain the new address of someone who has moved simply by presenting the Postal Service with the individual's old address and a $3 fee. However, the Postal Service will continue to sell change of address information to the nation's largest direct mail companies, unless someone can produce a court order to stop the sale.

Condit responded to the Postal Service action: "The Postal Service has taken a small positive step to protect personal privacy and safety -- one that I've been strongly advocating. But it still has a long way to go. The Postal Service has no plan to halt its regular sale of change of address information to the junk mail industry. Ordinary citizens who want to protect their privacy will continue to have no recourse. Only those people protected by a court order will be able to prevent the Postal Service from selling their change of address information many thousands of times."

Condit chairs the House Committee on Government Operations Subcommittee on Information, Justice, Transportation, and Agriculture, which has oversight jurisdiction over the Postal Service.
In November 1992, the Government Operations Committee issued a unanimous report, based on the subcommittee's investigation, which condemned the Postal Service's address dissemination practices.

Entitled _Give Consumers a Choice: Privacy Implications of U.S. Postal Service National Change of Address Program_ (House Report 102-1067), the report explained that the Postal Service's address dissemination practices violate federal statutes restricting the release of names and addresses of postal patrons by the Postal Service.

The Postal Reorganization Act prohibits the Postal Service from making available any mailing or other list of names or addresses of postal patrons or other persons. The Privacy Act of 1974 prevents agencies, including the Postal Service, from selling or renting an individual's name and address unless the agency has specific legal authority to do so.

Condit continued: "I've objected to the Postal Service's sale of address information all along, not just because it violates personal privacy but also because it violates the law. Nothing the Postal Service did today cures its continuous violation of Federal statutes. The Postal Service's disregard for privacy rights and for privacy statutes is callous and irresponsible."

Last year, Condit introduced legislation to give postal customers the right to prevent the U.S. Postal Service from giving out their change of address information. H.R. 1344, the Postal Privacy Act of 1993, targets both the Postal Service's $3 sale of an individual's new address and its widespread sale of change of address information through its National Change of Address (NCOA) service.

Condit explained the impact of NCOA on personal privacy: "Every year, 40 million people file change of address orders with the Postal Service. Little do they realize that every one of those orders is immediately made public.
Under the NCOA program, the Postal Service sells all of those records to 25 of the largest direct mail companies in the country, which in turn resell them to thousands of other mailers."

Condit continued, "What makes this practice a real invasion of privacy is that the Postal Service doesn't give anyone a choice about it. If you ask the Postal Service to forward your mail, your new address is automatically made public -- and there is nothing you can do to stop it."

Condit's proposed legislation would require the Postal Service to give customers explicit written notice that their change of address information will be given out and to whom. Moreover, the legislation would require the Postal Service to include a check-off box on change of address cards where people could prevent public access to their address records.

Condit added, "The Postal Service has recognized that the sale of address information invades the privacy of some people. It is now time to ensure that everyone with a privacy concern has the same rights. My bill would bring the Postal Service into compliance with federal law. More importantly, it would give people a say about how their personal information is used. It would give them the right to say no."

920 13th Street                 Federal Building
Modesto, CA 95354               415 West 18th Street
(209) 527-1914                  Merced, CA 95340
                                (209) 383-4455

------------------------------

Date:    Sun, 9 Jan 1994 17:41:52 -0500 (EST)
From:    John Higgins <higgins@dorsai.dorsai.org>
Subject: wiretaps

Are the cops tapping your phone? If you live in Oklahoma, Rhode Island or Virginia, probably not. But if you're really paranoid don't move to New York City, New Jersey or Florida.

On Jan. 9, New York Newsday published an article on wiretaps listing them by location. Citing a report compiled by the Administrative Office of the United States Courts, the article said that New York State cops lead the country with 197 wiretaps installed in 1992.
The aforementioned low-tap states reported installing just 1 phone or room bug, but of the 39 states that have wiretap statutes 17 reported no taps AT ALL (no, I don't know which states those are). Of the federal jurisdictions not on the list, 44 reported fewer than 10 taps for the year, including 19 who reported one tap and 36 who reported zero.

