   ==============================================================

     @@@@  @@@@  @@@  @@@@      @    @     @@@@  @@@@  @@@@@
     @     @  @   @   @        @ @   @     @     @  @    @
     @@@@  @@@    @   @       @@@@@  @     @@@   @@@     @
     @     @      @   @       @   @  @     @     @  @    @
     @@@@  @     @@@  @@@@    @   @  @@@@  @@@@  @  @    @

   ==============================================================
   Volume 5.11                                      July 29, 1998
   --------------------------------------------------------------

   Published by the
   Electronic Privacy Information Center (EPIC)
   Washington, D.C.

   http://www.epic.org

=======================================================================
Table of Contents
=======================================================================

Senate Makes Stealth Assault on Internet Free Speech
House Approves "Patients Rights Act," Undermines Privacy
New Report on Congress, Money and Privacy
FTC Proposes Privacy Legislation
Wiretap and Surveillance Update
Encryption Policy Update
New Bills and Action in Congress
Upcoming Conferences and Events

=======================================================================
Senate Makes Stealth Assault on Internet Free Speech
=======================================================================

Without advance notice or public discussion, the U.S. Senate last week approved three controversial measures that could adversely impact free expression on the Internet. By offering the provisions on the Senate floor as amendments to the $33 billion appropriations bill for the Commerce, State and Justice departments (S. 2260), the sponsors avoided debate and apparently reneged on an agreement to consider alternative approaches to the complex issue of children's access to "inappropriate" material.

The Senate's stealth action involved the following measures:

- The so-called "CDA 2" bill sponsored by Sen. Dan Coats (R-IN).
  The bill creates criminal penalties for anyone who "through the World Wide Web is engaged in the business of the commercial distribution of material that is harmful to minors" and fails to "restrict access to such material by persons under 17 years of age." Opponents of the bill contend that it, like the unconstitutional Communications Decency Act, would restrict the ability of adults to receive online information because speakers on the Internet are unable to determine the age of potential recipients.

- The "Internet School Filtering Act" sponsored by Sen. John McCain (R-AZ). The bill requires schools and libraries receiving federal Internet subsidies to install software "to filter or block matter deemed to be inappropriate for minors." Senate opponents of the filtering bill, led by Sen. Conrad Burns (R-MT), had been assured that the Senate would consider an alternative measure requiring schools and libraries to adopt Internet "acceptable use policies." That agreement was not honored.

- An amendment offered by Sen. Christopher Dodd (D-CT) requiring Internet access providers to, "at the time of entering into an agreement with a customer for the provision of Internet access services, offer such customer (either for a fee or at no charge) screening software that is designed to permit the customer to limit access to material on the Internet that is harmful to minors."

The Internet provisions of the appropriations bill must now be considered by a House-Senate conference committee that will reconcile discrepancies between the two chambers' versions of the spending bill. The Coats and McCain provisions are likely to be challenged in court if they emerge from the conference committee and are signed into law.

The text of the Internet-related amendments to S.
2260 (including a prohibition on Internet gambling) is available at:

     http://www.epic.org/free_speech/censorship/sen_amend_7_98.html

=======================================================================
House Approves "Patients Rights Act," Undermines Privacy
=======================================================================

The House of Representatives on July 24 approved a far-reaching bill on health care that seriously undermines the privacy of medical records. The Patients Rights Act -- the official Republican health care plan -- was approved by a partisan vote of 216-210. President Clinton had indicated that he would veto the bill.

Among the problems with the bill:

- The act permits very broad use of medical information. Under the version passed by the House, information can be disclosed or used "for the purpose of permitting the provider or plan to conduct health care operations." Health care operations is broadly defined and includes research, "health promotion," underwriting and auditing.

- The bill preempts states from enacting stronger acts in most areas. There are currently efforts in 16 states to approve laws on genetic privacy and several states have approved comprehensive state medical privacy laws. The weaker federal law would override these efforts.

- The bill is silent on law enforcement access to general medical records.

- The bill only provides weak penalties for disclosure and misuse. Fines can be as low as $500 and there are no criminal penalties for willful abuses. At most, a company that has a pattern of willfully abusing the privacy of its clients can be fined $100,000. There would also be no independent oversight body to enforce the act.

- While the bill prohibits the sale or barter of medical records, it does nothing about the cases where pharmaceutical companies purchase pharmacies to obtain information about their customers.

One positive aspect is a provision introduced by Rep.
Ron Paul (R-TX) that prohibits promulgation or final adoption of the national patient health identifier (See EPIC Alert 5.10) without prior Congressional enactment of legislation specifically approving the standard. Senators Ashcroft, Leahy and Burns have introduced a bill in the Senate that would strip those provisions from federal law altogether.

