Computer underground Digest    Sun July 18 1993   Volume 5 : Issue 53
ISSN 1004-042X

Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)
Archivist: Brendan Kehoe
Shadow-Archivists: Dan Carosone / Paul Southworth
                   Ralph Sims / Jyrki Kuoppala
                   Ian Dickinson
Cpyp Editor: Etaoin Shrdlu, Senior

CONTENTS, #5.53 (July 18 1993)
File 1--CPSR Urges Revision of Secrecy System
File 2--CPSR/Berkeley Meeting on access to govt info
File 3--CU in da Newz
File 4--More CuD Sources for Non-Interneters --GEnie
File 5--Hyde For Wiretaps
File 6--Reply to Ferguson
File 7--Re: Cu Digest, #5.51 --The AIS BBS Incident
File 8--Viruses (Reply to Paul Ferguson)
File 9--Another Reply to Paul Ferguson (RE CuD 5.52)
File 10--CONGRESS ASKED FOR HEARINGS ON OWENS (INFO ACCESS) BIL

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically from tk0jut2@mvs.cso.niu.edu. The editors may be contacted by voice (815-753-6430), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115.

Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT libraries and in the VIRUS/SECURITY library; from America Online in the PC Telecom forum under "computing newsletters;" On Delphi in the General Discussion database of the Internet SIG; on the PC-EXEC BBS at (414) 789-4210; and on: Rune Stone BBS (IIRG WHQ) (203) 832-8441 NUP:Conspiracy; RIPCO BBS (312) 528-5020
CuD is also available via Fidonet File Request from 1:11/70; unlisted nodes and points welcome.
EUROPE: from the ComNet in LUXEMBOURG BBS (++352) 466893;
        In ITALY: Bits against the Empire BBS: +39-461-980493

ANONYMOUS FTP SITES:
  UNITED STATES: ftp.eff.org (192.88.144.4) in /pub/cud
                 uglymouse.css.itd.umich.edu (141.211.182.53) in /pub/CuD/cud
                 halcyon.com (202.135.191.2) in /pub/mirror/cud
                 aql.gatech.edu (128.61.10.53) in /pub/eff/cud
  AUSTRALIA:     ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD.
  EUROPE:        nic.funet.fi in pub/doc/cud. (Finland)
                 ftp.warwick.ac.uk in pub/cud (United Kingdom)

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Authors hold a presumptive copyright, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections.

----------------------------------------------------------------------

Date: Thu, 15 Jul 1993 16:58:33 EST
From: David Sobel
Subject: File 1--CPSR Urges Revision of Secrecy System

CPSR Urges Revision of Secrecy System

Computer Professionals for Social Responsibility (CPSR) has called for a complete overhaul in the federal government's information classification system, including the removal of cryptography from the categories of information automatically deemed to be secret.

In a letter to a special Presidential task force examining the classification system, CPSR said that the current system -- embodied in an Executive Order issued by President Reagan in 1982 -- "has limited informed public debate on technological issues and has restricted scientific innovation and technological development."

The CPSR statement, which was submitted in response to a task force request for public comments, strongly criticizes a provision in the Reagan secrecy directive that presumptively classifies any information that "concerns cryptology." CPSR notes that "while cryptography -- the science of making and breaking secret security codes -- was once the sole province of the military and the intelligence agencies, the technology today plays an essential role in assuring the security and privacy of a wide range of communications affecting finance, education, research and personal correspondence." With the end of the Cold War and the growth of widely available computer network services, the outdated view of cryptography reflected in the Reagan order must change, according to the statement.

CPSR's call for revision of the classification system is based upon the organization's experience in attempting to obtain government information relating to cryptography and computer security issues. CPSR is currently litigating Freedom of Information Act lawsuits against the National Security Agency (NSA) seeking the disclosure of technical data concerning the digital signature standard (DSS) and the administration's recent "Clipper Chip" proposal. NSA has relied on the Reagan Executive Order as authority for withholding the information from the public.

