Date:       Tue, 06 Jul 93 16:37:26 EST
Errors-To:  Comp-privacy Error Handler <comp-privacy-request@PICA.ARMY.MIL>
From:       Computer Privacy Digest Moderator  <comp-privacy@PICA.ARMY.MIL>
To:         Comp-privacy@PICA.ARMY.MIL
Subject:    Computer Privacy Digest V3#001

Computer Privacy Digest Tue, 06 Jul 93              Volume 3 : Issue: 001

Today's Topics:				Moderator: Dennis G. Rears

                      CPSR Workplace Privacy Test
                  Legality of electronic records - NM
                       Digital Signature Scandal

   The Computer Privacy Digest is a forum for discussion on the
  effect of technology on privacy.  The digest is moderated and
  gatewayed into the USENET newsgroup comp.society.privacy
  (Moderated).  Submissions should be sent to
  comp-privacy@pica.army.mil and administrative requests to
  comp-privacy-request@pica.army.mil.
   Back issues are available via anonymous ftp on ftp.pica.army.mil
  [129.139.160.133].
----------------------------------------------------------------------

Organization: CPSR Civil Liberties and Computing Project
From: Dave Banisar <banisar@washofc.cpsr.org>
Date: Fri, 2 Jul 1993 16:00:05 EST    
Subject: CPSR Workplace Privacy Test 

  CPSR Workplace Privacy Testimony
  =====================================================

                 Prepared Testimony
                           and
                Statement for the Record
                            of
                     Marc Rotenberg, 
           Director, CPSR Washington office,
  Adjunct Professor, Georgetown University Law Center
                            on
                        H.R. 1900, 
       The Privacy for Consumers and Workers Act

                          Before
    The Subcommittee on Labor-Management Relations,
           Committee on Education and Labor,
             U.S. House of Representatives
                      June 30, 1993

	Mr. Chairman, members of the Subcommittee, thank you 
for the opportunity to testify today on H.R. 1900, the 
Privacy for Consumers and Workers Act.  My name is Marc 
Rotenberg and I am the director of the CPSR Washington 
office and an adjunct professor at Georgetown University 
Law Center where I teach a course on information privacy 
law.
	Speaking on behalf of CPSR, we strongly endorse the 
Privacy for Consumers and Workers Act.  The measure will 
establish important safeguards for workers and consumers 
in the United States.  We believe that H.R. 1900 is 
particularly important as our country becomes more 
dependent on computerized information systems and the 
risk of privacy abuse increases.
	CPSR has a special interest in workplace privacy.  
For almost a decade we have advocated for the design of 
computer systems that better serve the needs of 
employees in the workplace.  We do not view this 
particular goal as a trade-off between labor and 
management.  It is our belief that computer systems and 
information policies that are designed so as to value 
employees will lead to a more productive work 
environment and ultimately more successful companies and 
organizations.  As Charles Hecksher of the Harvard 
Business School has said, good managers have no use for 
secret monitoring.
	Equally important is the need to ensure that 
certain fundamental rights of employees are safeguarded.  
The protection of personal privacy in the information 
age may be as crucial for American workers as the 
protection of safety was in the age of machines.  
Organizations that fail to develop appropriate workplace 
privacy policies leave employees at risk of abuse, 
embarrassment, and harassment.
	The concern about workplace privacy is widely felt 
in the computer profession.  This month MacWorld 
magazine, a leading publication in the computer 
industry, released a special report on workplace 
privacy.  The report, based on a survey of 301 companies 
in the United States and authored by noted science 
writer Charles Piller, made clear the need for a strong 
federal policy.

	Among the key findings of the MacWorld survey:

>  More than 21 percent of those polled said that 
they had "engaged in searches of employee 
computer files, voice mail, electronic mail, or 
other networking communications."

>  "Monitoring work flow" is the most frequently 
cited reason for electronic searches.

>  In two out of three cases, employees are not 
warned about electronic searches.

>  Only one third of the companies surveyed have a 
written policy on privacy.