The Senate is planning to vote on its version of the bill, S. 2330 (the Patients' Bill of Rights Act) as soon as this week. S. 2230 is also weak on privacy. Observers believe that there may be an attempt to attach Senator Jeffords' S. 1921 (Health Care PIN Act) to S. 2230. Medical privacy experts consider that bill to be an assault on medical privacy.

More information on the Republican health care bills will be available shortly at a new site on medical privacy set up by the National Coalition for Patients' Rights at:

     http://www.nationalcpr.org

More information on medical privacy is also available from EPIC at:

     http://www.epic.org/privacy/medical/

=======================================================================
New Report on Congress, Money and Privacy
=======================================================================

The Center for Public Integrity, a Washington-based public interest research organization, has released a new report -- "Nothing Sacred: The Politics of Privacy" -- which shows that Congress has often put corporate interests ahead of the basic privacy interests of the American people. The report documents the efforts of various industry groups to block privacy legislation on Capitol Hill.

Chuck Lewis, the executive director of the Center, described the results at a press conference held earlier this week at the National Press Club. According to Lewis, when it comes to privacy "the agenda in Congress seems to be set mostly by commercial interests."
Lewis emphasized that the Center took no position on particular privacy legislation, but did say that Congress had an important role to help preserve, protect and defend what little privacy we have left.

The Center report cites numerous examples where bills were bottled up and effectively killed in Congressional committees when industry groups weighed in. According to the Center, in 1991 and 1993 at the behest of various corporate interests, Congress killed legislation that would have regulated the clandestine videotaping and wiretapping of workers on their jobs. In 1996, after lobbying by the direct-marketing industry, Congress killed a bill that would have restricted companies' gathering of information about children without their parents' consent.

Many of the most interesting findings in "Nothing Sacred" concern efforts by the insurance industry and the medical industry to oppose medical privacy legislation, a topic that is now pending on Capitol Hill (see above).

"Nothing Sacred: The Politics of Privacy" is available from the Center for Public Integrity, 1634 I Street, NW, Suite 902, Washington, DC 20006; 202-783-3900 (tel); 202-783-3906 (fax); email@example.com and on the Internet at:

     http://www.publicintegrity.org/nothing_sacred.html

=======================================================================
FTC Proposes Privacy Legislation
=======================================================================

Testifying before a House Commerce Subcommittee on July 21, Federal Trade Commission Chairman Robert Pitofsky outlined model privacy legislation for commercial transactions on the Internet. Under the FTC proposal, all commercial Web sites that collect personal identifying information from or about consumers online would be required to comply with four basic information practices: Notice, Choice, Security and Access. Pitofsky was joined by Commissioners Sheila F. Anthony, Mozelle W. Thompson, and Orson Swindle.

In June the FTC released a report on Internet privacy, "Privacy Online: A Report to Congress," modeled after the 1997 EPIC report, "Surfer Beware: Personal Privacy and the Internet." The FTC report, based on an analysis of the effectiveness of self-regulation as a means of protecting consumer privacy, found that industry's efforts to encourage voluntary adoption of the most basic fair information practices have fallen short of what is needed to protect consumers. Also in June, the Commission released legislative recommendations for protecting children's privacy online.

Pitofsky said the implementation of the proposed practices will vary by industry and with technological developments. For this reason, the Commission recommends that any legislation be phrased in general terms and be technologically neutral.

Pitofsky also said that the FTC wished to create an incentive for continued participation by industry. The legislative model would provide a means by which industries could develop their own guidelines for protecting consumers' privacy, and by which those guidelines could receive governmental approval. Industries also would be required to ensure that they comply with and enforce their guidelines.

In addition, the proposal calls for the granting of rule-making authority to the government agency charged with implementing the statute. Rule-making would allow for the promulgation of specific rules and procedures for the approval of industry guidelines.

The following materials are available online:

FTC Testimony, "Consumer Privacy on the World Wide Web"

     http://www.ftc.gov/os/9807/privac98.htm

FTC Report, "Privacy Online: A Report to Congress"

     http://www.ftc.gov/reports/privacy3/index.htm

EPIC Report, "Surfer Beware: Personal Privacy and the Internet"

     http://www.epic.org/reports/surfer-beware.html

=======================================================================
Wiretap and Surveillance Update
=======================================================================

Just Kidding ...

The U.S. Department of Justice is now saying that it does not support the proposed amendments to the Communications Assistance for Law Enforcement Act (CALEA) that the FBI had provided to Senators a few weeks ago (See EPIC Alert 5.10). Assistant Attorney General Steven Colgate characterizes the amendment as a "staff document" and describes the language on emergency access to cell phone location information without a warrant as "boneheaded." However, Senate staff reports receiving calls from a senior FBI lobbyist pushing for the amendment even after the New York Times reported on the Bureau proposal.