In its submission to the classification task force, CPSR also called for the following changes to the current secrecy directive:

* A return to the "balancing test," whereby the public interest in the disclosure of information is weighed against the claimed harm that might result from such disclosure;

* A prohibition against the reclassification of information that has been previously released;

* The requirement that the economic cost of classifying scientific and technical information be considered before such information may be classified;

* The automatic declassification of information after 20 years, unless the head of the original classifying agency, in the exercise of his or her non-delegable authority, determines in writing that the material requires continued classification for a specified period of time; and

* The establishment of an independent oversight commission to monitor the operation of the security classification system.

The task force is scheduled to submit a draft revision of the Executive Order to President Clinton on November 30.

The full text of the CPSR statement can be obtained via ftp, wais and gopher from cpsr.org, under the filename cpsr%crypto%secrecy_statement.txt.

CPSR is a national organization of professionals in the computing field. Membership is open to the public. For more information on CPSR, contact .

------------------------------

Date: Thu, 15 Jul 1993 11:09:05 -0700
From: "James I. Davis"
Subject: File 2--CPSR/Berkeley Meeting on access to govt info

Computer Professionals for Social Responsibility
Berkeley Chapter

Sunday, July 25, 1993
BMUG Office: 2055 Center Street
Berkeley, CA
2:00 - 4:00 p.m.

The Federal government produces information in nearly all areas of interest. It not only provides information about its own activities (Congressional Record and the Federal Register) and about the nation (census information), but also in areas of agriculture, commerce, science and even the arts.
Numerous laws have been enacted that mandate public access to Federal information. But the fact is that over the last decades, public access to Federal information has been steadily decreasing.

Where is Federal information policy going in an electronic age and under a new presidential administration? What is happening to the concept of "free access" to government documents in a period of economic retrenchment?

These and other government information issues will be discussed by Gary Peete, UCB Business/Economics Librarian and former head of the Berkeley Government Documents Department.

CPSR/Berkeley Chapter welcomes all interested persons to join us for this presentation and open discussion of the issues.

------------------------------

Date: 08 Jul 93 08:24:17 EDT
From: Gordon Meyer <72307.1502@COMPUSERVE.COM>
Subject: File 3--CU in da Newz

Captain Zap and Information Week
================================
The June 21, 1993 issue of Information Week magazine features a cover story on "Hackers for Hire: Would You Trust a Convicted Criminal to Test Your Network's Security?". Pictured on the cover is Ian "Captain Zap" Murphy, president of IAM/Secure Data Systems. IAM/Secure is a firm that employs people convicted of computer crimes to form so-called "tiger teams". Murphy claims to have made over $500,000 a year from his services.

Price Waterhouse also offers what it calls "Data Security Penetration Studies" although the firm does not employ any ex-hackers. It offers four levels of services, ranging from using "demon dialers" to find dial-ins to acting as a legitimate user trying to break security from the inside of the system.

The article includes comments from Dorothy Denning, Donn Parker, and Phrack prosecutor Bill Cook. The latter warns that firms hiring hackers may inadvertently hire someone who has been targeted by law enforcement.

Internal Hackers at Dillard's
=============================
The Dillard's department store chain reports that five employees of Norstan Communications broke into Dillard's automated special events ticket sales system. The store was selling tickets for the Phoenix Suns' NBA playoff games. The automated system was purchased from Norstan. Dillard's intends to press charges and beef up the security of the system. (Information Week. June 7, 1993. pg 8)

Royalty Attack
===============
The Information Industry Association (IIA) joined with business, library, public interest, and press representatives to criticize implementation of a law that directs a government agency to sell public information for a profit. The coalition filed comments to the Federal Maritime Commission in response to the FMC's proposed rules to charge royalty fees for access to and redistribution of public domain data in electronic formats. Calling the approach dictatorial, the IIA says the law "transgresses First Amendment principles and distorts the relationship between citizens and their government." (Communications of the ACM. May 1993. Pg 12 Reprinted with permission)

Data Breach Shocks Hospital Group
=================================
Information Week (June 14, 1993 pg 14) reports that an accidental security breach at the American Hospital Association revealed the names of 42 employees who were scheduled to be laid off the following week. The article states "The result of the June 4 security breach was total mayhem. Because the layoffs were a surprise to many of the targeted employees, AHA officials feared they or others might be tempted to retaliate. As a precaution, the AHA shut down its entire computer system that day, a Friday, and sent employees home early". The breach occurred because the confidential document was left in an unprotected subdirectory on a Unix server in the human resources department.

