Domain: privacy.org
Stories and comments across the archive that link to privacy.org.
Stories · 11
-
Opt-In Junk Fax Law Survives Court Challenge
An anonymous reader writes "From Privacy.org: The U.S. Court of Appeals for the 8th Circuit has upheld (PDF) the Telephone Consumer Protection Act (TCPA) of 1991 against a First Amendment challenge. In the case, Missouri v. American Blast Fax, junk fax company Fax.com and Wal-Mart argued that the law violated the First Amendment because it imposes fines upon companies that send fax advertisements without the consent of the recipient. The case is the latest court victory for opt-in privacy laws." I hope the same logic is applied to spam. -
Stupid Security
Buck Mulligan writes "The folks at Privacy International are holding a stupid security contest to discover the "world's most pointless, intrusive, annoying and self-serving security measures." Nominations can be submitted by email: stupidsecurity@privacy.org. My vote goes to the Ronald Reagan 'Free Trade' Center in Washington, where you have to show your driver's license to visit the food court. (Having a driver's license proves that you aren't dangerous!)" -
Registered Traveler ID Initiative
Broadcatch writes "At the coming CardTech/SecurTech in Washington D.C. the Transportation Security Administration will make their first public announcement of the Registered Traveler ID Initiative. Seems they haven't gotten the word that ID cards are a bad idea." -
Telemarketers Held Accountable ... In Theory
str83dge writes "The House of Representatives just passed H.R. 90 which amends the Telecommunications Act to prohibit telemarketers from circumventing caller ID. People can file suit against the telemarketers for minimum damages of $500. Privacy.org has a story here. Question: if they circumvent caller ID, won't it be difficult for the average person to determine who actually is calling them? Let's just hope they take this a step further and apply it to spammers. :)" -
Ellison Wants National ID Card, Powered By Oracle
cplater writes: "This article discusses Larry Ellison's call for a U.S. national ID card, and his offer to provide the software for such an initiative." There's an advertising slogan to be proud of: 'Oracle, the Big Database behind Big Brother'. Or 'Oracle, the All-Seeing Eye'. Or 'If it's good enough for Orwell, it's good enough for your company'. Update: 09/23 23:22 GMT by M : Richard Jones writes "The British Home Secretary is considering compulsory identity cards, despite the fact that such cards would not have made any difference in the recent terrorist attacks on New York and Washington. The British have generally opposed their reintroduction since the wartime system of identity cards was abolished in 1952." -
Preserve Your Rights Online - Act Now
Imagine Slashdot closing its Your Rights Online section because you no longer have any rights online, and find many of your other rights severely curtailed, too. Saturday a small group of people, including U.S. Representative Lynn Rivers, from Michigan's 13th Congressional District, met in the University of Maryland Baltimore County [UMBC] library to discuss ways to maintain Americans' civil liberties despite major pressure to curtail them in the name of "fighting terrorism." The government does listen, you know, if you speak to the right people in the right way. So here's a guide, a HOWTO, if you will, that will teach you how to lobby effectively for your Constitutional rights.
Let's start with one simple and rather sad truth: You are going to be less free next week than you were last week.
We are already seeing what several newspapers have called "the biggest criminal investigation in history." Sure, a lot of this investigation's energy is being focused on Islamic countries, but it is also going on in Europe and, more than anywhere else, the United States itself. Landlords who have rented to young men with Arab-sounding names are being interrogated. Topless-bar patrons are being asked about conversations they allegedly heard, boasting about upcoming mass destruction.
And then there's email and the World Wide Web. Imagine a technically unhip Senator or Member of Congress who has read about Osama bin Laden allegedly using encrypted email and secret messages hidden in online porn to communicate with his followers and allies. Put the words "Osama bin Laden" in the same sentence as "pornography" and "the Internet," and you had better get out of the way of the avalanche of anti-online privacy laws coming your way -- or get crushed by them, even if people like bin Laden can switch to other means of communication at the drop of a hat.
Worse, disagreeing with the U.S. government right now may almost be viewed as treason in some quarters. "My Country, Right or Wrong" was a popular bumper sticker among the gunrack-and-confederate-flag pickup truck crowd in the late 60s, and this attitude, if not yet the bumper sticker itself, has been making a major comeback.
