########## ########## ########## | A GUIDE TO EFF LEGAL SERVICES ########## ########## ########## | #### #### #### | ######## ######## ######## | EFF TESTIMONY ON DIGITAL PRIVACY ######## ######## ######## | AS GIVEN BY DAVID FARBER #### #### #### | ########## #### #### | WHAT EFF DID ON YOUR SUMMER VACTION ########## #### #### | ===================================================================== EFFector Online September 18, 1992 Issue 3.05 A Publication of the Electronic Frontier Foundation ISSN 1062-9424 ===================================================================== EFF LEGAL SERVICES by Mike Godwin EFF Staff Counsel, Cambridge Because the EFF has spent the last year developing and publicizing our policy-focused efforts at our new Washington office, many of our constituents have wondered whether EFF is still active on the civil-liberties front. The answer to that question is an unqualified "Yes!" This activity has been less well-publicized, however, often because of the privacy interests of most of the people who seek EFF help with their individual cases. I want to take this opportunity to let our members and constituents know what kind of legal services we offer, and what kind of casework we do. The primary legal services I provide are basic counselling and referrals. EFF does not charge for this, and you do not have to be an EFF member to call or write and ask for help. I answer general questions about computer law and telecommunications law at the federal level as well as in the jurisdictions in which I am admitted to the bar (currently Texas and Washington, D.C.). When appropriate, I instruct people to seek further consultation with lawyers in their respective jurisdictions, giving them referrals to specific lawyers when possible. (EFF maintains a database of attorneys who've volunteered to do some kinds of work on these kinds of cases.) I often mail out source materials to individuals and organizations. (One of the most frequently requested materials is the original complaint filed by Steve Jackson Games in its lawsuit against the U.S. government--many lawyers find that the complaint is a good primer on civil-liberties issues raised by the search and seizure of a computer bulletin-board system.) More frequently, I talk to people on the telephone. The kinds of questions I deal with tend to fall into the following four general areas: GENERAL QUESTIONS ABOUT LEGAL ISSUES A caller may be a sysop who's been told by someone that it's against the law to read users' e-mail, and she wants to know whether this is true. Or it may be a user who wants to know if it's legal to upload a scanned image of a copyrighted photograph to a BBS for downloading by other users. Or it may be a hobbyist programmer who wonders if he may be held liable if a computer virus he writes somehow "escapes" and infects and damages other systems. Usually these questions are aimed at *anticipated* legal risks (the caller wants to know ahead of time if her actions will lead to legal trouble), but a significant number of the calls are from people who wonder if their *current* activities are illegal or create risks of legal liability. For example, a lot of sysops of "pirate" BBSs have acquired the notion that they can't be held liable for providing access to unauthorized copies of commercial software because it's "the guy downloading the stuff who's doing the copying"--I tell them they are mistaken and point out the legal risks of providing such access. A small but consistent fraction of callers prefer to remain anonymous. I respect their wishes, and try to give just as much help to anonymous callers as to those who identify themselves. REQUESTS FOR HELP IN CRIMINAL CASES Basically, these types of requests fall into two categories, which I call "target cases" and "non-target cases": A "target case" is one in which the request is from some one (the "target") who is very likely to become, or who has already become, a defendant in a state or federal case. I may get the request from the target personally, or I may get a call from the target's lawyer. (If the target doesn't have a lawyer, my first priority is to do what I can to help him get one. Although EFF does not normally provide funds for legal representation in criminal cases, I can tell a caller how to go about contacting a private defense lawyer or a public defender.) I'll ask the caller for basic facts about the case, and, once I'm in contact with his lawyer, I'll do what I can to help the lawyer learn the relevant law and gather the necessary facts to prepare the case. Even the very best defense lawyers are likely to be unfamiliar with the legal and evidentiary issues raised by computer-crime investigations--I'm often able to give them a running start on their case preparation. On a few occasions, a case may raise a particularly unusual and important civil-liberties issue, and I'll make a recommendation to EFF management as to whether EFF should formally support the case in some way. A "non-target case" is one in which the person asking for assistance or advice is not an actual or prospective defendant, but her rights or interests have somehow been affected by a criminal investigation or by the actions of law-enforcement officials. (The classic example is one in which a non-target sysop's BBS or networked computer has been seized as part of an investigation of one the system's users.) As in target cases, I may advise her lawyer, but I often can resolve things quickly by acting directly as a representative for the person asking for help. For example, in a recent Washington State case, I helped a non-target negotiate a quick return of his equipment, which federal agents