============================================================= @@@@ @@@@ @@@ @@@@ @ @ @@@@ @@@@ @@@@@ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @@@ @ @ @@@@@ @ @@@ @@@ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @ @@@ @@@@ @ @ @@@@ @@@@ @ @ @ ============================================================ Volume 1.03 June 29, 1994 ------------------------------------------------------------ Published by the Electronic Privacy Information Center (EPIC) Washington, DC (Alert@epic.org) ======================================================================= Table of Contents ======================================================================= [1] ACM to Release Crypto Report, Recommendations [2] US House of Representatives Approve Credit Privacy Bill [3] FCC Caller ID Decision Appealed [4] NY Consumer Board Slams FCC Caller ID Decision [5] SSN and Marketing List Privacy Bills Introduced [6] New Files at the Internet Library [7] Upcoming Conferences and Events ======================================================================= [1] ACM to Release Crypto Report, Recommendations ======================================================================= A press conference will be held at the U.S. Capitol on Thursday, June 30 at 10:30 am to announce the release of a new study on the controversial Clipper cryptography proposal. The study was convened by the Association for Computing Machinery (ACM) and sponsored by the National Science Foundation. The ACM cryptography panel was chaired by Dr. Stephen Kent, Chief Scientist for Security Technology with the firm of Bolt, Beranek and Newman. Dr. Susan Landau, Research Associate Professor in Computer Science at the University of Massachusetts, co-ordinated the work of the panel and did most of the writing. The panel members were Dr. Clinton Brooks, Advisor to the Director, National Security Agency; Scott Charney, Chief of the Computer Crime Unit, Criminal Division, U.S. Department of Justice; Dr. Dorothy Denning, Computer Science Chair, Georgetown University; Dr. Whitfield Diffie, Distinguished Engineer, Sun Microsystems; Dr. Anthony Lauck, Corporate Consulting Engineer, Digital Equipment Corporation; Douglas Miller, Government Affairs Manager, Software Publishers Association; Dr. Peter Neumann, Principal Scientist, SRI International; and David Sobel, Legal Counsel, Electronic Privacy Information Center. The final report of the panel will be made public at the Thursday press conference. Also, the policy committee of the 85,000 member ACM will release a statement on cryptography issues facing the Clinton administration. The conference will be held in the United States Capitol building, room SC-5. For more information, please call the US ACM Washington Office at 202-298-0842. ======================================================================= [2] US House of Representatives Approve Credit Privacy Bill ======================================================================= The US House of Representatives approved substantial revisions to the Fair Credit Reporting Act on June 7. The passing of this bill, following the Senate enactment of a similar bill in May, virtually ensures that long-awaited revisions to the FCRA will finally happen this year. The bill contains a number of improvements over existing law. It prohibits the use of credit reports for directing marketing and unsolicited offers of credit unless the consumer is offered the opportunity to prevent the disclosure of their information. In the case of credit offers, the offer must also be irrevocable and not contingent on obtaining more information from the consumer. Credit agencies are also prohibited from transferring any medical information for either employment or credit purposes without the prior consent of the consumer. Under the bill, consumers have an extended rights of access. Agencies cannot charge more than $3 for one copy per year of a consumer report. Additional reports cannot cost more than $8. After an adverse decision is made based on information in a credit report or incorrect information is found in a report, consumers can receive free reports. To make it easier for consumers to obtain information, all nationally-based agencies must operate toll-free 800 numbers. In addition, the bill implements tougher standards on the accuracy of information. Agencies must investigate all disputed information within 30 days. If information cannot be confirmed, it must be deleted from the record and cannot be reinserted unless the source of the information certifies that it is complete and accurate. Agencies must take reasonable procedures to ensure that incorrect information does not reappear. There is a general prohibition from furnishing incomplete or inaccurate information to a credit agency and every provider has a duty to update and correct any information that they have furnished. Civil and criminal penalties for willful or negligent use of incorrect information are increased. Criminal penalties are increased to two years and a $10,000 fine. Civil penalties are raised to at least $1,000 and attorney fees. There are several controversial provisions in the bill. Under the bill, states a prohibited from enacting stronger protections until 2003. In addition, the FBI may access records by showing a judge that there is a authorized foreign counterintelligence investigation and a minimal showing of facts that there may be a violation of a criminal statute. The bill now goes to a House-Senate conference committee to work out differences between the two bills. Areas of difference include preemption, the duty of providers to furnish correct information, and the FBI access provision. ======================================================================= [3] FCC Caller ID Decision Appealed ======================================================================= Several state utility commissions, including New York's and California's, have petitioned the Federal Communications Commission to reconsider its controversial