But Dissent We Must
The problem with the "My Country, Right or Wrong" attitude is that it allows our government to go terribly wrong in many ways that may not be made right again for a long time, if ever. As Rep. Rivers pointed out Saturday, once laws are made that are supposed to help law enforcement in some way, they are almost never repealed because Members of Congress don't want to be seen as "soft on terrorism, soft on crime, soft on drugs."
Carry this a little farther. What about treason charges? At what point does it become illegal to speak out against a planned US government action that, on its face, is being taken to fight against the Terrorist Enemy, whoever he or she may be, even though that action may have very bad, long-term consequences for ordinary American citizens who want nothing more than to live their own lives quietly without being afraid of their own government?
Rep. Rivers said half the people in her district's gut reaction to the idea of legislation allowing government to read their email without getting a warrant first was along the lines of, "So what? I don't break any laws, so I have nothing to hide."
Long-time EPIC activist Kathleen Ellis told Rep. Rivers she believed questions about privacy should not be asked in the context of email. "Ask people if they should have the right to keep a secret and almost all of them will answer 'Of course,'" she said. Ellis also mentioned that cryptography is the email equivalent of an envelope on a letter sent by postal mail. "Unencrypted email is like a postcard," she said, "open for anyone to read. Ask people if they want all mail to be as open as a postcard and they're going to say no."
From that point on, the meeting focused on tactics. The question in the room wasn't, "Are privacy and freedom of speech good?" but "What can we do to protect our privacy and freedom of speech?"
Background on the Meeting Itself
The forum in which all this discussion took place was decidedly unofficial. It was an informal meeting thrown together hastily by local Linux user and ham radio aficionado Rob Carlson. Carlson sent a meeting notice to several email lists and posted it at cluebot.com. 13 people showed up at Saturday's gathering, most of whom were Baltimore and Washington D.C. area privacy advocates and/or Linux users. I was there myself for that reason. Wired News reporter Declan McCullagh is another "local" who hangs in the same circles, which explained his presence.
Rep. Rivers was there because her husband, William Simpson, is a computer consultant involved with the Internet Engineering Task Force [IETF] who spotted Carlson's notice on one of the cryptography-oriented email lists he's on. He had driven Rivers' chief of staff, who needed to get back to Washington but was marooned in Michigan by the airlines shutdown, to D.C., and was taking his Congresswoman wife back to her district for a little rest and some scheduled meetings (Congress had adjourned until Friday, Sept. 21), and they noticed that UMBC was on their way. So there they were, not dressed in "mover and shaker" clothing but looking like anyone else taking a 1000+ mile car trip.
One doesn't usually think of a Member of Congress fitting in with a group of downdressed geeks, but this one sure did. We only knew what she did for a living because Carlson asked everyone in the little circle to identify themselves by name and job, and when it was her turn Rep. Rivers gave her name as "Lynn," then added "Rivers," and softly, sort of as an aside, mentioned that she was "in Congress." Her husband had already mentioned that they were "from Michigan," which was curious enough in itself for a meeting with a decidedly local orientation. But Linux folks are friendly, and Rep. Rivers was as welcome as anyone else even though she was from out of town -- and freely admitted she used Mac OS, not Linux, both at home and in her office.
When he organized the meeting, Carlson said, "I didn't know whether no one or 100 people would show up." 13 did. And revolutions have started with as few as 13 people, so why shouldn't a strong pro-Constitution lobbying movement? The next step is to get 13 more, and another 13, and so on. This means calling and emailing friends until there are 13X13X13X13.... people talking to their elected representatives about privacy issues in terms they can understand, that will help them change their minds.
How You Can Lobby Against Anti-Privacy Laws
Start with this line Rep. Rivers laid on us, which is not new but needs to be said over and over: "Democracy is not a spectator sport."