Fakeware?
=========
After Computer Associates announced that it would give away 1 million copies of a new finance package for Intel-based PCs, another company topped the offer by saying it would give away 2 million copies of its software. Unfortunately the other company, Minnesota Software, apparently doesn't exist. Many magazines were taken in by the offer, running stories about it, including Information Week. The state of Minnesota is investigating but says it is a low priority because few complaints have been received about the incident. (Information Week. July 5, 1993. Pg. 8)

SRI says 'Shhhh'
=============
SRI International, Inc (Menlo Park, CA) has released a report entitled "The State of Security in Cyberspace". According to the report the biggest security flaws in any computer system are the result of procedural and administrative weaknesses, not technical flaws. Most hackers, it says, gain admittance to networks by exploiting widely available, non-proprietary, and public information. SRI advises that above all else, companies should keep information about networks as proprietary as possible. (Information Week. July 5, 1993. Pg. 62)

------------------------------

Date: Mon, 19 Jul 93 03:43:00 BST
From: grmeyer@GENIE.GEIS.COM
Subject: File 4--More CuD Sources for Non-Interneters -- GEnie

This is part of our continuing series of where non-Internet users can find issues of CuD. This installment focuses on GEnie (General Electric Network for Information Exchange).

There are two main CuD repositories on GEnie. The PF*NPC RT and the Virus/Security RT.

PF*NPC (Public Forum/Non-Profit Connection) Roundtable   Keyword: PF
===================================================================
Issues of CuD can be found in the Computers & Technology section of the library (library #2). The library features a complete collection of CuD. If you're missing issues from prior years, this is the place to find them. All issues are compressed using ARC for cross-platform compatibility.
The library is kept up-to-date with all new CuDs, but there may be several days' delay until new issues are uploaded. (Uploading is usually done by Gordon, CuD co-mod, who may wait until two or three issues are waiting to be sent.)

If you're looking for a discussion of issues similar to those covered in CuD drop in on Category 7 (Technology) in the PF*NPC Bulletin Board. The bulletin board features many other topics of political and social interest.

Virus & Security Roundtable   Keyword: VSRT
=========================================
The Virus Roundtable on GEnie is loaded with files and discussion of interest to CuD readers. Issues of CuD are located in section four (publications) of the library. Issues appear here very quickly, usually just a day or two after they are released. They are compressed in ZIP format.

The Bulletin Board section of the Roundtable is filled with topics of interest. You'll find topics for encryption, security concerns, and (of course) viruses. A CuD discussion can be found in category 4 (Computer Security Discussions).

Obtaining CuD directly via GEnie
=================================
As of July 1, 1993 all GEnie subscribers have access to Internet mail. To obtain a subscription to CuD send a one-line message ('subscribe CuD') to the following address:

     tk0jut2@niu.bitnet@inet#

Note that the '@inet#' is specific to GEnie and signifies that the message is to be sent to the Internet gateway. You'll be added to the CuD mailing list and begin receiving new issues as they are released. Note that CuD issues are typically around 50K in length and are sent as regular ASCII text. If you want to save online time it would be best to download a compressed file from one of the Roundtables.

Signing up for GEnie
====================
The Virus and Security Roundtable invites CuD readers to sign-up for GEnie. Simply follow these directions....

1. Set your modem for half duplex (local echo), at 300, 1200 or 2400 baud.
2. Dial (toll-free) 1-800-638-8369.
   Upon connection, enter HHH (In Canada, dial 1-800-387-8330)
3. At the U#= prompt, enter XTX99259,GENIE and press RETURN.

If you need additional assistance, call 1-800-638-9636 (USA or Canada) to talk to a GEnie Client Services Representative.

Postscript/Errata
===================
In CuD 5.49 we ran a transcript of a GEnie Virus/Security Roundtable conference. We neglected to mention that the complete transcript is available for downloading in the Virus RT. Also, the transcript is Copyrighted (c)1993 GEnie. It was re-printed with permission.

