========================================================================= ________________ _______________ _______________ /_______________/\ /_______________\ /\______________\ \\\\\\\\\\\\\\\\\/ ||||||||||||||||| / //////////////// \\\\\________/\ |||||________\ / /////______\ \\\\\\\\\\\\\/____ |||||||||||||| / ///////////// \\\\\___________/\ ||||| / //// \\\\\\\\\\\\\\\\/ ||||| \//// ========================================================================= EFFector Online Volume 09 No. 03 Mar. 6, 1996 editors@eff.org A Publication of the Electronic Frontier Foundation ISSN 1062-9424 IN THIS ISSUE: Encrypted Communications Privacy Act: Enabling Electronic Envelopes Update on "Decency" Censorship Law Legal Challenges NewsNybbles Electronic Frontiers Georgia Formed AOL Against Government Censorship, For User Empowerment US Customs Decides Internet is Not a Place - Fines Those Who Claim Otherwise Upcoming Events Quote of the Day What YOU Can Do Administrivia * See http://www.eff.org/Alerts/ or ftp.eff.org, /pub/Alerts/ for more information on current EFF activities and online activism alerts! * ---------------------------------------------------------------------- Subject: Encrypted Communications Privacy Act: Enabling Electronic Envelopes ---------------------------------------------------------------------------- Yesterday, Sen. Patrick Leahy, Rep. Robert Goodlatte, and many other Congresspersons introduced two very similar pro-encryption, pro-privacy, pro-Internet bills, one in the House, one in the Senate, to mostly deregulate the export of encryption and to affirm US citizens's rights to use any encryption they wish, with no requirement the users' crypto keys be "escrowed". Below is a statement on the Leahy/Burns/Murray version. Most of the good (and bad) points apply to the Goodlatte version in the House as well, though it has stronger protections against imposition of government-access-to-keys, a very good sign. The new felony category created by both bills has been narrowed since the release below was written, to require that any cryptographic obsctruction of justice be done "in the furtherance" of a crime to be subject to additional criminal penalties. This is an improvement, though not perfect. The significance of these bills is that, like the 1994 Cantwell export deregulation bill, they raise vital issues relating to privacy, security, authentication and responsibility, and competitiveness before Congress, and they do so pre-emptively: It is believed that the Clinton administration is preparing it's own *anti*-crypto legislation at the behest of the FBI and NSA. It is unknown at present what such a bill would look like in detail, but it is unlikely to be favorable to Internet user's privacy rights, digital commerce, system security, or freedom of expression. The current bills give those of us concerned about these issues a head start in educating legislators, the media and the public before the storm hits. Coupled with the EFF/Bernstein and Karn legal cases' constitutional challenge against the crypto export restrictions themselves, the Leahy/Goodlatte legislation is an important step toward securing privacy and confidentiality for users of all new media. FOR IMMEDIATE RELEASE ELECTRONIC FRONTIER FOUNDATION +1 415 436 9333 ask@eff.org March 5, 1996 http://www.eff.org The Electronic Frontier Foundation (EFF) is encouraged to see Congressional support for lifting restrictions on encryption and affirming privacy rights for U.S. citizens. The bill introduced today by Senators Pat Leahy (D-VT), Patricia Murray (D-WA) and Conrad Burns (R-MT) is an important step in reclaiming privacy and encryption rights for society and business. The bill would legalize wide use of "electronic envelopes" to protect private information. Today this information travels on "electronic postcards" which can easily be altered or intercepted. However, the bill also includes key escrow and obstruction of justice provisions which would cause problems if enacted. "The bill provides a new opportunity to bring reason into the crypto policy debate," said EFF co-founder John Gilmore. "We support the Senators for bringing their energy into the process. The bill is a good start, and with healthy debate and modification, it could become acceptable legislation." Electronic privacy and encryption policy is extremely complex because it intertwines our constitutional rights of free speech, publication, association, and protection from self-incrimination and unreasonable search, with issues of wiretapping, spying, military security, personal privacy, and computer security. This bill would pick a new balance among these competing interests, with long-term impacts on our society and economy. EFF is committed to working with government, industry and public interest organizations to raise the level of understanding and debate in resolving these complex issues. EXPORT CONTROL LIBERALIZATION The Encrypted