TUCoPS :: Privacy :: priv_302.txt

Privacy Digest 3.02 1/16/94

PRIVACY Forum Digest     Sunday, 16 January 1994     Volume 03 : Issue 02

          Moderated by Lauren Weinstein (lauren@vortex.com)
            Vortex Technology, Woodland Hills, CA, U.S.A.
	
                     ===== PRIVACY FORUM =====

   	  The PRIVACY Forum digest is supported in part by the 
	      ACM Committee on Computers and Public Policy.


CONTENTS 
	GAO Data Matching Report (Dave Banisar)
        Postal Service Still Selling NCOA Info (Dave Banisar)
	Wiretaps (John Higgins)
	Extracts from CPSR Alert 3.01:
	   [1] FBI Pushes for Enhanced Wiretap Capabilities
	   [2] Public Hearings on Privacy in DC & California
	   (Original mailing from Dave Banisar; extracted by MODERATOR)
	Sprint VoiceCard - Maybe Not Such a Good Thing? (GOODMANS@delphi.com)
	National Computer Security Association 1994 Security Summit -
	   Washington D.C. 1-25-94 and Encryption Export Control (Sharon Webb)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com".  All submissions included in this digest represent
the views of the individual authors and all submissions will be considered
to be distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  All PRIVACY Forum materials are also
available through the Internet Gopher system via a gopher server on
site "gopher.vortex.com".

For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@vortex.com, call (818) 225-2800, or FAX
to (818) 225-7203.
-----------------------------------------------------------------------------

VOLUME 03, ISSUE 02

   Quote for the day:

	"... Why can't they be like we were,
	     Perfect in every way!
	     What's the matter with kids to-day?"

			-- Paul Lynde
			   "Bye, Bye Birdie" (1963)

----------------------------------------------------------------------

Date:    Mon, 3 Jan 1994 15:14:32 EST    
From:    Dave Banisar <banisar@washofc.cpsr.org>
Subject: GAO Data Matching Report 

                          ONE HUNDRED THIRD CONGRESS

                         CONGRESS OF THE UNITED STATES
                            HOUSE OF REPRESENTATIVES

                       COMMITTEE ON GOVERNMENT OPERATIONS
                       2157 RAYBURN HOUSE OFFICE BUILDING
                           WASHINGTON, DC 20515-8143


           PRIVACY CONTROLS OVER COMPUTER MATCHING LARGELY IGNORED

                    Rep. Condit Releases New GAO Report


           A new General Accounting Office (GAO)  report  found  serious
deficiencies  in  implementation  of the 1988 Computer Matching and Privacy
Protection  Act  The  report  was  released  today  by  Rep.  Gary A.
Condit (D-CA), chairman of the Subcommittee on Information, Justice,
Transportation, and Agriculture.

           Computer matching is the identification of similarities or
dissimilarities in data found in two or more computer files. Matching is
frequently used to identify delinquent debtors or ineligible  program
recipients.  Computer matching has been criticized as an invasion of
privacy, and the Computer Matching and Privacy Protection Act was passed to
regulate the use of computer  matching by federal agencies.

           In releasing the report, Rep. Condit said:  "Most federal
agencies have done a lousy job of complying with the Computer Matching Act.
Agencies  ignore  the  law  or  interpret  it  to  suit  their own
bureaucratic convenience, without  regard  for  the  privacy  interests
that  the  law  was  designed to protect.

           "As a result, we don't have any idea when computer matching  is
a  cost-effective  technique  for preventing fraud, waste, and abuse. I
support reasonable  computer  matching  that  saves  money.  But  if we are
losing money, wasting resources, and invading privacy, then it makes no
sense.

           "A broader issue is whether agencies can be expected to police
their own operations that affect the privacy of the average citizen.
Certainly OMB has done little to assist.  We may need a different approach
to overseeing federal privacy-related activities."

           GAO found numerous problems with the implementation of the Act's
requirements.