------------------------------

Date: 11 Jul 93 12:51:42 EDT
From: Gordon Meyer <72307.1502@COMPUSERVE.COM>
Subject: File 5--Hyde For Wiretaps

One of the CuD co-editors recently wrote to Representative Henry J. Hyde (6th District - Illinois - Republican) and asked his position on the digital telephone requirements being sought by the FBI. The following is a verbatim copy of his reply.

Congress of the United States
House of Representatives
Washington, DC

Henry J. Hyde
6th District, Illinois
Committee: Judiciary, Foreign Affairs
Chairman: Republican Policy Committee

June 30, 1993

Dear Mr. Meyer:

Thank you for your letter. I believe that law enforcement agencies must be able to conduct wire surveillance over the telephone networks. As telephone companies upgrade our nation's telecommunications infrastructure, they must make sure that this vital investigative tool is not lost.

Presently, the Baby Bells and the FBI are conferring over how to ensure the future of wire surveillance in a way that will not retard the development of the phone networks. While I hope these negotiations succeed, I will support an appropriate legislative solution if one becomes necessary.

Thanks again for writing. Your comments were helpful and welcome.

Very truly yours,
[sig] Henry J.
Hyde

HJH:gmf

------------------------------

Date: Tue, 13 Jul 1993 06:32:01 -0700
From: Frank Tirado
Subject: File 6--Reply to Ferguson

((MODERATORS' NOTE: A letter circulated by Jim Lipschultz providing in-depth background on the AIS BBS incident has drawn considerable attention. Some readers apparently attributed Jim's letter to Frank Tirado. Here, Frank removes any misunderstandings)).

Apparently Fergie attributed Lipschultz's article to me. What follows is my response.

++++++++++++++++++++++++++++Original message++++++++++++++++++++++++++++

AN OPEN LETTER TO PAUL FERGUSON.

*******************************************************************
Message from Paul Ferguson to Cory Tucker:

"....I find your posts rather humorous, yet at the same time offensive. If Mr. Tirado wishes to confront the issue himself, I'd suggest he do so. His absence here in Fidonet or Usenet somehow diminishes his credibility. In the meantime, please refrain from posting such drivel....."
*******************************************************************

I went through the back issues of Crypt, as well as anywhere else I might have been quoted, to see what I might have said to so raise your ire. I'm left with the impression that you ascribe to me the article written by Jim Lipschultz, an article which I helped edit and which I personally found quite droll. Sorry, much as I would like to take credit for his work, the words are all his.

You say you found the article offensive? Frankly, that depends on who's on the receiving end, eh? I'd call it irreverent, at worst. Besides, you're a big boy and can handle this sort of thing without losing your cool....... can't you?

But I digress. I find it fitting that I am called upon to defend an issue about which I have strong feelings. But how to go about it? Anything I might say will simply be rehashing what is now history, and will not bring about an ex post facto resurrection of Kim's board.
Suffice it to say that, for the most part, my feelings and opinions, as well as those of most of my colleagues, parallel those of Jim's (though I doubt if I could get my point across with such savoir faire).

Let's take a look instead at what has been accomplished by shutting down the AIS board:

o The information which was on that board is now on four others. Obviously part of your carefully thought out strategy to eliminate such information from "legitimate" boards. If anything, these boards will provide the same services the AIS board did, but to a greater extent.

o Kim Clancy is now far more credible than before in the "underground", and an even more desirable commodity among the above-ground interests.

o Closing down the AIS board eliminated a major avenue for the propagation of viruses........ Oops! My imagination ran wild for a moment. You and I both know that not the slightest dent has been made in the flow of information which you and your cohorts find so objectionable.

o Now the virus boards cannot point at the AIS board and say: "If they're doing it, why can't we?" I'll grant you this one, but I really can't see virus boards using this defense very successfully, should it ever come to that.

o Those individuals who could "legally" (there was nothing illegal about any information obtainable through the AIS board) obtain useful and pertinent information from the underground will now probably gravitate towards hacker or virus boards. You think not? Let's wait and see.....