	What is also interesting about the MacWorld survey 
is the high level of concern expressed by top corporate 
managers about electronic monitoring.  More than a half 
of those polled said that electronic monitoring was 
either "never acceptable" or "usually or always 
counterproductive."  Less than five percent believed 
that electronic monitoring was a good tool to routinely 
verify honesty.
	These numbers suggest that managers would support a 
sensible privacy law.  Indeed, they are consistent with 
other privacy polls conducted by Professor Alan Westin 
for the Lou Harris organization which show that managers 
are well aware of privacy concerns and may, with a 
little prodding, agree to sensible policies.
	What would such a policy look like?  The MacWorld 
report also includes a model privacy policy that is 
based on several U.S. and international privacy codes.  
Here are the key elements:

>  Employees should know what electronic 
surveillance tools are used, and how management 
will use the data gathered.

>  Management should minimize electronic monitoring 
as much as possible.  Continuous monitoring 
should not be permitted.

>  Data should only be used for clearly defined, 
work-related purposes.

>  Management should not engage in secret 
monitoring unless there is credible evidence of 
criminal activity or serious wrongdoing.

>  Data gathered through monitoring should not be 
the sole factor in employee evaluations.

>  Personal information gathered by employers 
should not be disclosed to any third parties, 
except to comply with legal requirements.

>  Employees or prospective employees should not be 
asked to waive privacy rights.

>  Managers who violate these privacy principles 
should be subject to discipline or termination.

	Many of these provisions are contained in H.R. 
1900, the Privacy for Consumers and Workers Act.  
Clearly, the policies and the bill itself are not 
intended to prohibit monitoring, nor to prevent 
employers from protecting their business interests.  
What the bill will do is help establish a clear 
framework that ensures employees are properly notified 
of monitoring practices, that personal information is 
not misused, and that monitoring capability is not 
abused.  It is a straightforward, sensible approach that 
does not so much balance rights as it clarifies 
interests and ensures that both employers and employees 
will respect appropriate limitations on monitoring 
capability. 
	The need to move quickly to establish a framework 
for workplace privacy protection is clear.  Privacy 
problems will become more acute in the years ahead as 
new monitoring schemes are developed and new forms of 
personal data are collected.  As Professor Gary Marx has 
made clear, there is little that can be imagined in the 
monitoring realm that can not be achieved.  Already, 
some members of the computer profession are wearing 
"active badges" that provide full-time geographical 
monitoring.  Properly used, these devices help employees 
use new tools in the hi-tech workplace.  Improperly 
used, such devices could track the physical movements of 
an employee throughout the day, almost like a blip on a 
radar screen.
	Computers are certainly powerful tools.  We believe 
that they can be used to improve productivity and 
increase job satisfaction.  But this requires that 
appropriate policies be developed to address employee 
concerns and that laws be passed, when necessary, to 
ensure that computer abuse does not occur.
	This concludes my testimony.  I would be pleased to 
answer your questions.

 =====================================================




------------------------------

Date: Sat, 3 Jul 1993 06:12:42 -0400
From: Monty Solomon <monty@proponent.com>
Subject: Legality of electronic records - NM



Begin forwarded message:

Date: Fri, 2 Jul 1993 23:15:55 -0600 (MDT)
From: "Thaddeus P. Bejnar" <LGLLAWLIB@technet.nm.org>
To: info-law@brl.mil
Subject: Legality of electronic records - NM

Apologies for cross-posting:
 -------------------------------------------------------------------
                 Legality of Electronic Records

New Mexico has just produced a draft rule for public comment
entitled:
PERFORMANCE GUIDELINES FOR THE LEGAL ACCEPTANCE OF PUBLIC RECORDS
PRODUCED BY INFORMATION TECHNOLOGY SYSTEMS

It deals with the requirements that state information systems
should meet in order to have the data that they contain be
admissible into evidence.

It is not technology specific.  Public comments are solicited
through September 15, 1993.  The printed copy is 17 pages.

Electronic copies can be requested over e-mail from:
Internet: lgllawlib@technet.nm.org 

Bitnet:  lgllawl@USCN

or in writing from:
LERAC
State Records Center & Archives
404 Montezuma
Santa Fe, N.M.  87501

P.S.  If any kind soul out there would like to post it to an ftp
site that would be wonderful.  Just let me know.
                            --Thaddeus P. Bejnar
                              Internet: lgllawlib@technet.nm.org 

                              Bitnet:   lgllawl@USCN




------------------------------

From: friedman@gnu.ai.mit.edu (Noah Friedman)
Date: Tue, 29 Jun 93 16:30:21 edt
Subject: Digital Signature Scandal

[The following is an official announcement from the League for Programming
Freedom.  Please redistribute this as widely as possible.]