            Cost-Benefit Analyses:  The Act requires that matching programs
include an analysis of the costs and benefits of the matching.  One of the
purposes of the Act was to limit the use of matching to instances where the
technique was  cost  effective.  GAO  found  many  problems  with
implementation  of this requirement, including poor quality or non-existent
analyses.  In  41%  of  cases,  no  attempt  was made to estimate costs or
benefits or both.

            In 59% of cases whem costs and benefits were esfimted, GAO
found that not all reasonable costs and benefits were considered; that
inadequate analyses were provided to support savings claims; and that no
effort was made after the match to validate estimates.

            o Data Integrity Boards: The Act requires agencies involved in
matching activities to establish a Data Integrity Board to oversee the
process. GAO found that the Boards were not providing full and earnest
reviews of proposed matches.  GAO did not find any instance in which a
Board pemianently cancelled an ongoing matching program or refused to
approve a newly proposed one.

            GAO did not find evidence that the requirements of the matching
act were used by the Boards to determine if a match should be approved. GAO
also found that the implementation of the new procedures does not appear to
have had major effects on the most important review process, the decision
to conduct the match.

            GAO found that the Data Integrity Boards generally accepted
agencies and states cost-benefit analyses despite their "severe
methodological flaws and lack of documentation."  The documentation often
failed to show how costs and benefits were calculated or the time period
for expected savings.     Agencies rarely estimated the most significant
costs.

            Overall, GAO found that the Data Integrity Boards provide less
than a full and earnest review of matching agreements to detem-dne whether
to proceed with proposed matches, but rather a regularization of the
approval process.

            The report is titled Computer Matching:  Quality of Decisions
and Supporting Analyses Little Affected by 1988 Act.  The report number is
GAO/PEMD-94-2, and the date is October 18, 1993. Copies can be obtained
[for free] from GAO by calling 202-512-6000.

------------------------------

Date:    Thu, 6 Jan 1994 14:10:02 EST    
From:    Dave Banisar <banisar@washofc.cpsr.org>
Subject: Postal Service Still Selling NCOA Info


                            FOR IMMEDIATE RELEASE:


   News from the office of                     January 4, 1994
   Congressman Gary A . Condit
                                               CALIFORNIA - 15TH DISTRICT

                                                 
   1529 LONGWORTH HOUSE OFFICE BUILDING          
   WASHINGTON, D.C. 20515                        
   (202) 225-6131                                


             CONDIT CLAIMS VICTORY IN FIGHT FOR POSTAL PRIVACY
       BUT NOTES CONTINUED POSTAL SERVICE VIOLATION OF FEDERAL LAWS


 Rep. Gary A. Condit (D-CA) today claimed a partial victory in his ongoing
battle to compel the U.S. Postal Service to comply with Federal statutes
that protect the privacy of customer name and address information. The
Postal Service informed Condit today of its intention to alter regulations
which currently allow anyone to obtain the new address of someone who has
moved simply by presenting the Postal Service with the individual's old
address and a $3 fee. However, the Postal Service will continue to sell
change of address information to the nation's largest direct mail companies,
unless someone can produce a court order to stop the sale.

 Condit responded to the Postal Service action: "The Postal Service has
taken a small positive step to protect personal privacy and safety -- one
that I've been strongly advocating. But it still has a long way to go. The
Postal Service has no plan to halt its regular sale of change of address
information to the junk mail industry. Ordinary citizens who want to protect
their privacy will continue to have no recourse. Only those people protected
by a court order will be able to prevent the Postal Service from selling
their change of address information many thousands of times."

 Condit chairs the House Committee on Govenunent Operations Subcommittee on
Information, Justice,  Transportation, and Agriculture, which has oversight
jurisdiction over the Postal Service. In November 1992, the Government
Operations Committee issued a unanimous report, based on the subcommittee's
investigation, which condemned the Postal Service's address dissemination
practices. Entitled _Give Consumers a Choice: Privacy Implications of U.S.
Postal Service National Change of Address Program_ (House Report 102-1067),
the report explained that the Postal Service's address dissemination
practices violate federal statutes restricting the release of names and
addresses of postal patrons by the Postal Service. The Postal Reorganization
Act prohibits the Postal Service from making available any mailing or other
list of names or addresses of postal patrons or other persons. The Privacy
Act of 1974 prevents agencies, including the Postal Service, from selling or
renting an individual's name and address unless the agency has specific
legal authority to do so.