Communications Privacy bill would make long-overdue changes to the export restrictions currently hampering the deployment of privacy and security "envelopes" for Windows, Unix, the Mac, and the Internet. The bill: * Moves export control of all non-military information security products, incuding encryption, to the Commerce Dept., whose rules protect constitutional rights and reflect market realities. * Requires that no license be required to export generally available mass-market software, public domain software, and computers that include such software. * Requires that export be authorized for non-military encryption software to any country where similar software is exportable from the U.S. to foreign financial institutions. * Requires that export be authorized for encryption hardware if a comparable product is available overseas. The above changes would significantly improve the nation's crypto policy. But they make detailed changes in a very complex section of the law and regulations. There is a significant risk that they will be implemented by the Administration in a different fashion than Congress intended. This happened in 1987, for example, when Congress tried to eliminate NSA meddling with civilian computers by passing the Computer Security Act. It was subverted by a series of Presidential directives and agreements among Executive Branch departments. The result today is that NSA is still in control of domestic security and privacy policy. We would encourage futher deregulation as a simpler, more effective, and far more reliable solution. The bill should simply eliminate all export controls on non-military encryption. CRIMINALIZATION OF ENCRYPTION AND ENCOURAGEMENT OF KEY ESCROW The following provisions raise serious concerns about the imbalance between the rights of the people and the desires of the goverment. EFF feels that the impact of these provisions must be closely considered, and will work to modify or remove them to better serve the public interest. The bill: * Makes it a new crime to "use encryption to obstruct justice", with 5-10 year sentences, plus fines. In plain language, this is a extra criminal charge that can be applied when police are frustrated in an investigation but happen to catch someone breaking the law in some other way. It's like Adding an extra ten-year jail term if you close your curtains while committing a crime. Americans have the right to protect their own privacy by any nonviolent means, and we expect that encryption will soon be built into all computers, phones, and networks. * Provides a legal infrastructure for key escrow, a system in which all users' keys are copied to permit government access. The Clinton Administration has been pushing key escrow to replace its failed "Clipper chip", out of fear that if Americans have real privacy they will abuse it. These provisions in the bill would encourage people to use the flawed key-copying system. CLARIFICATION AND REFINEMENT The are a number of areas of the bill that would benefit from additional debate and clarification. Specifically, where the bill: * Explicitly does not mandate key escrow, but fails to prohibit the Administration from attempting to impose it with regulations. * Outlaws disclosure of others' keys except to the government, with 1-2 year sentences, plus fines, but includes a broad "good faith" exemption for when the government does something illegal or unconstitutional. * Requires disclosure of other peoples' keys to the government, under the same procedures currently used for wiretaps, searches of online records and backup tapes, and fishing expeditions in billing records. The provision does not always require adversary legal process, in which citizens can argue for their privacy before a judge, but instead relies solely on the integrity of prosecutors. * Legalizes the use any encryption "except as provided in this Act...or in any other law". EFF'S PROPOSED CRYPTO-PRIVACY PRINCIPLES EFF's Cryptography and Privacy Policy Principles, which were originally written during the Clipper Chip debate, are the touchstone by which we measure privacy legislation and policy issues: * Private-sector access to encryption technology must not be hindered, either by regulation of what crypto may be used domestically, or by restriction on what may be exported. * Government policy on encryption usage and standards must be set in open forums with proper attention paid to public input. Secret hearings and classified algorithms have no part to play in a democratic process. * Encryption must become part of the "information infrastructure" to protect personal, commercial and governmental privacy and security. Cryptographic tools must not be crippled or weakened for the convenience of government agents, and users must be free to choose what encryption they prefer and whether and to whom they will reveal encryption keys. Law enforcement must obtain court orders, not simply administrative subpoenas