Minutes of the Computer System Security and
Privacy Advisory Board Meeting
June 2-4 1998
National Institute of Standards and Technology
Gaithersburg, MD


Tuesday, June 2, 1998

A quorum being present, the meeting was called to order by 
Chairman Willis Ware at 9:00 a.m.   In addition to the 
Chairman, those members present were: Genevieve Burns, John 
Davis, Addison Fischer, Joe Leo, Randy Sanovic, George Spix, 
George Trubow, Linda Vetter, and Jim Wade.  The Board 
Secretary, Ed Roback, welcomed the members and reviewed the 
agenda and related handout material that had been provided.
Chairman Ware discussed briefly the latest announcement of 
the PDD63 effort and the related press report by James 
Anderson of UPI.

US Government Perspective on Privacy Issues
Richard Guida
Department of the Treasury

The Board received a briefing by Mr. Richard Guida, newly 
appointed GITS Security Champion [Reference #1].  Access to 
the FPKI Steering Committee can be found at the following 
website address: [http://www.gits.fed.gov/].
Mr. Guida has initially spent the majority of his time 
dealing with the question of the federal public key 
infrastructure.  In his presentation to the Board he 
reviewed the goal, charter and activities, current agency 
actions, key recovery demonstration project and the 
challenges.  He distributed copies of an action plan for the 
committee [Reference #2].    He referred to a document 
entitled Access with Trust and a report of Phase I Key 
Recovery Demonstration Project.  Both are expected to become 
public by the end of June.    Mr. Guida indicated that it 
had not been decided just where the Bridge Certification 
Authority would reside within the federal government, but 
suggested perhaps at NTIS.   Over three dozen PKI 
applications are in various stages of use, and there are 
four principal PKI initiatives.    The Phase II effort is 
expected to be underway sometime late this summer/early 
fall.  He sees the challenges ahead as the uncertainty in 
general and fear of the unknown, questions of liability, 
fraud interoperability and whether or not there is a 
“business case” for an application.   With regard to the 
question of funding for the next several years, Phase II 
funding is expected to come from support by all the 
agencies.   The current staff is made up of Mr. Guida and 
Denise Silverberg.   He hopes to add staff from other 
agencies.  His goal is to have the Federal PKI Steering 
Committee serve as the policy management authority (PMA) for 
the government.  Mr. Guida will be invited to attend future 
Board meetings to provide activity updates to the Board.   
[Action:  Secretariat]
Board Discussion

For the record, all confidential financial disclosure and 
foreign agents forms have been received from the Board 
members.
A motion was made by George Trubow and seconded by George 
Spix to accept the minutes of the March 1997 Board meeting.  
The motion was unanimously approved.
Willis Ware asked how the Department of Commerce/National 
Institute of Standards and Technology  (DOC/NIST) and 
National Security Agency (NSA) are planning to respond to 
the activities as outlined in the PPD63.    Mr. Roback said 
that Commerce will have a major portion of work activity but 
it was unlikely that NIST would be in the lead for the 
Department.
U.S. Government Perspective on Privacy Issues
Duaine Priestly
International Trade Administration [ITA]

Mr. Priestly attended on behalf of Barbara Wellbery, General 
Counsel for National Telecommunication and Information 
Administration [NTIA], who was unable to attend because of 
an unexpected schedule conflict.    Mr. Priestly provided 
information on ITA’s efforts to focus on privacy and the 
future of electronic commerce.  The greatest threat to 
electronic commerce is its privacy impact.     Statistics 
show that there are currently 5.4 million people using the 
Internet to make purchases.  By 2002, ITA estimates that 45 
million people will use the Internet to make purchases of 
over $350 per person per year.     Also, 61% of the people 
currently not online would consider it if their personal 
privacy could be guaranteed.   ITA continues to work with 
NTIA to assure appropriate privacy guidelines are developed 
and implemented.