I know that cops hate wiretaps, especially room bugs because they're so labor intensive, but this doesn't seem like a whole lot of wiretaps in some of these areas. Only seven local taps in Massachusetts? Three state wiretaps in all of California? If these are accurate reports, this is far less pervasive than I would have expected.

STATE AND LOCAL WIRETAP ACTIVITY (1992)

New York           197          Nebraska             4
New Jersey         111          Nevada               4
Florida             80          Utah                 3
Pennsylvania        77          Minnesota            3
Maryland            17          California           3
Georgia             16          Colorado             2
Connecticut         15          New Hampshire        2
Texas               14          New Mexico           2
Arizona             12          Virginia             1
Kansas               7          Rhode Island         1
Massachusetts        7          Oklahoma             1

FEDERAL WIRETAP ACTIVITY (1992)

Eastern Dist of NY       35     Central Dist of Calif.   14
Southern Dist. of NY     25     Arizona                  12
Southern Dist of Fla.    20     Western Dist. of NY      12
New Jersey               18     Eastern Dist. of Penn.   12
Northern Dist of Tex.    16     Middle Dist of Florida   11
Colorado                 15     Eastern Dist. of Mich.   10
Maryland                 15     Southern Dist. of Tex    10

I'm going to try and obtain the full report this week.

John M. Higgins         higgins@dorsai.dorsai.org
Multichannel News       CIS:75266,3353
V)212-887-8390/F)212-887-8384

------------------------------

Date:    Thu, 13 Jan 1994 15:42:37 EST
From:    Dave Banisar <banisar@washofc.cpsr.org>
Subject: [ Extracts from CPSR Alert 3.01:
           [1] FBI Pushes for Enhanced Wiretap Capabilities
           [2] Public Hearings on Privacy in DC & California -- MODERATOR ]

[ Extracted from CPSR Alert, Vol.
3.01, 1/13/94 -- MODERATOR ]

[1] FBI Pushes for Enhanced Wiretap Capabilities

In the past month, FBI officials have indicated publicly that they are continuing to push for enactment of legislation to mandate the building in of electronic surveillance capabilities into most telecommunications equipment. In addition, there are also reports that the Department of Justice is investigating the possibility of recommending changes in the law to allow for military personnel and equipment to be used by law enforcement for electronic surveillance of Asian speakers.

On December 8, FBI Director Louis Freeh spoke at the National Press Club where he stated:

     In order to keep up with the criminals and to protect our national security, the solution is clear. We need legislation to ensure that telephone companies and other carriers provide law enforcement with access to this new technology.

Communications Daily reported that the FBI and the telecommunications carriers have formed a working group to discuss the problem and that the companies might implement the capabilities voluntarily. This working group has met several times.

Scripps Howard News Service reported on December 5 that the Department of Justice is considering proposing new legislation to allow the military to assist with wiretaps of Asian suspects. Currently the military is prohibited by the 1878 Posse Comitatus Act, which prohibits the use of military personnel and resources in civilian law enforcement activities. It was amended in 1981 to allow for use of military personnel and equipment for advice and assistance in drug interdiction.

Freeh reportedly told Scripps Howard that "I think that if we had access to 50 or 100 qualified linguists in the Asian language[s] we could probably monitor by ten times our ability to do court-authorized surveillances of Asian organized crime groups."

Civil liberties groups are concerned about the military conducting domestic electronic surveillance, especially in light of the recent disclosures by CPSR of the National Security Agency's role in the development of the Digital Signature Standard and the Digital Telephony Proposal.

Sources inside the administration indicate that the long awaited inter-agency review of government encryption policy, including Clipper, the Digital Telephony Proposal and export control is due out by the end of January. The report is expected to be classified.

-------------------------------------------------------------

[2] Public Hearings on Privacy in DC & California

The Information Infrastructure Task Force (IITF) Privacy Working Group has announced two public hearings on privacy and the NII to be held in Sacramento, Ca and Washington, DC. The meetings are organized by the US Office of Consumer Affairs. They are the first meetings in nearly twenty years to be held outside Washington on privacy.

