+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
 
ACM WASHINGTON UPDATE
U.S. Office of Public Policy of the Association for Computing
Machinery
 
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
 
December 8, 2000 Volume 4.8
 
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
CONTENTS
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

INTRODUCTION

POLICY BRIEFS:
ICANN Approves New Top Level Domain Names
ICANN Proposes At Large Study; Solicits Comments; ICC Reacts
COE Cybercrime Treaty Revised
DOJ Releases Cybercrime Treaty FAQ
Carnivore Review Released
Neumann Paper on Vote Tabulation

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
INTRODUCTION
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

The Association for Computing Machinery is an international
professional society whose 80,000 members (60,000 in the U.S.)
represent a critical mass of computer scientists in education,
industry, and government. The USACM provides a means for promoting
dialogue on technology policy issues with United States policy makers
and the general public. The WASHINGTON UPDATE reports on activities
in Washington that may be of interest to those in the computing and
information policy communities and highlights USACM's involvement
in many of these issues.

To subscribe to the ACM WASHINGTON UPDATE send an e-mail to
listserv@acm.org with "subscribe WASHINGTON-UPDATE" (no quotes) in
the body of the message. Back issues are available at:
http://www.acm.org/usacm

For information about joining the Association for Computing
Machinery, see: http://www.acm.org/membership/join.html

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
POLICY BRIEFS
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
ICANN APPROVES NEW TOP LEVEL DOMAIN NAMES

On November 16, ICANN selected registrars for new top level domain
names: .aero - Societe Internationale de Telecommunications
Aeronautiques SC, .biz - JVTeam, LLC, .coop - National Cooperative
Business Association, .info - Afilias, LLC, .museum - Museum Domain
Management Association, .name - Global Name Registry, LTD, and .pro -
RegistryPro, LTD. Negotiations with potential registrars are scheduled
for completion on December 31, 2000. Afterwards, ICANN will forward
its recommendations to the U.S. Department of Commerce, which will give
final approval.

More information is available at:
http://www.icann.org/announcements/icann-pr16nov00.htm

More information on the selection of the top level domain names is
available at:
http://www.icann.org/tlds/
http://cyber.law.harvard.edu/icann/la2000/

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
ICANN PROPOSES AT LARGE STUDY; SOLICITS COMMENTS; ICC REACTS

The ICANN board has announced a comprehensive study of the concept,
structure and processes relating to an "At Large" membership for the
Corporation. The study will discuss whether the ICANN board should
include At Large directors, the optimal selection of At Large
directors, how many At Large directors there should be, and what the
function and composition of the At Large membership should be. ICANN
is soliciting comments for the Clean Sheet study through December
27th. ICANN's study posits a need to avoid "fraud, abuse or capture
by determined minorities."

ICANN At Large members have formed the Interim Coordinating Committee
to promote participation in ICANN by Internet users, facilitate
self-organization of the ICANN At Large members and foster democratic
participation in the ICANN process. Perhaps the highest priority item
for ICC is responding to the ICANN At Large study and advocating an
increased role for At Large members. Other issues of ICC concern
include the legal status of At Large members and the availability of
membership data and access to the ICANN-Announce mailing list.

More information is available at:
http://www.icann.org/at-large/study-comments.htm

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
COE CYBERCRIME TREATY REVISED

The Council of Europe has released version number 24 of the Draft
Treaty on Cybercrime. The most recent draft is a revision of the
Treaty made in response to objections by civil liberties groups to the
prior incarnation of the Treaty. The Treaty was redrafted on November 19.
Civil liberties groups objected to the mandatory retention of
records, provisions that could implicate security testing, the
expansion of criminal copyright infringement and provisions that
could be used to require ISPs to control the availability of third
party information.

The Global Internet Liberty Campaign wrote a letter to the Council of
Europe, criticizing the Cybercrime drafts. One of the organizations
signing that letter was the ACM.

