Domain: epic.org
Stories and comments across the archive that link to epic.org.
Stories · 168
-
ACLU Joins Fray Over Cyber Patrol Censorware
Brian Ristuccia writes, "It looks like the ACLU has decided to help Waldo L. Jaquith, Lindsay Haisley and Bennett Haselton, three folks who were running mirror sites of the recently released Cyber Patrol paper and decoding software, respond to the subpoena and confusing e-service messages that have been sent to them via e-mail by Cyber Patrol's law firm."
Text of the ACLU's Press Release:
FOR IMMEDIATE RELEASE
Friday, March 24, 2000
NEW YORK -- The American Civil Liberties Union will enter a Boston court this Monday to argue that a ban on a program allowing users to decode the Internet blocking software Cyber Patrol constitutes a "classic prior restraint on speech" in violation of the U.S. Constitution.
The Cyber Patrol controversy is but the latest round in a heated debate over flaws in so-called filtering software that both "overblocks" non-pornographic Web sites on subjects like Super Bowl XXX and fails to block many sites parents may not deem appropriate for their children.
In legal papers filed with the court today, the ACLU said that Cyber Patrol's lawsuit is unnecessary because the company can easily block their customers from accessing any Web site or page on which the decoding program appears, whereas some of the Web sites may be out of the jurisdiction of the court.
Acting on behalf of three U.S. Web site operators who posted "mirror" copies of the decoding program, the ACLU said their free speech rights would be violated if the court granted the company's request for a preliminary injunction against the Swedish and Canadian creators of the program.
"Under Cyber Patrol's logic, I'd be breaking the law if I bought a Ford Mustang and looked under the hood," said Chris Hansen, a senior ACLU staff attorney and lead counsel in the case. "I don't think it is asking too much for Cyber Patrol and other software companies to tell the American public exactly what their software blocks, especially when Congress wants to force both children and adults to use it."
Last Friday, March 17, U.S. District Judge Edward F. Harrington granted a 10-day temporary restraining order against the creators of the program. Cyber Patrol then sent subpoenas to the ACLU's clients, suggesting that they would be bound by that order and any future court bans.
In addition, at least one American reporter has confirmed receipt of subpoena from Cyber Patrol ordering him to reveal the name of "each and every person who produced, received, viewed, downloaded or accessed" the decoding program from his site.
The Web site operators, Waldo L. Jaquith, Lindsay Haisley and Bennett Haselton, each said that they posted the decoding program as a form of political protest against Cyber Patrol's legal actions and against "censorware" in general. Their Web sites can be found at: www.peacefire.org (Haselton), www.fmp.com (Haisley) and www.waldo.net (Jaquith).
"We thought it would be educational for some politicians, who are recommending blocking software for use in every school in the country, to see the mistakes that the codebreakers found in Cyber Patrol's list," said Haselton, 21, operator of Peacefire.org, a Web site he founded specifically to defend the free-speech interests of people under 18 on the Internet.
Haselton said that Peacefire recently decrypted the lists of sites blocked by two other programs -- I-Gear and X-Stop -- and found that they had error rates between 68 and 76 percent for blocking pages in the educational ".edu" domain.
Haselton, Jaquith, and Haisley are represented as "nonparties" to the Cyber Patrol lawsuit by Hansen of the national ACLU, Sarah Wunsch, an attorney with the ACLU of Massachusetts, David Sobel, general counsel for the Electronic Privacy Information Center based in Washington, and Jessica Littman, a visiting professor of law at New York University.
In 1998, a federal district judge said that forcing adults to use blocking software like Cyber Patrol in public libraries "offends the guarantee of free speech." Last month, a proposal aimed at forcing a Michigan public library to install Web filtering software on computers was defeated by voters.
"With Congress renewing efforts to mandate use of such flawed software in public schools and libraries, the Cyber Patrol battle only serves to emphasize that information on what is blocked must be made available to consumers, let alone libraries and schools," Hansen said.
The hearing in Microsystems Software, Inc. v. Scandinavia Online, IslandNet.com, Eddy L.O. Jansson and Matthew Skala, Civil Action No. 00-10488-EFH, will take place on Monday, March 27, at 2:00 p.m. in U.S. District Court in Boston.
The ACLU's opposition to motion for preliminary injunction in the case is online at http://www.aclu.org/court/cyberpatrol_motion.html. The motion to quash subpoenas is online at http://www.aclu.org/court/cyberpatrol_quash.html.
Cyber Patrol is a subsidiary of toy company giant Mattel Inc., which is publicly traded on the New York Stock Exchange.
-
EPIC Criticizes Top 100 Sites' Privacy
EPIC, the Electronic Privacy Information Center, has released "Surfer Beware III," a report that claims "few of the 100 most popular shopping websites provide adequate privacy protections for consumers." It's apparently the combination of collecting personal information and delivering profilers' cookies that has them the most concerned. Catchiest quote: "someone other than Santa is reading our Christmas list. These profiling companies know when we are buying and when we are online."
-
EPIC Sues NSA Over Information Gathering
Juln and many others noted that EPIC filed suit against the NSA for failing to respond to their FOIA request. Both EPIC and the House Committee which supposedly oversees the NSA have asked for documents about the extent of their domestic spying and ECHELON activities, and the NSA has refused to provide information to either. Sounds like it's time to remind the spies who runs this outfit. The story is available at many major news sites.