to seize keys or decrypt and search encrypted information. * Government policy regarding emerging technologies like encryption must not erode Constitutional protections. In particular, any such policies must be compatible with the rights to freedom of speech, press and association, freedom from coerced self-incrimination, and freedom from unreasonable search and seizure. * Encryption will be built into all next-generation Internet, communications and computer technology. There must be no government policy equating use of encryption with evidence of criminal behavior, nor the creation of any new crime category that holds encryption users liable for making criminal investigation more difficult. * Government at all levels should explore cryptography's potential to replace identity-based or dossier-based systems - such as driver's licenses, credit cards, social security numbers, and passports - with less invasive technology. The Encrypted Communications Privacy bill at this time passes some of these tests, and we are committed to working with industry, government, and public interest organiations to address the remaining issues. BACKGROUND: EFF AND CRYPTO-PRIVACY POLICY The Electronic Frontier Foundation (EFF) is a nonprofit public interest organization devoted to the protection of online privacy and free expression. EFF was founded in 1990, and is based in San Francisco, California. The International Traffic in Arms Regulations (ITARs), administered by the State Department, and in the background by the National Security Agency, unreasonably treat encryption software and hardware as if they were weapons of war, like rockets and bombs. It has proven very difficult to deploy U.S.-made encryption products in an increasingly important global market due to these regulations, at a time when the need for online security systems for personal and commercial use has never been more keenly felt. EFF has for several years led efforts to fend off governmental attempts to restrict the development and public availability of secure privacy technology. In 1993-4, EFF and other civil liberties organizations successfully opposed implementation of the U.S. Administration's "Clipper" or "Skipjack" system - hardware encryption for voice and data communications in which all encryption keys are held by government for the convenience of law enforcement and intelligence agencies. In 1994, we helped ensure that crypto export became a major legislative topic, laying the groundwork for eventual liberalization of the ITARs. In 1994 and 1995 EFF opposed implementation of and helped defeat funding for the FBI's "Digital Telephony" scheme, in which up to one person on every city block could be simultaneously wiretapped. In 1995, we filed an ongoing federal lawsuit with mathematician Daniel Bernstein, challenging the constitutionality of the export control laws. ONLINE RESOURCES FOR MORE INFORMATION Please see EFF's Internet archives for more details on this and other issues. EFF Privacy & Encryption Archive: http://www.eff.org/pub/Privacy/ EFF Legal Issues & Policy Archive: http://www.eff.org/pub/Legal/ Action Alerts: http://www.eff.org/pub/Alerts/ Topical Index of the EFF Archive: http://www.eff.org/links.html CONTACT INFORMATION The Electronic Frontier Foundation 1550 Bryant St., Suite 725 San Francisco CA 94103 USA +1 415 436 9333 (voice) +1 415 436 9993 (fax) Internet: ask@eff.org John Gilmore, Co-founder and Member of the Board gnu@eff.org +1 415 221 6524 ------------------------------ Subject: Update on "Decency" Censorship Law Legal Challenges ------------------------------------------------------------ The Communications Decency Amendment to the Telecom Act, and another Telecom Act provision in a different section of that huge piece of legislation, have come under concerted attack in no less than four federal lawsuits filed nearly immediately after passage. EFF, the ACLU, and many other organizations and invividual plaintiff, most of them online content producers, filed suit in the US District Court for the Eastern Dist. of Pennsylvania, Feb. 8, 1996, before Judge Ronald Buckwalter. The judge commended the plaintiffs on a well preprated case, and issued a temporary restraining order against enforcement of certain provisions of the CDA (in particular the "indecency" ban, but not the "patently offensive material" ban), calling the CDA "unconstitutional". Subsequent to this, attorneys for our side obtained an agreement from the Justice Department, who also appear to recognize the new laws unconstitutionality, to not enforce any of the CDA's challenged provisions. This case is ACLU, et al. v. Reno, and will soon be before a 3-judge panel who are expected to issue a longer-lasting and more complete preliminary injunction against CDA enforcement until the Supreme Court can hear the meat of the case. This case is likely to be fast-tracked, and may reach the highest court in the land before the year is