Dear Readers,

This issue brings with it the program and registration information for the 1997 IEEE Security and Privacy Symposium. The program committee faced a difficult task this year, as paper submissions were up more than 50% over last year. Though this is hard on authors, it is good for the audience, and I think that George Dinolt and Paul Karger, with the advice of the Program Committee, have put together a very interesting two-and-a-half days.

The new year brought to Washington a new Congress that is already introducing security and privacy-related legislation and holding hearings. Tomorrow (if this reaches you on Monday), at 10 am, the second in a series of briefings on security in electronic communication and data storage is scheduled to be held in the Science Committee Hearing Room and will feature Daniel Geer, Daniel Lynch, Tsutomu Shimomura, Geoff Mulligan, Dan Farmer, and Gene Spafford. If you are in DC, you might care to visit, and if not, perhaps CSPAN will cover the briefing as well.

The EPIC web site already lists a dozen bills in the House and a half dozen in the Senate that are concerned with privacy. Among them are bills to repeal the Communications Decency Act, bills to prohibit denial of insurance based on genetic information, and even a "Consumer Internet Privacy Protection Act" that would require prior written consent before a computer service could disclose a subscriber's personal information to a third party. See URL for details.

The Federal Reserve Board, responding to congressional legislation, solicited public comment during the period from December 23 - January 31 on issues to be addressed in a study concerning public availability and use of social security numbers and other sensitive identifying information about consumers. The legislation was apparently stimulated by the Lexis P-Trak incident last year. The Board is required to report to Congress by March 31, 1997, including any suggestions for legislative change. See

The Department of Health and Human Services also sought public comment in January regarding issues in medical privacy. The Health Insurance Portability and Accountability Act passed last year requires HHS to adopt standards providing for "a standard unique health identifier for each individual, employer, health plan, and health care provider for use in the health care system" within 18 months of its passage. The National Committee on Vital and Health Statistics is to advise HHS about responses to this requirement.

The National Counterintelligence Center (NACIC), a multi-agency organization of the U.S. government, published a report warning that the Internet is the "fastest growing modus operandi for unsolicited correspondence using computer elicitation between foreign entities and cleared US companies and their employees." Some observers criticized the report as alarmist; you can read it for yourself at:

So far, this winter has treated Washington kindly. Though it was cold enough to skate on the canal during the Inaugural ceremonies, our only significant snowfall came last weekend bringing considerable beauty and relatively little trouble. I hope the weather (whether it's midwinter or midsummer) is as cooperative where you are.

Carl Landwehr
Editor, Cipher