Mr. Priestly went on to discuss the Administrations views of 
self-regulation for protecting the privacy rights of 
individuals on the Internet.   He reviewed the 1980 OECD 
privacy principles/guidelines and indicated that these 
principles were recently reaffirmed.  It is anticipated that 
all the European Union (EU) members will implement a 1995 EU 
directive on privacy by October of this year.   The United 
States approach on this issue is for industry to be more 
self-regulatory but to have appropriate legislation in 
place.   In 1995, the Clinton Administration issued 
guidelines covering the global information infrastructure 
(GII) issue and Internet protection.  The Telecommunications 
Reform Act also contains provisions to protect personal 
privacy.

Secretary of Commerce Daley, NTIA Under Secretary Larry 
Irving, and Ira Magaziner have spent considerable time 
speaking to advocacy groups on the importance of this 
privacy matter.   The Information Technology Policy Council 
has developed a code of conduct to be implemented by the 
association, and, in October 1998 in Ottawa, there will be a 
ministerial meeting on electronic commerce which will focus 
on privacy as one of its major topics. 

Mr. Priestly offered the following email address containing 
current documentation on electronic commerce issues: 
www.ecommerce.doc.gov/.
NIST Project Updates - Part 1
Ed Roback
NIST

Ed Roback briefed the Board on the current activities of the 
development of the Advanced Encryption Standard (AES) 
[Reference #3].  The AES process was announced in January 
1997 and a call for candidate algorithms was issued in 
September 1997.   All complete and proper candidate 
algorithms will be announced at the first AES conference in 
August 1998 and public analysis will begin.   A second AES 
Conference will be held about March 1999, the finalist 
algorithm candidates will be announced in August 1999, and a 
third AES Conference will be held the Spring of 2000.   It 
is anticipated that the recommended AES will be forwarded to 
the Secretary of Commerce for approval in March 2001.  The 
expectation is that the algorithm will be good for a 25-30 
year period.
Next, Mr. Roback reported on the status of the Technical 
Advisory Committee to Develop a Federal Information 
Processing Standard for the Federal Key Management 
Infrastructure.  Their last meeting will be held on June 17-
19, 1998, where the final draft report will be discussed.  
Mr. Roback reviewed the strict focus of the Committee and 
the recommendations contained in the current draft report.  
Technology of Documentation Authentication  Systems (DAS), 
Inc.
Jeffery B. Ritter, Director, DAS, Inc.
Michael W. White, Technology Officer, DAS, Inc.

Mr. Jeffery Ritter, Director of DAS, presented an overview 
of the technology of DAS [Reference #4].   Their goal is to 
bridge the gap between the public sector and the government 
sector and the internet and electronic documentation.  His 
presentation included the challenges of electronic 
documents, the government’s perspective, design 
requirements, DocuGuard,™ the process which provides 
verifiable electronic documents, and the government’s 
emerging requirements.   The attributes of successful 
electronic commerce systems include core infrastructures 
that allow structured transactions, pre-established 
accounts, known participants or intermediaries, system rules 
governing verification, finality, error resolution, risk 
allocation, integration with existing laws, and trusted 
third party as content repository.  The government 
perspective is that the government has an essential function 
in assuring the integrity and authenticity of information.   
It is the repository and custodian of transaction records; 
venues for dispute resolution and proof, market 
integrity/licensing/public welfare; and commercial operating 
data.  Much of the information for which the government is 
custodian or auditor originates in the private sector.  The 
government remains the ultimate guardian of trust in the 
information assets of society and faces many challenges to 
build trust in the information society.  Mr. Ritter reviewed 
the DAS commercial design considerations.  Mr. White 
explained the technical functions of the DAS system.  
DocuGuard™ software products and services include 
workstation application, trusted custodial utility and 
certification authority and public key infrastructure.

Recessed at 4:45 p.m.


