Welcome to Bob Bruen, who has agreed to edit Cipher's previously dormant book review section. In this issue he contributes reviews of two recent books on network security, and I am hoping for more reviews in future issues. If you have books to suggest, or you would like to assist him, you can write him at bruen@mit.edu.

Here are a few news tidbits that I didn't have time to include as full stories:

US non-counterfeitable Social Security Card studies: the Welfare Reform Bill of 1996, now enacted as P.L. 104-193, directs the Commissioner of Social Security to develop a prototype counterfeit- resistant social security card that will be:

• (A) be made of a durable, tamper-resistant material such as plastic or polyester,
• (B) employ technologies that provide security features, such as magnetic stripes, holograms, and integrated circuits, and
• (C) be developed so as to provide individuals with reliable proof of citizenship or legal resident alien status.

Prompted by a lawsuit filed by the ACLU against the state of Georgia, which has passed a law imposing criminal penalties on certain kinds of Internet communications, including some kinds of anonymous messages, the Washington Post noted editorially that 11 states have passed statutes restricting "Internet behavior" and wondered exactly who is covered by these laws -- people within the particular states? all traffic passing through them? The editorial hypothesized that the more local legislation is passed, the stronger will be the demand for anonymous remailers.

Crypto policy debates and activities: although several major companies agreed to get on board with the administration's Key Recovery program, others resisted. As of this mailing, no actual Executive Order has been released that would implement the announced policy, but it has been reported that the administration will name an official who will have the responsibility for marshalling international support for the policy. Japan announced that, under the Wassenaar Arrangement on Export Controls (successor to COCOM), it would lower the threshold above which government approval for crypto export orders is required from the previous $91,000 to about $450. The Internet Architecture Board and the Internet Engineering Steering Group protested the key recovery plan, saying that any type of escrow system would "inevitably weaken the security of the overall cryptographic system, by creating new points of vulnerability that can and will be attacked... Sound cryptographic practice dictates that users never reveal their private keys to anyone, even a certification authority." The White House has asked the Federal Networking Council Advisory Committee to come up with recommendations on information security issues, including the key recovery plan.

A Draft Treaty on Intellectual Property in Respect to Databases, prepared under the World Intellectual Property Organization (WIPO) drew considerable comment and criticism. The primary concern seems to be that scientific and technical data currently available to researchers without charge under fair-use exemptions may, under the proposed treaty, become accessible only via databases that charge for every access. Further information, including a copy of a letter from the heads of the National Academy of Sciences, National Academy of Engineering, and the Institute of Medicine to the Secretary of Commerce is available at http://ksgwww.harvard.edu/iip/intellec.html

Thanks to the many contributors whose names you will find throughout the issue; they have been so generous this month that I won't take up any more space here, except to urge all Cipher readers to keep the contributions coming.

Carl Landwehr
Editor, Cipher