had seized and searched as part of a multi-state criminal investigation. REQUESTS FOR HELP IN CIVIL CASES. Normally, EFF won't take sides in a civil case unless it clearly raises an important civil-liberties issue. One such case involved the manufacturers of a VCR-programming device who threatened to sue individuals participating in a discussion of their coding algorithms on the Usenet newsgroup sci.crypt. The company's lawyer insisted that the Usenetters' efforts at figuring out the algorithms by deducing them from the codes published in TV Guide listings and elsewhere was a violation of their copyright, patent, and trade-secret interests. I researched their claim and confirmed the Usenet posters' belief that their research did not violate any intellectual-property protections of the manufacturers' products, and I represented their position to the manufacturer, telling the company that the posters were engaged in Constitutionally protected speech and inquiry. After several convesations between me and the company's lawyer, the company dropped its claims. (The sci.crypt posters' research was eventually published as a paper in the journal CRYPTOLOGIA--Vol. XVI, Number 3, July 1992--in which the authors thanked EFF for their legal assistance.) REQUESTS FOR HELP IN SITUATIONS WHERE THERE'S NO CRIMINAL OR CIVIL CASE This category includes situations in which, for example, a college student has his computer-access privileges suspended because a "hacker newsletter" is discovered by a system administrator rummaging through the student's directory. (I've explained to more than one system administrator that mere possession of such information does not make one a computer intruder, and that their rummaging may have violated the students' rights.) Or a university computer center may decide to suspend some kinds of Usenet newsgroups, justifying their actions by saying they're afraid the sexually oriented newsgroups are illegal. (I've written and spoken to university administrators to explain that virtually none of the discussions in the sexually oriented newsgroups on Usenet qualify legally as "obscenity"--instead, they're protected expression under established American Constitutional law.) Or a group of sysops may be concerned about their local phone company's efforts to impose business rates on nonprofit BBS phone lines. (I now refer most such calls to Shari Steele, ssteele@eff.org, the staff counsel of EFF's Washington office, who has given special study to these issues.) In addition to individual casework: I have represented EFF's legal services primarily on three forums--the WELL, Usenet, and CompuServe. As a result of my presence there, I have been receiving an increasing amount of casework, requests for legal advice, and invitations to speak. The number of these cases has increased in response to my presence online--it also has increased in response to my public appearances. After the Second Computers, Freedom, and Privacy conference, for example, I had three or four cases referred to me by people who met me in Washington. It is important that EFF members and constituents recognize we are here to help you solve individual problems as well as promote your interests on general policy issues. If you are running into a legal problem, or if you simply have a general legal question, or even if you're having a problem on the Electronic Frontier and you're not sure whether or not it's a legal problem, you should call me, Mike Godwin, at 617-864-0665, or send me electronic mail at mnemonic@eff.org or at 76711,317 on CompuServe. I won't always be able to help, but I'm always willing to listen. And I may be able to help more often than you'd think. -==--==--==-<>-==--==--==- From the Univ of Wisconsin Microelectronics bulletin, Prof. F Cerrina as the author: "After the Microlithography '92 conference in Japan, we toured some of the leading electronics laboratories. Our visit to Hitachi's Central Research Lab included an amusing demonstration of the resolution of current lithography. On a four-inch wafer, they printed a map of the world that included the streets of London down to the smallest alleys. It's now possible to put a fully detailed map of the world on a six-inch wafer." Food for thought... (Submitted by Gary Delp ) -==--==--==-<>-==--==--==- Following are excerpts from the testimony of Professor David Farber, a member of the EFF Board of Directors, before the Computer Systems Security and Privacy Advisory Board of the National Institute of Standards and Technology (NIST) on September 16, 1992. Mr. Chairman and Members of the Advisory Board: My name is David Farber. I am Professor of Computer Science at the University of Pennsylvania and a member of the Board of Directors of the Electronic Frontier Foundation (EFF). I am here today representing only the views of EFF. I want to thank you for inviting us to testify today as part of your investigation. We are pleased to be included at this early phase of the Advisory Board's inquiry and offer a brief set of principles for proceeding with this inquiry. First, it is essential that in examining discrete issues such as the desirability of various cryptography standards, the Board take a comprehensive view of what we call "digital privacy" policy as a whole. Such a comprehensive view requires a clear vision of the underlying civil liberties issues at stake: privacy and free speech. It also requires looking beyond the cryptography questions raised by many to include some of law enforcement's recent concerns about the pace of digital infrastructure innovation. Second, for the sake of promoting innovation and protecting civil liberties, the Board should bear in mind