Wednesday, June 3, 1998

Board Discussion

The Board reconvened at 9:10 a.m.  Discussions included the 
topic of self-regulation issues.   The Board does not 
believe that the Administration’s current approach to the 
privacy issues with regard to the EU/OECD activities is on 
target.  The suggestion was made to consider inviting 
private sector industry representatives to attend a meeting 
to present their views on the self-regulation issue.  
[Action:  Secretariat]

The Board discussed the proposed new and prospective 
members’ informal guide that had been drafted by Board 
Secretary Ed Roback.   Several editorial changes were made 
to the guide.   A new draft will be done and sent to the 
members for their review and comment.  All agreed that it 
was a useful document.

Americans for Privacy Briefing
Greg Garcia, Coalition Manager
Americans for Computer Privacy (ACP)

Mr. Greg Garcia presented an overview of the activities of 
the Americans for Computer Privacy [Reference #5].    Their 
mission is to preserve individual privacy and institutional 
security, support eventual elimination of encryption export 
controls, and oppose new restrictions on domestic use. The 
coalition was officially started in March 1997 but has been 
informally active since 1992.    The membership consists of 
about 40 interest groups and 80 companies.  They represent 
industry vendors and users, financial services/
e-commerce, senior citizens, civil liberties, taxpayer 
advocates, and auto and petroleum industries.  Mr. Ed 
Gillispie is the Executive Director.  Mr. Garcia reviewed 
the status of the ACP’s discussions with the Administration 
and what the ACP proposal covers.   The ACP supports the 
SAFE Act.   Garcia suggested that this Board might be in 
position to suggest methods to establish a National Center 
for Secure Network Communications (NET) within the 
government.  There are two pieces of legislation on the Hill 
covering SAFE and E-PRIVACY.  The ACP has solicited the 
Administration to come to an expedient resolution of these 
two legislative proposals.  However, they do not anticipate 
that the Congress will accomplish this in this Congressional 
year, but remain confident that there will be resolution by 
the Administration in the future. 

Privacy Updates - Privacy, Crypto and CALEA Review
Marc Rotenberg, Director
Electronic Privacy Information Center (EPIC)

Mr. Marc Rotenberg updated the Board on recent privacy and 
cryptography issues [Reference #6].   In the privacy arena, 
Mr. Rotenberg reported that there are approximately 90 bills 
pending action on the Hill.    He reported that the 
Administration has a dilemma of whether or not to continue 
their current policies or change course.  There is support 
for self-regulation.  There has been an announcement of an 
electronic bill of rights; however, no plans have been 
forthcoming to implement it.  The issues they face include 
medical privacy, identity theft, kids privacy, Social 
Security Number protection, cellular privacy, and 
unsolicited commercial email.  They maintain their support 
for law enforcement access.  Internationally, they are 
opposed to the European Unions (EU) privacy directive.   
Rotenberg reported that, generally speaking, the perception 
is that in the privacy arena the United States has regressed 
over the past 20 years. 

On the cryptography front, he discussed the February 1998 
Global Internet Library Campaign (GILC) Report, Cryptography 
and Liberty:  An International Survey of Encryption Policy, 
a survey of international developments.   It is a 
comprehensive review of international policies indicating 
that few countries have restrictions on manufacture, use or 
sale of encryption products and service.   This report will 
be updated annually and is available at the website address 
[http://www.gilc.org].    Mr. Rotenberg said that there is 
still pending cryptography legislation  (Ascroft-Leahy, 
Goodlatte) on the Hill awaiting further action, however, he 
does not anticipate passage in this Congressional year.

CIO Security Committee Update
Dennis Steinauer, NIST

Mr. Dennis Steinauer of the NIST Computer Security Division 
reported on the 1998 objectives of the CIO Security 
Committee.   They plan to promote security awareness and 
held a security awareness workshop in February; issue a 
“best practices” report, and address technology and 
resources available today.  They are working on the 
transition of the Federal Computer Incident Response 
Capability (FedCIRC) effort from NIST to the General 
Services Administration (GSA) and have plans to identify 
technology resource issues and recommend solutions.   They 
also plan to work with others to identify innovative ways to 
fund security programs.

