OTA report on privacy

1994-09-23

Source

Automatically imported from: http://commons.somewhere.com:80/rre/1994/OTA.report.on.privacy.html

Content

This web service brought to you by Somewhere.Com, LLC.

OTA report on privacy

```
Date: Tue, 11 Oct 1994 23:16:36 -0400 (EDT)
From: Stanton McCandlish
To: << everyone >>
Subject: OTA Report on Information Security and Privacy released (fwd)

Forwarded message:
From: mdexter@ops.ota.gov (Dexter, Martha Dir.,Info/Pub)
Subject: OTA Report on Information Security and Privacy released
Date: Tue, 27 Sep 1994 13:54:43 CDT

Reposted from GOVDOC-L:
----------------------------Original message----------------------------

September 23, 1994

---

INFORMATION SECURITY AND PRIVACY IN NETWORK ENVIRONMENTS

---

[The Office of Technology Assessment report "Information Security and Privacy in Network Environments" is now available. The report was released on September 23, 1994. Ordering information and details about electronic access are at the end of this message.]

As electronic transactions and records become central to everything from commerce and tax records to health care, new concerns arise for the security and privacy of networked information. These concerns, if not properly resolved, threaten to limit networking's full potential in terms of participation and usefulness, says the congressional Office of Technology Assessment (OTA) in a report released today.

Some 20 to 30 million people worldwide can exchange messages over the Internet. Every day U.S. banks transfer about $1 trillion among themselves, and New York markets trade an average of $2 trillion in securities. Nearly all of these transactions pass over information networks.

The report "Information Security and Privacy in Network Environments" focuses on safeguarding unclassified information in networks, not on the security or survivability of networks themselves, or on the reliability of network services to ensure information access.

Appropriate safeguards must account for--and anticipate--technical, institutional, and social changes that increasingly shift responsibility for safeguarding information to the end users, says OTA. The laws currently governing commercial transactions, data privacy, and intellectual property were largely developed for a time when telegraphs, typewriters, and mimeographs were the commonly used office technologies and business was conducted with paper documents sent by mail. Technologies and business practices have dramatically changed, but the law has been slower to adapt, says OTA.

Information safeguards, especially those based on cryptography, are achieving new prominence. OTA emphasizes that decisions about cryptography policy will affect the everyday lives of most Americans because cryptography will help ensure the confidentiality and integrity of health records and tax returns, speed the way to electronic commerce, and manage copyrighted material in electronic form. Congress has a vital role in formulating national cryptography policy, says OTA, and more generally in safeguarding electronic information and commercial transactions and protecting personal privacy in a networked society.

A field of applied mathematics/computer science, cryptography is the technique of concealing the contents of a message by a code or a cipher. The message is unintelligible without special knowledge of some secret (closely held) information, the key that "unlocks" the encrypted text and reveals the original text. Key management is fundamental to security. It includes generation of the encryption key or keys, as well as their storage, distribution, cataloging, and eventual destruction.

The federal government still has the most expertise in cryptography, says OTA. As a developer, user, and regulator of safeguard technologies, the federal government faces a fundamental tension between two important policy objectives: fostering the development and widespread use of cost-effective safeguards; and--through use of federal standards and export controls--controlling the proliferation of commercial safeguard technologies that can impair U.S. signals-intelligence and law-enforcement capabilities.

The concern is reflected in the ongoing debates over key-escrow encryption and the government's Escrowed Encryption Standard (EES). The Clinton Administration announced the "escrowed-encryption" initiative, often called the "Clipper chip," in 1993. This type of encryption is intended to allow easy decryption by law enforcement when the equivalent of a wiretap has been authorized. The Department of Commerce issued the EES, developed by the National Security Agency (NSA), as a federal information processing standard for encrypting unclassified information in February 1994.

The initiative in general and the EES in particular have seen intense public criticism and concern, OTA reports. The controversy and unpopularity stem in large part from privacy concerns and the fact that government-designated "escrow agents" will hold the users' cryptographic keys.

Congress has asked the National Research Council (NRC) to conduct a major study, expected to be available in 1996, which would support a broad review of cryptography. OTA presents several options for congressional consideration in the course of such a review. Because the timing of the NRC review is out of phase with the government's implementation of key-escrow encryption, one option would be to place a hold on further deployment of key-escrow encryption, pending a congressional policy review.

An important outcome of a broad review of national cryptography policy, says OTA, would be the development of more open processes to determine how cryptography will be deployed throughout society, including the development of infrastructures to support electronic commerce and network use of copyrighted materials. More openness would build trust and confidence in government operations and leadership and allow for public consensus-building.