The public meetings will examine privacy issues relating to such areas as law enforcement, financial services, information technology, and direct marketing. Representatives from the public, private and non-profit sectors will attend. CPSR has been asked to participate at both hearings.

The California meeting, January 10th and 11th, will be hosted by Jim Conran, Director, California Department of Consumer Affairs in the First Floor Hearing Room at 400 R Street in Sacramento. The Washington, DC meeting, January 26th and 27th, will be held at the U.S. Department of Commerce Auditorium, 14th & Constitution Ave. NW. Registration begins at 8:30am, meetings at 9am.

The public is invited to attend, question speakers and to make brief comments, but space is limited. Concise written statements for the record should be sent to "Privacy," USOCA, 1620 L Street NW, Washington DC 20036 or faxed to (202)634-4135. For more Information, Contact Pat Faley or George Idelson at (202)634-4329.

------------------------------

Date:    Thu, 13 Jan 1994 01:00:12 EDT
From:    GOODMANS@delphi.com
Subject: Sprint VoiceCard - Maybe Not Such a Good Thing?

[ From TELECOM Digest Vol. 14, Issue 28 -- MODERATOR ]

I was intrigued by the Sprint commercials on their voicecard and called them to get more information. I was quickly turned off from it after speaking with one of their reps:

To use it you dial an 800 number; announce your SSN plus 1 digit; announce the programmed number (ie call joe)

I don't know about you but I don't want to announce my SSN to the world, especially in a crowded airport!

Also: the surcharge per call is $1.00, it's limited to domestic calls only, charged $5 a month, have to be a Sprint Dial 1 customer, and the list is limited to 10 people.

It does not have any of the features the AT&T and MCI card have: information services (weather, news) and conference calling.

What does everyone else think?

------------------------------

Date:    Thu, 06 Jan 1994 20:39:24 -0400 (EDT)
From:    SHARONWEBB@delphi.com
Subject: National Computer Security Association 1994 Security Summit -
         Washington D.C. 1-25-94 and Encryption Export Control

[ From RISKS-FORUM Digest Vol. 15, Issue 38 -- MODERATOR ]

[This message was received rather late, even if the R.S.V.P. deadline was extended from 2 Jan! But you may want to respond anyway. Besides, the Cantwell Bill is included below, and it may be of interest to many RISKS readers. PGN]

This is an invitation to join members of the security community, Administration officials, and members of Congress in a discussion of security on the National Information Infrastructure and encryption export controls. The meeting will be held at the Washington Convention Center on January the 25th, 1994. The meeting will begin at 8 a.m. and will adjourn at 3 p.m.

The purpose of this meeting is in response to a request from Secretary of Commerce Ron Brown at the recent 1993 Technology Summit in San Francisco.
Secretary Brown asked that a meeting be held to bring together industry and government to start an open dialog, which will help shape information security policy as the United States moves forward into a more global economy.

Everyone will have a chance to express their opinions and concerns. During this meeting individual committees will be formed to study and make recommendations on specific areas of information security as it relates to the NII (this will also become known as the International Information Infrastructure).

R.S.V.P.'s are required NO LATER THAN January 2, 1994 [apparently extended to 10 Jan. PGN]. Please call Paul Gates at the National Computer Security Association (717) 258-1816. All attendees will be sent an agenda, a copy of the NII, the Clinton Administration's Technology Policy and a copy of the Cantwell Bill which deals with encryption export controls.

NOTE: If you cannot attend in person but would still like to participate we will be offering on-line opportunities.

Sharon Webb  voice# (404) 475-8787
Director, Legislative Affairs, National Computer Security Association

P.S. Attached please find a copy of the Cantwell Bill, my comments and the NCSA's Encryption Export Control Survey. Please send ALL responses to either my fax #(404) 740-8050 OR EMAIL to me via SHARONWEBB@DELPHI.com

103D Congress
1st Session
H.R. 3627

IN THE HOUSE OF REPRESENTATIVES

Ms. CANTWELL (for herself and____) introduced the following bill which was referred to the Committee on_____________________________.

A BILL

To amend the Export Administration Act of 1979 with respect to the control of computers and related equipment.

Be enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. GENERALLY AVAILABLE SOFTWARE.