the principle that computer security policy is fundamentally a concern for domestic, civilian agencies. This principle, as articulated in the Computer Security Act of 1987, can serve as an important guide to the work of this Board. A. THE GROWING IMPORTANCE OF DIGITAL PRIVACY TECHNOLOGY With dramatic increases in reliance on digital media for communications on the part of private individuals, government, and corporations, the need for comprehensive protection of privacy in these media grows. For most in this room, the point seems trite, but the digital communications revolution (which we stand at only the very beginning of), is the key event of which the Advisory Board should take note. As an example, a communication which is carried on paper through the mail system, or over the wire-based public telephone network is relatively secure from random intrusion by others. But the same communication carried over a cellular or other wireless communication system, is vulnerable to being overheard by anyone who has very inexpensive, easy-to-obtain scanning technology. For the individual who relies on digital communications media, reliable privacy protection cannot be achieved without the protection of robust encryption technology. While legal restrictions on the use of scanners or other technology which might facilitate such invasions of privacy seem to be attractive preventative measures, these are not lasting or comprehensive solutions. We should have a guarantee -- with physics and mathematics, not only with laws -- that we can give ourselves real privacy of personal communications through technical means. Encryption strong enough that even the NSA can't break it. We already know how to do this, but we have not made encryption technology widely available for public use because of public policy barriers. B. THE BOARD SHOULD UNDERTAKE A COMPREHENSIVE REVIEW OF DIGITAL PRIVACY ISSUES Inasmuch as digital privacy policy has broad implications for constitutional rights of free speech and privacy, and for international competitiveness and economic vitality in the information age, these issues must be explored and resolved in an open, civilian policy context. These questions are simply too important to be decided by the national security establishment alone. This principle is central to the Computer Security Act of 1987.1 The structure of the Act, which is the basis for the authority of this Advisory Board, arose, in significant part, from the concern that the national security establishment was exercising undue control over the flow of public information and the use of information technology.2 When considering the law in 1986, the committee asked the question, "whether it is proper for a super-secret agency [the NSA] that operates without public scrutiny to involve itself in domestic activities...?" The answer was a clear no, and the authority for establish computer security policy was vested in NIST (the NBS). In this context, we need a robust public debate over our government's continuing heavy-handed efforts to control commercially developed cryptography. It is no secret that throughout the cold war era, the Defense and State Departments and the National Security Agency have used any and all means, including threats of prosecution, control over research, and denial of export licenses to prevent advanced secret coding capabilities from getting into the hands of our adversaries. NSA does this to maximize its ability to intercept and crack all international communications of national security interest. Now the Cold War is over but the practice continues. In recent years, Lotus, Microsoft, and others have developed or tried to incorporate powerful encryption means into mass market software to enhance the security and privacy of business, financial, and personal communications. In an era of computer crime, sophisticated surveillance technologies, and industrial espionage it is a laudable goal. Although NSA does not have the authority to interfere with domestic distribution of DSA, RSA, and other encryption packages, its licensing stranglehold over foreign distribution has unfortunate consequences. Domestic firms have been unable to sell competitive security and privacy products in international markets. More important, because the cost of producing two different products is often prohibitive, NSA policy encourages firms to produce a single product for both domestic and worldwide use, resulting in minimal privacy and security for users both here and abroad. While we all recognize that NSA has legitimate national security concerns in the post cold war era, this is a seriously flawed process. Foreign countries or entities who want to obtain advanced encryption technology can purchase it through intermediaries in the United States or from companies in a host of foreign countries who are not subject to US export restrictions. There is a big, big hole in the national security dike. By taking a page out of the Emperor's New Clothes, NSA opts to act as if the process works by continuing to block export. In order to get some improvement in mass market encryption, the Software Publishers Association, representing Microsoft, Lotus, and others, had to use the threat of legislation to get NSA to engage in the negotiations that finally led NSA to agree to expedited clearance for the export of RSA encrypting software of limited key lengths. Still, all concede that the agreement does not go far enough and that far more powerful third-party products are commonly available in the US, including the fifteen-year-old US Data Encryption Standard. SPA knows that specifying maximum key lengths offers little long-term security given advances