==============================================================
                        EPIC Alert
==============================================================
Volume 6.09                                      June 10, 1999
--------------------------------------------------------------

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org

=======================================================================
Table of Contents
=======================================================================

EPIC Survey Finds Few Crypto Controls
Banking Official Cites Growing Privacy Concerns
Minnesota Sues Bank for Customer Data Sales
Safe Harbor Sunk?
Arizona Restricts Use of Student Social Security Numbers
Anti-Abortion Webmaster Sues ISP Over Shut-Down
EPIC Bookstore - "Visions of Privacy"
Upcoming Conferences and Events

=======================================================================
EPIC Survey Finds Few Crypto Controls
=======================================================================

This week the Electronic Privacy Information Center released the second annual survey of encryption policies around the globe. "Cryptography and Liberty 1999" finds that few countries restrict the use, manufacture, or sale of encryption products and services. However, export controls that allow countries to license products before they may be shipped overseas continue to be a significant obstacle to the widespread availability of encryption, according to the report.

Encryption technology is considered essential for online privacy and security. But law enforcement and intelligence agencies have lobbied national governments to maintain export controls to prevent the widespread availability of the product.

According to the EPIC report, few countries today impose domestic controls on encryption and there is little interest in techniques, such as "key escrow" or "key recovery," that would enable government access to private messages. EPIC noted that the OECD Cryptography Guidelines, adopted in 1997 by the Paris-based organization, are encouraging further liberalization of controls on encryption. In particular, the French government has backed off a proposal for key escrow encryption. However, a recently adopted agreement on export controls, championed by the United States, may lead to more restrictive policies in some Northern European countries that previously did not license the export of encryption products.

"Cryptography & Liberty" was conducted with the assistance of members of the Global Internet Liberty Campaign, an international association of organizations working to promote free expression and protect privacy on the Internet.

The survey was released the same week that the U.S. Congress considered legislation that would relax export controls in the United States. On June 9, the House Intelligence Committee held a hearing on the Security and Freedom through Encryption Act, sponsored by Rep. Bob Goodlatte (R-VA). The Senate Commerce Committee on June 10 considered encryption legislation sponsored by Sen. John McCain (R-AZ).

A separate survey prepared by Professor Lance Hoffman examines the foreign availability of encryption products. The report, "Growing Development of Foreign Encryption Products in the Face of U.S. Export Regulations," found that at least 167 foreign cryptographic products use strong encryption in the form of these algorithms: Triple DES, IDEA, BLOWFISH, RC5, or CAST-128. The report also identified 512 foreign companies that either manufacture or distribute foreign cryptographic products in at least 67 countries outside the United States. The report raises further questions about the reasonableness of U.S. export control policy.

"Cryptography & Liberty 1999" is available online at the EPIC web site. The bound, paper version of the report can also be purchased online at the EPIC bookstore, which is operated in association with Amazon.com.

Cryptography and Liberty 1999 (online) is available at:

     http://www2.epic.org/reports/crypto1999.html

Cryptography and Liberty 1999 (paper) is available at:

     http://www.amazon.com/exec/obidos/ISBN=1893044033/electronicprivacA

"Growing Development of Foreign Encryption Products" is available at:

     http://www.computerprivacy.org/

=======================================================================
Banking Official Cites Growing Privacy Concerns
=======================================================================

Comptroller of the Currency John D. Hawke Jr. warned banks on June 7 to stop what he called the abusive practice of selling customers' personal data to telemarketing firms or face possible action by Congress. Hawke, who oversees nationally chartered banks, said the practice by a few banks raises "serious legal concerns," which his office and other federal banking agencies are examining.

"Unfortunately, there's mounting evidence of an increase in banking practices that are at least seamy, if not downright unfair and deceptive -- practices that virtually cry out for government scrutiny," Hawke told bank lending officers at a meeting in San Francisco. "One must be troubled about the implications of this practice for the preservation of customer confidence in the confidentiality of the bank-customer relationship."

The Comptroller's comments came as some members of Congress are promoting legislation that would give consumers the right to stop affiliated banks, brokerage firms and insurance companies from sharing personal financial data. A bill sponsored by Rep. Jay Inslee (D-WA) would allow consumers to "opt out" of personal data-sharing among affiliated financial companies.

The legislation follows a proposal made last month by President Clinton, who urged Congress to strengthen consumers' rights when banks and other financial companies attempt to share information about them (see EPIC Alert 6.07).

In addition, several members of the House Banking Committee have promised action. Rep. John J. LaFalce (D-NY) plans to introduce legislation to restrict the sharing of information about credit card customers. Rep. Marge Roukema (R-NJ), chair of the House Banking Subcommittee on Consumer Credit, plans hearings on privacy July 21 and 22. House Banking Committee Chairman Jim Leach (R-IA) said a lawsuit filed by the Minnesota Attorney General (see below) shows that privacy is an issue "that demands continued oversight."

