============================================================= @@@@ @@@@ @@@ @@@@ @ @ @@@@ @@@@ @@@@@ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @@@ @ @ @@@@@ @ @@@ @@@ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @ @@@ @@@@ @ @ @@@@ @@@@ @ @ @ ============================================================= Volume 2.10 September 24, 1995 ------------------------------------------------------------- Published by the Electronic Privacy Information Center (EPIC) Washington, DC info@epic.org http://www.epic.org/ *Special Edition: International Privacy* --> CPSR Annual Conference is October 7-8 in Chicago <-- ======================================================================= Table of Contents ======================================================================= [1] PI Calls for CCTV Debate [2] PI/EPIC Conference Explores Surveillance Technologies [3] Dutch-Canadian Report Endorses Anonymity [4] CSA Announces Privacy Standards [5] Around the Globe: Privacy Notes [6] Upcoming Conferences and Events ======================================================================= [1] Privacy International Calls for CCTV Debate ======================================================================= [On September 8, ABC News 20/20 ran a special segment on Closed Circuit Television and the growth of surveillance technologies. Simon Davies, Director General of Privacy International, spoke about the threat to democratic government. He provided this statement from London] PRIVACY INTERNATIONAL BACKGROUND In recent years, the use of Closed Circuit Television (CCTV) in the UK has grown to unprecedented levels. Between 150 and 300 million pounds per year is now spent on a surveillance industry involving an estimated 200,000 cameras. According to the British Security Industry Association, more than three quarters of these systems have been professionally installed. Most towns and cities are moving to CCTV surveillance of public areas, housing estates, car parks and public facilities. Growth in the market is estimated at fifteen to twenty per cent annually. Many Central Business Districts in Britain are now covered by surveillance camera systems involving a linked system of cameras with full pan, tilt, zoom and infrared capacity. Their use on private property is also becoming popular. Increasingly, police and local councils are placing camera systems into housing estates and red light districts. Residents Associations are independently organising their own surveillance initiatives. Tens of thousands of cameras operate in public places,; in phone booths, vending machines, buses, trains, taxis, alongside motorways and inside Automatic Teller Machines. Barclays has pioneered the use of pin-hole cameras in its cash machines, and this lead is being followed by other banks. The government is heavily promoting the use of video surveillance as a key plank in its law and order strategy. One initiative was to offer a funding pot to support local CCTV projects. The Home Secretary first announced the CCTV competition on 18 October 1994. There were 480 bids from local authorities, community groups, schools and industrial estates. Nationally, more than one hundred schemes received a share of the 5 million funding, with a further 13.8 million levered in from other partnerships. National winners of the Home Office CCTV competition were announced in March. These systems involve sophisticated technology. Features include night vision, computer assisted operation, and motion detection facilities which allows the operator to instruct the system to go on red alert when anything moves in view of the cameras. Camera systems increasingly employ bullet-proof casing, and automated self defence mechanisms. The clarity of the pictures is usually excellent, with many systems being able to read a cigarette packet at a hundred metres. The systems can often work in pitch blackness, bringing images up to daylight level. According to statistics published by police districts and local councils, the effect on crime is dramatic. Car theft is reduced by up to ninety percent, while assaults and theft drop by as much as 75 per cent. IMPACT The justification for CCTV is seductive, but the evidence is not convincing. In a report to the Scottish Office on the impact of CCTV, Jason Ditton, Director of the Scottish Centre for Criminology, argued that the claims of crime reduction are little more than fantasy. "All (evaluations and statistics) we have seen so far are wholly unreliable", The British Journal of Criminology described the statistics as "....post hoc shoestring efforts by the untrained and self interested practitioner. In short, the crime statistics are without credibility. They are collected over too short a time, in dubious circumstances, and without regard for statistical conventions. Different categories of crime are indiscriminately combined, concealing possible increases in some and decreases in others. The crime statistics rarely, if ever, reflect the hypothesis that CCTV merely displaces criminal activity to areas outside the range of the cameras. One of the features of current surveillance practice is that the cameras are often installed in high-rent commercial areas. Crime may be merely pushed from high value commercial areas into low rent residential areas. Councils often find that it is impossible to resist demands for such systems. Originally installed to deter burglary, assault and car theft, in practice most camera systems have been used to combat what town officials call ''anti-social behavior,'' including many such minor offences as littering, urinating in public, traffic violations, fighting, obstruction, drunkenness, and evading meters in town parking lots. They have also been widely used to intervene in other undesirable behaviour such as underage smoking and a variety of public order transgressions. According to a Home Office promotional booklet, CCTV can be a solution for such problems