		   Digital Signature Scandal

Digital signature is a technique whereby one person (call her
J. R. Gensym) can produce a specially encrypted number which anyone
can verify could only have been produced by her.  (Typically a
particular signature number encodes additional information such as a
date and time or a legal document being signed.)  Anyone can decrypt
the number because that can be done with information that is
published; but producing such a number uses a "key" (a password) that
J. R. Gensym does not tell to anyone else.

Several years ago, Congress directed the NIST (National Institute of
Standards and Technology, formerly the National Bureau of Standards)
to choose a single digital signature algorithm as a standard for the
US.

In 1992, two algorithms were under consideration.  One had been
developed by NIST with advice from the NSA (National Security Agency),
which engages in electronic spying and decoding.  There was widespread
suspicion that this algorithm had been designed to facilitate some
sort of trickery.

The fact that NIST had applied for a patent on this algorithm
engendered additional suspicion; despite their assurances that this
would not be used to interfere with use of the technique, people could
imagine no harmless motive for patenting it.

The other algorithm was proposed by a company called PKP, Inc., which
not coincidentally has patents covering its use.  This alternative had
a disadvantage that was not just speculation: if this algorithm were
adopted as the standard, everyone using the standard would have to pay
PKP.

(The same patents cover the broader field of public key cryptography,
a technique whose use in the US has been mostly inhibited for a decade
by PKP's assiduous enforcement of these patents.  The patents were
licensed exclusively to PKP by the Massachusetts Institute of
Technology and Stanford University, and derive from taxpayer-funded
research.)

PKP, Inc. made much of the suspect nature of the NIST algorithm and
portrayed itself as warning the public about this.

On June 8, NIST published a new plan which combines the worst of both
worlds: to adopt the suspect NIST algorithm, and give PKP, Inc. an
*exclusive* license to the patent for it.  This plan places digital
signature use under the control of PKP through the year 2010.

By agreeing to this arrangement, PKP, Inc. shows that its concern to
protect the public from possible trickery was a sham.  Its real desire
was, as one might have guessed, to own an official national standard.
Meanwhile, NIST has justified past suspicion about its patent
application by proposing to give that patent (in effect) to a private
entity.

Instead of making a gift to PKP, Inc., of the work all of us have paid
for, NIST and Congress ought to protect our access to it--by pursuing
all possible means, judicial and legislative, to invalidate or annul
the PKP patents.  If that fails, even taking them by eminent domain is
better (and cheaper in the long run!) than the current plan.

You can write to NIST to object to this giveaway.  Write to:

Michael R. Rubin
Active Chief Counsel for Technology
Room A-1111, Administration Building,
National Institute of Standards and Technology
Gaithersburg, Maryland 20899
(301) 975-2803.

The deadline for arrival of letters is around August 4.

Please send a copy of your letter to:

League for Programming Freedom
1 Kendall Square #143
P.O.Box 9171
Cambridge, Massachusetts 02139

(The League for Programming Freedom is an organization which defends
the freedom to write software, and opposes monopolies such as patented
algorithms and copyrighted languages.  It advocates returning to the
former legal system under which if you write the program, you are free
to use it.  Please write to the League if you want more information.)

Sending copies to the League will enable us to show them to elected
officials if that is useful.



This text was transcribed from a fax and may have transcription
errors.  We believe the text to be correct but some of the numbers
may be incorrect or incomplete.

 ---------------------------------------------------------------------

 ** The following notice was published in the Federal Register, Vol.
           58, No. 108, dated June 8, 1993 under Notices **

National Institute of Standards and Technology

Notice of Proposal for Grant of Exclusive Patent License

This is to notify the public that the National Institute of
Standards and Technology (NIST) intends to grant an exclusive
world-wide license to Public Key Partners of Sunnyvale, California
to practice the Invention embodied in U.S. Patent Application No.
07/738.431 and entitled "Digital Signature Algorithm."  A PCT
application has been filed.  The rights in the invention have been
assigned to the United States of America. 


The prospective license is a cross-license which would resolve a
patent dispute with Public Key Partners and includes the right to
sublicense.  Notice of availability of this invention for licensing
was waived because it was determined that expeditious granting of
such license will best serve the interest of the Federal Government
and the public.  Public Key Partners has provided NIST with the
materials contained in Appendix A as part of their proposal to
NIST.