A major victory for the forces of Good? Not at all. Nothing has been accomplished other than to further inflate some people's already grossly bloated egos (you know who you are).

Your statement that my "absence here in Fidonet or Usenet somehow diminishes (my) credibility" is ludicrous. In other words, I'm outside of your control so my opinions don't count. Frankly, I reserve the right to disagree with you whenever our views differ.
If that means that I refuse to be subject to your petty satrapy, then so be it.

And, by the way, what would you say of the credibility of an individual who doesn't have the courage to sign his name to a message accusing someone else of excesses? At least Jim and I sign our names to our posts.

Put into the simplest terms, I see the AV community, with some few exceptions, evolving into a kind of priesthood whose Mysteries are composed of polymorphic viruses and source code, hidden behind a veil of mummery and sleight of hand. Never mind that virus authors and several hundred thousand people of all ages have access to that self-same information; as a security officer I only need to know what you tell me.

Of course, you only are doing this for my own good..... I don't think so. I find it next to impossible to implicitly accept the word of a group whose bottom line is the almighty dollar. Besides, as a self-regulating group you guys can't even police yourselves. I obtained my first 20 viruses from a vendor at the same conference where Peter Tippett first proposed not sharing viruses. The implications should be "crystal clear", considering the plethora of live viruses and source code floating around with the imprimatur of the major AV software developers.

The fact is that the members of the AV community are nowhere near the paragons of pulchritude they proclaim themselves to be, and the virus underground is not the Evil Empire. If the truth be told, there is both good and bad in each group.

Quis custodiet custodians? I find this statement apt as applied to the AV community in general. Who is watching you? I guess I shouldn't worry my little head about this, since you have only our best interests at heart.

Finally, here's my bottom line: I will do whatever I think best in order to accomplish my job effectively. If I must, I will collect viruses in order to test the claims of AV products, or source code so that I can understand the inner workings of viruses.
That includes access to 40-Hex, Nuke InfoJournal, and whatever else I can get my hands on. That's my decision to make, not yours. I encourage others to make their own decisions based on all available information, and not slavishly follow the dictates of some self-appointed virus gurus.

FRANK TIRADO

------------------------------

Date: Tue, 13 Jul 93 10:30:06 CDT
From: chris%canary%rio@UUNET.UU.NET(Chris Johnson)
Subject: File 7--Re: Cu Digest, #5.51 -- The AIS BBS Incident

After reading half a dozen articles about the AIS BBS controversy, I can't help but think that the whole thing smacks of some sort of personal vendetta on the part of Paul Ferguson against Kim Clancy. Perhaps he was only jealous of her growing professional reputation. Or maybe he made a pass at her only to be rebuffed for being the unethical fink that he is.

I'm not as willing as Jim Thomas to believe Paul Ferguson was sincere in his concerns. In fact, I don't believe he was at all, but rather his entire intent was to cause trouble for someone, probably Kim.

Jim Thomas also writes:

"Sadly, I must make one final comment. It's said that some people, angered at this affair, are planning to retaliate against those judged responsible. This would be an ethically bankrupt response. Predatory behavior decivilizes cyberspace just as it does the "real world." The best response to cyber-conflict usually is to air disputes in public and debate them aggressively and honestly. We need fewer, not more, razorblades in the sand if we're to create a civilized environment."

I agree, mostly, but the problem is the lack of communications between Cyberspace and the rest of the world.
No amount of airing disputes and debating them here in Cyberspace is going to correct the wrong-headed criticism from the print media, congressional members and staff, pressure to change from congressional members and staff, or any sort of reprimand, criticism or loss of reputation Kim Clancy has suffered from her superiors at the Bureau of Public Debt.

------------------------------

Date: Sun, 18 Jul 93 16:58:47 EDT
From: joec@CFCSYS.LINET.ORG(Joseph Christie)
Subject: File 8--Viruses (Reply to Paul Ferguson)

An open letter to Mr. Ferguson

I just could not read your response in CUD #5.52 (July 14 1993) without responding. I realize that you are probably quite busy reading (or trashing) large volumes of hate mail so I do not expect a response to this, I just wanted to share my thoughts on this issue with you.