-
ACLU, EPIC Sue to Block Taps
-
ACLU & EPIC Challenge Wiretapping
MacRonin writes "ACLU Press Release: 11-18-99 -- Groups Initiate Court Challenge to FBI Wiretap Standards; Say FCC Decision Threatens Communications Privacy." The FCC was granted powers to decide just how CALEA was to be implemented; unfortunately, they granted law enforcement powers which go well beyond the scope of the law. The ACLU and EPIC are now challenging that decision.
-
ACLU Launches Echelonwatch
coldfusion writes "The American Civil Liberties Union in conjunction with EPIC and others has just launched Echelon Watch, a site which tracks developments about the intelligence gathering organization. The site does a good job of collating all of the information that has spread in the last few months. It also contains a 'write to Congress' component." Update: 11/17 09:30 by J : Baccus just informed us that the NSA has applied for a patent on Echelon-related (tapping) technology.
-
Tap-Tap-Tapping the Net
The IETF will be considering building wiretapping into internet protocols (see previous slashdot story) tonight at their conference; the Washington Post has a story on the subject. A great many civil liberties and technically-oriented organizations have signed onto an Open Letter urging the IETF to reject any attempt to build snooping into the net.
-
Encryption Exports: Small Step Forward, Big Step Back
Kathleen Ellis, editor of the Privacy News Portal, attended yesterday's press briefing about a proposed loosening of export restrictions, and wrote the following feature article about the current situation. Click below for more.
Actually, let me hit you with a few links before you get started:
- EPIC's page on the proposed Cyberspace Electronic Security Act
- Proposed text of the bill
- White House analysis of the bill - really an executive summary
- Wired coverage, by Declan McCullagh
- Update: Press statements, including briefing transcript
Encryption Exports: Small Step Forward, Big Step Back
by Kathleen Ellis
September 17, 1999
Prominent U.S. Government representatives yesterday announced at a White House press briefing that the President was proposing legislation on encryption policy, and that the Department of Commerce was revising its export restrictions on some encryption products. Last year, Vice President Al Gore vowed to further loosen restrictions and propose a solution to the encryption issue, which has been the subject of contentious debate for the past decade.
The legislation, known as the Cyberspace Electronic Security Act of 1999 (CESA), has been transmitted to Congress by President Clinton. The bill purports to strike a "compromise" between the needs of law enforcement for access to data and the needs of Internet users to secure their e-mail, web transactions, and stored data from hackers or thieves. According to the text of the bill, "society's increasing reliance on information systems in this new environment exposes U.S. citizens, institutions, and their information to unprecedented risks." Despite this acknowledgement, the bill clearly gives consideration to the needs of law enforcement and intelligence agencies first; "The failure to provide law enforcement with the necessary ability to obtain the plaintext version of the evidence makes existing authorities useless."
One of the major provisions of CESA is to allocate $80 million for an FBI "Technical Support Center", which would provide assistance to federal, state, and local law enforcement officials. The bill also reinforces the confidentiality of law enforcement intelligence techniques used to gather information about suspected criminals. "The Department of Justice has developed this legislation with the assistance of agencies in government," said Attorney General Janet Reno. "Law enforcement has tools at its disposal to fight crime, but those tools are rendered useless when encryption gets involved". Reno said that CESA "balances the needs of privacy and public safety".
Perhaps the most noteworthy provision of the bill is the resurrection of key escrow, a solution long considered insufficient, insecure and obsolete by experts. Key escrow is a technology that entails entrusting one's private keys with a trusted third party, so that theoretically, a law enforcement official would be able to present that third party with a warrant in order to gain access to the plaintext of the encrypted data. Although the bill does not require domestic users to utilize an escrowed cryptosystem, the bill provides a legal framework to protect users from disclosure of their decryption keys by their trusted third party without a court order. The bill also proposes to implement strict guidelines outlining the circumstances under which a law enforcement agent may be granted access to a decryption key held by the third party.
This mention of key escrow worries privacy activists, who have heard the use of such language by the administration before. "This raises the specter of collusion between law enforcement and industry to build back door access into encryption products," says David Sobel, General Counsel for the Electronic Privacy Information Center. According to EPIC's statement, the bill will eventually "provide a legal framework for access to decryption keys," a prospect which worries many activists and internet users alike.
Sobel would rather see the Security and Freedom through Encryption Act determine the U.S. Government's encryption policy. Authored by congressman Bob Goodlatte, SAFE would essentially force the government to reverse its stance on the encryption issue. Unfortunately, passage of the SAFE Act now seems unlikely, in light of Deputy Secretary of Defense John Hamre's remark during the briefing that if the SAFE Act passes the House and Senate, "the Department of Defense will ask the President to veto it".
Also announced at the press conference were revisions to the Department of Commerce's encryption export policy. According to a report released at the briefing, the export requirements will be revised to allow software exports of products of any key length, after the product is first submitted for review by the Commerce Department, and as long as the manufacturer of the product meets strict guidelines for post-export reporting of any user or distributor who obtains the software directly from the licensee. Secretary of Commerce William Daley announced that the Bureau of Export Administration would streamline the revision and reporting process, but was unclear about specific changes to the current procedure.
Two prominent industry groups are very enthusiastic about this proposal. "Today's decision articulates a policy that is good for America, good for our nation's high-tech industry, and good for the tens of millions of Americans who use computers and want them to be secure," says a press release from Americans for Computer Privacy, a group that has lobbied for legislative reform and is funded primarily by technology companies. In a statement published by the Computer Systems Policy Project, Sun Microsystems President and CEO Scott McNealy (who made headlines on Slashdot for his remarks telling reporters that the privacy issue was a "red herring" and that "you have zero privacy anyway...get over it") said "we applaud the Administration's recognition that the universal use of strong encryption will promote the benefits of a networked world while protecting Americans' privacy, safety and security." CSPP is comprised of eleven CEOs from major Information Technology companies, such as IBM, Dell, and Intel.