Section 17 of the Export Administration Act of 1979 (50 U.S.C. App. 2416) is amended by adding at the end thereof the following new subsection

"(g) COMPUTERS AND RELATED EQUIPMENT -

"(1) GENERAL RULE.
- Subject to paragraphs (2) and (3) the Secretary shall have exclusive authority to control exports of all computer hardware, software and technology for information security (including encryption), except that which is specifically designed or modified for -

   "(A) military use, including command, control and intelligence applications; or

   "(B) Cryptanalytic Functions

"(2) ITEMS NOT REQUIRING LICENSES - No validated license may be required, except pursuant to the Trading With The Enemy Act of the International Emergency Economic Powers Act (but only to the extent that the authority of such Act is not exercised to extend controls imposed under this Act), for the export or reexport of-

   "(A) any software, including software with encryption capabilities, that is

      "(i) generally available, as is, and is designed for installation by the user or

      "(ii) in the public domain or publicly available because it is generally accessible to the interested public in any form; or

   "(B) any computing device solely because it incorporates or employs in any form software (including software with encryption capabilities) exempted from any requirement for a validated license under subparagraph (A).

"(3) SOFTWARE WITH ENCRYPTION CAPABILITIES - The Secretary shall authorize the export or reexport of software with encryption capabilities for nonmilitary end-uses in any country to which exports of such software are permitted for use by financial institutions not controlled in fact by united states persons, unless there is substantial evidence that such software will be -

   "(A) diverted to a military end-use or an end-use supporting international terrorism:

   "(B) modified for military or terrorist end-use; or

   "(C) re-exported without requisite United States authorization.

"(4) DEFINITIONS - As used in this subsection-

   "(A) the term 'generally available' means, in the case of software (including software with encryption capabilities), software that is offered for sale, license, or transfer to any person without restriction through any commercial means, including, but not limited to, over-the-counter retail sales, mail order transactions, phone order transactions, electronic distribution, or sale on approval;

   "(B) the term 'as is' means, in the case of software (including software with encryption capabilities), a software program that is not designed, developed, or tailored by the vendor for specific purchasers, except that such purchasers may supply certain installation parameters needed by the software program to function properly with the purchaser's system and may customize the software program by choosing among options contained in the software program;

   "(C) the term 'is designed for installation by the purchaser' means, in the case of software (including software with encryption capabilities) -

      "(i) the software company intends for the purchaser (including any licensee or transferee), who may not be the actual program user, to install the software program on a computing device and has supplied the necessary instructions to do so, except that the company may also provide telephone help line services for software installation, electronic transmission, or basic operations; and-

      "(ii) that the software program is designed for installation by the purchaser without further substantial support by the supplier;

   "(D) the term 'computing device' means a device which incorporates one or more microprocessor-based central processing units that can accept, store, process or provide out-put of data; and

   "(E) the term 'computer hardware', when used in conjunction with information security, includes, but is not limited to, computer systems, equipment, application-specific assemblies, modules and integrated circuits".

END of BILL

FROM: Secure Systems Group International, Inc

TO: Bob Bales
    Director, National Computer Security Association
    (717) 258-1816

Re: Encryption Export Bill (Cantwell)

Bob -

Here are some of the comments that we passed along to Maria Cantwell's office regarding the Bill on the export of encryption technologies. I hope you find it useful.

I understood the purpose of this Bill was to reduce export controls and restrictions of software that is either based on encryption or that contained encryption. As I read the Bill everything was fine until paragraph (3) - (You understand that I am reading this from a layperson's point of view and if you can clear up any misinterpretations I would appreciate it).

In paragraph (3) the Bill states software containing encryption can be exported freely "unless there is substantial evidence that such software will be: (A) diverted to a military end-use or end-use supporting international terrorism: (B) modified for military or terrorist end user or (C) re-exported without requisite United States Authorization." or that software which is "... specifically designed or modified for (A) military use, including command, control, and intelligence applications; or (B) cryptanalytic functions"

I think that before I or others from the security side decide to support or not to support this Bill we have some questions that need answers.