The text of the Comptroller General's speech is available at:

     http://www.occ.treas.gov/ftp/release/99-51a.txt

=======================================================================
Minnesota Sues Bank for Customer Data Sales
=======================================================================

Minnesota's Attorney General filed suit on June 8 against U.S. Bank, charging that the bank violated the Fair Credit Reporting Act and state consumer protection laws when it sold confidential customer information to a telemarketing company.

The lawsuit alleges that U.S. Bank sold customer data from its own and other databases to MemberWorks Inc., a Connecticut telemarketing firm. Customer information that U.S. Bank allegedly shared with MemberWorks included names, addresses, and telephone numbers of primary and secondary customers, checking account numbers, credit card numbers, social security numbers, date of birth, account status and frequency of use, gender, marital status, homeowner status, occupation, the date the customer opened a particular account, average account balance, year-to-date finance charges for credit card accounts, credit insurance status, and information about the customer's most recent purchase by credit card.

The suit alleges that the bank also allowed MemberWorks to charge customer accounts without obtaining written authorization, as required by rules established by the National Automated Clearing House Association. "Minnesota customers who are telemarketed by MemberWorks and its agents are unaware at the time of the solicitation that their credit card numbers and/or checking account numbers are already in the telemarketers' possession," the complaint says.

Minnesota Attorney General Mike Hatch charges that U.S. Bank violated four specific provisions of the federal Fair Credit Reporting Act. The suit also alleges three counts of state law violations -- failing to prevent consumer fraud, false advertising, and deceptive trade practices.

"People are appropriately careful about protecting their Social Security number, checking, and credit card information," Hatch said in a statement after the suit was filed. "When a bank hands out this information to the highest bidder, it has to answer to its customers and to the Attorney General's office."

Additional information on the Minnesota litigation (including the text of the complaint) is available at:

     http://www.ag.state.mn.us/home/files/news/pr_usbank1_06091999.html

=======================================================================
Safe Harbor Sunk?
=======================================================================

Early reports on the day-long meeting at the end of May between top negotiators for the United States and the European Union suggest that there will be no agreement on the "Safe Harbor" proposal before the U.S.-EU summit in Germany later this month.

The Department of Commerce has been urging officials of the European Union to agree that the U.S. system of "self-regulation" provides adequate privacy protection and that no further legislation is necessary to protect the interests of European citizens whose personal information is processed in the United States.

European privacy officials participated in extensive meetings with U.S. trade officials but were unable to resolve key questions about enforcement, access, and implementation. A group of experts wrote recently:

     Data protection rules only contribute to the protection of individuals to the extent to which they are followed in practice. In an entirely voluntary scheme such as this compliance with the rules must be at least guaranteed by an independent investigative mechanism for complaints and sanctions which must be, on the one hand dissuasive and, on the other give individual compensation where appropriate.

Consumer and privacy organizations on both sides of the Atlantic also objected to the Safe Harbor proposal. The Trans Atlantic Consumer Dialogue, representing sixty consumer groups in the United States and Europe, adopted a resolution last month in opposition to the Safe Harbor proposal.

This week Jim Murray, President of the European Consumers Organization (BEUC), wrote to Jacques Santer, President of the European Commission, and EC Members Mario Monti and Emma Bonino to express further concern about the Safe Harbor proposal. Mr. Murray said that, "Without simple and effective complaint and redress procedures, the proposed U.S. regime would not have sufficient deterrents to prevent abuse of consumer rights, even in flagrant cases."

The text of the Safe Harbor Proposal is available at:

     http://www.ita.doc.gov/ecom

The Trans Atlantic Consumer Dialogue resolution is available at:

     http://www.tacd.org/meeting1/electronic.html#safe

The European Consumers' Organization website:

     http://www.beuc.org/

=======================================================================
Arizona Restricts Use of Student Social Security Numbers
=======================================================================

Newly-enacted legislation in Arizona prohibits the use of Social Security numbers as student identification numbers in universities.
Wisconsin enacted a similar law last year.

The Arizona bill (SB 1399) prohibits a university under the jurisdiction of the Arizona board of regents or a community college district under the jurisdiction of the state board of directors for community colleges from assigning a student an identification number which is identical to, or incorporates any portion of, the student's Social Security number. The restriction becomes effective on June 30, 2002.

The bill also prohibits universities and community college districts from displaying a student's Social Security number or any four consecutive digits of a student's Social Security number on the Internet or on any publicly accessible document.

The legislation allows a student to consent to the use of his or her Social Security number as their ID number and stipulates that community colleges and universities can electronically transfer data and are not prohibited from complying with any federal reporting requirements.