Those Americans who don't vote, no matter how they excuse this failure, have no right to criticize their government. And those who don't bother to tell their elected representatives what they want and don't want their government to do should not act shocked when the government passes laws they don't like. It gets sickening, going to hearing after hearing about proposed laws like UCITA, DMCA, and SSSCA and always seeing a whole bunch of industry lobbyists wearing expensive suits, but hardly ever anyone who could be classified as an "ordinary citizen."
You need to make some noise instead of letting "them" talk while you sit around and let "them" get their way. Pump up the volume. Take some of the time you spend posting on Slashdot and register to vote. Write email and snail mail letters, send faxes, and make phone calls to Congresspeople and Senators and other representatives, and tell other people (13X13X13X13.... voices, remember) to do the same. This, not just complaining, is what this whole representative government thing is all about.
Rep. Rivers says phone calls "...have a sense of personal contact to them," and this makes them the most effective grassroots lobbying tool. "Stick to one issue," she advises. "Don't come up with a laundry list."
Also send email and write letters, even though they probably won't have as much impact as calls. And don't forget the fax machine; reps who are too technically unhip to read email read faxes. The ACLU and NRA have both famously used fax as a means of rapid communication with legislators for many years.
Now comes the matter of what to say. A letter, call or email that starts with something like, "I has nevir voted for you I am not registered to vote but you got to lisen to me," will go nowhere, says Rivers, pointing out that many pro-Napster messages she got were along those lines -- and got ignored. Better, she says, is something that tells your representative you are a computer professional (or manager or student or business owner or whatever) whose business, occupation or future will be hurt by whatever legislation you are working against. In this case (this week), privacy and online crypto are under attack. Next week, who knows?
So you're not a business owner? Know any? Know anyone who depends on privacy to transact their business? How about your doctor? Doesn't he or she want to keep patient records confidential? Ditto any lawyer you know. If a lawyer is serious about maintaining client trust, he or she certainly doesn't want the government snooping on email through Carnivore or a similar system with a less aggressive name. Other businesses have client information they want to keep private, along with trade secrets and other information they would rather not share with competitors. These are all points to bring up rationally, in an orderly debate format, when communicating with an elected rep, and they are ones you should ask others to bring up, too.
Stay calm, in other words. Assume your representative is sane and really wants to do what's right and what most people want, based on the input he or she gets. Your trick is to become part of that input, and right now the input you need to give must be strong and focused because Congress is caught up in post-attack hysteria and, like the rest of us, is saying, "We need to do something to help those poor victims and their families and make sure nothing this awful ever happens again."
The only problem here is that what Congress does is make laws, not post on Slashdot, and a law made in the same emotional heat as a flame post on Slashdot can't be moderated down to -1 after it is passed. Once that law is on the books, if you break it you can be arrested, tried, and fined or sent to jail. You've heard the saying, "If [guns/crypto/brains] are outlawed, only outlaws will have [guns/crypto/brains]." It's true, you know.
Right now, legitimate Americans are in danger of having many of their Constitutional freedoms revoked by a government that is doing its best, possibly in a misguided way, to protect its citizens. This is not about Disney's copyrights or the freedom to play DVDs on computers running Linux. The current debate is about much more basic issues than those, issues I will not repeat here because they have been written about so extensively elsewhere.
An Aside: How Congress Works
Rep. Rivers said it this way: "The House [of Representatives] is ruled by brute force."
Since she was talking to geeks who follow such things, she used the DMCA as an example. She told us that the "unanimous" vote that got DMCA through the House was not really unanimous at all; that the bill got through a committee dominated by a powerful chairman (which is how bills generally get to the floor for a vote) and that the Speaker called for a voice vote. "Most yelled 'Aye,'" Rivers said, "and some yelled 'Nay.'"
The voices yelling "Aye" were the loudest, so DMCA passed by acclamation. Brute Force. People yelling at the top of their lungs. If 50 loud voices had yelled "Nay" instead of "Aye," perhaps we wouldn't have the DMCA as law today, and the EFF wouldn't be begging for money to get it overturned in the courts.