In response to a Board member’s query regarding NIST’s 
continued presence in the FedCIRC activities, Mr. Steinauer 
indicated that NIST will continue with the type of guidance 
it has given in the past and stay closely involved in this 
effort, in the statistical analysis effort in particular. 

Communications Assistance for Law Enforcement Act of 1994 
(CALEA) Implementation and Digital Signature Certificates
Daniel Weitzner, Deputy Director
Center for Democracy and Technology (CDT)

Mr. Dan Weitzner briefed the Board on two major issues that 
the CDT has been following: CALEA and Federal Digital 
Signature Certificate Authorities.  He stated that these 
issues are about the introduction of new technology that 
will have enormous impact on people’s privacy rights.  

The CDT sees CALEA as the last chapter in a thirty-year 
history involving federal wiretap laws and the attempt to 
balance constitutional privacy protections and law 
enforcement interests [Reference #7].   The CALEA contains 
both a floor and a ceiling on surveillance capabilities.   
While what is out there now is somewhat benign, next 
generation services will really push the law enforcement 
issues, stated Weitzner.    In a CDT filing to the Federal 
Communication Commission, the CDT invoked them to ensure 
that the fundamental privacy/law enforcement balance is 
adequately maintained and stated that it is their 
responsibility to prevent the imposition of capabilities 
that would upset the fundamental balance at the heart of the 
Act.

Mr. Weitzner said that the CDT feels there is a dramatic 
privacy dilemma in the certificate authority effort of the 
federal government.  They have reviewed procurement plans 
and other plans of the Public Key Infrastructure Steering 
Committee’s effort and regularly communicate with officials 
at the GSA.    What they have seen so far causes them 
overall worry that the government approach might work and 
thus create authentication architecture that has massive 
privacy problems.  CDT believes there could be too much 
federal involvement with the establishment of the PKI pilots 
to the determent of personal privacy.

Mr. Weitzner also mentioned that the Federal Trade 
Commission (FTC) would issue a report this month on a survey 
of websites to see which ones contained privacy policies.  
They have challenged the private sector to get their act 
together with regard to self-regulation issues.    
Preliminary reports indicate that of the approximately 
25,000 sites surveyed less than 10% of them have privacy 
policies.   The CDT is very encouraged by the self-
regulatory efforts though they haven’t seen much happening.  

Following Mr. Weitzner’s presentation, time had been set 
aside for public participation.  There being no public 
participation, the meeting was recessed at 4:55 p.m.


Thursday, June 4, 1998

The meeting was reconvened at 9:10 a.m.


NIST Projects Updates - Part II

The first presentation was an update on the activities of 
the FedCIRC project given by David Adler of GSA [Reference 
#8].  This activity is being transferred from NIST to GSA to 
administer.  Mr. Adler reviewed the FedCIRC concept, 
relationships, approach and services of this government-wide 
capability for computer incident response and handling.

Mark Wilson of NIST gave a briefing on the new NIST IT 
Security Training Guideline, Special Publication 800-16.  
[Reference #9].   The document is being printed in loose-
leaf format and is also available on-line at 
[http://csrc.nist.gov/training/welcome.html].   Highlights 
include the learning continuum, basic literacy and role-
based training.   Introductory copies of this training 
guideline will be distributed to the Board.  The Board was 
very complimentary of the work effort put into this document 
and extended thanks to the Federal Information Systems 
Security Educators Association (FISSEA) working group who 
were responsible for the development of the document.

Next, Fran Nielsen of NIST discussed the GITS security 
project training initiative [Reference #10].   This effort 
establishes a focal point for the development of IT SEC 
training materials for governmentwide use.  In March 1998, 
NIST received funding to continue this work effort.  Dr. 
Nielsen reviewed the proposed project plan that includes a 
repository of donated training material and how it will 
relate to SP-800-16.  A preliminary meeting with the 
original proposers of this project has been scheduled, a 
FISSEA work group has been established and a small purchase 
contract will be awarded to jump-start this work effort.