Judge Dismisses Wiretap Suit

A federal judge has dismissed the civil lawsuit by Rep. John A. Boehner (R-OH) against Rep. Jim McDermott (D-WA) for McDermott's disclosure of Boehner's cell phone conversations with Speaker Newt Gingrich. The court ruled that, "Although protection of privacy is certainly a substantial government interest, it is not clear that it is an interest 'of the highest order,' such that it can trump defendant's First Amendment rights." The judge was critical of both Congressmen for the political nature of the case.

Two Party Consent Nearly Adopted by the Senate

By a vote of 50-50, the Senate barely rejected an amendment to S. 2260, the Commerce, State and Justice Appropriations Bill, that would have required both parties to a telephone conversation to consent before phone calls can be recorded.
The amendment was introduced by Senator Dale Bumpers (D-AR).

UK Taps Up 25 Percent in 1997

Lord Nolan, the UK Interception of Communications Commissioner, reported this week that wiretapping in the UK increased 25 percent in 1997 over 1996. A total of 1647 taps were authorized under the Interception of Communications Act 1985. The report also said that the phones of several people who were not targets of investigations were bugged because operators got the wrong numbers. Another tribunal also criticized Foreign Minister Robin Cook for failing to read a warrant, leading to an unlawful surveillance operation by the GCHQ spy agency. Justice, the UK affiliate of the International Committee of Jurists, released a report on July 28 critical of current UK law and calling for the improvement of laws governing wiretapping, bugging and video surveillance. More details are available at:

     http://reports.guardian.co.uk/articles/1998/7/28/p-13297.html

Russian Net Surveillance Plan

The UK Guardian Newspaper reports that the Russian Federal Security Bureau (formerly the KGB) has a plan that would force all providers of Internet services to install a "black box" snooping device in their main computers. Internet providers would be obliged to build a high-speed data link to the security service's Internet control room so that FSB operators could access a vast amount of information about any user. Perhaps Cisco will have a market for the "Private Doorbell" surveillance-friendly encryption system after all.

     http://www.fe.msk.ru/libertarium

=======================================================================
Encryption Policy Update
=======================================================================

A digital signature bill introduced by Senator Spencer Abraham (R-MI) could pass in the Senate within the next week. The Government Paperwork Elimination Act (S. 2107) would set the stage for a national certificate authority infrastructure.
Privacy advocates fear that such a government-sanctioned system could eliminate anonymity by creating an ID for each user of the Internet.

In an announcement of one of Europe's most liberal encryption policies, Ireland announced on July 1 that it would not restrict the use or import of cryptographic tools or technology, and would regulate cryptographic exports only out of compliance with the Wassenaar agreement. Law enforcement needs would be accommodated by enacting legislation that would "oblige users of encryption products to release, in response to lawful authorization, either plaintext which verifiably relates to the encrypted data in question or the keys ... necessary to retrieve the plaintext."

     http://www.irlgov.ie:80/tec/html/signat.htm

The Department of Commerce Technical Advisory Committee on key escrow that folded last month has been resurrected by the Department in order to develop a standard for escrow to be used by federal computers and foisted upon the public. The Committee plans to meet in San Francisco and Orlando in September and October to attempt to come up with a final standard by the end of the year.

Americans for Computer Privacy, an industry trade group organized to relax export controls on encryption, launched a multimedia advertising campaign including TV and print ads on export controls. The effort includes an ad based on the infamous "Harry and Louise" campaign against the 1994 Health Care bill; in this case a "middle American" couple sit around talking about crypto policy. See http://www.computerprivacy.com for additional information.

More information on encryption policy is available at:

     http://www.crypto.org/

=======================================================================
New Congressional Bills and Upcoming Hearings
=======================================================================

H.R. 4243. Government Waste, Fraud, and Error Reduction Act of 1998.
Increases data sharing among federal agencies, proposes using NIST crypto standards (aka key escrow) for systems, recommends using credit reports, National New Hires Data Bases for checking. Introduced by Horn (R-CA) on July 16. Referred to the Committee on Government Reform and Oversight, and in addition to the Committees on the Judiciary, and Ways and Means.

H.R. 4250. Patient Protection Act of 1998. Republican Health Care bill. Sets weak standards for privacy, prohibits states from passing stronger protections. Approved by the House 216-210 on July 24.