Now think about a Member of Congress who is hearing, right now, from all the "Kill-the-Arab-bastards-and-stamp-out-Internet-porn" crowd loudly and repeatedly by phone, fax, mail and email, but isn't hearing from you. Who is shouting the loudest? Which wheel is so squeaky that it is going to get the grease? So far, it's not the voices of reason and Constitutionality. They are getting drowned out. Heck, they are hardly there at all. At least Rep. Rivers isn't hearing them, and if she isn't hearing them -- with her ear attuned to Internet privacy matters and a totally Net-hip husband at her side -- you can bet the rest of Congress don't even know those voices (yours) exist.
Don't Delay! Do It Today!
Congress reconvenes Friday, September 21. The anti-privacy bills and anti-privacy amendments to various anti-terrorist bills are being written now, not someday. This means you must act immediately. If you put off those calls and emails to friends asking them to help support their right to communicate with each other in private, and to live without fear of police breaking down their doors or seizing their computer hard drives without warrants for even a few days, it is going to be too late. We are in the grip of national hysteria. A $40 billion appropriations bill to support the war on terrorism was passed a few days ago, with bipartisan support, almost without debate.
I'm going to admit that I am as ready to kick terrorist butt as anyone else, so I can't really blame Congress for being so gung-ho that it will pass all kinds of measures that will make America a less free country for decades to come in response to the current emergency. All I'm really asking Congress to do -- and asking you to join me in asking Congress to do, and to convince 13X13X13.... others to ask your Representative and your Senator to do -- is remember that the freedoms that make this country great must not be forgotten in our rush to avenge our fallen fellow Americans and our attempts to keep ourselves safe from future terrorist attacks.
Specifically (concentrate on one issue, remember), as a Net user I am concerned about watching our online privacy and freedoms evaporate if the government makes strong cryptography illegal or tries to have it controlled by agencies like the NSA, CIA, and FBI, or starts reading all of our private email without due cause and legitimate judicial warrants.
The deadline is Friday. That's when the legislative fur will start to fly. So let's get to work now!
-
ACLU & EPIC Will Challenge CIPA
Sarcasmo writes: "Apparently, the ACLU and EPIC plan to file suit in order to challenge the legality of the Children's Online Protection Act." While the link in there leads to a privacy.org, here's a direct link to the article. Either one will tell you that the groups will "attempt to have the new law struck down on First Amendment and due-process grounds." Best of luck to them. -
Profiling A Nation
Publishing and Broadcasting Ltd, Australia's biggest media company and allied to Microsoft, has teamed with IT services company, Acxiom, to create that country's biggest private data repository, according to this story. It will hold the cross-matched details of Australia's 20 million people culled from government electoral rolls, Microsoft-related Web sites including Hotmail and Passport, credit card reports, casino records, bank statements and a variety of undisclosed other sources to provide marketing profiles of the country's entire population. The plan is then to sell these to marketers, insurers, banks and others. Naturally, consumer advocates and privacy groups are wary. A similar Government-sponsored scheme, the Australia Card, was universally rejected by citizens more than ten years ago. Australians are generally not protected by any privacy laws. What do you think: is it ok for private enterprise to hold such detailed information on our private lives, offering these to the highest bidder? Is privacy dead? -
Encryption Exports: Small Step Forward, Big Step Back
Kathleen Ellis, editor of the Privacy News Portal, attended yesterday's press briefing about a proposed loosening of export restrictions, and wrote the following feature article about the current situation. Click below for more.
Actually, let me hit you with a few links before you get started:
- EPIC's page on the proposed Cyberspace Electronic Security Act
- Proposed text of the bill
- White House analysis of the bill - really an executive summary
- Wired coverage, by Declan McCullagh
- Update: Press statements, including briefing transcript
Encryption Exports: Small Step Forward, Big Step Back
by Kathleen Ellis
September 17, 1999
Prominent U.S. Government representatives yesterday announced at a White House press briefing that the President was proposing legislation on encryption policy, and that the Department of Commerce was revising its export restrictions on some encryption products. Last year, Vice President Al Gore vowed to further loosen restrictions and propose a solution to the encryption issue, which has been the subject of contentious debate for the past decade.
