Volume 3.08 April 11, 1996
 CDA Trial Update -- DoJ to Present Testimony  House Passes Health Care Bill  Congress to Vote on Terrorism Bill Next Week  Insiders Sell Info on 11,000 people from SSA Computers  California, Minnesota Debate Comprehensive Privacy Bills  Illinois to Stop Selling DMV Records  DOD Key Escrow System Problems Surface  Upcoming Conferences and Eventss
 CDA Trial Update -- DoJ to Present Testimony
The Justice Department will begin its defense of the Communications Decency Act (CDA) in federal court in Philadelphia on Friday, April 12. Somewhat surprisingly, the government plans to call only two witnesses. The first, Special Agent Howard A. Schmidt of the Air Force Office of Special Investigations, is (according to DOJ) "expected to present a demonstration and testify concerning access to information, including sexually explicit material, that is available online." The second witness will be Dr. Dan R. Olsen, Jr., Professor of Computer Science at Brigham Young University, who is expected to testify "concerning technical issues related to the 'safe harbor' defenses" under the CDA. Both government witnesses were examined by ACLU, EPIC and ALA attorneys in depositions conducted earlier this week. Agent Schmidt's testimony centered on his use of various Internet "search engines" to locate material he characterized as "sexually explicit." The downloaded images will be introduced as evidence on April 12. During his deposition, Schmidt declined to offer his opinion as to what kinds of information could be deemed "indecent" or "patently offensive" within the meaning of the CDA. Dr. Olsen of BYU described various approaches that could be employed to tag online material as inappropriate for minors, as well as technical means for restricting access to particular Internet sites through the use of "age verification" systems. Olsen asserted that these techniques would enable content providers to comply with the CDA, although he acknowledged that they are not widely available at the present time. Presentation of the government's case is expected to continue on Monday, April 15. If plaintiffs elect to present rebuttal testimony, it will be heard on April 26. The three-judge court has scheduled final legal arguments in the case for June 3. Additional information on the CDA constitutional challenge initiated by the ACLU, EPIC and a coalition of other organizations, is available at: http://www.epic.org/free_speech/censorship/lawsuit/
 House Passes Health Care Bill
On March 28, the House of Representatives approved HR 3103, the Health Coverage Availability and Affordability Act of 1996. The bill includes provisions on "Administrative Simplification" that affect the privacy of medical records. The provisions delegate all authority for the setting of privacy and security standards to the Secretary of Health and Human Services. The Secretary is given 18 months to issue regulations protecting the security and confidentiality of electronic medical records. To determine security, the regulations must take into account a number of factors which water down the security guidelines, while not examining the effect on health care of having insecure systems. The standards for privacy are similarly weak and leave HHS with nearly unfettered discretion to determine authorized and unauthorized uses. Another controversial area is the choice of the identification number. The bill requires that HHS choose the ID number and that "the Secretary shall take into account multiple uses for identifiers." There have been several indications that the HHS plans to use the Social Security Number (SSN) as the medical identification number since the Social Security Administration is part of HHS. However, unlike the Bennett bill (S. 1360), the House bill does not prevent states from enacting stronger medical privacy laws. While it does preempt states from enacting laws that require information to be maintained in written rather than electronic form, it allows states to adopt laws that "are more stringent than the requirements, standards, or implementation specifications under this part with respect to the privacy of individually identifiable health information." The Senate is also working on a health care bill introduced by Senators Kassebaum and Kennedy. That bill does not contain the administrative simplification provisions of the House bill. More information is available at: http://www.epic.org/privacy/medical/
 Congress to Vote on Terrorism Bill Next Week