out. The injunction trial has tentatively been scheduled for March 21 and 22, with the government getting a hearing Apr. 11 and 12. April 1 has also been reserved in case it is needed. The 3 judges will be Appeals Judge Sloviter, District Judge Dalzell, and and District Judge Buckwalter. The CDA provisions of the bill are also being challenged by another suit filed around the same time by an online newspaper, _The_American_Reporter_, in the New York State Southern District US Court. This case and the EFF/ACLU case raise most of the same issues, though with different focusses in some areas. The cases dove-tail quite nicely. In simultaneous action, Arthur Sanger, the Center for Reproductive Law & Policy, Planned Parenthood of New York, and several other plaintiffs filed a suit in challenging the constitutionality of Rep. Henry Hyde's last-minute amendment to the Telecom Bill making it illegal to post certain kinds of abortion-related information online. This statute is arguably duplicative with current law - the old Comstock obscenity code, which is not medium dependent and therefore already includes the Internet, has banned this abortion info since the 19th Century, but has simply not be enforced much. The case seeks to strike down the abortion part of it completely. The judge in this case did not issue a restraining order, apparently finding that the lack of enforcement, and the Dept. of Justices (fairly weak) assurances that they would not enforce this portion of the Telecom Bill either, as indicactive of little enough risk to let the case proceed without directly enjoining enforcement. This case, Sanger v. Reno, is ongoing in the US District Court for the Eastern Dist. of New York State. The Justice Department has openly acknowledged the unconstitutionality of the abortion-related provisions. WHAT YOU CAN DO Feb. 26, the Center for Democracy and Technology, the Am. Library Assoc., Wired Magazine, and additional plaintiffs from the online services industry, filed a fourth suit, in the same district as the ACLU & EFF suit, again challenging the unconstitutional "decency" provisions of the Telecom bill. This case has a rather unique feature: You can add yourself as a plaintiff at no expense! One of the plaintiffs is the Citizen's Internet Empowerment Coalition - a coaltion you can join by filling out a WWW form at: http://www.cdt.org/ciec/ DEADLINE: March 15, 1996! As of March 1, the CIEC members numbered over 5000. This latest case does not conflict with the other cases in anyway, and may be merged with the EFF/ACLU case. The CIEC/CDT plaintiffs have also filed for a preliminary injunction. Hearing date is set for March 21. Updates on these cases will be made at http://www.eff.org/pub/Alerts/index.html#cda on a regular basis. ------------------------------ Subject: NewsNybbles -------------------- * Electronic Frontiers Georgia Formed A new state-level grassroots action organization has formed in Atlanta. "Electronic Frontiers Georgia is a civil liberties organization that has been formed to fight for freedom, privacy, and access on [the US State of] Georgia's computer networks." Monthly physical meetings are held in Atlanta. Contact: efg@ninja.techwood.org WWW: http://montag33.residence.gatech.edu/~efg/ For a list of other such groups (and other organization of various kinds that have something to do with online civil liberties, access and society), see our Online Activism Organizations FAQ at: http://www.eff.org/pub/Activism/activ_groups.faq ftp.eff.org, cd /pub/Activism/, get activ_groups.faq gopher.eff.org, path: 1/Activism, get activ_groups.faq * AOL Against Government Censorship, For User Empowerment According to an AP newswire, America Online chairman Steve Case said Tues. that Internet censorship "is a very difficult, very sensitive issue which requires a dialogue...for what the right balance is going to be...this is a new medium and it does require a different perspective, and we're going to be calling for a new framework that recognizes [that]." Case said online content filtration, that would allow parents to block child access to inappropriate materials, is the right solution, rather than censorship. * US Customs Decides Internet is Not a Place - Fines Those Who Claim Otherwise A "virtual" software corporation, ACD, with software engineers in both California and Hungary, but no real physical business infrastructure, was recently slapped with an $85 fine by US Customs. ACD's product, EPublisher for the Web, was developed over the Internet with no physical meetings or other contact between the developers. When Hungarian developers sent versions of the software on diskette to their US counterparts, the shipment was stopped by Customs at LAX (the major Los Angeles airport) for "mark violation". The Hungarians had marked "Country of Origin" on the forms as "Internet", as the product was not decidably made in Hungary or the US, and the owners of the intellectual