The legislation, known as the Cyberspace Electronic Security Act of 1999 (CESA), has been transmitted to Congress by President Clinton. The bill purports to strike a "compromise" between the needs of law enforcement for access to data and the needs of Internet users to secure their e-mail, web transactions, and stored data from hackers or thieves. According to the text of the bill, "society's increasing reliance on information systems in this new environment exposes U.S. citizens, institutions, and their information to unprecedented risks." Despite this acknowledgement, the bill clearly gives consideration to the needs of law enforcement and intelligence agencies first; "The failure to provide law enforcement with the necessary ability to obtain the plaintext version of the evidence makes existing authorities useless."
One of the major provisions of CESA is to allocate $80 million dollars for an FBI "Technical Support Center", which would provide assistance to federal, state, and local law enforcement officials. The bill also reinforces the confidentiality of law enforcement intelligence techniques used to gather information about suspected criminals. "The Department of Justice has developed this legislation with the assistance of agencies in government," said Attorney General Janet Reno. "Law enforcement has tools at its disposal to fight crime, but those tools are rendered useless when encryption gets involved". Reno said that CESA "balances the needs of privacy and public safety".
Perhaps the most noteworthy provision of the bill is the resurrection of key escrow, a solution long considered insufficient, insecure and obsolete by experts. Key escrow is a technology that entails entrusting one's private keys with a trusted third party, so that theoretically, a law enforcement official would be able to present that third party with a warrant in order to gain access to the plaintext of the encrypted data. Although the bill does not require domestic users to utilize an escrowed cryptosystem, the bill provides a legal framework to protect users from disclosure of their decryption keys by their trusted third party without a court order. The bill also proposes to implement strict guidelines outlining the circumstances under which a law enforcement agent may be granted access to a decryption key held by the third party.
This mention of key escrow worries privacy activists, who have heard the use of such language by the administration before. "This raises the specter of collusion between law enforcement and industry to build back door access into encryption products," says David Sobel, General Counsel for the Electronic Privacy Information Center. According to EPIC's statement, the bill will eventually "provide a legal framework for access to decryption keys," a prospect which worries many activists and internet users alike.
Sobel would rather see the Security and Freedom through Encryption Act determine the U.S. Government's encryption policy. Authored by congressman Bob Goodlatte, SAFE would essentially force the government to reverse its stance on the encryption issue. Unfortunately, passage of the SAFE Act now seems unlikely, in light of Deputy Secretary of Defense John Hamre's remark during the briefing that if the SAFE Act passes the House and Senate, "the Department of Defense will ask the President to veto it".
Also announced at the press conference were revisions to the Department of Commerce's encryption export policy. According to a report released at the briefing, the export requirements will be revised to allow software exports of products of any key length, after the product is first submitted for review by the Commerce Department, and as long as the manufacturer of the product meets strict guidelines for post-export reporting of any user or distributor who obtains the software directly from the licensee. Secretary of Commerce William Daley announced that the Bureau of Export Administration would streamline the revision and reporting process, but was unclear about specific changes to the current procedure.
Two prominent industry groups are very enthusiastic about this proposal. "Today's decision articulates a policy that is good for America, good for our nation's high-tech industry, and good for the tens of millions of Americans who use computers and want them to be secure" says a press release from Americans for Computer Privacy, a group that has lobbied for legislative reform and is funded primarily by technology companies. In a statement published by the Computer Systems Policy Project, Sun Microsystems President and CEO Scott McNealy (who made headlines on Slashdot for his remarks telling reporters that the privacy issue was a "red herring" and that "you have zero privacy anyway...get over it") said "we applaud the Administration's recognition that the universal use of strong encryption will promote the benefits of a networked world while protecting Americans' privacy, safety and security,". CSPP is comprised of eleven CEOs from major Information Technology companies, such as IBM, Dell, and Intel.
James Steinberg, Deputy Assistant for National Security Affairs, opened the briefing by praising both groups for their assistance in authoring the proposal, so it's no surprise that they're eager to ingratiate themselves to the Clinton Administration, while at the same time self-importantly emphasizing their effectiveness by declaring a victory. EPIC's David Sobel says "it appears that the FBI and large computer companies have reached an agreement on encryption, but that is not necessarily in the interest of the average computer user." Any compromise reached by these two groups could result in "less security than advertised, with hidden vulnerabilities the government can exploit".