 Condit continued: "I've objected to the Postal Service's sale of address
information all along, not just because it violates personal privacy but
also because it violates the law. Nothing the Postal Service did today cures
its continuous violation of Federal statutes. The Postal Service's disregard
for privacy rights and for privacy statutes is callous and irresponsible."

 Last year, Condit introduced legislation to give postal customers the right
to prevent the U.S. Postal Service from giving out their change of address
information. H.R. 1344, the Postal Privacy Act of 1993, targets both the
Postal Service's $3 sale of an individual's new address and its widespread
sale of change of address information through its National Change of Address
(NCOA) service.

 Condit explained the impact of NCOA on personal privacy: "Every year, 40
million people file change of address orders with the Postal Service. Little
do they realize that every one of those orders is immediately made public.
Under the NCOA program, the Postal Service sells all of those records to 25
of the largest direct mail companies in the country, which in turn resell
them to thousands of other mailers."

Condit continued, "What makes this practice a real invasion of privacy is
that the Postal Service doesn't give anyone a choice about it. If you ask
the Postal Service to forward your mail, your new address is automatically
made public -- and there is nothing you can do to stop it."

Condit's proposed legislation would require the Postal Service to give
customers explicit written nodce that their change of address information
will be given out and to whom. Moreover, the legislation would require the Postal
Service to include a check-off box on change of address cards where people
could prevent public access to their address records.

Condit added, "The Postal Service has recognized that the sale of address
information invades the privacy of sonie people. It is now time to ensure
that everyone with a privacy concern has the same rights. My bill would
bring the Postal Service into compliance with federal law. More importantly,
it would give people a say about how their personal information is used. It
would give them the right to say no."
   

920 13th Street                                       Federal Building
Modesto, CA 95354                                     415 West 18th Street
(209) 527-1914                                        Merced, CA 95340
                                                      (209) 383-4455

------------------------------

Date:    Sun, 9 Jan 1994 17:41:52 -0500 (EST)
From:    John Higgins <higgins@dorsai.dorsai.org>
Subject: wiretaps

Are the cops tapping your phone? If you live in Oklahoma, Rhode Island or
Virginia, probably not. But if you're really paranoid don't move to New York
City, New Jersey or Florida.
 
On Jan. 9. New York Newsday published an article on wiretaps listing them by
location. Citing a report compiled by the Administrative Office of the United
States Courts, the article said that New York State cops lead the country with
197 wiretaps installed in 1992. The aforementioned low-tap states reported
intalling just 1 phone or room bug, but of the 39 states that have wiretap
statutes 17 reported no taps AT ALL (no, I don't know which states those are).
 
Of the federal jurisdictions not on the list, 44 reported fewer than 10 taps
for the year, including 19 who reported one tap and 36 who reported zero.
 
I know that cops hate wiretaps, especially room bugs because they're so labor
intensive, but this doesn't seem like a whole lot of wiretaps in some of these
areas. Only seven local taps in Massachusetts? Three state wiretaps in all of
California? If these are accurate reports, this is far less pervasive than I
would have expected.
 
STATE AND LOCAL WIRETAP ACTIVITY (1992)
New York                 197 Nebraska                 4
New Jersey               111 Nevada                   4
Florida                  80  Utah                     3
Pennsylvania             77  Minnesota                3
Maryland                 17  California               3
Georgia                  16  Colorado                 2
Connecticut              15  New Hampshire            2
Texas                    14  New Mexico               2
Arizona                  12  Virginia                 1
Kansas                   7   Rhode Island             1
Massachusetts            7   Oklahoma                 1
 
FEDERAL WIRETAP ACTIVITY (1992)
Eastern Dist of NY       35  Central Dist of Calif.   14
Southern Dist. of NY     25  Arizona                  12
Southern Dist of Fla.    20  Western Dist. of NY      12
New Jersey               18  Easter Dist. of Penn.    12
Northern DIst of Tex.    16  Middle Dist of Florida   11
Colorado                 15  Eastern Dist. of Mich.   10
Maryland                 15  Southern Dist. of Tex    10
 
I'm going to try and obtain the full report this week.