property rights to the product are in no single physical location. ACD's Laslo Chaki says, "We had to pay an $85 fine for mark violation. Virtual company, in virtual city with $85 real fine!" Though the intent of the "Country" section on customs forms is to ascertain where a particular package was shipped from, and the listing of the country of origin as "Internet" is somewhat silly in this context, the lack of any sense of humor on the part of Customs is not particularly encouraging. You might want to be careful with those RSA t-shirts - Customs just might handle them as munitions after all, and regard you as an unlicensed international arms dealer, at this rate. ------------------------------ Subject: Calendar of Events --------------------------- This schedule lists events that are directly EFF-related. A much more detailed calendar of events likely to be of interest to our members and supporters is maintained at: ftp: ftp.eff.org, /pub/EFF/calendar.eff gopher: gopher.eff.org, 1/EFF, calendar.eff http://www.eff.org/pub/EFF/calendar.eff Mar. 14 - National Silence Protest against the CDA! See WWW site for more info. URL: http://www.eff.org/BlueRibbon/activism2.html#law Mar. 15 - LAST CHANCE to add your name as a plaintiff in lawsuit against Net censorship bill! See WWW site for more info. URL: http://www.cdt.org/ciec/ Mar. 27- 30 - CFP96, the Sixth Conference on Computers, Freedom, & Privacy; MIT, Cambridge, Massachusetts. Sponsored by ACM SIGCOMM, SIGCAS, SIGSAC, and the World Wide Web Consortium. This is THE electronic privacy conference. Speakers include EFF representatives (and CFP is also the time and place of the EFF Pioneer Awards ceremony.) Email: cfp96-info@mit.edu URL: http://web.mit.edu/cfp96 June 30 - Electronic Freedom March on Washington! See WWW site for more info. URL: http://march.tico.com/ ------------------------------ Subject: Quote of the Day ------------------------- "Two-point-five million use America Online. That's like a city. Parents wouldn't let their kids go wandering in a city of 2.5 million people without them, or without knowing what they're going to be doing." - Pam McGraw, America Online spokesperson, in "Children Lured From Home by Internet Acquaintances" by David Foster, Associated Press, June 13, 1995 Find yourself wondering if your privacy and freedom of speech are safe when bills to censor the Internet are swimming about in a sea of of surveillance legislation and anti-terrorism hysteria? Worried that in the rush to make us secure from ourselves that our government representatives may deprive us of our essential civil liberties? Concerned that legislative efforts nominally to "protect children" will actually censor all communications down to only content suitable for the playground? Alarmed by commercial and religious organizations abusing the judicial and legislative processes to stifle satire, dissent and criticism? Join EFF! Even if you don't live in the U.S., the anti-Internet hysteria will soon be visiting a legislative body near you. If it hasn't already. ------------------------------ Subject: What YOU Can Do ------------------------ * The Communications Decency Act & Other Censorship Legislation The Communications Decency Act and similar legislation pose serious threats to freedom of expression online, and to the livelihoods of system operators. The legislation also undermines several crucial privacy protections. JOIN THE ANTI-CDA LAWSUIT AS A PLAINTIFF! MARCH 15 DEADLINE: http://www.cdt.org/ciec/ Business/industry persons concerned should alert their corporate govt. affairs office and/or legal counsel. Everyone should write to their own Representatives and Senators, letting them know that such abuses of public trust will not be tolerated, that legislators who vote against your free speech rights will be voted against by you in the next elections. Join in the Blue Ribbon Campaign - see http://www.eff.org/blueribbon.html PARTICIPATE IN BLUE RIBBON ACTIVISM EFFORTS: http://www.eff.org/blueribbon/activism.html Support the EFF Cyberspace Legal Defense Fund: http://www.eff.org/pub/Alerts/cyberlegal_fund_eff.announce For more information on what you can do to help stop this and other dangerous legislation, see: ftp.eff.org, /pub/Alerts/ gopher.eff.org, 1/Alerts http://www.eff.org/pub/Alerts/ If you do not have full internet access (e.g. WWW), send your request for information to ask@eff.org. * New Crypto-Privacy Legislation Urge your Senators and Representatives to call for hearings! Not much else needs to be done on this right this moment, but expect this issue to heat up rapidly. Pointers to Congress contact info are below. Keep an eye on http://www.eff.org/pub/Activism/index.html#crypto * Digital Telephony/Comms. Assistance to Law Enforcement Act The FBI is now seeking both funding for the DT/CALEA wiretapping provisions, and preparing to require that staggering numbers of citizens be simultaneously wiretappable. To oppose the