Board Discussion and Planning for September Meeting Agenda

The Board members considered a proposed resolution drafted 
by Board Members Genny Burns and Jim Wade to express their 
concerns about the Administration’s current policy on self-
regulation to meet the EU requirements of privacy for anyone 
conducting business within an EU country.[Reference #11].  
After reviewing this draft and further discussion the Board 
took the action to authorize the Chairman to prepare a 
letter to be sent to the Secretary of Commerce that would 
include the Board’s concerns on this matter.

Next the Board turned its attention to possible areas of 
interest that they wish to focus on at their September 
meeting.    Topics included:

? briefing by GITS Privacy Champion, Becky Burr
? update on GITS Security activities
? EU, OECD, US views on self-regulation
? FTC on-line privacy report
? BBBOnline, Inc. brief on self regulation and privacy 
issues
? NRC trustworthiness report
? update on activities of the CIO Security Committee
? update on activities of OMB/OIRA
? congressional updates on the Computer Security 
Enhancement Act
? medical privacy issues and the universal health care 
identifier
? NIST training initiative update


PCCIP/PDD63 Activities Update
Irvin Pikus, Commissioner
President’s Commission on Critical Infrastructure Protection

As a result of the efforts of the President’s Commission on 
Critical Information Protection, a Presidential Decision 
Directive #63 was issued on May 22, 1998.  Mr. Pikus 
presented an overview on the Administration’s policies and 
key elements of this directive.  It calls for the 
appointment of a national coordinator for security, 
infrastructure protection and counter-terrorism.  There will 
be a critical infrastructure assurance office established 
with the responsibility for protecting federal government 
critical infrastructures, especially cyber-based systems.  
The head of this office will be Dr. Jeffery Hunker.  

The Department of Commerce (DOC) role is as lead agency for 
the information and communications sector.  The National 
Information and Telecommunications Administration will be 
the lead DOC agency working collaboratively with NIST.   
Their role will be to assist federal agencies in 
implementing best practices for information assurance; work 
with Department of Defense and the private sector in 
developing security related best practice standards; develop 
plans for the protection of  “federal critical 
infrastructures;” and work with the White House’s Office of 
Science and Technology Policy on research and development 
strategies.

In response to the Board’s offer to help, Mr. Pikus said 
that the Board could be a good venue for policy issues, a 
forum to explore industry and government perspectives on 
critical infrastructure protection and could suggest ways to 
ensure that privacy concerns are taken into account.   
Chairman Ware mentioned that this Board had set a precedent 
with conducting forums for review of the Clipper Chip issue, 
and could hold privacy forums should they be 
invited/requested to do so by the CIAO.

Board Discussion


The Board directed Chairman Ware to prepare an appropriate 
letter to the Secretary of Commerce with copies to the 
Directors of NTIA and NIST offering the Board’s assistance 
with regard to the implementation of the PPD 63.   
Additional letters of our offer of assistance would also be 
sent to CIAO head, Dr. Jeffery Hunker and the Directors of  
DOC’s Bureau of Export Administration, National 
Telecommunications and Information Administration and 
National Institute of Standards and Technology.

Mr. Roback reported on the status of the government-member 
vacancy currently open on the Board.  He also reported that 
he plans to publish a Federal Register notice requesting 
nominations for candidates of membership.

There being no further business, the meeting was adjourned 
at 12:05 p.m.


References:

#1	Guida Presentation
#2	FPKI Steering Committee Action Plan
#3	Roback Presentation
#4	Ritter/White Presentation				
#5	Garcia Presentation				
#6	Rotenberg Presentation
#7	CDT filling to the FTC re CALEA
#8	Adler Presentation
#9	Wilson Presentation
#10	Nielsen Presentation				
#11	Draft proposed resolution