in computer processing power, but was willing to compromise because of NSA's refusal to budge. Does this kind of policy make any sense in the post Cold War era? Mass market products offer limited security for our citizens and businesses. Determined adversaries can obtain much more powerful products from foreign countries or by purchasing it here in the US. Is the NSA policy of slowing down the pace of encryption use by foreigners and adversaries --even if demonstrable--any longer worth the significant price we pay in terms of failing to meet our own communications privacy and security needs? That is the policy challenge for this Board to address by a frank, open, and inclusive public debate. C. THE BOARD MUST ADDRESS THE DIGITAL PRIVACY ISSUE IN A COMPREHENSIVE MANNER WHICH REQUIRES CONSIDERING THE FBI'S DIGITAL TELEPHONY PROPOSAL AND ITS IMPLICATIONS. The public policy debate on electronic privacy issues over the last few years has demonstrated that a comprehensive approach to digital privacy policy cannot be complete without examining both questions regarding the availability of encryption technology, and the corresponding infrastructure issues, such as those raised by the FBI's Digital Telephony Proposal. Attempts to solve one issue without addressing the other is an exercise in irrational policy-making and should be avoided by this Advisory Board. Last year, the FBI first proposed a "Sense of the Congress" resolution stating that communications firms and computer and communications equipment manufacturers were obligated to provide law enforcement access to the "plain" text of all voice, data, and video communications, including communications using software encryption. The Electronic Frontier Foundation (EFF) played an active and leading role both in opposing such a law and in seeking to find more acceptable means for meeting legitimate law enforcement needs. Because of our advocacy and coalition-building efforts with communications and privacy groups, we were successful in persuading Senate Judiciary Chairman Joseph Biden to remove the Sense of the Congress Resolution from active consideration as part of Omnibus crime legislation last year. Putting aside its attempt to control the use of encryption systems, this year the FBI has come forward with proposed legislation that would require telephone companies, electronic information providers, and computer and communications equipment manufacturers to seek an FCC "license" or Attorney General "certification" that their technologies are susceptible to electronic surveillance. We are in danger of creating a domestic version of the export control laws for computer and communications technology. While the FBI claims that neither of this year's proposals address encryption issues, the Bureau has made it clear it plans to return to this issue in the future. The Board needs to hear from the broad coalition made up of telephone companies such as AT&T, computer firms such as IBM, Sun Microsystems, and Lotus Development Corporation, and public interest groups such as the EFF. The EFF will shortly release a white paper representing coalition views on the need for the FBI to explore more realistic, less vague, and potentially onerous policy options for meeting legitimate law enforcement needs. The resulting multi-front battle being waged about digital privacy creates formidable roadblocks to a final resolution of the policy disputes at issue. Those who seek greater privacy and security cannot trust a settlement on one front, because their victory is likely to be undermined by action on the other issue. And law enforcement and national security concerns cannot be adequately addressed without a sense of the overall solution being proposed on both the encryption and infrastructure fronts. This Advisory Board can play a valuable role for the policy process by conducting a comprehensive review of digital privacy and security policy, with a consideration of both of these sets of issues. 1 Pub.L.No. 100-235. 2 House Committee On Government Operations, H.R. Rep. No. 99-753, Pt. 2, at 5. -==--==--==-<>-==--==--==- From "Levitating Trains and Kamikaze Genes: Technological Literacy for the 1990's" Describing the difference between computer hardware and software: "Those parts of the system that you can hit with a hammer (not advised) are called hardware; those program instructions that you can only curse at are called software." -==--==--==-<>-==--==--==- WHAT EFF DID WHILE YOU WERE TANNING You can't fool us. We saw your I'm-on-vacation bounce notices after shipping each EFFector Online. And while you were out prematurely aging your skin, the EFF had a busy summer. Both Danny Weitzner of the D.C. office and Mike Godwin of the Cambridge office took bar exams in July: Danny in New York and Mike in Massachusetts (Mike is already a member of the Texas and D.C. bars). Both have recovered and are waiting for their results. CAMBRIDGE: # Mitchell Kapor was a keynote speaker for EFF at the International Networking Conference, 1992, in Kobe, Japan where he spoke on global networking and the EFF's role in the creation of online communities around the world. He also appeared before the National Association of Regional Utility Commissions as a means of opening EFF's state by state drive to make ISDN happen nationwide. In addition, he has, as usual, been active in fundraising efforts for EFF within the computer industry. # In addition to his bar exam, Mike flew to San Francisco several times as part of the planning committee for Computers, Freedom, and Privacy III; chaired two meetings of the Massachusetts Computer Crime Council; assisted counsel for several federal computer crime