John M. Higgins                   higgins@dorsai.dorsai.org
Multichannel News                 CIS:75266,3353
                                  V)212-887-8390/F)212-887-8384

------------------------------

Date:    Thu, 13 Jan 1994 15:42:37 EST
From:    Dave Banisar <banisar@washofc.cpsr.org>
Subject: [ Extracts from CPSR Alert 3.01:
	   [1] FBI Pushes for Enhanced Wiretap Capabilities
	   [2] Public Hearings on Privacy in DC & California
						-- MODERATOR ]
	  

    [ Extracted from CPSR Alert, Vol. 3.01, 1/13/94 -- MODERATOR ]

[1] FBI Pushes for Enhanced Wiretap Capabilities

In the past month, FBI officials have indicated publicly that they are
continuing to push for enactment of legislation to mandate the building
in of electronic surveillance capabilities into most telecommunications
equipment. In addition, there are also reports that the Department of
Justice is investigating the possibility of recommending changes in the
law to allow for military personnel and equipment to be used by law
enforcement for electronic surveillance of Asian speakers.

On December 8, FBI Director Louis Freeh spoke at the National Press
Club where he stated:

     In order to keep up with the criminals and to protect our
     national security, the solution is clear. We need legislation
     to ensure that telephone companies and other carriers provide
     law enforcement with access to this new technology.

Communications Daily reported that the FBI and the telecommunications
carriers have formed a working group to discuss the problem and that
the companies might implement the capabilities voluntarily. This
working group has met several times.

Scripps Howard News Service reported on December 5 that the Department
of Justice is considering proposing new legislation to allow the
military to assist with wiretaps of Asian suspects. Currently the
military is prohibited by the 1878 Posse Comitatus Act, which prohibits
the use of military personal and resources in civilian law enforcement
activities. It was amended in 1981 to allow for use of military
personal and equipment for advice and assistance in drug interdiction.

Freeh reportedly told Scripts Howard that "I think that if we had
access to 50 or 100 qualified linguists in the Asian language[s] we
could probably monitor by ten times our ability to do court-authorized
surveillances of Asian organized crime groups."

Civil liberties groups are concerned about the military conducting
domestic electronic surveillance, especially in light of the recent
disclosures by CPSR of the National Security Agency's role in the
development of the Digital Signature Standard and the Digital Telephony
Proposal.

Sources inside the administration indicate that the long awaited
inter-agency review of government encryption policy, including Clipper,
the Digital Telephony Proposal and export control is due out by the end
of January. The report is expected to be classified.

   -------------------------------------------------------------

[2] Public Hearings on Privacy in DC & California

The Information Infrastructure Task Force (IITF) Privacy Working Group
has announced two public hearings on privacy and the NII to be held in
Sacramento, Ca and Washington, DC  The meetings are organized by the US
Office of Consumer Affairs. They are the first meetings in nearly
twenty years to be held outside Washington on privacy.

The public meetings will examine privacy issues relating to such areas
as law  enforcement, financial  services, information technology, and
direct marketing.  Representatives from the public, private  and
non-profit sectors will attend.  CPSR has been asked to participate at
both hearings.

The California meeting, January 10th and llth, will be hosted  by Jim
Conran,  Director, California Department of Consumer Affairs in the
First Floor Hearing Room at 400 R Street in Sacramento. The Washington,
DC meeting, January 26th and 27th, will be held at the U.S. Department
of Commerce Auditorium, 14th & Constitution Ave. NW. Registration
begins at 8:30am, meetings at 9am.

The public is invited to attend, question speakers and to make brief
comments, but space is limited.  Concise written statements for the
record should be sent to "Privacy," USOCA, 1620 L Street NW, Washington
DC 20036 or faxed to (202)634-4135.

For more Information, Contact Pat Faley or George Idelson at
(202)634-4329.