OTA examines and offers policy options for congressional consideration in three areas: 1) cryptography policy, including federal information processing standards and export controls; 2) guidance on safeguarding unclassified information in federal agencies; and 3) legal issues and information security, including electronic commerce, privacy, and intellectual property.

Requesters for the report are the Senate Committee on Governmental Affairs and the House Subcommittee on Telecommunications and Finance.

OTA is a nonpartisan analytical agency that serves the U.S. Congress. Its purpose is to aid Congress with the complex and often highly technical issues that increasingly affect our society.

---

CONGRESSIONAL COMMENT

---

Senator John Glenn (D-OH) Chairman, Senate Committee on Governmental Affairs:

"In the new electronic age, we are relying more and more on information technology to streamline government, educate our children, make health care more accessible and affordable, and make our businesses more productive and competitive. This rush to embrace a new age of technology must not, however, obscure our ongoing responsibility to protect important information and maintain the personal privacy of citizens.

"Because we need policies and practices to match the reality of this new age, I joined with Senator Roth in asking the Office of Technology Assessment (OTA) to study security and privacy issues in the network environment. I am very happy to say that OTA's report provides an excellent summary of these issues. More importantly, OTA spells out clear steps that Congress and the Executive Branch should consider if we are to develop policies and practices equal to the task of providing security and privacy protections in an increasingly networked world.

"The Senate Committee on Governmental Affairs, which I chair, has already rung warning bells in this area. Our oversight of agency operations has uncovered threats to security and privacy as diverse as foreigners hacking into Department of Defense computers and IRS employees browsing through computerized taxpayer records. We must recognize that new technologies, particularly the development of computer networks, are leapfrogging security and privacy controls designed for a simpler time. Policies and practices for managing paper file cabinets simply are no match for the instantaneous world-wide flow of data through computer networks.

"Addressing the needs of this new world demands that we find fair balancing points among often competing imperatives for personal privacy, law enforcement, national security, governmental efficiency, and economic competitiveness. OTA's very insightful report highlights the need for the development of new security and privacy controls, which should be done openly, with thorough debate and public accountability. Therefore, in the next Congress, this Committee will continue its oversight of agency operations and will pursue legislation to ensure that government agencies handle data from citizens and businesses responsibly, and that government employees entrusted with maintaining security are held accountable for breaches or misuse of their responsibilities.

"I commend the Office of Technology Assessment for its timely and very insightful contribution to the development of policies and practices that can match the realities of the emerging electronic information age."

Senator William V. Roth, Jr. (R-DE), Ranking Republican, Senate Committee on Governmental Affairs:

"Since 1988, computer network security breaches have grown dramatically, increasing 50% per year on the Internet--today's information highway. The ability of the government to protect Americans' most private information is at stake. For example, the Internal Revenue Service is among those agencies who rely increasingly on computer networks for such things as filing tax returns. Anyone who pays federal taxes has to wonder who might be browsing through their personal financial data.

"We need to recognize the potential danger and act accordingly. Last year, I asked the Office of Technology Assessment to look at such problems and recommend changes. Its report highlights how today's government institutions are poorly structured to deal with information security. Moreover, the report underscores the fact that much more work must be done. I intend to pursue hearings on the report and amendments to the Computer Security Act."

---

HOW TO OBTAIN THIS REPORT

---

ORDERING INFORMATION: For copies of the 252-page report "Information Security and Privacy in Network Environments" for congressional use, please call (202) 224-9241. Copies for noncongressional use are available from the Superintendent of Documents for $16.00 each. To order, call (202) 512-0132 (GPO's main bookstore) or (202) 512-1800 and indicate stock number 052-003-01387-8. Or you can send your check or your VISA or MasterCard number and expiration date to Superintendent of Documents, P.O. Box 371954, Pittsburgh, PA 15250-7974, [FAX (202) 512-2250]. Federal Express service is available for an additional $8.50 per order. For free 8-page summaries, please call (202) 224-8996 or e-mail pubsrequest@ota.gov.

ELECTRONIC ACCESS: The full report is available electronically. To download via ftp from OTA, use the following procedures:

ftp to otabbs.ota.gov (152.63.20.13)
Login as anonymous.
Password is your e-mail address.

The files are located in /pub/information.security and the file names and sizes are:

01README.TXT (3K)
02ORDER.INFO.TXT (4K)
FOREWORD.TXT (3K)
ADVISORY.PANEL.TXT (3K)
STAFF.TXT (1K)
TOC.TXT (2K)
CH1.TXT (93K)
CH2.TXT (169)
CH3.TXT (172K)
CH4.TXT (299K)
APPC.TXT (36K)
APPD.TXT (3K)
APPE.TXT (4K)

Appendix A--Congressional Letters of Request and Appendix B--Computer Security Act and Related Documents--are not available electronically.

---

Martha Dexter
Director, Information Management
Office of Technology Assessment
mdexter@ota.gov
(202) 228-6233

---

Stanton McCandlish
mech@eff.org
Electronic Frontier Fndtn.
Online Activist
```