Secretary Daley was repeatedly asked during the briefing what purpose the one-time review served, and under what circumstances an export license exception would be granted or denied; no clear answer was given. The U.S. Government may wish to allow exports only of flawed or escrowed encryption products using encryption above a certain key length, but have given up on explicitly pursuing that as a goal. Large software companies, the kind represented by ACP and CSPP, have lost a lot of business because of the export restrictions, and with each year that passes they may become less likely to object to making a few changes to their crypto modules in order to finally gain access to the foreign market.
In some ways, this proposal is good for the companies who have existed for so long without the ability to export their stronger security products at all until now, but for the rest of us, the proposal is neutral at best and abysmal at worst. As larger, wealthier proponents of crypto liberalization get what they want and contentedly back out of the debate on this issue (as American banks did when they were granted license exception to export security software to their overseas offices), further positive alterations to export policy start to seem less and less likely to happen. This is bad for American cryptographers who wish to discuss their work with their colleagues on the Internet. It's even worse for users, who may end up using insecure products without knowing it.
It's unclear what will happen at this point. The current congressional climate suggests that CESA will not pass without a significant push from the Clinton Administration. Even if the bill is defeated, however, Internet users around the world should continue to be cautious about purchasing commercial encryption products that originate inside the U.S.; you never know what may be lurking within.
-
Feature: WH Panel Calls for Crypto Export Reform
Kathleen Ellis, editor of the Privacy News Portal, has written an excellent feature about how The President's Export Council Subcommittee on Encryption (PECSENC) has recommended dropping almost all export controls on strong crypto, and why it is unlikely that this group's recommendations will be acted on in any meaningful way. (More below)
White House Subcommittee Endorses Crypto Reform.
Will Someone Please Listen?
By Kathleen Ellis
Another shot was fired in one of the longest-lasting and most contentious battles regarding Internet policy last Wednesday, when a White House advisory subcommittee announced it has recommended that the Clinton Administration all but reverse its restrictive stance on the export of encryption products.
The President's Export Council Subcommittee on Encryption (PECSENC) was formed earlier this year by the White House to provide guidance in the U.S. Government's development of encryption policy, which has been the subject of heated debate. As many Slashdot readers already know, the government has insisted for years that liberalizing encryption export could cause serious problems for national security by giving terrorists and criminals access to the technology. Of course, net activists and industry folk assert that the right to privacy supersedes the wishes of any bureaucrat, and that terrorists and criminals can just as easily get their crypto from any other country that does not restrict cryptographic exports.
Critics of the Administration's policy had expected to gain little support through the subcommittee's recommendations. William Crowell, the subcommittee's chairman, is currently President and CEO of Cylink Corporation, an internet security firm, but previously served as Deputy Director for the National Security Agency. Several committee members also had ties to law enforcement or other government agencies; Stewart Baker, an attorney with the Washington-based Steptoe & Johnson, is former general counsel to the NSA and is a vocal opponent of loosening restrictions on encryption. Steve Walker is former president of Trusted Information Systems (now owned by Network Associates), a leading producer of key escrowed encryption products, which the FBI has lobbied to make mandatory even for domestic use.
Despite these ties, however, the subcommittee cited a need for the U.S. government to "recognize market realities" and reverse its course on encryption policy. Among its recommendations:
- License-Free Zones: Recognizing that the European Union is planning to drop all cryptographic export rules between member countries, the US should likewise identify a list of countries which do not pose any major terrorist threat, and allow encryption export (hardware and software products) without a license.
- On-Line Merchants: On-line merchants based in other countries will be added to the list of business types permitted to have encryption products exported to them from the US. Banks and a limited number of other financial institutions currently enjoy this license exception.
- Mass-market hardware and software: Mass-market products which utilize up to 128-bit key length triple DES will enjoy license exception. "The US government should recognize the difficulty of controlling mass-market products once they are allowed to be exported to even limited sectors".