------------------------------

Date: Thu, 13 Jan 1994 01:00:12 EDT
From: GOODMANS@delphi.com
Subject: Sprint VoiceCard - Maybe Not Such a Good Thing?

     [ From TELECOM Digest Vol. 14, Issue 28 -- MODERATOR ]

I was intrigued by the Sprint commericals on their voicecard and
called them to get more information.  I was quickly turned off from it
after speaking with one of their reps:

To use it you dial an 800 number;announce your SSN plus 1 digit;
announce the programmed number (ie call joe)

I don't know about you but I don't want to announce my SSN to the
world, especially in a crowded airport!  Also: the surcharge per call
is $1.00, its limited to domestic calls only, charged $5 a month, have
to be a Sprint Dial 1 customer, and the list is limited to 10 people.
It does not have any of the features the AT&T and MCI card have:
information services (weather, news) and conference calling.

What does everyone else think?

------------------------------

Date: Thu, 06 Jan 1994 20:39:24 -0400 (EDT)
From: SHARONWEBB@delphi.com
Subject: National Computer Security Association 1994 Security Summit -
         Washington D.C. 1-25-94 and Encryption Export Control


    [ From RISKS-FORUM Digest Vol. 15, Issue 38 -- MODERATOR ]


  [This message was received rather late, even if the R.S.V.P. deadline 
  was extended from 2 Jan!  But you may want to respond anyway.  Besides,
  the Cantwell Bill is included below, and it may be of interest to many
  RISKS readers.  PGN]

This is an invitation to join members of the security community,
Administration officials, and members of Congress in a discussion of security
on the National Information Infrastructure and encryption export controls.

The meeting will be held at the Washington Convention Center on January the
25th, 1994. The meeting will begin at 8 a.m. and will adjourn at 3 p.m.

The purpose of this meeting is in response to a request from Secretary of
Commerce Ron Brown at the recent 1993 Technology Summit in San Francisco.
Secretary Brown asked that a meeting be held to bring together industry and
government to start an open dialog, which will help shape information security
policy as the United States moves forward into a more global economy. Everyone
will have a chance to express their opinions and concerns.

During this meeting individual committees will be formed to study and make
recommendations on specific areas of information security as it relates to the
NII ( this will also become known as the International Information
Infrastructure).

R.S.V.P.'s are required NO LATER THAN January 2, 1994 [apparently extended to
10 Jan.  PGN]. Please call Paul Gates at the National Computer Security
Association (717) 258-1816. All attendees will be sent an agenda, a copy of
the NII, the Clinton Administration's Technology Policy and a copy of the
Cantwell Bill which deals with encryption export controls.

NOTE: If you cannot attend in person but would still like to participate we
will be offering on-line opportunities.

Sharon Webb     voice# (404) 475-8787Director, Legislative
Affairs, National Computer Security Association

P.S. Attached please find a copy of the Cantwell Bill, my
comments and the NCSA's Encryption Export Control Survey .

Please send ALL responses to either my fax #(404) 740-8050 OR
EMAIL to me via SHARONWEBB@ DELPHI.com

103D Congress
1st Session
                                               H.R. 3627

IN THE HOUSE OF REPRESENTATIVES

Ms. CANTWELL (for herself and____) introduced the following bill which was
referred to the Committee on_____________________________.

                                                     A BILL

To amend the Export Administration Act of 1979 with respect to the control of
computers and related equipment.

Be enacted by the Senate and House of Representatives of the United States of
America in Congress assembled,


SECTION 1. GENERALLY AVAILABLE SOFTWARE.