Version 24 is available at:
http://conventions.coe.int/treaty/EN/projets/cybercrime24.htm

Version 22 is available at:
http://conventions.coe.int/treaty/EN/projets/cybercrime22.htm

The Global Internet Liberty Campaign's letter to the Council of
Europe on the Cybercrime Draft is available at:
http://www.gilc.org/privacy/coe-letter-1000.html

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
DOJ RELEASES CYBERCRIME TREATY FAQ

In concert with the release of the revised COE Treaty, the Department
of Justice released a Frequently Asked Questions (FAQ) document. The
FAQ describes the US role in the Cybercrime Treaty, the Treaty's
timetable, and the implementing legislation that would be necessary for
the US to sign the Treaty, and attempts to answer objections raised by
civil liberties groups. The FAQ says that, in order for the US to
ratify the Treaty, US law must 1) eliminate the minimum dollar damage
threshold for federal computer fraud liability, 2) prohibit the
possession and traffic of devices and programs designed to damage
systems or data, and 3) increase criminal copyright liability. The FAQ
also explained how to comment on the Treaty.

In response to civil liberties objections, the FAQ claims:
1) that the Treaty requires prohibitions of "hacker tools" only when
the possession is with intent to commit further crimes defined
by the Treaty,
2) that prohibition on pornography that "appears" to be child
pornography is both constitutional and necessary,
3) that requirements for mandatory retention of ISP data will be
triggered only when the ISP has the data and can be ordered to preserve
the data, and
4) that ISP liability for third party content only applies when the ISP
is aware of the content of the data.
 
The FAQ is available at:
http://www.usdoj.gov:80/criminal/cybercrime/COEFAQs.htm

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
CARNIVORE REVIEW RELEASED

The independent review of the Carnivore email interception device
used by the Federal Bureau of Investigation has been released and
posted.

In summary, the review found that if Carnivore was used correctly, it
provided investigators "with no more information than is permitted by
a given court order," that Carnivore posed no security risk to the
ISP where it was installed, that Carnivore reduced but did not
eliminate the risk of unauthorized monitoring of communications by
FBI personnel and that while "operational procedures or practices
appear sound, Carnivore does not provide protections, especially audit
functions, commensurate with the level of the risks." Technical
comments on the Draft Report were due on December 1. The IIT Research
Institute will publish a final report on December 8.

OpenCarnivore, a group composed of Stephen Bellovin, David Farber,
Peter Neumann (all ACM members) and others, released formal comments
on the independent review on December 3, 2000. The issues raised by
the formal comments on the independent review included the lack of
evidence of a systematic search for bugs, such as potential buffer
overflows, a "lack of analysis of operational and 'systems' issues,
including interactions between the Carnivore code and its host
environment and operating system," and the inadequacy of the discussion
of audit and logging, which was considered especially serious in
light of the use of "PC Anywhere" and "Administrator" logins for
remote access.

The Draft Review is available at:
http://www.usdoj.gov/jmd/publications/carnivore_draft_1.pdf

The formal comments are available at:
http://www.crypto.com/papers/carnivore_report_comments.html

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
NEUMANN PAPER ON VOTE TABULATION

Rebecca Mercuri and Peter Neumann's January Inside Risks column in
Communications of the ACM detailed the potential for error in the
automation of vote tabulation. The column advocates the return to
lever-style voting machines:
"For decades, voters have been required to use inherently flawed
punched-card systems, which are misrepresented as providing 100%
accuracy ('every vote counts') -- even though this assertion is
widely known to be patently untrue. Lest you think that other voting
approaches are better, mark-sense systems suffer from many of the
same problems described above. Lever-style voting machines offer more
security, auditability, and a significantly better user interface,
but these devices have other drawbacks -- including the fact that no
new ones have been manufactured for decades."

A copy of the Inside Risks column is available at:
http://www.csl.sri.com/neumann/insiderisks.html

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Washington Update is a biweekly publication of the U.S. Public Policy
Office of the Association for Computing Machinery. http://www.acm.org/usacm