James Steinberg, Deputy Assistant for National Security Affairs, opened the briefing by praising both groups for their assistance in authoring the proposal, so it's no surprise that they're eager to ingratiate themselves to the Clinton Administration, while at the same time self-importantly emphasizing their effectiveness by declaring a victory. EPIC's David Sobel says "it appears that the FBI and large computer companies have reached an agreement on encryption, but that is not necessarily in the interest of the average computer user." Any compromise reached by these two groups could result in "less security than advertised, with hidden vulnerabilities the government can exploit".
Secretary Daley was repeatedly asked during the briefing what purpose the one-time review served, and under what circumstances an export license exception would be granted or denied; no clear answer was given. The U.S. Government may wish to allow exports only of flawed or escrowed encryption products using encryption above a certain key length, but have given up on explicitly pursuing that as a goal. Large software companies, the kind represented by ACP and CSPP, have lost a lot of business because of the export restrictions, and with each year that passes they may become less likely to object to making a few changes to their crypto modules in order to finally gain access to the foreign market.
In some ways, this proposal is good for the companies who have existed for so long without the ability to export their stronger security products at all until now, but for the rest of us, the proposal is neutral at best and abysmal at worst. As larger, wealthier proponents of crypto liberalization get what they want and contentedly back out of the debate on this issue (as American banks did when they were granted license exception to export security software to their overseas offices), further positive alterations to export policy start to seem less and less likely to happen. This is bad for American cryptographers who wish to discuss their work with their colleagues on the Internet. It's even worse for users, who may end up using insecure products without knowing it.
It's unclear what will happen at this point. The current congressional climate suggests that CESA will not pass without a significant push from the Clinton Administration. Even if the bill is defeated, however, Internet users around the world should continue to be cautious about purchasing commercial encryption products that originate inside the U.S.; you never know what may be lurking within.
-
Encryption Exports: Small Step Forward, Big Step Back
Kathleen Ellis, editor of the Privacy News Portal, attended yesterday's press briefing about a proposed loosening of export restrictions, and wrote the following feature article about the current situation. Click below for more.
Actually, let me hit you with a few links before you get started:
- EPIC's page on the proposed Cyberspace Electronic Security Act
- Proposed text of the bill
- White House analysis of the bill - really an executive summary
- Wired coverage, by Declan McCullagh
- Update: Press statements, including briefing transcript
Encryption Exports: Small Step Forward, Big Step Back
by Kathleen Ellis
September 17, 1999
Prominent U.S. Government representatives yesterday announced at a White House press briefing that the President was proposing legislation on encryption policy, and that the Department of Commerce was revising its export restrictions on some encryption products. Last year, Vice President Al Gore vowed to further loosen restrictions and propose a solution to the encryption issue, which has been the subject of contentious debate for the past decade.The legislation, known as the Cyberspace Electronic Security Act of 1999 (CESA), has been transmitted to Congress by President Clinton. The bill purports to strike a "compromise" between the needs of law enforcement for access to data and the needs of Internet users to secure and their e-mail, web transactions, and stored data from hackers or thieves. According to the text of the bill, "society's increasing reliance on information systems in this new environment exposes U.S. citizens, institutions, and their information to unprecedented risks." Despite this acknowledgement, the bill clearly gives consideration to the needs of law enforcement and intelligence agencies first; "The failure to provide law enforcement with the necessary ability to obtain the plaintext version of the evidence makes existing authorities useless."
One of the major provisions of CESA is to allocate $80 million dollars for an FBI "Technical Support Center", which would provide assistance to federal, state, and local law enforcement officials. The bill also reinforces the confidentiality of law enforcement intelligence techniques used to gather information about suspected criminals. "The Department of Justice has developed this legislation with the assistance of agencies in government," said Attorney General Janet Reno. "Law enforcement has tools at its disposal to fight crime, but those tools are rendered useless when encryption gets involved". Reno said that CESA "balances the needs of privacy and public safety".
Perhaps most the most noteworthy provision of the bill is the resurrection of key escrow, a solution long considered insufficient, insecure and obsolete by experts. Key escrow is a technology that entails entrusting one's private keys with a trusted third party, so that theoretically, a law enforcement official would be able to present that third party with a warrant in order to gain access to the plaintext of the encrypted data. Although the bill does not require domestic users to utilize an escrowed cryptosystem, the bill provides a legal framework to protect users from disclosure of their decryption keys by their trusted third party without a court order. The bill also proposes to implement strict guidelines outlining the circumstances under which a law enforcement agent may be granted access to a decryption key held by the third party.
This mention of key escrow worries privacy activists, who have heard the use of such language by the administration before. "This raises the specter of collusion between law enforcement and industry to build back door access into encryption products," says David Sobel, General Counsel for the Electronic Privacy Information Center. According to EPIC's statement, the bill will eventually "provide a legal framework for access to decryption keys," a prospect which worries many activists and internet users alike.
Sobel would rather see the Security and Freedom through Encryption Act determine the U.S. Government's encryption policy. Authored by congressman Bob Goodlatte, SAFE would essentially force the government to reverse its stance on the encryption issue. Unfortunately, passage of the SAFE Act now seems unlikely, in light of Deputy Secretary of Defense John Hamre's remark during the briefing that if the SAFE Act passes the House and Senate, "the Department of Defense will ask the President to veto it".