In your article you say:

>I consider myself a proponent of freedom of
>information, but I also believe there are limits to one's freedom.
>In fact, I'm most fond of the adage,"The freedom to swing your fist
>ends when it meets my face." In other words, one's right to a
>particular freedom ends where it infringes on someone else's rights
>for safety or privacy, in this instance.

Using this logic we should close down or severely restrict access to gasoline stations since there is a known correlation between the number of gasoline related arsons and the availability of gasoline. Society has chosen a different approach, we attempt to teach social responsibility to all potential purchasers of this substance rather than excessively restricting access to it.

Repression or limiting access to anything, be it tangible goods or an idea, only creates a black market atmosphere among those who have illicit access in spite of the repression. This mystifies the good/idea and tends to make it more attractive to anti-social individuals. This encourages them to become involved in the activity and even creates or amplifies a competition atmosphere among those involved.

I would submit that the open exchange of ideas and information in this area would help to demystify viruses and their creation and lessen its "fad potential". There will always be those with a curiosity about viruses but if anyone can get a kit and whip out a virus in 5 or 10 minutes, then virus creators will not have the mythical status of folk heroes that was once bestowed on practitioners of this activity a few years ago.

Besides, I still think that some good can come from understanding viruses and how they work beyond the field of virus protection. I have a sneaky suspicion that one could learn a lot about how to write a virus program by studying how file compression programs like Stacker and Superstor work. They don't self replicate, but some of their operations seem virus-like other than that.

------------------------------

Date: Sun, 18 Jul 93 23:53:52 CDT
From: buhr@CC.UMANITOBA.CA
Subject: File 9--Another Reply to Paul Ferguson (RE CuD 5.52)

I read your article in the Computer Underground Digest, and I must admit that while your whole handling of the issue disgusts me, and I am actually approaching a state of violent illness just typing this, your pomposity really deserves some form of reproach.

Let's skip the preamble about what the distribution of virus code does or doesn't do, and let's cut right to the chase:

| I certainly claim no "moral high ground" on the issue. I took what I
| thought was the best venue of approach, which was to bring this topic
                                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
| out of the shadows and into the forefront for discussion.
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

You did no such thing. "Discussion" was the furthest thing from your mind. Call a spade a spade, man. You sent an anonymous message giving an inaccurate portrayal of the situation (when you apparently should have known better) to people you knew would react---not by rationally discussing the issue---but by taking extreme, immediate measures.
As a result, you've seriously damaged the reputation of someone who appears to be a very capable asset to the security community. You've removed a source of information on viral infections that---first-hand testimony has it---was a valuable tool. And you've set a precedent that will undoubtedly seriously skew the information content of that BBS's files. Those documented security flaws? Can't have those on here---this BBS is government funded. An explanation of the failings of such-and-such an encryption scheme? Whoa! Can't let that fall into the wrong hands.

Congratulations, you've won one (or more) for the bad guys!

And despite your pretense that you are taking great pains not to tread moral high ground, you clearly shot to kill---you manipulated the situation to ensure that your morality, and yours alone, would win the day.

As for your anonymity, in addition to affording you a cheap thrill with respect to the whole "cloak-and-dagger" atmosphere, it conveniently shielded you from any call to justify your accusations. In the end, you've gotten your just deserts---it's made you out to be a coward, and more people will remember you as such than I'd want were I in your shoes.

| Although I may not agree with what you may say, I would give my
| life for your right to freedom of expression.

You can't imagine how much I doubt this. Cheap lip service does very little for me. For your own sake, I hope you aren't the person your actions (and your writings) suggest.

| What happened to the hacker ethic? I seem to recall a "no damage
| clause" which still echoes in my mind, especially with the advent
| of this fiasco. "Damage?" "Damage," you say, "What Damage?" "AIS
| only made it available -- they're not responsible for what is
| done with it!"

Maybe you should think about your own "no damage clause".