Inquiries, comments, and other materials relating to the
prospective license shall be submitted to Michael R. Rubin, Active
Chief Counsel for Technology, Room A-1111, Administration Building,
National Institute of Standards and Technology, Gaithersburg,
Maryland 20899.  His telephone number is (301) 975-2803.
Applications for a license filed in response to this notice will be
treated as objections to the grant of the prospective license.

Only written comments and/or applications for a license which are
received by NIST within sixty (60) days from the publication of this
notice will be considered.

The prospective license will be granted unless, within sixty (60)
days of this notice, NIST receives written evidence and argument
which established that the grant of the license would not be
consistent with the requirements of 35 U.S.C. 209 and 37 CFR 404.7.

  Dated:  June 2, 1993.

Raymond G. Kammer
Acting Director, National Institute of Standards and Technology.

Appendix "A"

The National Institute for Standards and Technology ("NIST") has
announced its intention to grant Public Key Partners ("PKP")
sublicensing rights to NIST's pending patent application on the
Digital Signature Algorithm ("DSA").

Subject to NIST's grant of this license, PKP is pleased to declare
its support for the proposed Federal Information Processing
Standard for Digital Signatures (the "DSS") and the pending
availability of licenses to practice the DSA.  In addition to the
DSA, licenses to practice digital signatures will be offered by PKP
under the following patents:

          Cryptographic Apparatus and Method ("Diffie-Hellman")
                No. 4,200,770
          Public Key Cryptographic Apparatus and Method
		("Hellman-Merkle")   No. 4,315,552
          Exponential Cryptographic Apparatus and Method
                ("Hellman-Pohlig")   No. 4,434,414
          Method For Identifying Subscribers And For Generating
		And Verifying Electronic Signatures In A Data Exchange
                System ("Schnorr")   No. 4,995,082

It is PKP's intent to make practice of the DSA royalty free for
personal, noncommercial and U.S. Federal, state and local
government use.  As explained below, only those parties who enjoy
commercial benefit from making or selling products, or certifying
digital signatures, will be required to pay royalties to practice
the DSA.

PKP will also grant a license to practice key management, at no
additional fee, for the integrated circuits which will implement
both the DSA and the anticipated Federal Information Processing
Standard for the "key escrow" system announced by President Clinton
on April 16, 1993.

Having stated these intentions, PKP now takes this opportunity to
publish its guidelines for granting uniform licenses to all parties
having a commercial interest in practicing this technology:

First, no party will be denied a license for any reason other than
the following:

          (i)    Failure to meet its payment obligations,
          (ii)   Outstanding claims of infringement, or
          (iii)  Previous termination due to material breach.

Second, licenses will be granted for any embodiment sold by the
licensee or made for its use, whether for final products software,
or components such as integrated circuits and boards, and
regardless of the licensee's channel of distribution.  Provided the
requisite royalties have been paid by the seller on the enabling
component(s), no further royalties will be owed by the buyer for
making or selling the final product which incorporates such
components.

Third, the practice of digital signatures in accordance with the
DSS may be licensed separately from any other technical art covered
by PKP's patents.

Fourth, PKP's royalty rates for the right to make or sell products,
subject to uniform minimum fees, will be no more than 2 1/2% for
hardware products and 5% for software, with the royalty rate
further declining to 1% on any portion of the product price
exceeding $1,000.  These royalty rates apply only to noninfringing
parties and will be uniform without regard to whether the licensed
product creates digital signatures, verifies digital signatures or
performs both.

Fifth, for the next three (3) years, all commercial services which
certify a signature's authenticity for a fee may be operated
royalty free.  Thereafter, all providers of such commercial
certification services shall pay a royalty to PKP of $1.00 per
certificate for each year the certificate is valid.

Sixth, provided the foregoing royalties are paid on such products
or services, all other practice of the DSA shall be royalty free.

Seventh, PKP invites all of its existing licensees, at their
option, to exchange their current licenses for the standard license
offered for DSA.

Finally, PKP will mediate the concerns of any party regarding the
availability of PKP's licenses for the DSA with designated
representatives of NIST and PKP.  For copies of PKP's license
terms, contact Michael R. Rubin, Acting Chief Counsel for
Technology, NIST, or Public Key Partners.

  Dated:  June 2, 1993.

Robert B. Fougner, Esq.,
Director of Licensing, Public Key Partners,
310 North Mary Avenue, Sunnyvale, CA  94033

[FR Doc. 93-13473 Filed 8-7-93; 8:45 am]


------------------------------


End of Computer Privacy Digest V3 #001
******************************