A House-Senate conference committee is expected to vote next week on the controversial counter-terrorism bill. Earlier this week, the Republican members of the committee met behind closed doors to finish amending the bill. The full committee is scheduled to vote and approve the Republican changes on Monday. On Tuesday, the full Senate is expected to vote on the conference committee draft. The House is expected to vote on Wednesday or Thursday. Friday is the anniversary of the bombing of the Oklahoma City federal building and political pressure is on to have a bill completed by then. A Senate bill passed last year with several provisions increasing the collection of personal information and expanding wiretapping, including funding for the Digital Telephony bill. The House bill, stripped of those provisions, passed last month in a close floor vote. President Clinton has been pushing the conferees to include the Senate provisions in the final bill. The House members of the conference committee are Representatives Hyde (R-IL), McCollum (R-FL), Schiff (R-NM), Buyer (R-ID), Barr (R-GA), Conyers (D-MI), Schumer (D-NY), and Berman (D-CA). The Senate members are Hatch (R-UT), Thurmond (R-SC), Simpson (R-WY), Biden (D-DE), and Kennedy (D-MA). More information and the texts of the House and Senate bills is available at: HTTP://www.epic.org/privacy/terrorism/
 Insiders Sell Info on 11,000 people from SSA Computers
According the NY Times, several employees of the New York offices of the Social Security Administration are being investigated for leaking thousands of sensitive files from SSA to groups engaged in credit fraud. According to reports, several employees illegally examined over 11,000 records of individuals and disclosed Social Security Numbers and mothers' maiden names to fraudsters. One SSA employee examined 10,000 files since January 1995. Another ten employees pulled the records of over 1,200 other individuals. The records were then used to set up charge accounts in the victims' names. The SSA did not detect the illegal practices until Citibank informed the agency of a large amount of fraud involving stolen cards. A New York City public employee has been charged with fraud. No employees of the SSA have yet been arrested.
 California, Minnesota Debate Comprehensive Privacy Bills
In Minnesota, the state House of Representatives has passed HB 2816, an online privacy bill that would restrict service providers from disclosing consumers' information without their consent. It requires online providers to display pages setting forth their privacy policies and to ask subscribers to select the extent to which they authorize secondary uses of personal information. Individuals can sue for $500 and damages for each violation. The Minnesota House overwhelmingly passed the bill in early March, but the state Senate passed a bill that would only create a privacy study commission. The House rejected the Senate amendment and the bill currently is in a conference committee. A copy of the Minnesota House bill is available at: http://www.epic.org/privacy/internet/MinnHB2816.html In California, a hearing is scheduled for the first week of May on SB 1659, which would prohibit the use or distribution of personal information without the permission of the individual. The bill was introduced by State Senator Steve Peace of San Diego, who noted that current laws and self-help are not adequate: "so many files are kept on us without our knowledge that it would be a full-time job just trying to find out who has them." The bill includes findings on the California Constitution's right to privacy. It states: "No person or corporation may use or distribute for profit any personal information concerning a person without that person's written consent. Such information includes, but is not limited to, an individual's credit history, finances, medical history, purchases, and travel patterns." More information on efforts to stem the collection of personal information is available at: http://www.epic.org/privacy/junk_mail/
 Illinois to Stop Selling DMV Records
Illinois Secretary of State George Ryan announced on April 2 that the state would stop its 30-year practice of selling records from the Department of Motor Vehicles (DMV) to direct marketers starting January 1, 1997. The Illinois DMV currently sells information from driver's license applications and automobile registrations including the names, addresses, weights, and heights of individuals. More than 14,000 people had already asked to be removed from the DMV lists under a 1993 law. Ryan said that the change was being made at the request of thousands of citizens who were not aware of their ability to be removed from the lists. The lists will still be available for political and research purposes and to other government agencies and insurance companies. The state has earned an average of $600,000 per year on the sales.