Kevin

------------------------------

Date: Fri, 16 Jul 1993 17:07:01 EDT
From: love@ESSENTIAL.ORG
Subject: File 10--CONGRESS ASKED FOR HEARINGS ON OWENS (INFO ACCESS) BIL

Taxpayer Assets Project
Information Policy Note
June 12, 1993

WASHINGTON, June 12. Today 15 citizen groups wrote to Representative Gary Condit (D-CA) asking for hearings on HR 629, the Improvement of Information Access Act (IIA Act, sometimes referred to as the "Owens bill" after its sponsor, Rep. Major Owens of NY). Condit is the new Chair of the House Subcommittee on Government Information. This subcommittee has bottled HR 629 up for the past two years, due primarily to opposition to the bill by lobbyists for commercial data vendors.

Groups calling for hearings include the Taxpayer Assets Project, Computer Professionals for Social Responsibility, Public Citizen, Center for Media Education, Association of Research Libraries, Center for Civic Networking, the Information Trust, Consumer Federation of America, FAIR, Government Accountability Project, National Writers Union, Environmental Research Foundation, Federation of American Scientists, Essential Information, and the National Coordinating Committee for the Promotion of History.

The letter follows:

+++++++++++++++++++++++++++++++

June 12, 1993

Representative Gary Condit
Chair, Subcommittee on Government Information, Justice and Agriculture
Committee on Government Operations
U.S. House of Representatives
Washington, DC 20515

Dear Representative Condit:

We are writing to request that you hold a hearing of the Subcommittee on Government Information, Justice and Agriculture to consider HR 629, the Improvement of Information Access Act (IIA Act). This legislation, first introduced in 1991, is a very important proposal that would broaden public access to government information resources. The IIA Act reflects the views and needs of the research, education and library community.
The issues addressed in the bill are relevant to public access to government information in an era when computers are increasingly important.

The IIA Act addresses the following issues:

1. AGENCIES ARE GIVEN A MANDATE TO USE MODERN COMPUTER TECHNOLOGIES TO DISSEMINATE GOVERNMENT INFORMATION

Agencies are required to disseminate information in diverse modes and through appropriate outlets, including federal depository libraries, national computer networks such as the Internet, and other outlets. They must assure free or low-cost public access to Government information. Agency dissemination efforts must ensure the timeliness, usefulness, and reliability of the information for the public. Agencies are given a mandate to provide data users with adequate documentation, software, indexes, or other resources that will permit and broaden public access to Government information.

Why are these measures needed? While some agencies have taken bold and imaginative steps to broaden public access to Government information through the use of modern information technologies, other agencies actively resist efforts to broaden public access. This bill would give federal agencies a mandate to provide the types of information services and products that are important to data users.

2. STANDARDS

Agencies would be required to disseminate information products and services in standardized record formats. Agencies would be required to report annually on efforts to develop or implement standards for file and record formats, software query command structures, user interfaces, and other matters that make information easier to obtain and use, and also on agency provisions for protecting access to records stored with technologies that are superseded or obsolete.

The National Institute for Standards and Technology (NIST) and the National Records and Archives Administration (NARA) would be required to develop and periodically revise voluntary performance standards for public access to government records.

Why are these measures needed? Many federal agencies have not yet developed standards for information systems, and thus it is often difficult for agencies to share data or for the public to obtain access to agency information resources.

3. PRICING

The IIA Act would set a government wide limit on the prices the federal government can charge on information products and services. This price limit would be the incremental cost of dissemination, which is defined to exclude the costs of data collection. Agencies would not be allowed to impose royalties or other fees on the redissemination of federal government information.

Why are these measures needed? As federal agencies are faced with difficult fiscal pressures, they are looking at information resources as a source of income. Many agencies price electronic information products and services far above dissemination costs, and impose royalties and restrictions on the redissemination of information. Such policies erode the public's right-to-know, and lead to a society where information is rationed to the most affluent. The IIA Act limits user fees on information products and services to dissemination costs, which is the policy which has long been used for information published in paper formats. Limiting the prices for information products and services to the costs of dissemination is also consistent with the recently revised OMB Circular A-130.

4. PUBLIC NOTICE

Perhaps most importantly, the IIA Act would make the federal management of information resources more democratic.
Every year federal agencies would be required to publish a report which describes:

- the plans to introduce or discontinue information products and services,
- the efforts to develop or implement standards for file and record formats, software query command structures and other matters that make information easier to obtain and use,
- the status of agency efforts to create and disseminate comprehensive indexes or bibliographies of their information products and services,
- the means by which the public may access the agency's information,
- the plans for preserving access to electronic information that is stored in technologies that may be superseded or obsolete, and
- the agency plans to keep the public aware of its information resources, services and products.