The subcommittee also suggests eliminating cumbersome reporting requirements for manufacturers of encryption products, as well as removal of source code, cryptographic Application Programming Interfaces and devices such as encrypting routers from the list of restricted technologies.
So cypherpunks across the nation will soon be free to export their code at will? Subcommittee chairman William Crowell is hesitant to say yes. "The Administration will have its own ideas about which of these recommendations are implementable. Vice President Gore has said that the administration would consider additional liberalization over what they announced last year, so it was important to get these recommendations to the table while they were thinking about it". He expects that the administration will make further changes to its export policy based on the recommendations sometime in September.
There are other signs of change on the horizon regarding the government's attitude toward encryption. The successor to the current Data Encryption Standard algorithm, which will be used by the U.S. Government for a multitude of purposes, will be chosen by the National Institute of Standards and Technology within the next few months. Four out of the five Advanced Encryption Standard finalists were developed, at least in part, by cryptographers based overseas or holding foreign citizenships. The fact that such decisions could be made by NIST requires the acknowledgement, at least on some level, that good encryption can be produced in countries not affected by U.S. export law, and hence, can be made available around the world.
However, one prominent activist is still skeptical about the potential effect this announcement may actually have on U.S. policy. "This doesn't change policy, this is just yet another group that has come forward and said 'the U.S. policy is abysmal, it needs to be scrapped'" says David Banisar, Deputy Director of Privacy International, and co-author of "The Electronic Privacy Papers". "Many distinguished groups in the past have made similar recommendations...the Clinton Administration has thus far rejected any attempts to dramatically reform export control laws".
Banisar likened the potential influence of the PECSENC recommendations to those of a report published by the National Research Council in 1996. Much more conservative than the PECSENC subcommittee's suggestions, "Cryptography's Role In Securing the Information Society" was written by a committee comprised of government officials, representatives from the computing industry, and academics. The NRC committee's recommendation that 56-bit DES encryption took two years for the Bureau of Export Administration to implement, and many of the other valuable points in the report have never been implemented. The NRC report suggested that U.S. policy should take into account the "nonconfidentiality uses" encryption has to offer. U.S. policy still does not support the use of encryption for the purposes of authentication, which the committee identified as an "important crime-fighting measure". Indeed, one would think that the F.B.I. and the Department of Commerce would hasten to encourage the use of such technologies.
Banisar also expressed concerns about the provisions favoring online merchants. "The e-commerce exports have already been promised to online merchants...they will get what they want, which helps the Clinton Administration divide and conquer their opposition". Banisar stated that civil libertarians lost a powerful lobbying ally when banks were granted the same licensing exemptions now promised to entrepreneurs online. "When a wealthier group gets what they want, they stop fighting, and the everyday users get screwed."
It also seems that the recommendations do not go far enough to help the people who need encryption technology most. Barbara Simons is President of the Association for Computing Machinery and one of the members of the PECSENC committee. "It appears that the recommendations don't address the needs of people working for human rights in countries with repressive regimes," she says.
The human rights issue is a valid one within the debate on U.S. encryption policy. The American Association for the Advancement of Science's Cryptography, Scientific Freedom, and Human Rights program trains human rights workers to use encryption technology in countries like Guatemala and China, where oppressive governments have a way of making insurrectionists disappear. A letter from AAAS to the House of Representatives Committee on International Relations states that "human rights activists are killed, tortured, disappeared and jailed for trying to expose horrendous abuses...[they] use encryption to protect themselves, the victims and eyewitnesses they are interviewing, and human rights colleagues around the world when they communicate sensitive information on grave abuses of human rights".
It would be wise and compassionate for the Clinton Administration to authorize a new class of license exceptions for human rights workers travelling into countries that don't fall under the "favored nations" exemptions for encryption exports. If national security were really a concern in these cases, they could add strict guidelines describing who the software could legally be distributed to within those countries. Unfortunately, PECSENC seems to have overlooked this important issue.
Despite these shortcomings, there are some definite gains to be made by following PECSENC's recommendations. Net activists will be keeping their fingers crossed when the White House reviews them next month. Progress has been far too slow in coming, and if there's ever been a time for our government to start making some positive decisions, this certainly is it.