as vandalism, drug use, drunkenness, racial harassment, sexual harassment, loitering and disorderly behaviour. Other innovative uses are constantly being discovered. The cameras are particularly effective in detecting people using marijuana and other substances. Authorities in Britain are slowly pushing out the limits of camera surveillance. For the past ten years, hospitals have used Covert Video Surveillance (CVS) to monitor parents who visit their children. These videos are taken by concealed cameras and microphones located behind the walls of specially prepared surveillance rooms, and are used in cases of unexplained injuries or illnesses. The video surveillance boom is likely to extend even inside the home. Andrew May, Assistant Chief Constable of South Wales, has urged victims of domestic violence to conceal video cameras in their homes to collect evidence. Michael Jack, then Minister for State at the Home Office was reported as responding that the idea brought a "freshness of approach" which highlighted the role of new technology. CONCERNS Privacy International believes the CCTV trend involves a number of grave risks. A situation is developing in which CCTV surveillance is so commonplace that fundamental changes are occuring in policing, community development policy and personal privacy. Privacy International is calling on the UK government to prohibit or restrict the use of three categories of CCTV equipment, and to institute a range of protections and legislation to cover all systems. The categories that require immediate restriction are : Computerised Face Recognition (CFR) systems that have the capacity to automatically compare faces captured on CCTV, with a database of facial images. Several police and commercial organisations are developing this technology. Manchester City Football Club has installed a system at its Maine Road Ground. Infra-red, high sensitivity equipment, and systems operating outside the visible light spectrum. These include Forward Looking Infra-red Radar (FLIR) systems able to detect activity behind walls, and infra-red systems able to detect activities in darkness. Miniature and micro-engineered devices designed for covert surveillance. Around 125,000 of these devices are sold each year from UK surveillance equipment outlets. The current legal situation is that visual surveillance escapes the cover of law. Privacy International believes this is an unacceptable situation. Surveillance should not be conducted without legal protections, and legislation should be passed without delay. Planning jurisdiction should be returned to Councils to re-establish some democratic mechanism in the development of wide-scale urban CCTV systems. There is a grave risk that the CCTV industry is out of control. Fueled by fear of crime, the systems take on a life of their own, defying quantification and quashing public debate. In a very short time, the systems have challenged some fundamental tenets of justice, and created the threat of a surveillance society. Other more traditional approaches to law enforcement and social justice are being undermined without due process. CCTV is emerging as one of this centuries most profoundly important developments, and its implications need urgently to be debated. [More information about Privacy International may be found at http://www.privacy.org/pi/] ======================================================================= [2] PI Conference Explores Surveillance Technologies ======================================================================= More than 60 people attended the joint EPIC/Privacy International conference on Advanced Surveillance Technologieson September 4, on Copenhagen, Denmark. Presentations explored the revolution in policing technologies, individual tracking in modern transportation systems, surveillance of Internet communications, and identification systems. The conference was reported in the Sunday Times of London, the New Scientist, and several other European publications. Privacy International and EPIC announced that they would host Advanced Surveillance Technologies II on September 17, 1996 in Ottawa, Canada in conjunction with the 18th International Conference of Data Protection and Privacy Commissioners. More information about the Advanced Surveillance Technology conference is available at http://www.privacy.org/pi/conference/ ======================================================================= [3] Dutch-Canadian Report Endorses Anonymity ======================================================================= The Dutch Data Protection Authority (Registratiekamer) and the Information and Privacy Commissioner for the Province of Ontario, Canada (IPC) have just released a new report "Privacy-Enhancing Technologies: The Path to Anonymity." The study is the first ever undertaken by two privacy agencies and offers a strong policy basis for privacy-enhancing technologies. The report recommends that: 1. International information systems design standards should be developed incorporating the need to examine whether an individual's identity is truly required for the operation of various process within the system. 2. At the design stage of any new information system, or when revising one, the collection and retention of identifiable personal information should be kept to an absolute minimum. 3. Consistent with the privacy principles that information system should be transparent and open to view to data subjects, they should also provide users with the ability to control the disclosure of their personal information. Data subjects must be placed in a position to decide for themselves whether or not their identity should be revealed or maintained in an information system. 