Agencies would be required to solicit public comments on this plan, including comments on the types of information collected and disseminated, the agency's methods of storing information, their outlets for disseminating information, the prices they charge for information and the "validity, reliability, timeliness, and usefulness to the public of the information." The agency would be required to summarize the comments it receives and report each year what it has done to respond to the comments received in the previous year.

Why are these measures needed? It is essential that federal agencies become more involved with citizens at the grass roots as they design information policies. Citizens have important information regarding the way Government information is used, and they also have important insights regarding emerging information technologies. When issues such as standards are involved, it is essential to have regular and frequent input from citizens regarding the choice of standards, particularly since technologies are rapidly changing. These public notice provisions will empower citizens at the grass roots to shape federal policies in ways that benefit the public.
HEARINGS ARE NEEDED ON HR 629

While this important legislation has broad backing from the right to know community, and has been endorsed by such groups as Public Citizen, the American Library Association, Computer Professionals for Social Responsibility (CPSR) and the Taxpayer Assets Project, the Subcommittee on Government Information should schedule or conduct a hearing on this bill.

Sincerely,

James Love, Taxpayer Assets Project; P.O. Box 19367, Washington, DC 20036; 202/387-8030; love@essential.org
Paul Wolfson, Public Citizen; 2000 P Street, NW, Suite 700 Washington, DC 20036; 202/833-3000
Pam Gilbert, Congress Watch; 215 Pennsylvania Avenue, SE, Washington, DC 20003; 202/546-4996
Marc Rotenberg, Computer Professionals for Social Responsibility 666 Pennsylvania Avenue, SE, Suite 303, Washington, DC 20003; 202/544-9240; rotenberg@washofc.cpsr.org
Tom Devine, Government Accountability Project, 810 First Street, NE, Suite 630, Washington, DC 20002; 202/408-0034
Prue Adler, Association of Research Libraries, 21 Dupont Circle, NW, Washington, DC 20036; 202/296-8656l; prue@cni.org
Jeff Chester, Center for Media Education, P.O. Box 330039, Washington, DC 20033; 202/628-2620; cme@digex.net
Richard Civille, Center for Civic Networking, P.O. Box 65272 Washington, DC 20035; 202/362-3831; rciville@cap.gwu.edu
Page Miller, National Coordinating Committee for the Promotion of History; 400 A Street, SE, Washington, DC 20003; 202/544-2422
Scott Armstrong, The Information Trust, 1330 Connecticut Avenue, NW, Suite 220, Washington, DC 20036; 202/296-4833
Brad Stillman, Legislative Counsel, Consumer Federation of America, 1424 16th Street, NW, Suite 604, Washington, DC 20036 202/387-6121; bstillman@essential.org
Janine Jackson, FAIR, 130 West 25th Street, New York, NY 10011; 212/633-6700
John Richard, Essential Information, P.O.
Box 19405, Washington, DC 20036; 202/387-8034; jrichard@essential.org
Jonathan Tasini, National Writers Union, 739 West 186th Street Apartment 1A, New York, NY 10033; 212/927-1208; 76450.2377@compuserve.com
Peter Montague, Environmental Research Foundation, P.O. Box 5036 Annapolis, MD 21403; erf@igc.apc.org
Steven Aftergood, Federation of American Scientists, 307 Massachusetts Ave., NE, Washington, DC 20002; 202/675-1012 jstone@igc.apc.org

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
tap+info postings are archived at cpsr.org.
ftp: ftp.cpsr.org; gopher: gopher.cpsr.org; wais: wais.cpsr.org
To receive tap+info, send a note to tap+info+request@essential.org
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Taxpayer Assets Project, P.O. Box 19367, Washington, DC 20036;
v. 202/387+8030; f. 202/234+5176; internet: tap@essential.org
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

------------------------------

End of Computer Underground Digest #5.53
************************************