More information on the privacy implications of the misuse of Social Security numbers is available at:

     http://www.epic.org/privacy/ssn/

=======================================================================
Anti-Abortion Webmaster Sues ISP Over Shut-Down
=======================================================================

The operator of a controversial anti-abortion website has filed a $250 million breach of contract suit against his former service provider.

Otis O'Neal Horsley filed suit against MindSpring Enterprises Inc. in a Georgia state court earlier this week, alleging breach of contract for the shutting down of the "Nuremberg Files" site, which featured pictures of aborted fetuses and the names of doctors providing abortion services. Horsley alleges the Atlanta-based ISP damaged his political campaign to stop legal abortion and his ability to solicit financial support when it shut down the site in February.

MindSpring began a review of the site after an Oregon jury found some of Horsley's colleagues in the anti-abortion movement in violation of the federal access to abortion clinic law in January. Although Horsley was not a defendant in the case, the Nuremberg Files site was a central element of the trial.

The Web site solicited and posted information such as where abortion doctors lived, their work habits, vehicle descriptions and tag numbers, places of worship and details about their families. He listed names of abortion doctors on the site and crossed out the names of doctors who had been killed.

=======================================================================
EPIC Bookstore - "Visions of Privacy"
=======================================================================

A new collection of articles, edited by Colin J. Bennett and Rebecca Grant, offers fresh and intriguing perspectives on the timeless problem of privacy protection. Available now at the EPIC Bookstore.

     "As the world moves into the twenty-first century, cellular systems, high-density data storage, and the Internet are just a few of the new technologies that promise great advances in productivity and improvements in the quality of life. Yet these new technologies also threaten personal privacy. A surveillance society, in which the individual has little control over personal information, may be the logical result of deregulation, globalization, and a mass data-processing capacity."

     - From the introduction.

"Visions of Privacy: Policy Choices for the Digital Age" (University of Toronto Press 1999). List $22.95.

     http://www.epic.org/bookstore/

=======================================================================
Upcoming Conferences and Events
=======================================================================

INET 99. San Jose, Calif., June 22-25, 1999. Sponsored by the Internet Society.
Contact: http://www.isoc.org/inet99/

Privacy Laws & Business 12th Annual International Conference -- "New Data Protection Law: Issues, Solutions, Action." June 28-30, 1999, St John's College, Cambridge, United Kingdom. Contact: Privacy Laws & Business, Tel: + 44 (0) 181 423 1300, Fax: + 44 (0) 181 423 4536, e-mail: email@example.com, or http://www.privacylaws.co.uk

National Coalition to Protect Political Freedom, 3rd Annual Meeting. Georgetown University Law Center, Washington, DC. July 9-10, 1999. Contact: Kit Gage 301-587-7442, firstname.lastname@example.org

Jurisdiction: Building Confidence in a Borderless Medium. Queen Elizabeth Hotel, Montreal, Canada, July 26-27, 1999. Sponsored by the Internet Law and Policy Forum. Contact: Marilyn Malenfant +1.514.744.0408 or email@example.com.

ABA Annual Conference, Section of International Law and Practice. "Privacy Issues in Electronic Commerce." August 9, 1999. Atlanta, Georgia. Contact: http://www.abanet.org/annual/99/home.html

The 21st International Conference on Privacy and Personal Data Protection. Hong Kong, September 13-14, 1999. A distinguished group of over 50 speakers/panelists from overseas and Hong Kong will explore the theme of "Privacy of Personal Data, Information Technology & Global Business in the Next Millennium." Sponsored by the Office of the Privacy Commissioner for Personal Data in Hong Kong. Contact: firstname.lastname@example.org

"A Privacy Agenda for the 21st Century." Sept 15. Hong Kong Convention and Exhibition Centre, Hong Kong PRC. Contact: email@example.com.

Information Security Solutions Europe 1999. Oct 4-6. Maritim proArte Hotel, Berlin, Germany. Contact: http://www.eema.org/isse/

RSA 2000. The ninth annual RSA Data Security Conference and Expo. San Jose McEnery Convention Center. San Jose, CA.
January 16-20, 2000. Contact: http://www.rsa.com/rsa2000/

=======================================================================
Subscription Information
=======================================================================

The EPIC Alert is a free biweekly publication of the Electronic Privacy Information Center. A Web-based form is available for subscribing or unsubscribing at:

     http://www.epic.org/alert/subscribe.html

To subscribe or unsubscribe using email, send email to firstname.lastname@example.org with the subject: "subscribe" (no quotes) or "unsubscribe".

Back issues are available at:

     http://www.epic.org/alert/

=======================================================================
About EPIC
=======================================================================

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail email@example.com, http://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "The Fund for Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003.
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.

Thank you for your support.

---------------------- END EPIC Alert 6.09 -----------------------