 New Electronic Resources
The EPIC Privacy Archives have been expanded to include documents on 17 different areas of privacy. New information is available on ID cards, welfare reform, educational privacy, Cable TV records and Caller ID: http://www.epic.org/privacy The EPIC Online Guide to Privacy Resources has been updated to include new sites and conferences: http://www.epic.org/privacy/privacy_resources_faq.html
 Upcoming Conferences and Events
Information Leakage by World Wide Web Browsers: How to Blackmail Someone With Their Own Web Surfing Habits with Shabbir J. Safdar of Voters Telecommunications Watch. April 16, 1996. Washington, DC. Sponsored by the Institute for Computer and Telecommunications Systems Policy, George Washington University. Contact http://www.seas.gwu.edu/seas/ictsp/Activities/Seminars/. Colloque: Big Brother Quebec inc. April 17, 1996. Montreal, Canada. Sponsored by Association securite informatique de Quebec. Contact: A. Bayle (514) 395-8689 or email email@example.com. Conference on Technological Assaults on Privacy, April 18-20, 1996. Rochester Institute of Technology, Rochester, New York. Contact: Wade Robison, firstname.lastname@example.org, by FAX at (716) 475-7120, or by phone at (716) 475-6643. Electronic Democracy. April 24-25, 1996. Ottawa, Ontario. Sponsored by Riley Information Services. Contact: email@example.com or http://www.rileyis.com. RSA Day in Washington. April 25, 1996. Washington, D.C. Sponsored by RSA Data Security. Contact: Layne Kaplan Events (415) 340-9300 or http://www.rsa.com. Computerizing Medical Records and Health Information: The Societal Benefits and Privacy Issues with Professor Alan Westin and EPIC's Marc Rotenberg. April 26, 1995. Washington, DC. Sponsored by the Institute for Computer and Telecommunications Systems Policy, George Washington University. Contact http://www.seas.gwu.edu/seas/ictsp/ Activities/Seminars/. IEEE Symposium on Security and Privacy. May 6-8, 1996. Oakland, CA. Sponsored by IEEE. Contact: firstname.lastname@example.org or http://www.cs.pdx.edu/SP96. Workshop on Medical Records Privacy. May 10, 1996. Washington, DC. Sponsored by the Consumer Project on Technology. Contact Manon Ress (202) 387-8030 or email email@example.com. http://www.essential.org/cpt. Visions of Privacy for the 21st Century: A Search for Solutions. May 9-11, 1996. Victoria, British Columbia. Sponsored by The Office of Information and Privacy Commissioner for the Province of British Columbia and the University of Victoria. Program at http://www.cafe.net/gvc/foi Internet Privacy and Security Workshop. May 20-21, 1996. Haystack Observatory, MA. Sponsored by Federal Networking Council and MIT. Contact: firstname.lastname@example.org. InfoWarCon (Europe) '96, Defining the European Perspective. May 23-24, 1996. Brussels, Belgium. Sponsored by the National Computer Security Association. Contact: email@example.com. Practicing Law Institute's 16th Annual Institute on Computer Law: Understanding the Business and Legal Aspects of the Internet, June 17-18, 1996, San Francisco. firstname.lastname@example.org for info--or call 800/477 0300. Australasian Conference on Information Security and Privacy. June 24-26, 1996. New South Wales, Australia. Sponsored by Australasian Society for Electronic Security and University of Wollongong. Contact: Jennifer Seberry (email@example.com). Personal Information - Security, Engineering and Ethics. 21-22 June, 1996. Isaac Newton Institute, Cambridge. Sponsored by Cambridge University and British Medical Association. Paper submission due 10 May 1996. Contact: Ross Anderson (firstname.lastname@example.org). Privacy Laws & Business 9th Annual Conference. July 1-3, 1996. St. John's College, Cambridge, England. Contact: Ms. Gill Ehrlich +44 181 423 1300 (tel), +44 181 423 4536 (fax). Surveillance Expo 96. August 19-21. McLean, Virginia. Sponsored by Ross Associates. Contact: Marilyn Roseberry 703-450-2200. Fifth International Information Warfare Conference, "Dominating the Battlefields of Business and War", September 5-6, 1996. Washington, DC. Sponsored by Interpact, NCSA, OSS. Contact: email@example.com Advanced Surveillance Technologies II. Sponsored by EPIC and Privacy International. September 16, 1996. Ottawa, Canada. Contact: firstname.lastname@example.org or http://www.privacy.org/pi/conference/ 18th International Conference of Data Protection and Privacy Commissioners. September 18-20, 1996. Ottawa, Canada. Sponsored by the Privacy Commissioner of Canada. (Send calendar submissions to Alert@epic.org)
The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe, send email to email@example.com with the subject: "subscribe" (no quotes). Back issues are available via http://www.epic.org/alert/
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues relating to the National Information Infrastructure, such as the Clipper Chip, the Digital Telephony proposal, medical record privacy, and the sale of consumer data. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, email firstname.lastname@example.org, HTTP://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax). If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003. Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and funding of the National Wiretap Plan. Thank you for your support.