 Section 17 of the Export Administration Act of 1979 (50 U.S.C.  App. 2416) is
amended by adding at the end thereof the following new subsection

     "(g) COMPUTERS AND RELATED EQUIPMENT -

 "(1) GENERAL RULE. - Subject to paragraphs (2) and (3) the Secretary shall
have exclusive authority to control exports of all computer hardware, software
and technology for information security (including encryption), except that
which is specifically designed or modified for -

     "(A) military use, including command, control and intelligence
applications; or
     "(B) Cryptanalytic Functions

"(2) ITEMS NOT REQUIRING LICENSES - No validated license may be required,
except pursuant to the Trading With The Enemy Act of the International
Emergency Economic Powers Act (but only to the extent that the authority of
such Act is not exercised to extend controls imposed under this Act), for the
export or reexport of-

    "(A) any software, including software with encryption capabilities, that
is

     "(i) generally available, as is, and is, and is designed for installation
by the user or
     "(ii) in the public domain or publicly available because it is generally
accessible to the interested public in any form; or

           "(B)" any computing device solely because it incorporates or
employs in any form software (including software with encryption capabilities)
exempted from any requirement for a validated license under subparagraph (A).

"(3) SOFTWARE WITH ENCRYPTION CAPABILITIES - The Secretary shall authorize the
export or reexport of software with encryption capabilities for nonmilitary
end-uses in any country to which exports of such software are permitted for
use by financial institutions not controlled in fact by united states persons,
unless there is substantial evidence that such software will be -

     "(A) diverted to a military end-use or an end-use supporting
international terrorism:

      "(B)  modified for military or terrorist end-use; or

      "(C) re-exported without requisite United States authorization.

"(4) DEFINITIONS - As used in this subsection-

    "(A) the term 'generally available' means, in the case of software
(including software with encryption capabilities), software that is offered
for sale, license, or transfer to any person without restriction through any
commercial means, including, but not limited to, over-the-counter retail
sales, mail order transactions, phone order transactions, electronic
distribution, or sale on approval;

    "(B) the term 'as is' means, in the case of software (including software
with encryption capabilities), a software program that is not designed,
developed, or tailored by the vendor for specific purchasers, except that such
purchasers may supply certain installation parameters needed by the software
program to function properly with the purchaser's system and may customize the
software program by choosing among options contained in the software program;

   "(C) the term 'is designed for installation by the purchaser' means, in the
case of software (including software with encryption capabilities -

    "(i) the software company intends for the purchaser (including any
licensee or transferee), who may not be the actual program user, to install
the software program on a computing device and has supplied the necessary
instructions to do so, except that the company may also provide telephone help
line services for software installation, electronic transmission, or basic
operations; and-

    "(ii) that the software program is designed for installation by the
purchaser without further substantial support by the supplier;

    "(D) the term 'computing device' means a device which incorporates one or
more microprocessor-based central processing units that can accept, store,
process or provide out-put of data; and

    "(E) the term 'computer hardware', when used in conjunction
with information  security, includes, but is not limited to,
computer systems, equipment,  application-specific assemblies,
modules and integrated circuits". END of BILL

FROM: Secure Systems Group International, Inc
TO: Bob Bales
Director, National Computer Security Association
(717) 258-1816

Re: Encryption Export Bill (Cantwell)
Bob -

Here are some of the comments that we passed along to Maria Cantwell's office
regarding the Bill on the export of encryption technologies. I hope you find
it useful.

I understood the purpose of this Bill was to reduce export controls and
restrictions of software that is either based on encryption or that contained
encryption. As I read the Bill everything was fine until paragraph (3) -( You
understand that I am reading this from a laypersons point of view and if you
can clear up any misinterpretations I would appreciate it).

 In paragraph (3) the Bill states software containing encryption can be
exported freely "unless there is substantial evidence that such software will
be:

(A) diverted to a military end-use or end-use supporting international
terrorism:

(B) modified for military or terrorist end user or

(C) re-exported without requisite United States Authorization."

or that software which is

"... specifically designed or modified for

(A) military use, including command, control, and intelligence applications;
or

(B) cryptanalytic functions

I think that before I or others from the security side decide to support or
not to support this Bill we have some questions that need answers.