cases under indictment; and fielded many, many legal questions on the phone and online. # The publications department (Gerard Van der Leun and Rita Rouvalis) produced a full line of pamphlets, white papers, bumper stickers, and information disks in addition to several issues of EFFector Online and @eff.org; staffed booths at ONE BBSCon and IBECC '92 in Denver, Colorado in August; and laid the groundwork on such projects as The EFF Guide to Cyberspace and the upcoming EFFECTOR3 magazine. # EFF Tech (Chris Davis and Helen Rose) upgraded the Washington, D.C. office's connection to the Internet from a dialup SLIP connection to a 56K leased line; reorganized the anonymous FTP archives for faster and easier access to the EFF's online documents; began a series of Postscript versions of EFF documents with about-eff; and made arrangements to appear on a panel discussing the Internet and the National Public Network in New York City in late September. WASHINGTON D.C.: # Jerry Berman appeared before American Bar Association Conference in San Francisco on the Panel on Virtual Reality and Future Network Policy; appeared before Computer Systems Policy Project in Massachusetts to discuss Open Platform Initiative of the EFF; was on a panel that briefed the City Council and Mayor of Seattle. He arranged for many computer and communications firms to sign the EFF-drafted White Paper opposing FBI digital Telephony proposal to be released September 16 in D.C. He also, with the aid of the Washington staff, pulled together the second meeting of the Communications Policy Forum under EFF auspices to discuss the NSF's draft solicitation on the Internet and NREN. # Danny Weitzner drafted Open Platform amendments, making narrowband ISDN deployment a national policy, for Rep. Ed Markey's latest telecommunications regulation bill; was elected Chair of the Public Policy and Strategy committee of the North American ISDN Users' Forum; and initiated a plan to take the Open Platform initiative to state public utility commissions in order to ensure reasonably priced ISDN service in the states. # Andrew Blau testified at Colorado PUC on making ISDN available to residential subscribers; met with Executive Leadership of NCSL's Task Force on Info Policy; spoke at National Federation of Local Cable Programmers' Annual Convention on Video Dialtone, "Electronic Frontiers", and Community Communications Coalitions; was a panelist on "Government Initiatives to Promote Public Data Networks"; met with disability rights activists, seniors, and others about meeting their future telecommunications needs; and documented uses/application of ISDN technology in small business, education, health and other settings. # Shari Steele made presentations on the EFF, our National Public Network proposal, electronic democracy and BBSs being charged business telephone rates at ONE BBSCon and IBECC; began writing a monthly legal column for BBS Callers Digest; and made presentations on the EFF to the Capital Area SysOps Association (CASA) and a course on Computers, Freedom and Privacy at the George Washington University. -==--==--==-<>-==--==--==- MEMBERSHIP IN THE ELECTRONIC FRONTIER FOUNDATION If you support our goals and our work, you can show that support by becoming a member now. Members receive our magazine, EFFECTOR, our bi- weekly electronic newsletter, EFFector Online, the @eff.org newsletter and special releases and other notices on our activities. But because we believe that support should be freely given, you can receive these things even if you do not elect to become a member. Our memberships are $20.00 per year for students, $40.00 per year for regular members. You may, of course, donate more if you wish. Our privacy policy: The Electronic Frontier Foundation will never, under any circumstances, sell any part of its membership list. We will, from time to time, share this list with other non-profit organizations whose work we determine to be in line with our goals. If you do not grant explicit permission, we assume that you do not wish your membership disclosed to any group for any reason. ---------------- EFF MEMBERSHIP FORM --------------- Mail to: The Electronic Frontier Foundation, Inc. 155 Second St. #35 Cambridge, MA 02141 I wish to become a member of the EFF I enclose:$__________ $20.00 (student or low income membership) $40.00 (regular membership) $100.00(Corporate or company membership. This allows any organization to become a member of EFF. It allows such an organization, if it wishes to designate up to five individuals within the organization as members.) I enclose an additional donation of $ Name: Organization: Address: City or Town: State: Zip: Phone:( ) (optional) FAX:( ) (optional) Email address: I enclose a check [ ] . Please charge my membership in the amount of $ to my Mastercard [ ] Visa [ ] American Express [ ] Number: Expiration date: Signature: Date: I hereby grant permission to the EFF to share my name with other non-profit groups from time to time as it deems appropriate [ ] . Initials: Your membership/donation is fully tax deductible. ===================================================================== EFFector Online is published by The Electronic Frontier Foundation 155 Second Street, Cambridge MA 02141 Phone: +1 617 864 0665 FAX: +1 617 864 0866 Internet Address: eff@eff.org Reproduction of this publication in electronic media is encouraged To reproduce signed articles individually, please contact the authors for their express permission. ===================================================================== This newsletter is printed on 100% recycled electrons. Downloaded From P-80 International Information Systems 304-744-2253