Also announced at the press conference were revisions to the Department of Commerce's encryption export policy. According to a report released at the briefing, the export requirements will be revised to allow software exports of products of any key length, after the product is first submitted for review by the Commerce Department, and as long as the manufacturer of the product meets strict guidelines for post-export reporting of any user or distributor who obtains the software directly from the licensee. Secretary of Commerce William Daley announced that that the Bureau of Export Administration would streamline the revision and reporting process, but was unclear about specific changes to the current procedure.
Two prominent industry groups are very enthusiastic about this proposal. "Today's decision articulates a policy that is good for America, good for our nation's high-tech industry, and good for the tens of millions of Americans who use computers and want them to be secure" says a press release from Americans for Computer Privacy, a group that has lobbied for legislative reform and is funded primarily by technology companies. In a statement published by the Computer Systems Policy Project, Sun Microsystems President and CEO Scott McNealy (who made headlines on Slashdot for his remarks telling reporters that the privacy issue was a "red herring" and that "you have zero privacy anyway...get over it") said "we applaud the Administration's recognition that the universal use of strong encryption will promote the benefits of a networked world while protecting Americans' privacy, safety and security,". CSPP is comprised of eleven CEOs from major Information Technology companies, such as IBM, Dell, and Intel.
James Steinberg, Deputy Assistant for National Security Affairs, opened the briefing by praising both groups for thier assistance in authoring the proposal, so it's no surprise that they're eager to ingratiate themselves to the Clinton Administration, while at the same time self-importantly emphasizing their effectiveness by declaring a victory. EPIC's David Sobel says "it appears that the FBI and large computer companies have reached an agreement on encryption, but that is not necessarily in the interest of the average computer user." Any compromise reached by these two groups could result in "less security than advertised, with hidden vulnerabilities the government can exploit".
Secretary Daley was repeatedly asked during the briefing what purpose the one-time review served, and under what circumstances an export license exception would be granted or denied; no clear answer was given. The U.S. Government may wish to allow exports only of flawed or escrowed encryption products using encryption above a certain key length, but have given up on explicitly pursuing that as a goal. Large software companies, the kind represented by ACP and CSPP, have lost a lot of business because of the export restrictions, and with each year that passes they may become less likely to object to making a few changes to their crypto modules in order to finally gain access to the foreign market.
In some ways, this proposal is good for the companies who have existed for so long without the ability to export their stronger security products at all until now, but for the rest of us, the proposal is neutral at best and abysmal at worst. As larger, wealthier proponents of crypto liberalization get what they want and contentedly back out of the debate on this issue (as American banks did when they were granted license exception to export security software to their overseas offices), further positive alterations to export policy start to seem less and less likely to happen. This is bad for American cryptographers who wish to discuss their work with their colleagues on the Internet. It's even worse for users, who may end up using insecure products without knowing it.
It's unclear what will happen at this point. The current congressional climate suggests that CESA will not pass without a significant push from the Clinton Administration. Even if the bill is defeated, however, Internet users around the world should continue to be cautious about purchasing commercial encryption products that originate inside the U.S.; you never know what may be lurking within.
-
Encryption Exports: Small Step Forward, Big Step Back
Kathleen Ellis, editor of the Privacy News Portal, attended yesterday's press briefing about a proposed loosening of export restrictions, and wrote the following feature article about the current situation. Click below for more.
Actually, let me hit you with a few links before you get started:
- EPIC's page on the proposed Cyberspace Electronic Security Act
- Proposed text of the bill
- White House analysis of the bill - really an executive summary
- Wired coverage, by Declan McCullagh
- Update: Press statements, including briefing transcript
Encryption Exports: Small Step Forward, Big Step Back
by Kathleen Ellis
September 17, 1999
Prominent U.S. Government representatives yesterday announced at a White House press briefing that the President was proposing legislation on encryption policy, and that the Department of Commerce was revising its export restrictions on some encryption products. Last year, Vice President Al Gore vowed to further loosen restrictions and propose a solution to the encryption issue, which has been the subject of contentious debate for the past decade.The legislation, known as the Cyberspace Electronic Security Act of 1999 (CESA), has been transmitted to Congress by President Clinton. The bill purports to strike a "compromise" between the needs of law enforcement for access to data and the needs of Internet users to secure and their e-mail, web transactions, and stored data from hackers or thieves. According to the text of the bill, "society's increasing reliance on information systems in this new environment exposes U.S. citizens, institutions, and their information to unprecedented risks." Despite this acknowledgement, the bill clearly gives consideration to the needs of law enforcement and intelligence agencies first; "The failure to provide law enforcement with the necessary ability to obtain the plaintext version of the evidence makes existing authorities useless."
One of the major provisions of CESA is to allocate $80 million dollars for an FBI "Technical Support Center", which would provide assistance to federal, state, and local law enforcement officials. The bill also reinforces the confidentiality of law enforcement intelligence techniques used to gather information about suspected criminals. "The Department of Justice has developed this legislation with the assistance of agencies in government," said Attorney General Janet Reno. "Law enforcement has tools at its disposal to fight crime, but those tools are rendered useless when encryption gets involved". Reno said that CESA "balances the needs of privacy and public safety".
Perhaps most the most noteworthy provision of the bill is the resurrection of key escrow, a solution long considered insufficient, insecure and obsolete by experts. Key escrow is a technology that entails entrusting one's private keys with a trusted third party, so that theoretically, a law enforcement official would be able to present that third party with a warrant in order to gain access to the plaintext of the encrypted data. Although the bill does not require domestic users to utilize an escrowed cryptosystem, the bill provides a legal framework to protect users from disclosure of their decryption keys by their trusted third party without a court order. The bill also proposes to implement strict guidelines outlining the circumstances under which a law enforcement agent may be granted access to a decryption key held by the third party.