100 Nobel Court, Suite 400, Alpharetta, GA. 30202 Voice (404) 475-8787 FAX
(404) 740-8050

Member of National Computer Security Association and the American Electronics
Association

1. Who will be asked to determine whether such restrictions are appropriate?
The NSA? The CIA? The FBI? Does it remain the same as under the current law?
Assuming that the technical overview of military applications for encryption
remains the NSA - what makes it in their interest to let ANY encryption out of
the country that will make their job more difficult? (A little like letting
the fox guard the chickens)

2. What constitutes substantial evidence 'of or 'designed for' military use?
Is it measured by the relative strength of the algorithm or key management
system or by the mere fact it is longer than the DES which is 56 bits? I feel
that some sort of definition needs to be included. What can and what cannot be
exported? A list of commercially available encryption software algorithms that
are pre-approved - (i.e. DES, RSA, PGP, RC4, DSS, etc.) would be nice. Is
selling an encryption product to a foreign military contractor the same as
selling to the military itself, and who makes the judgment call?

3. Will export licenses be required - will denials be explained so that the
exporter and the public understand the reasons for the denial?

4. If a denial is issued, will the exporter have any forum for appeal?

Since Secretary of Commerce Ron Brown has exclusive control over the export
rules, it is obvious that the intelligence community can have a single,
important, point of focus for influence. (Yes I an slightly suspicious). In
theory, the intelligence overseers could disapprove any license to a FRIENDLY
Government or customer on the assumption that their military would use it just
because its within their borders. It is unlikely that German forces will
revert to DES, but their interest in RSA or PGP or triple DES may have such
applications.  It would still be in the NSA's best interest to limit the
export of such software.

My major objection to the Bill as I have understood it is that Commerce, based
on advice from the intelligence community (i.e.  NSA), still has arbitrary
control over what encryption may be exported or not. How is this that much
different from what we have today?

This version of the Bill would still permit the Secretary to arbitrarily
restrict export of some algorithms with no technical benchmarks in place (i.e.
length of key, number of bits). There will be some algorithms that the U.S.
would want to restrict it would be a great help to all to compile a list of
accepted algorithms for export such as is done with computer exports which are
measured in MIPS.

In general, I like the Bill - we NEED it ! - but I feel that it leaves a lot
of room for confusion.

Let me know what your thoughts are on this - thanks.

Sharon Webb, President
National Computer Security Association Encryption Export Control Survey

The purpose of this survey is to quantify the business opportunities lost
because of the U.S. policy on the exportation of encryption algorithms such as
DES, RSA, etc. If we are to make ANY impact AT ALL, the security community
needs to let Congress that economic HARM is being done due to the export
control on encryption technologies.

Please take the time to fill this out and return it to NCSA NO
LATER THAN FRIDAY JANUARY 7, 1994.         NCSA FAX (717)
243-8642.

The results will be presented to Congress in order to further efforts to
release export controls on certain encryption technologies.
                                                     

1) Are you a manufacturer of products that utilize encryption methods?

		YES 			NO 

2) What forms of encryption do you use?                         

3) Is you product  Hardware    Software    or    Both .

4) Have you experienced a loss of sales OVERSEAS due to export controls?

		YES 			NO 

(If the answer is YES, please list the country, the customer (optional), the
dollar amount lost and who got the business (Competitor). If there is a way
for you to be able to know WHY a bid was lost let us know.)

5) Have you experienced a loss of sales HERE in the U.S. and Canada to foreign
competition?
		YES 			NO 

(If the answer is YES, please list the customer (Optional), the dollar amount
and who got the business (Competitor).

6) What percentage of your business is U.S. based?  International?

  (what country(ies) make up the largest portion of your International sales?
                                                                
Who are you?  (Optional) and additional comments: (Use additional paper if
necessary)

Attached is a file called NCSASUR.DOC. This file contains an open invitation
to the meeting in Washington D.C. on January 25th. Italso contains a copy of
the Cantwell Bill and my comments. The final page is the VERY IMPORTANT NCSA
Encryption Export Control Survey. We need as many QUALIFIED (names and phone
numbers attached) responses ASAP!!!!
 
Thank You
 
Sharon Webb - Director, Legislative Affairs NCSA
voice#(404) 475-8787
fax# (404) 740-8050
email SHARONWEBB@Delphi.com

------------------------------

End of PRIVACY Forum Digest 03.02
************************

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH