________________ _______________ _______________
/_______________/\ /_______________\ /\______________\
\\\\\\\\\\\\\\\\\/ ||||||||||||||||| / ////////////////
\\\\\________/\ |||||________\ / /////______\
\\\\\\\\\\\\\/____ |||||||||||||| / /////////////
\\\\\___________/\ ||||| / ////
\\\\\\\\\\\\\\\\/ ||||| \////
EFFector Online Volume 09 No. 15 Dec. 20, 1996 email@example.com
A Publication of the Electronic Frontier Foundation ISSN 1062-9424
Court Declares Crypto Restrictions Unconstitutional
eTRUST Launches Pilot Program
More Public Interest Groups Speak Out Against WIPO Treaties
Quote of the Day
What YOU Can Do
* See http://www.eff.org/Alerts/ or ftp.eff.org, /pub/Alerts/ for more
information on current EFF activities and online activism alerts! *
Subject: Court Declares Crypto Restrictions Unconstitutional
COURT DECLARES CRYPTO RESTRICTIONS UNCONSTITUTIONAL
Free Speech Trumps Clinton Wiretap Plan
December 19, 1996, 16:50 Pacific time.
Electronic Frontier Foundation Contacts:
Shari Steele, Staff Attorney
John Gilmore, Founding Board Member
Cindy Cohn, McGlashan & Sarrail
San Francisco - On Monday, Judge Marilyn Hall Patel struck down Cold War
export restrictions on the privacy technology called cryptography. Her
effort to force companies to build "wiretap-ready" computers,
The decision is a victory for free speech, academic freedom, and the
free to collaborate with their peers in the United States and in other
countries. This will enable them to build a new generation of tools
for protecting the privacy and security of communications.
The Clinton Administration has been using the export restrictions to goad
companies into building wiretap-ready "key recovery" technology. In a
November Executive Order, President Clinton offered limited
administrative exemptions from these restrictions to companies which
agree to undermine the privacy of their customers. Federal District
Judge Patel's ruling knocks both the carrot and the stick out of
Clinton's hand, because the restrictions were unconstitutional in the
The Cold War law and regulations at issue in the case prevented
American researchers and companies from exporting cryptographic
carrying of an object across a national border. However, the
as well as discussions with foreigners inside the U.S. They also define
"software" to include printed English-language descriptions and
The secretive National Security Agency has built up an arcane web of
complex and confusing laws, regulations, standards, and secret
nterpretations for years. These are used to force, persuade, or
confuse individuals, companies, and government departments into making
t easy for NSA to wiretap and decode all kinds of communications.
Their tendrils reach deep into the White House, into numerous Federal
agencies, and into the Congressional Intelligence Committees. In
visibility, vocal public disagreement with the spy agency's goals,
commercial and political pressure, and judicial scrutiny.
Civil libertarians have long argued that encryption should be widely
current dominant position in computer technology. Government
officials in the FBI and NSA argue that the technology is too
criminals as well as ordinary citizens.
"We're pleased that Judge Patel understands that our national security
John Gilmore, co-founder of the Electronic Frontier Foundation, which
backed the suit. "There's no sense in 'burning the Constitution in
order to save it'. The secretive bureaucrats who have restricted these
larger understanding of how to support and preserve our democracy."
Reactions to the decision
"This is a positive sign in the crypto wars -- the first rational
the companies most affected by crypto policy.
"It's nice to see that the executive branch does not get to decide
Chairman of PGP, Inc. "It shows that my own common sense
nterpretation of the constitution was correct five years ago when I
thought it was safe to publish my own software, PGP. If only US
Customs had seen it that way." Mr. Zimmermann is a civil libertarian
and gave away a program for protecting the privacy of e-mail. His
"Pretty Good Privacy" program is used by human rights activists
murder by their own countries' secret police.
"Judge Patel's decision furthers our efforts to enable secure electronic
commerce," said Asim Abdullah, executive director of CommerceNet.
Jerry Berman, Executive Director of the Center for Democracy and
Technology, a Washington-based Internet advocacy group, hailed the
victory. "The Bernstein ruling illustrates that the Administration
continues to embrace an encryption policy that is not only unwise, but
also unconstitutional. We congratulate Dan Bernstein, the Electronic
Frontier Foundation, and all of the supporters who made this victory
for free speech and privacy on the Internet possible."
"The ability to publish is required in any vibrant academic discipline,"
This ruling re-affirming our obvious academic right will help American
the popular textbook _Applied Cryptography_, and a director of the
organization of cryptographers.
Kevin McCurley, President of the International Association for
Cryptologic Research, said, "Basic research to further the
understanding of fundamental notions in information should be welcomed
by our society. The expression of such work is closely related to one
of the fundamental values of our society, namely freedom of speech."
Background on the case
The plaintiff in the case, Daniel J. Bernstein, Research Assistant
"encryption algorithm" (a recipe or set of instructions) that he
Bernstein sued the government, claiming that the government's
(AECA) and its implementing regulations, the International Traffic in Arms
(source code), they were not protected by the First Amendment. On
April 15, 1996, Judge Patel rejected that argument and held for the
first time that computer source code is protected speech for purposes
of the First Amendment.
Details of Monday's Decision
Judge Patel ruled that the Arms Export Control Act is a prior restraint
on speech, because it requires Bernstein to apply for and obtain from
the government a license to publish his ideas. Using the Pentagon
national security alone does not justify a prior restraint."
Judge Patel also held that the government's required licensing
Government acts legally to suppress protected speech, it must reduce
the chance of illegal censorship by the bureaucrats involved -- in this
case, the State Department's Office of Defense Trade Controls (ODTC).
Her decision states: "Because the ITAR licensing scheme fails to provide
for a time limit on the licensing decision, for prompt judicial review
and for a duty on the part of the ODTC to go to court and defend a
unconstitutional prior restraint in violation of the First Amendment."
She also ruled that the export controls restrict speech based on the
content of the speech, not for any other reason. "Category XIII(b) is
the topic of encryption." The Government had argued that it restricts
the speech because of its function, not its content.
The judge also found that the ITAR is vague, because it does not
adequately define how information that is available to the public
"through fundamental research in science and engineering" is exempt
from the export restrictions. "This subsection ... does not give
failure to precisely define what objects and actions are being
unable to publish his encryption algorithm for over four years. Many
other cryptographers and ordinary programmers have also been restrained
from publishing because of the vagueness of the ITAR. Brian
Behlendorf, a maintainer of the popular public domain "Apache" web
code was deemed by the NSA to violate the ITAR." Judge Patel also
adopted a narrower definition of the term "defense article" in order to
The immediate effect of this decision is that Bernstein now is free to
teach his January 13th cryptography class in his usual way. He can
class's materials with other professors, without being held in
violation of the ITAR. "I'm very pleased," Bernstein said. "Now I
n the Northern District of California (containing San Francisco and Silicon
Valley) or throughout the country. Check with your own lawyer if
you contemplate taking action based on the decision.
object code (the executable form of computer programs which source
code is automatically translated into) have been overturned. It may
be that existing export controls will continue to apply to runnable
case challenges that part of the restrictions.
ABOUT THE ATTORNEYS
Lead counsel on the case is Cindy Cohn of the San Mateo law firm of
McGlashan & Sarrail, who is offering her services pro bono. Major
additional pro bono legal assistance is being provided by Lee Tien of
Berkeley; M. Edward Ross of the San Francisco law firm of Steefel,
Levitt & Weiss; James Wheaton and Elizabeth Pritzker of the First
Amendment Project in Oakland; and Robert Corn-Revere, Julia Kogan,
and Jeremy Miller of the Washington, DC, law firm of Hogan & Hartson.
ABOUT THE ELECTRONIC FRONTIER FOUNDATION
The Electronic Frontier Foundation (EFF) is a nonprofit civil
liberties organization working in the public interest to protect
nformation. EFF is a primary sponsor of the Bernstein case. EFF
Bernstein legal team, and helped collect members of the academic
community and computer industry to support this case.
Full text of the lawsuit and other paperwork filed in the case is
available from EFF's online archives at:
The full text of Monday's decision is available at:
Subject: eTRUST Launches Pilot Program
FOR IMMEDIATE RELEASE 12/20/96
eTRUST LAUNCHES PILOT PROGRAM
Trial of Global Initiative to Increase
Consumer Trust and Confidence in Electronic Transactions
establishing consumer trust and confidence in electronic information exchange,
s launching its pilot program. The purpose of the pilot is to test the
effectiveness and market desirability of the eTRUST "trustmark" program and to
mplementation. The information gathered will be invaluable in developing
The pilot will focus on addressing privacy issues of data collection on the
dentified as one of the key barriers to the widespread consumer acceptance of
electronic information transactions ranging from commerce to survey data
collection. Non-consentual collection of personal data over the Internet is
creating "databases of liability" and eTRUST provides a reasonable, effective,
and enforceable system to ensure that personally identifiable information is
not abused. eTRUST's privacy guidelines and assurance infrastructure will
allow for informed consent of data collection. Providing a mechanism for
nformed consent will increase the level of trust between online
businesses/organizations and users.
Companies or organizations participating in the eTRUST pilot will apply one or
more of three privacy "trustmarks" on their Websites depending on how they
* Anonymous or No Exchange - no data is collected on the user.
* One-to-One Exchange - data is collected only for the site owner's
* Third Party Exchange - data is collected and provided to specified
third parties but only with the user's knowledge and consent.
The "trustmark" system allows the user to be informed of exactly how
their personal data is being used.
The "trustmarks" will also be backed by an assurance process which includes
third-party review and spot auditing. The Assurance Process committee of
eTRUST which includes leading companies like Coopers & Lybrand LLP and KPMG LLP
s developing a formal review process for Websites which will be tested during
"Coopers & Lybrand is exceedingly pleased to be involved in setting the
Sapienza, Jr., Partner of Coopers & Lybrand LLP's Computer Assurance Services.
Up to 100 sites, carefully chosen to cover a broad spectrum of Web activities,
"trustmark" system include:
* CommerceNet - http://www.commerce.net
* Electronic Frontier Foundation - http://www.eff.org
* BritNet - http://www.britnet.co.uk
* Webcrawler - http://frontend.webcrawler.com
* Narrowline - http://www.narrowline.com
* WorldPages - http://www.worldpages.com
* Xcert Software - http://www.xcert.com
* Down Syn Online - http://www.epix.net/~mcross/down-syn.html
Sites will be added throughout December 1996 and the pilot will be conducted
through the first quarter of 1997. eTRUST demonstrated the
"trustmark" system at the Internet World Show in New York, December 11-13,
eTRUST has already received widespread support from industry, consumer groups,
and the government. CommerceNet, the premier industry association for
leading electronic consumer advocacy group have partnered to move forward to
mplement the eTRUST program.
"The eTRUST project is critical to building public trust in online
transactions," said Marty Tenenbaum, Chairman of CommerceNet. "It assures
ndividuals will receive full disclosure on how and where information will be
used and gives them the opportunity to opt out of a transaction."
"We are very concerned with protecting the privacy of users. The eTRUST pilot
s a major step forward in creating trust online and ensuring the development
of a healthy electronic society and in turn a healthy marketplace," says Lori
Fena, Executive Director of the Electronic Frontier Foundation.
"People's awareness of how their online behavior is being monitored and
commoditized is approaching a new high watermark," said Eric Theise,
Narrowline's EVP of Research and Information Architecture. "Our online media
buying and market research systems are less intrusive and more secure than
others, and eTRUST's framework for assessing, refining, and disclosing data
order to reach an international consensus on appropriate levels of privacy and
transactional security and how these will be enforced. By significantly
enhancing consumer trust and confidence in electronic transactions, eTRUST
eTRUST is a global initiative whose mission is to establish trust and
confidence in electronic communication by creating an infrastructure to
address issues such as privacy and transactional security. The initiative was
launched in July 1996 by the Electronic Frontier Foundation (EFF) and a group
of pioneering Internet companies. CommerceNet and the EFF then partnered in
October 1996 to move forward in implementing the initiative. More information
about eTRUST and its pilot program can be found at http://www.etrust.org/
CommerceNet is a non-profit industry association and recognized leader working
to transform the Internet into a global electronic marketplace. Launched in
April 1994, the Silicon Valley-based organization has over 200 members
More information about CommerceNet can be found at http://www.commerce.net/
Electronic Frontier Foundation
The Electronic Frontier Foundation is a non-profit civil liberties
organization working in the public interest to promote, privacy, free
expression, and social responsibility in new media. More information about
EFF can be found at http://www.eff.org/
Electronic Frontier Foundation
Subject: More Public Interest Groups Speak Out Against WIPO Treaties
An Open Letter To The Delegates Of The WIPO Diplomatic Conference
December 18, 1996
We are writing to urge the delegates at this diplomatic
conference to defer final action on the three proposed
treaties. The discussions so far have just began to shed light
on many of the problematic areas of the treaties. We believe
there is much more to be gained from further study, and we are
concerned that hasty action on novel changes in intellectual
this respect, one has to ask why WIPO, a United Nations body,
s acting as a super Parliament or Congress on issues which
traditional lawmaking processes.
While there are many problems with the three treaties,
allow us to highlight four areas of concern.
Are Far Too Broad.
In an effort to give copyright owners the broadest
authorization of the "direct and indirect" reproduction of a
(Treaty 1, Article 7). National exceptions would be allowed
for some temporary or incidental reproductions, provided that
the reproductions are "authorized by the author" or otherwise
be, or how a patchwork system of national exemptions will
achieve the international uniformity the treaty seeks.
The starting point for the reproduction rights are so open
ended that it would be seem to make the memorization of a poem
a violation of the author's exclusive rights.
The issue of the rights of the public to use computers to
view, study and analyze works is important. Overbroad
example, the new smart searching engines on the Internet's
World Wide Web routinely read hundreds of thousands, if not
millions of Web pages, in order to create indexes and abstracts
of articles and other works. These new and important software
tools will vastly expand our ability to identify and locate
There is also considerable concern that the "Right of
Reproduction" (Article 7), combined with the "Right of
Communication," (Article 10) are written in such a way that
nfringements. Several major ISPs have noted that if they are
liable for infringements by their customers, they will be
compelled to engage in intrusive surveillance of private
communications. This indeed was the concern of eleven CEOs of
major Internet and Telecommunication firms , who wrote
We strongly urge that no treaty be finalized at this time.
However, we would add that the proposed December 12, 1996
amendments by the 30 African countries offer a much better
approach (CRNR/DC/56, Treaty No. 1, Article 7 and Article 10),
and are preferred to the far too restrictive versions that have
been advanced by the United States Delegation.
Any language in a treaty that prohibits the development
of new information technologies is problematic, since there are
likely to be competing public interests. The Chairman's
(Article 13), and Treaty No. 2 (Article 22), are far too broad.
They would make unlawful "any . . . device, product or
component incorporated into a device or product, the primary
the rights under this treaty." (From Treaty 1, Article 13).
Taken with the rest of these deeply flawed treaties, there
nformation technologies. For example, the popular Web browser
Netscape would arguably be an illegal device, not only because
t is used for reading documents into memory to display them,
but because it has features which permit the easy reading and
features have made an important contribution to the explosive
failed to compete with the more open Internet model.
Also, the new generation of Internet searching and index
tools mentioned above would likely be challenged under the
Again, the language offered as a substitute by the 30
African countries is a better approach. Countries would be
adequate legal protection and effective legal
remedies against the circumvention of effective
technological measures that are used by rights
holders in connection with the exercise of their
rights under this Treaty and that restrict acts, in
respect of their works, which are not authorized by
the rights holders concerned or permitted by law.
(CRNR/DC/56, Treaty 1, Article 13).
The more flexible language offered by the African
countries would give each nation greater latitude in
mplementing anti-circumvention legislation. This is
mportant, given the rapid growth of the Internet, the novelty
of the technology and the Internet culture, and the need to
encourage rather than discourage the development of new
However, we cannot endorse even this approach, at this
time. The issue of anti-circumvention is not ripe for
legislation or treaty, given:
- the lack of experience in matters concerning the Internet
by many legislators or policy makers,
- the uncertainty concerning the extent to which new
encryption based technologies can protect rights owners
without additional legal remedies, and
- the need to gain a better model for enforcement in a world
with transnational data flows and radically different
concepts of fair use of copyrighted materials.
We come from a tradition of using information products and
newspapers, books, recorded music, and listening to broadcast
television and radio can be done in anonymity. The development
of cable television, video rental stores, online communications
and other technologies are leading to an explosive growth in
the ability of the government and private corporations to
conduct surveillance of what information we receive or share
friends and colleagues without surveillance. When it is
owners, it is desirable and important to seek those roads which
are consistent with a significant degree of personal privacy.
This principle should be specifically addressed in the
As noted above, there are specific concerns about privacy
n the section of the treaties dealing with the liability of
"Rights Management Information" may be used to provide
mechanisms for tracking document usage. Countries should be
both permitted and encouraged to limit the types of
technologies used for "rights management information" in order
to protect personal privacy.
New Property Right To Facts Or Other Public Domain Information.
There is widespread opposition to the concepts underlying
the proposed database treaty, and no action should be taken at
this time. As presently drafted, the treaty would give
events, give stock exchanges permanent "ownership" of share
creating abstracts of scientific journals or web pages as an
nfringement of a database extraction right, and create many
other unintended consequences.
The fact that organizations such as Dun and Bradstreet,
Bloomberg, and STATS, Inc (sports statistics), vigorously
oppose the treaty because it goes too far illustrates the
complexity of this issue. Value added information providers
are both producers and consumers of information. This proposal
s so deeply flawed it cannot be salvaged at this conference.
The controversy over the database treaty should also serve as a
concerning information is something to be protected and
In closing, we urge the delegates to reflect upon how the
unique features of the Internet have contributed to its amazing
change the Internet culture. Not only is the Internet a
flourishing and dynamic place to publish information, as
evidenced by the astronomical rates of growth in usage and
there are serious threats to the commercial content industry
Much of the concern over unauthorized reproductions of
owners of the works. Indeed, the Internet indexing and
abstracting tools which are threatened by these treaties offer
nappropriate unauthorized reproductions of works.
This transparency of publishing activities on the Internet
s something new. We are also just beginning to understand the
engines which drive the dynamic growth of this publishing
about fair use and other matters which are central to these ill
Finally, there is great opposition to the treaties by the
to conclude this Diplomatic Conference without taking action on
any of the treaties.
Union for the Public Domain, Computer Professionals for Social
Responsibility, Consumer Project on Technology, Net Action, Citizen
Advocacy Center, AIDS Education Global Information System, Visual
Resources Association, Utility Consumers' Action Network, Alliance for
Sources of Information about the WIPO Treaties on the Internet:
Against the Treaties:
Union for the Public Domain http://www.public-domain.org
Digital Future Coalition http://www.dfc.org/dfc
For the Treaties
Creative Incentive Coalition http://www.cic.org
For comments on this letter, contact James Love, +1 202 387 8030;
Home +1 xxx xxx xxxx [redacted for privacy reasons - firstname.lastname@example.org];
 PSI, Net, America Online, Bell Atlantic, BellSouth, Compuserve, MCI,
MFS Communications, Netcom On-line Communications, NYNEX, Prodigy, UUNET.
Subject: What YOU Can Do
* The Communications Decency Act & Other Censorship Legislation
The Communications Decency Act and similar legislation pose serious
threats to freedom of expression online, and to the livelihoods of system
operators. The legislation also undermines several crucial privacy
Supreme Court. But, bowing to pressure from theocratic organization,
Congress is likely to introduce and attempt to pass a slightly modified
version. Let your legislators know you will not stand for censorship,
nor for the wasting of millions of tax dollars on years of Supreme Court
litigation over laws that should never have even been proposed much less
Business/industry persons concerned should alert their corporate govt.
affairs office and/or legal counsel about such censorship measures,
TODAY, while there is still time to plan.
Join in the Blue Ribbon Campaign - see http://www.eff.org/blueribbon.html
Support the EFF Cyberspace Legal Defense Fund:
for information to email@example.com.
censorious legislation is turning up at the US state and non-US
national levels. Don't let it sneak by you - or by the online activism
community. Without locals on the look out, it's very difficult for the
Net civil liberties community to keep track of what's happening locally
as well as globally.
* Find Out Who Your Congresspersons Are
Writing letters to, faxing, and phoning your representatives in Congress
s one very important strategy of activism, and an essential way of
making sure YOUR voice is heard on vital issues.
try contacting your local League of Women Voters, who maintain a great
that matches Zip Codes to Congressional districts with about 85%
Computer Currents Interactive has provided Congress contact info, sorted
by who voted for and against the Communications Decency Act:
fortunately, been voted out of office.)
* Join EFF!
You *know* privacy, freedom of speech and ability to make your voice heard
n government are important. You have probably participated in our online
campaigns and forums. Have you become a member of EFF yet? The best way to
opinions heard. EFF members are informed and are making a difference. Join
For EFF membership info, send queries to firstname.lastname@example.org, or send any
message to email@example.com for basic EFF info, and a membership form.
EFFector Online is published by:
The Electronic Frontier Foundation
San Francisco CA 94103 USA
+1 415 436 9333 (voice)
+1 415 436 9993 (fax)
Membership & donations: firstname.lastname@example.org
Legal services: email@example.com
General EFF, legal, policy or online resources queries: firstname.lastname@example.org
Editor: Stanton McCandlish, Online Activist, Webmaster (email@example.com)
This newsletter is printed on 100% recycled electrons.
Reproduction of this publication in electronic media is encouraged. Signed
articles do not necessarily represent the views of EFF. To reproduce
ually at will.
To subscribe to EFFector via email, send message body of "subscribe
effector-online" (without the "quotes") to firstname.lastname@example.org, which will add
you to a subscription list for EFFector.
Back issues are available at:
To get the latest issue, send any message to email@example.com (or
firstname.lastname@example.org), and it will be mailed to you automagically. You can also get
the file "current" from the EFFector directory at the above sites at any
time for a copy of the current issue. HTML editions available at:
at EFFweb. HTML editions of the current issue sometimes take a day or
longer to prepare after issue of the ASCII text version.
End of EFFector Online v09 #15 Digest