This mention of key escrow worries privacy activists, who have heard the use of such language by the administration before. "This raises the specter of collusion between law enforcement and industry to build back door access into encryption products," says David Sobel, General Counsel for the Electronic Privacy Information Center. According to EPIC's statement, the bill will eventually "provide a legal framework for access to decryption keys," a prospect which worries many activists and internet users alike.
Sobel would rather see the Security and Freedom through Encryption Act determine the U.S. Government's encryption policy. Authored by congressman Bob Goodlatte, SAFE would essentially force the government to reverse its stance on the encryption issue. Unfortunately, passage of the SAFE Act now seems unlikely, in light of Deputy Secretary of Defense John Hamre's remark during the briefing that if the SAFE Act passes the House and Senate, "the Department of Defense will ask the President to veto it".
Also announced at the press conference were revisions to the Department of Commerce's encryption export policy. According to a report released at the briefing, the export requirements will be revised to allow software exports of products of any key length, after the product is first submitted for review by the Commerce Department, and as long as the manufacturer of the product meets strict guidelines for post-export reporting of any user or distributor who obtains the software directly from the licensee. Secretary of Commerce William Daley announced that that the Bureau of Export Administration would streamline the revision and reporting process, but was unclear about specific changes to the current procedure.
Two prominent industry groups are very enthusiastic about this proposal. "Today's decision articulates a policy that is good for America, good for our nation's high-tech industry, and good for the tens of millions of Americans who use computers and want them to be secure" says a press release from Americans for Computer Privacy, a group that has lobbied for legislative reform and is funded primarily by technology companies. In a statement published by the Computer Systems Policy Project, Sun Microsystems President and CEO Scott McNealy (who made headlines on Slashdot for his remarks telling reporters that the privacy issue was a "red herring" and that "you have zero privacy anyway...get over it") said "we applaud the Administration's recognition that the universal use of strong encryption will promote the benefits of a networked world while protecting Americans' privacy, safety and security,". CSPP is comprised of eleven CEOs from major Information Technology companies, such as IBM, Dell, and Intel.
James Steinberg, Deputy Assistant for National Security Affairs, opened the briefing by praising both groups for thier assistance in authoring the proposal, so it's no surprise that they're eager to ingratiate themselves to the Clinton Administration, while at the same time self-importantly emphasizing their effectiveness by declaring a victory. EPIC's David Sobel says "it appears that the FBI and large computer companies have reached an agreement on encryption, but that is not necessarily in the interest of the average computer user." Any compromise reached by these two groups could result in "less security than advertised, with hidden vulnerabilities the government can exploit".
Secretary Daley was repeatedly asked during the briefing what purpose the one-time review served, and under what circumstances an export license exception would be granted or denied; no clear answer was given. The U.S. Government may wish to allow exports only of flawed or escrowed encryption products using encryption above a certain key length, but has given up on explicitly pursuing that as a goal. Large software companies, the kind represented by ACP and CSPP, have lost a lot of business because of the export restrictions, and with each year that passes they may become less likely to object to making a few changes to their crypto modules in order to finally gain access to the foreign market.
In some ways, this proposal is good for the companies who have existed for so long without the ability to export their stronger security products at all until now, but for the rest of us, the proposal is neutral at best and abysmal at worst. As larger, wealthier proponents of crypto liberalization get what they want and contentedly back out of the debate on this issue (as American banks did when they were granted license exception to export security software to their overseas offices), further positive alterations to export policy start to seem less and less likely to happen. This is bad for American cryptographers who wish to discuss their work with their colleagues on the Internet. It's even worse for users, who may end up using insecure products without knowing it.
It's unclear what will happen at this point. The current congressional climate suggests that CESA will not pass without a significant push from the Clinton Administration. Even if the bill is defeated, however, Internet users around the world should continue to be cautious about purchasing commercial encryption products that originate inside the U.S.; you never know what may be lurking within.
-
Encryption Exports: Small Step Forward, Big Step Back
Kathleen Ellis, editor of the Privacy News Portal, attended yesterday's press briefing about a proposed loosening of export restrictions, and wrote the following feature article about the current situation. Click below for more.
Actually, let me hit you with a few links before you get started:
- EPIC's page on the proposed Cyberspace Electronic Security Act
- Proposed text of the bill
- White House analysis of the bill - really an executive summary
- Wired coverage, by Declan McCullagh
- Update: Press statements, including briefing transcript
Encryption Exports: Small Step Forward, Big Step Back
by Kathleen Ellis
September 17, 1999
Prominent U.S. Government representatives yesterday announced at a White House press briefing that the President was proposing legislation on encryption policy, and that the Department of Commerce was revising its export restrictions on some encryption products. Last year, Vice President Al Gore vowed to further loosen restrictions and propose a solution to the encryption issue, which has been the subject of contentious debate for the past decade.
The legislation, known as the Cyberspace Electronic Security Act of 1999 (CESA), has been transmitted to Congress by President Clinton. The bill purports to strike a "compromise" between the needs of law enforcement for access to data and the needs of Internet users to secure their e-mail, web transactions, and stored data from hackers or thieves. According to the text of the bill, "society's increasing reliance on information systems in this new environment exposes U.S. citizens, institutions, and their information to unprecedented risks." Despite this acknowledgement, the bill clearly gives consideration to the needs of law enforcement and intelligence agencies first; "The failure to provide law enforcement with the necessary ability to obtain the plaintext version of the evidence makes existing authorities useless."