4. Data protection commissioners, privacy commissioners and their staff should make every effort to educate the public and raise levels of awareness in the area of privacy-enhancing technologies. The use of privacy-enhancing technologies by public and private sector organizations should be also encouraged. The report is available from Office of the Information and Privacy Commissioner/Ontario, 80 Bloor St., West, Suite 1700, Toronto, Ontario Canada M5S 2V1 or 1/800-387-0073 416/326-3333 fax 416/325-9195. There is no cost for the report. ======================================================================= [4] CSA Announces Privacy Standards ======================================================================= The Canadian Standards Association has released a new report to promote privacy standards in the private sector, "Implementing Privacy Codes of Practice" is a comprehensive review of the development and implementation of privacy codes. The report includes the CSA Model Code and describes methods for implementation. The CSA Model Code is based on the following ten principles that should apply to all technologies and types of businesses: 1. *Accountability.* An organization is responsible for personal information under its control and shall designate a person who is accountable for the organization's compliance with the following principles. 2. *Identifying Purposes.* The purposes for which personal information is collected shall be identified but he organization at or before the time the information is collected. 3. *Consent.* The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. 4. *Limiting Collection.* The collection of personal information shall be limited to that which is necessary for the purposed identified by the organization. Information shall be collected by fair and lawful means. 5. *Limiting Use, Disclosure, Retention.* Personal information shall not be used or disclosed for purposed other than those for which it was collected, except with the consent of the individual as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes. 6. *Accuracy.* Personal information shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is being used. 7. *Safeguards.* Personal information shall be protected by security safeguards appropriate to the sensitivity of the information. 8. *Openness.* An organization shall made readily available to an individual specific information about its policies and practices relating to its handling of personal information. 9. *Individual Access.* Upon request an individual shall be informed of the existence, use, and disclosure of personal information about the individual and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. 10. *Challenging Compliance.* An individual shall be able to challenge compliance with the above principles with the person who is accountable within the organization. David McKendry, National Director of Consumer Affairs Consulting at Price Waterhouse and chair of the CSA's Technical Committee on Privacy, said "Consumers need to be assured that their personal privacy is not threatened in the information age." This is a comprehensive report that should be very useful to private organizations that are planning to implement privacy codes. The report includes particularly useful tips for making privacy codes work in practice such as organizational incentives for adopting privacy codes The report was prepared by Canadian privacy expert Colin Bennet who is also author of Regulating Privacy: Data Protection and Public Policy in Europe and the United States (Cornell 1992). More information about the CSA report is available from bankj@csa.mhs.compuserve.com or The Director, Standards Programs, Standards Development, Canadian Standards Association, 178 Rexdale Blvd., Etobicoke, Ontario, Canada M9W 1R3. ======================================================================= [5] Around the Globe: Privacy Notes ======================================================================= [From *Privacy Times,* an excellent newsletter on privacy issues. Contact Evan Hendricks at privacytimes@dgs.dgsys.com] Canadian Privacy Commissioner Bruce Phillips has issued a strong call for legislation giving consumers rights to control information about themselves held by banks, telecommunications firms and interpovincial transportation companies. "Reluctantly, and by stages I have come to the view that 'volunteerism' is inadequate," said Phillips. "Collection of personal information information, much of it without knowledge or consent, is now a huge business and getting more huge all the time. as individuals we have a right to exercise some control over this traffic, but all the jawboning of recent years has had little impact." Phillips report discuss the information superhighway, encryption, DNA, drug testing, and model privacy codes. Contact Office of Privacy Commission, 112 Kent St., Ottawa, Ontario K1A 1H3 613/995-2410, 613/995-1501 (fax). In New Zealand, Privacy Commissioner Bruce Slane has published a proceeding of the June 1995 Privacy Issues Forum held at the Victoria University of Wellington. The 280-page report covers technology, genetic information, surveillance and investigation, children's rights, employer/employees rights, credit reporting, tasks of a privacy officer, data matching and public registers. Slane has also announced the creation of a home page: http://www.kete.co.nz or http://www.kete.co.nz/privacy/welcome.htm. Contact: PO Box 466, New Zealand, (64-9 302 2160; 6-49 202-2305 (fax)). Elizabeth France, the United Kingdom's Data Protection Registrar, has issued he first annual report since replacing Eric Howe last September. "Using Law to Protect Your Information" discusses efforts to spread awareness and create a culture of data protection. Contact: D.P. Registrar, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; 44 625 535 711; 44 625 524 510 [fax]) ======================================================================= [6] Upcoming Privacy Related Conferences and Events ======================================================================= Electronic Democracy '95. October 2-3. Ottawa, Ontario. Sponsored by Riley