funding, write to your own Senators and Representatives urging them to vote against any appropriations for wiretapping. We are aware of no major action on this threat at present, but keep your eyes peeled. It will be back. * Anti-Terrorism Bills Numerous bills threatening your privacy and free speech have been introduced this year. None of them are close to passage at this very moment, but this status may change. Urge your Congresspersons to oppose these unconstitutional and Big-Brotherish bills. * The Anti-Electronic Racketeering Act This bill is unlikely to pass in any form, being very poorly drafted, and without much support. However, the CDA is just as bad and passed with flying colors [the jolly roger?] in the Senate. It's better to be safe than sorry. If you have a few moments to spare, writing to, faxing, or calling your Congresspersons to urge opposition to this bill is a good idea. * Medical Privacy Legislation Several bills relating to medical privacy issues are floating in Congress right now. Urge your legislators to support only proposals that *truly* enhance the medical privacy of citizens. More information on this legislation will be available at http://www.eff.org/pub/Privacy/Medical/ soon. Bug mech@eff.org to make it appear there faster. :) * Find Out Who Your Congresspersons Are Writing letters to, faxing, and phoning your representatives in Congress is one very important strategy of activism, and an essential way of making sure YOUR voice is heard on vital issues. EFF has lists of the Senate and House with contact information, as well as lists of Congressional committees. (A House list is included in this issue of EFFector). These lists are available at: ftp.eff.org, /pub/Activism/Congress_cmtes/ gopher.eff.org, 1/EFF/Issues/Activism/Congress_cmtes http://www.eff.org/pub/Activism/Congress_cmtes/ The full Senate and House lists are senate.list and hr.list, respectively. Those not in the U.S. should seek out similar information about their own legislative bodies. EFF will be happy to archive any such information provided. If you are having difficulty determining who your Representatives are, try contacting your local League of Women Voters, who maintain a great deal of legislative information, or consult the free ZIPPER service that matches Zip Codes to Congressional districts with about 85% accuracy at: http://www.stardot.com/~lukeseem/zip.html Computer Currents Interactive has provided Congress contact info, sorted by who voted for and against the Communcations Decency Act: http://www.currents.net/congress.html * Join EFF! You *know* privacy, freedom of speech and ability to make your voice heard in government are important. You have probably participated in our online campaigns and forums. Have you become a member of EFF yet? The best way to protect your online rights is to be fully informed and to make your opinions heard. EFF members are informed and are making a difference. Join EFF today! For EFF membership info, send queries to membership@eff.org, or send any message to info@eff.org for basic EFF info, and a membership form. ------------------------------ Administrivia ============= EFFector Online is published by: The Electronic Frontier Foundation 1550 Bryant St., Suite 725 San Francisco CA 94103 USA +1 415 436 9333 (voice) +1 415 436 9993 (fax) Membership & donations: membership@eff.org Legal services: ssteele@eff.org General EFF, legal, policy or online resources queries: ask@eff.org Editor: Stanton McCandlish, Online Activist, Webmaster (mech@eff.org) Assoc. Editors: Ryan Thornburg, Communications Intern (rmt@eff.org) Dennis Derryberry, Communications Intern (dennis@eff.org) This newsletter is printed on 100% recycled electrons. Reproduction of this publication in electronic media is encouraged. Signed articles do not necessarily represent the views of EFF. To reproduce signed articles individually, please contact the authors for their express permission. Press releases and EFF announcements may be reproduced individ- ually at will. To subscribe to EFFector via email, send message body of "subscribe effector-online" (without the "quotes") to listserv@eff.org, which will add you to a subscription list for EFFector. Back issues are available at: ftp.eff.org, /pub/EFF/Newsletters/EFFector/ gopher.eff.org, 1/EFF/Newsletters/EFFector http://www.eff.org/pub/EFF/Newsletters/EFFector/ To get the latest issue, send any message to effector-reflector@eff.org (or er@eff.org), and it will be mailed to you automagically. You can also get the file "current" from the EFFector directory at the above sites at any time for a copy of the current issue. HTML editions available at: http://www.eff.org/pub/EFF/Newsletters/EFFector/HTML/ at EFFweb. HTML editions of the current issue sometimes take a day or longer to prepare after issue of the ASCII text version. ------------------------------ End of EFFector Online v09 #03 Digest ************************************* $$