One of the major provisions of CESA is to allocate $80 million for an FBI "Technical Support Center", which would provide assistance to federal, state, and local law enforcement officials. The bill also reinforces the confidentiality of law enforcement intelligence techniques used to gather information about suspected criminals. "The Department of Justice has developed this legislation with the assistance of agencies in government," said Attorney General Janet Reno. "Law enforcement has tools at its disposal to fight crime, but those tools are rendered useless when encryption gets involved". Reno said that CESA "balances the needs of privacy and public safety".
Perhaps the most noteworthy provision of the bill is the resurrection of key escrow, a solution long considered insufficient, insecure and obsolete by experts. Key escrow is a technology that entails entrusting one's private keys with a trusted third party, so that theoretically, a law enforcement official would be able to present that third party with a warrant in order to gain access to the plaintext of the encrypted data. Although the bill does not require domestic users to utilize an escrowed cryptosystem, the bill provides a legal framework to protect users from disclosure of their decryption keys by their trusted third party without a court order. The bill also proposes to implement strict guidelines outlining the circumstances under which a law enforcement agent may be granted access to a decryption key held by the third party.
This mention of key escrow worries privacy activists, who have heard the use of such language by the administration before. "This raises the specter of collusion between law enforcement and industry to build back door access into encryption products," says David Sobel, General Counsel for the Electronic Privacy Information Center. According to EPIC's statement, the bill will eventually "provide a legal framework for access to decryption keys," a prospect which worries many activists and internet users alike.
Sobel would rather see the Security and Freedom through Encryption Act determine the U.S. Government's encryption policy. Authored by congressman Bob Goodlatte, SAFE would essentially force the government to reverse its stance on the encryption issue. Unfortunately, passage of the SAFE Act now seems unlikely, in light of Deputy Secretary of Defense John Hamre's remark during the briefing that if the SAFE Act passes the House and Senate, "the Department of Defense will ask the President to veto it".
Also announced at the press conference were revisions to the Department of Commerce's encryption export policy. According to a report released at the briefing, the export requirements will be revised to allow software exports of products of any key length, after the product is first submitted for review by the Commerce Department, and as long as the manufacturer of the product meets strict guidelines for post-export reporting of any user or distributor who obtains the software directly from the licensee. Secretary of Commerce William Daley announced that the Bureau of Export Administration would streamline the revision and reporting process, but was unclear about specific changes to the current procedure.
Two prominent industry groups are very enthusiastic about this proposal. "Today's decision articulates a policy that is good for America, good for our nation's high-tech industry, and good for the tens of millions of Americans who use computers and want them to be secure," says a press release from Americans for Computer Privacy, a group that has lobbied for legislative reform and is funded primarily by technology companies. In a statement published by the Computer Systems Policy Project, Sun Microsystems President and CEO Scott McNealy (who made headlines on Slashdot for his remarks telling reporters that the privacy issue was a "red herring" and that "you have zero privacy anyway...get over it") said "we applaud the Administration's recognition that the universal use of strong encryption will promote the benefits of a networked world while protecting Americans' privacy, safety and security." CSPP is comprised of eleven CEOs from major Information Technology companies, such as IBM, Dell, and Intel.
James Steinberg, Deputy Assistant for National Security Affairs, opened the briefing by praising both groups for their assistance in authoring the proposal, so it's no surprise that they're eager to ingratiate themselves to the Clinton Administration, while at the same time self-importantly emphasizing their effectiveness by declaring a victory. EPIC's David Sobel says "it appears that the FBI and large computer companies have reached an agreement on encryption, but that is not necessarily in the interest of the average computer user." Any compromise reached by these two groups could result in "less security than advertised, with hidden vulnerabilities the government can exploit".
Secretary Daley was repeatedly asked during the briefing what purpose the one-time review served, and under what circumstances an export license exception would be granted or denied; no clear answer was given. The U.S. Government may wish to allow exports only of flawed or escrowed encryption products using encryption above a certain key length, but has given up on explicitly pursuing that as a goal. Large software companies, the kind represented by ACP and CSPP, have lost a lot of business because of the export restrictions, and with each year that passes they may become less likely to object to making a few changes to their crypto modules in order to finally gain access to the foreign market.
In some ways, this proposal is good for the companies who have existed for so long without the ability to export their stronger security products at all until now, but for the rest of us, the proposal is neutral at best and abysmal at worst. As larger, wealthier proponents of crypto liberalization get what they want and contentedly back out of the debate on this issue (as American banks did when they were granted license exception to export security software to their overseas offices), further positive alterations to export policy start to seem less and less likely to happen. This is bad for American cryptographers who wish to discuss their work with their colleagues on the Internet. It's even worse for users, who may end up using insecure products without knowing it.
It's unclear what will happen at this point. The current congressional climate suggests that CESA will not pass without a significant push from the Clinton Administration. Even if the bill is defeated, however, Internet users around the world should continue to be cautious about purchasing commercial encryption products that originate inside the U.S.; you never know what may be lurking within.
-
CALEA update
Bobalu writes "Below is a link to a NY Times article saying Nortel has supplied the software needed so: ``Carriers can now begin taking steps to correct technological impediments within their networks that currently prevent law enforcement from being able to carry out court-ordered electronic surveillance directed at suspected criminals and terrorists,'' Attorney General Janet Reno said in a statement. Joy." Click below to get some background, and the link to the story.
The article is actually an AP article, and this is a temporary URL but will probably remain available throughout today. If it's not available, just search your favorite news site which carries an AP feed.