Information Services. Speakers include Robert Ellis Smith, Jim Warren, Ontario Privacy Commissioner Tom Wright and Canadian National Archivist Jean-Pierre Wallot. Contact 416/593-7352, 416/593-0249 (fax) or email 76470.336@compuserve. *********************************** The Good, the Bad, and the Internet, A Conference on the Big Issues in Information Technology, CPSR Annual Meeting, 750 South Halsted, Chicago Circle Center, University of Illinois - Chicago, IL, October 7-8. Plenary sessions on: * Democratizing the Internet * Which way for Privacy and Civil Liberties ? * Technology and Jobs: New jobs ? No jobs? Rethinking work * Local Initiatives in Democratizing Technology * Election Year 1996: Towards a Technology Platform plus workshops, hands-on demos, and a virtual conference Contact: http://www.cs.uchicago.edu/discussions/cpsr/, http://www.cpsr.org/home, cpsrannmtg@cpsr.org ************************************* 18th National Information Systems Security Conference. October 10-13. Baltimore, MD. Sponsored by NSA and NIST. Contact: 301-975-3883. Smithsonian Institution, "Frontiers in Cyberspace: Encryption, Privacy, and Cybercodes. October 25, 1995. Marc Rotenberg, Director, Electronic Privacy Information Center (EPIC), Philip Zimmerman, Creator, Pretty Good Privacy (PGP); Stewart Baker, Attorney, Steptoe & Johnson. Contact: Melody Curtis (CurtisM@aol.com) Managing the Privacy Revolution. October 31 - November 1, 1995. Washington, DC. Sponsored by Privacy & American Business. Speakers include Mike Nelson (White House) C.B. Rogers (Equifax) and Marc Rotenberg (EPIC). Contact Alan Westin 201/996-1154. Innovation and the Information Environment. November 3-4. University of Oregon School of Law in Eugene, Oregon. Contact: Keith Aoki KAOKI@law.uoregon.edu. National Privacy and Public Policy Symposium. November 2-4., Hartford, Cosponsored by the Connecticut Foundation for Open Government. Contact Richard Akeroyd, rakeroyd@csunet.ctsateu.edu 203/566-4301 (tel), 203/566-8940 (fax) 22nd Annual Computer Security Conference and Exhibition. November 6-8, Washington, DC. Sponsored by the Computer Security Institute. Contact: 415-905-2626. Global Security and Global Competitiveness: Open Source Solutions. November 7-9. Washington, D.C. Sponsored by OSS. Contact: Robert Steele oss@oss.net. 11th Annual Computer Security Applications Conference: Technical papers, panels, vendor presentations, and tutorials that address the application of computer security and safety technologies in the civil, defense, and commercial environments. December 11-15, 1995, New Orleans, Louisiana. Contact Vince Reed at (205)890-3323 or vreed@mitre.org. Computers Freedom and Privacy '96. March 27-30. Cambridge, Mass. Sponsored by MIT, ACM and WWW Consortium. Contact cfp96@mit.edu or http://www-swiss.ai.mit.edu/~switz/cfp96 Conference on Technological Assaults on Privacy, April 18-20, 1996. Rochester Institute of Technology, Rochester, New York. Papers should be submitted by February 1, 1996. Contact Wade Robison privacy@rit.edu, by FAX at (716) 475-7120, or by phone at (716) 475-6643. Australasian Conference on Information Security and Privacy June 24-26, 1996. New South Wales, Australia. Sponsored by Australasian Society for Electronic Security and University of Wollongong. Contact: Jennifer Seberry (jennie@cs.uow.edu.au). Visions of Privacy for the 21st Century: A Search for Solutions. May 9-11, 1996. Victoria, British Columbia. Sponsored by The Office of Information and Privacy Commissioner for the Province of British Columbia and the University of Victoria. Program at http://www.cafe.net/gvc/foi 18th International Conference of Data Protection and Privacy Commissioners. Sponsored by the Privacy Commissioner of Canada. September 18-20, 1996. Ottawa, Canada. Advanced Surveillance Technologies II. Sponsored by EPIC and Privacy International. September 17, 1995. Ottawa, Canada. Contact pi@privacy.org International Colloquium on the Protection of Privacy and Personal Information. Commission d'acces a l'information du Quebec. May 1997. Quebec City, Canada. (Send calendar submissions to Alert@epic.org) ======================================================================= The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe, send the message: SUBSCRIBE CPSR-ANNOUNCE Firstname Lastname to listserv@cpsr.org. You may also receive the Alert by reading the USENET newsgroup comp.org.cpsr.announce. Back issues are available via http://www.epic.org/alert/ or FTP/WAIS/Gopher/HTTP from cpsr.org /cpsr/alert/ and on Compuserve (Go NCSA), Library 2 (EPIC/Ethics). ======================================================================= The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues relating to the National Information Infrastructure, such as the Clipper Chip, the Digital Telephony proposal, medical record privacy, and the sale of consumer data. EPIC is sponsored by the Fund for Constitutional Government and Computer Professionals for Social Responsibility. EPIC publishes the EPIC Alert and EPIC Reports, pursues Freedom of Information Act litigation, and conducts policy research on emerging privacy issues. For more information, email info@epic.org, WWW at HTTP://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. (202) 544-9240 (tel), (202) 547-5482 (fax). The Fund for Constitutional Government is a non-profit organization established in 1974 to protect civil liberties and constitutional rights. Computer Professionals for Social Responsibility is a national membership organization of people concerned about the impact of technology on society. For information contact: cpsr-info@cpsr.org If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003. Your contributions will help support Freedom of Information Act litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and funding of the National Wiretap Plan.. Thank you for your support. ------------------------ END EPIC Alert 2.10 ------------------------