H.R. 4276. Departments of Commerce, Justice, and State, and Judiciary, and Related Agencies Appropriations Act, 1999. $2,965,971,000 for the Federal Bureau of Investigation, $35,929,000 above the appropriation for the current year and $52,353,000 below the request. $6,120,000 and 31 positions to establish three new Computer Investigative and Infrastructure Threat Assessment (CITAC) Teams. No funding for CALEA. Approved by the House Committee on Appropriations, July 20. (H. Rept. 105-636).

S. 2260. Departments of Commerce, Justice, and State, the Judiciary, and Related Agencies Appropriations Act, 1999 (see Article 1 above).

S. 2294. National Criminal History Access and Child Protection Act. To facilitate the exchange of criminal history records for non criminal justice purposes, to provide for the decentralized storage of criminal history records, to amend the National Child Protection Act of 1993 to facilitate the fingerprint checks authorized by that Act, and for other purposes. Introduced by Hatch (R-UT) on July 13. Approved by Senate on July 13.

S. 2330. Patients' Bill of Rights Act. Republican Health Care Bill. Scheduled for vote this week (see Article 2 above).

S. 2352. The Patient Privacy Rights Act. Repeals the "unique medical identifiers" requirement of the Health Insurance Portability Law of 1996 (HIPAA). Introduced by Leahy (D-VT) on June 24. Referred to the Committee on Finance.

* Hearings Scheduled *

July 29. House Committee hearing on Electronic Commerce: The Global Electronic Marketplace. 10:30 a.m. in 2123 Rayburn House Office Building.

July 30. House Committee, Subcommittee on Telecommunications, Trade, and Consumer Protection markup of H.R. 3888, the Anti-slamming Amendments Act. 2:00 p.m. in 2123 Rayburn House Office Building. Bill also relates to Spam.

=======================================================================
Upcoming Conferences and Events
=======================================================================

"Law Enforcement and the March of Technology: The Erosion of Privacy in the Information Age," American Bar Association Annual Meeting. Sunday August 2, 1998, from 2:00 pm to 3:15 pm, Toronto, Canada. Sponsored by the ABA. Contact: Andrew Grosso

Advances in Social Informatics and Information Systems, Baltimore, MD, Aug. 14-16, 1998. Sponsored by the Association for Information Systems. Contact: http://info.cwru.edu/rlamb/ais98cfp.htm

Fifth Annual Privacy Issues Forum. 2 - 3 September 1998, Wellington, New Zealand. Sponsored by the NZ Privacy Commissioner. Contact: firstname.lastname@example.org

The Outlook for Freedom, Privacy and Civil Society on the Internet in Central and Eastern Europe. Budapest, Hungary. 4-6 September 1998. Sponsored by Global Internet Liberty Campaign. Contact: http://www.gilc.org/events/budapest/

Telecommunications Policy Research Conference. October 3-5, 1998. Alexandria, Virginia. Contact: http://www.si.umich.edu/~prie/tprc/

The Public Voice in the Development of Internet Policy. Ottawa, Canada. October 7, 1998. Sponsored by GILC and Privacy International. Contact: email@example.com

One Planet, One Net: Governing the Internet Symposium. Boston, Mass, Oct. 10-11. Sponsored by CPSR. Contact: http://www.cpsr.org/conferences/annmtg98/

PDC 98 - the Participatory Design Conference, "Broadening Participation." November 12-14, 1998. Seattle, Washington. Sponsored by Computer Professionals for Social Responsibility in cooperation with ACM and CSCW 98. Contact: http://www.cpsr.org/conferences/pdc98

Computer Ethics. Philosophical Enquiry 98 (CEPE'98). 14-15 December 1998. London, UK. Sponsored by ACM SIGCAS and London School of Economics. http://is.lse.ac.uk/lucas/cepe98.htm

1999 RSA Data Security Conference. January 18-21, 1999. San Jose, California. Sponsored by RSA. Contact: http://www.rsa.com/conf99/

FC '99 Third Annual Conference on Financial Cryptography. February 22-25 1999. Anguilla, B.W.I. (submissions due: September 25, 1998).

Computers, Freedom and Privacy (CFP) '99. April 6-8. Washington, DC. Sponsored by ACM. Contact: firstname.lastname@example.org.

(Send calendar submissions to email@example.com)

=======================================================================
Subscription Information
=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. To subscribe or unsubscribe, send email to firstname.lastname@example.org with the subject: "subscribe" (no quotes) or "unsubscribe". A Web-based form is available at:

     http://www.epic.org/alert/subscribe.html

Back issues are available at:

     http://www.epic.org/alert/

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail email@example.com, http://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003.
Individuals with First Virtual accounts can donate at http://www.epic.org/epic/support.html

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and funding of the digital wiretap law.

Thank you for your support.

---------------------- END EPIC Alert 5.11 -----------------------