Background: In 1994, the FBI, complaining about pedophiles and terrorists on the internet, got Congress to pass a law requiring all telecommunications providers to make their networks easily tappable. One example of the necessity for such which is still trotted out by the FBI is solving kidnappings - "What if your child was kidnapped?". However, try as I might, I can't think of any situation in which a wiretap (which has to be placed on a known entity) would help locate a missing child. If you know who's got the kid...go get him.
The primary stated reason for the law was that the telcoms were upgrading to digital from analog, and therefore the men in black couldn't just hook up an alligator clip to the wires anymore... the law was explicitly stated to NOT expand law-enforcement access to communications but simply make sure that they could access digital phone lines. The telecommunications companies fought the law until Congress added $500,000,000 in government subsidies for them, when they promptly shut up.
Unfortunately (but expectedly), the FBI has interpreted the law as granting them free rein to tap anything at any time. The FCC is granted the power to implement CALEA - and the current FCC commissioners would make Big Brother proud. So the FBI has sought and received, as of August 30, substantial additional tapping powers - they will now receive the current location of cell-phone users during the tap, the ability to listen in on conference calls even if the tapped party has left the conversation, and a couple of other minor enhancements which slowly yet steadily erode your privacy.
More important, the FBI has also sought the ability to tap packet-switched communications - by which I mean, of course, the big bad Internet. This authority, never enacted in law, has nevertheless been granted by the FCC, to be implemented by the telcoms no later than September 2001.
Recently there have been stories about companies in Russia having to provide the ability for police to tap internet communications. U.S. folks laughed at those poor bastards, living in a surveillance state. The only difference between Russia and the U.S. is: the Russians are more upfront about their surveillance.
See EPIC's wiretap page for more. -- michael
-
Munich, The Censors' Convention
As promised last Friday, here's more on the Munich conference. Pay attention or wait to be forced to label your internet content. It's your choice.
A number of articles have appeared in the online press about Munich. Half of them are just rehashes of press releases - nothing very useful there. Some of them are fairly in-depth (we think CNET and the NY Times had the best coverage), but none of them really give you the big picture. We're going to try to. Let us know how we do.
The first thing that the press is missing is that there are (well, were) two meetings in Munich, not one. The first is the one you heard about: a meeting called by the Bertelsmann Foundation, part of the huge Bertelsmann publishing empire, which sponsored the Internet Content Summit. They're getting together to have a little feel-good session about "self-regulation" of internet content. By self-regulation they don't mean that end-users regulate their own behavior; they mean that ISPs regulate users instead of government doing so directly. Users will still be regulated, of course. And the regulation will be driven by what the national government wants. It's just that government will lay their heavy hands upon the ISPs, and the ISPs will act as the enforcers rather than law enforcement. Think of it as a distributed system - government assumes the role of a second-line rather than first-line manager. At a previous internet content summit, this type of regulation was described as "soft law" versus "hard law", and we think that's a good way to think about it. They are not talking about voluntary, individual actions of corporations - they are talking about imposing laws and restraints on the citizenry through another means. Self-regulation = soft law, but law nonetheless.
The first meeting is interesting for a number of reasons, but not terribly ominous - the people meeting were not previously working together, and all that will come out of it is thoughts and ideas. The second meeting is rather more dangerous.
The second meeting, scheduled in conjunction with the first, was of the principals of INCORE, Internet Content Rating for Europe. This group consists of a number of European corporations and protect-the-children groups and their sole goal is to establish a single rating system for use across Europe (they're also coordinating with Australia). Of course, the members of this group overlap significantly with the first - for example, Jens Waltermann, director of the Bertelsmann Foundation and sponsor of the first meeting, is also one of the prime movers in INCORE - which ought to tell you why the Bertelsmann conference is so slanted towards ratings systems as the sole means of protecting the children.
But why is this going forward? As at least one slashdot poster pointed out in the discussions of last week's article, rating systems have been discussed before, and haven't come to anything yet.
What happened is the government (the European Commission, in this case) decided to get serious. They buckled down, and at the end of 1998, allocated funds to be spent on the development of a global rating system. About $11 million is allocated to be spent on developing this system, so the corporate participants can be reasonably assured of being reimbursed for all their plane fares and hotel costs. (Question: if it's so voluntary, how come the government is paying people to develop it?)
The European Commission's plan runs from January 1999 to December 2002, four years. 1999 is scheduled for development and meetings. 2000 is scheduled for rollout and beta testing. 2001 and 2002 are allocated for the encouragement process and tweaking - making sure everyone is toeing the line. There's plenty of time allocated because it's important to make sure that the resulting rating system aligns with national laws - for instance, since Germany outlaws hate speech, one of the rating categories will involve hate speech, and Germany will outlaw the transmission of any content rated in this category into the country. Laws can be "hung" off the rating categories, if they're set up properly.
The rating system will be based off the American Recreational Software Advisory Council's system, that they originally developed for video games and then, when threatened by Congress with the CDA, transformed for internet content. (The funny thing is, for the first year that RSACi was being promoted for use on webpages, it still had all the original references to video games. Pretty sad.) RSAC was recently folded into the Internet Content Rating Association, basically so they can revamp the RSACi system and submit it to the European Commission for approval and funding. Who is the chairman of ICRA's board of directors? Jens Waltermann again. Are you beginning to see a pattern?
Civil liberties groups world-wide have finally recognized the threat that government-mandated rating systems pose to the internet. The ACLU was the first major group to speak out against them, in their 1997 paper Fahrenheit 451.2: Is Cyberspace Burning?. But for this Munich conference, the chorus was loud and close to unanimous - the Global Internet Liberty Coalition condemned it, the ACLU condemned it, Electronic Frontiers Australia condemned it, Internet Freedom (UK civil liberties group) condemned it.