100 Nobel Court, Suite 400, Alpharetta, GA. 30202
Voice (404) 475-8787  FAX (404) 740-8050
Member of National Computer Security Association and the American Electronics Association

1. Who will be asked to determine whether such restrictions are appropriate? The NSA? The CIA? The FBI? Does it remain the same as under the current law? Assuming that the technical overview of military applications for encryption remains the NSA - what makes it in their interest to let ANY encryption out of the country that will make their job more difficult? (A little like letting the fox guard the chickens)

2.
What constitutes substantial evidence 'of' or 'designed for' military use? Is it measured by the relative strength of the algorithm or key management system or by the mere fact it is longer than the DES which is 56 bits? I feel that some sort of definition needs to be included. What can and what cannot be exported? A list of commercially available encryption software algorithms that are pre-approved - (i.e. DES, RSA, PGP, RC4, DSS, etc.) would be nice. Is selling an encryption product to a foreign military contractor the same as selling to the military itself, and who makes the judgment call?

3. Will export licenses be required - will denials be explained so that the exporter and the public understand the reasons for the denial?

4. If a denial is issued, will the exporter have any forum for appeal?

Since Secretary of Commerce Ron Brown has exclusive control over the export rules, it is obvious that the intelligence community can have a single, important, point of focus for influence. (Yes I am slightly suspicious). In theory, the intelligence overseers could disapprove any license to a FRIENDLY Government or customer on the assumption that their military would use it just because it's within their borders. It is unlikely that German forces will revert to DES, but their interest in RSA or PGP or triple DES may have such applications. It would still be in the NSA's best interest to limit the export of such software.

My major objection to the Bill as I have understood it is that Commerce, based on advice from the intelligence community (i.e. NSA), still has arbitrary control over what encryption may be exported or not. How is this that much different from what we have today?

This version of the Bill would still permit the Secretary to arbitrarily restrict export of some algorithms with no technical benchmarks in place (i.e. length of key, number of bits). There will be some algorithms that the U.S.
would want to restrict; it would be a great help to all to compile a list of accepted algorithms for export such as is done with computer exports which are measured in MIPS.

In general, I like the Bill - we NEED it ! - but I feel that it leaves a lot of room for confusion. Let me know what your thoughts are on this - thanks.

Sharon Webb, President

National Computer Security Association
Encryption Export Control Survey

The purpose of this survey is to quantify the business opportunities lost because of the U.S. policy on the exportation of encryption algorithms such as DES, RSA, etc. If we are to make ANY impact AT ALL, the security community needs to let Congress know that economic HARM is being done due to the export control on encryption technologies.

Please take the time to fill this out and return it to NCSA NO LATER THAN FRIDAY JANUARY 7, 1994. NCSA FAX (717) 243-8642. The results will be presented to Congress in order to further efforts to release export controls on certain encryption technologies.

1) Are you a manufacturer of products that utilize encryption methods? YES NO

2) What forms of encryption do you use?

3) Is your product Hardware Software or Both.

4) Have you experienced a loss of sales OVERSEAS due to export controls? YES NO
   (If the answer is YES, please list the country, the customer (optional), the dollar amount lost and who got the business (Competitor). If there is a way for you to be able to know WHY a bid was lost let us know.)

5) Have you experienced a loss of sales HERE in the U.S. and Canada to foreign competition? YES NO
   (If the answer is YES, please list the customer (Optional), the dollar amount and who got the business (Competitor).

6) What percentage of your business is U.S. based? International? (what country(ies) make up the largest portion of your International sales?

Who are you? (Optional) and additional comments: (Use additional paper if necessary)

Attached is a file called NCSASUR.DOC.
This file contains an open invitation to the meeting in Washington D.C. on January 25th. It also contains a copy of the Cantwell Bill and my comments. The final page is the VERY IMPORTANT NCSA Encryption Export Control Survey. We need as many QUALIFIED (names and phone numbers attached) responses ASAP!!!!

Thank You

Sharon Webb - Director, Legislative Affairs NCSA
voice# (404) 475-8787
fax# (404) 740-8050
email SHARONWEBB@Delphi.com

------------------------------

End of PRIVACY Forum Digest 03.02
************************