Several civil liberties groups managed to wrangle themselves invitations to the conference. The Electronic Privacy Information Center is attending and distributing a book free of charge to all participants (besides the attack on free speech, EPIC is irritated because the European Commission has also recommended that online anonymity be strictly prohibited for all European Union residents - after all, if they're anonymous, it's harder to make them obey the law). Nadine Strossen of the ACLU published the statement she's making to the Conference, harshly opposing the labeling requirements; even Esther Dyson, a tremendous supporter of rating systems, expressed her unease at the slant of the conference.
Strossen's comments above neatly summarize the civil liberties community's objections to so-called self-rating systems, and we urge all readers to take a look at that link above. She makes several points:
- Self-Rating Schemes Will Cause Controversial Speech To Be Censored
- Self-Rating Is Burdensome, Unwieldy, and Costly
- Conversation Can't Be Rated
- Self-Ratings Will Only Encourage, Not Prevent, Government Regulation
- Self-Ratings Schemes Will Turn the Internet into a Homogenized Medium Dominated by Commercial Speakers
Strossen is far more eloquent than we are, and she makes the points extremely well. Take a look, it's worth your time.
But back to the conference. The main document to come out of the conference is their Memorandum on Self-Regulation (538K), released yesterday. A number of "internet experts" contributed to the report - mostly these same people we've been seeing, representatives of the companies that want the Net to be kid-friendly (increase profits!) and protect-the-children groups from throughout Europe, and representatives from various governmental agencies. They lay out their censorship proposal in some detail. The basics are laid out in a single phrase: "Content providers worldwide must be mobilized to label their content...".
Prepare to get mobilized.
"It is in the best interest of industry," they say, to take the steps necessary to "enhance consumer confidence" and meet "business objectives." The suits invited must all have nodded their heads to this one: if only they could get the obnoxious people off the net, then all the soccer moms and grandpas would feel safe enough to fire up a browser and finally type in their credit card numbers.
So, problem: naughty stuff on the net. Answer? Open source! <spit>
On p. 59 of the 60-page memo is a neat diagram that looks almost like an API to a multi-layer code library. Except in this case, the bottom slice is the underlying technology of censorship (PICS), and the top slice is the user's experience of censorship (at the browser).
Sitting on top of PICS is Layer 1, in which the content creators - that's you, me, and everyone else who makes anything public on the internet - label our data with a "basic vocabulary" of keywords. If we write porn, we call it porn. Simple enough so far?
Next comes Layer 2, which is where the fun stuff starts to happen. Here, third parties can invent "template profiles." These combine the keywords in interesting ways. The idea is that in one country, the ratings systems will typically rate porn as bad but violence as OK; in another, perhaps the opposite; someone else will invent a profile for use in schools that blocks everything noneducational; a profile for your company's router might block all sports but let profanity through; a national profile for Australia might block all sex but let stupid political grandstanding through; and so on.
These template profiles should be, according to Bertelsmann, "open source."
How are they going to do this? They can't rely on a NetNanny or SurfWatch to rate the net: censorware has been a dismal failure in practice, the software just doesn't work because there's too much of the net and too few censorware employees to evaluate it all.
What they need instead is for you, the author, to do their work for them. Remember that "basic vocabulary" of keywords? It turns out you're not just going to pick porn vs. non-porn. Oh no. After all, you have to provide enough information for the profiles to work with.
That means you're going to be rating everything you publish according to:
"e.g.: gratuitous violence,
frontal nudity,
explicit sexual acts,
crude language,
vulgar language,
sports,
extreme hate speech,
arts,
aggressive violence,
death to humans,
medicine,
non-explicit sexual acts,
strong language,
history, ..."
E.g.? E.g.!? There's more?
Well, there has to be more. In fact, Bertelsmann has only scratched the surface. In order for there to be enough "template profiles" to be worth mentioning, the variety of keywords has to be extreme.
Be ready to run down a checklist for everything you write and decide whether it contains gratuitous or non-gratuitous violence, explicit or non-explicit sex acts. Please rate from 1 to 10 how much art and history was in that last post of yours. Don't think you'll have a choice about doing it - your ISP will be enforcing it upon you, as a condition of service.
And the "template profiles" that are provided for the end user? These profiles are just simple sets that group the predefined keywords together. If I'm the CEO of NetSitterPatrol, I group keywords 1, 3, 5, and 12 together and call it "NetSitterPatrol Profile."
And if I'm a national government that's cracking down on porn, violence, hate speech, or vulgar language (your government wouldn't do anything like that, would it?), I'll just add the keywords for indecency, abortion information, hate speech, racism, or whatever else I want to censor, and give the list to the backbone providers in my country to filter out and protect the delicate citizens. Hey look, I'm an open source programmer!
by Michael Sims and Jamie McCarthy
-
Smile for the US Secret Service
Judg3 writes "Apparently the United States federal government began a plan in 1997 to start a national photographic database, digitizing driver's license photos among other things. More details are available online." It's being test piloted in 3 states currently, while kudos goes to Electronic Privacy Information Center for uncovering the information about this program. As would be expected the bogeymen are "illegal immigrants and terrorists".
-
Intel PSN Boycott Planned
James Morris writes "Junkbusters in association with EPIC are planning a boycott in response to the proposed Intel Processor Serial Number (PSN). Junkbusters' assessment of the PSN scheme and a FAQ about the Boycott may be found here."