Caller ID decision. The petitions ask the FCC to reverse its decision mandating per-call blocking for interstate calls and its preemption of state regulations. The commissions are concerned that the federal regulation will limit consumer privacy protection for intra-state calls. It is uncertain if the FCC will take the unusual action of accepting the petitions. Since the Caller ID decision was released in April, two new commissioners have joined the FCC. A total of 48 parties, including telephone companies who are concerned about which party is charged the cost of transmitting the information, have filed petitions asking the FCC to reconsider its decision. Per-call blocking, which is favored by telephone companies, requires that a caller to enter a series of numbers into their telephone before each call to prevent their number from being distributed. Under per-line blocking, privacy blocking is the default and the caller may opt to release their number. The New York Public Utility Commission's petition notes that "there is no technological bar to enabling each state to designate per line or per call blocking and have that privacy notation affixed to that caller's phone calls both intra and interstate." The PUC calls on the FCC, which did not hold a single hearing on Caller ID, to review the decisions of the many states that did hold hearings. Professor Rohan Samarajiva of Ohio State University, who also filed for reconsideration, found that 46 states held hearings on Caller ID before the FCC issued their final decision. He found that as information became more available on Caller ID, the state utility commissioners increasingly required that per-line blocking be offered in addition to per-call. By 1994, 33 jurisdictions developed rules with stronger privacy protection than the FCC decision. 18 states require per-line blocking be offered to all consumers, including Pennsylvania, Ohio, California and New York. CPSR has also filed a petition asking the FCC to revise its decision. CPSR calls for free per-line blocking and note the additional burden of per call blocking will cost consumers who have unlisted telephone numbers $1.2 billion each year through the disclosure of unlisted numbers. They describe the FCCÕs suggestion that consumers who wish to ensure that their numbers remain private purchase equipment as Òunreliable and discriminatory.Ó In addition, the California PUC has filed suit in the 9th Circuit Court of Appeals, asking the court to overturn the ruling and prevent its implementation. The FCC decision on Caller ID and the CPSR Petition for Reconsideration are available from cpsr.org. See below for details. ======================================================================= [4] NY PUC Letter to FCC on Caller ID ======================================================================= The following is a letter set by New York State Public Utility Committee Chairman Peter Bradford to FCC Chairman Reed Hundt on the FCC's Caller ID decision. For more information, contact Stacey Harwood at 518-473-0276. STATE OF NEW YORK PUBLIC SERVICE COMMISSION ALBANY 12223 PETER A. BRADFORD THREE EMPIRE STATE PLAZA CHAIRMAN (518)474-2530 June 1, 1994 Reed Hundt, Chairman Federal Communications Commission 1919 M Street, N.W. Washington, DC 20554 Dear Chairman Hundt: I am writing to express My concern about the Federal Communications Commission's recent decision (Docket #91-281) limiting the range of privacy protections available to telephone callers in connection with Call ID service. The potential preemptive features of this decision undermine sensible allocation of responsibility between state and federal jurisdictions, namely that the federal government preempt only where issues of overriding national concern are clearly at stake and then only after strong proof that no alternative approach will protect the national concerns. All of these essential elements (clear national concern, strong proof, and the absence of other alternatives) are lacking here. Instead, the casual reasoning and the destructive remedy mock stated Clinton Administration eagerness to work with the states to assure that telecommunications decisions are sensitive to important consumer issues. The FCC's decision appears to ignore the states' considerable experience with Call ID. Prior to its authorization of Call ID, the New York Public Service Commission (like many other states) conducted extensive customer outreach and education programs to determine how best to balance the privacy interests of the calling and called parties. many witnesses, including psychiatrists, social workers, police, other public safety officials, as well as family violence crisis centers, saw danger and/or nuisance in Call ID without the option of per line blocking. These hearings established that privacy protection consisting only of per call blocking represents the worst of all worlds. The harassing caller is unlikely to forget to use per call blocking. It is the customer who does not realize the implications of the availability of Call ID to commercial number gatherers (or others who may abuse it) who is likely to make his or her telephone number inadvertently available. As a result, we concluded that in New York callers should have the option of both per call and per line blocking. Since Call ID service was approved with these options two years ago, no complaints have been received from either Call ID subscribers or callers on the issue of blocking. Furthermore, the market for Call ID does not seem to be hurt by the availability of per line blocking, for subscription rates are at least as high in states with per line blocking as elsewhere. Nevertheless, the FCC decision contemplates preemption of state requirements inconsistent with a federal per-call-blocking- only regime. Since per line blocking only for intrastate calls does not seem feasible, New York's standard (and those of some 40 other states) will be preempted. Protracted litigation over the FCC decision is certain and may impede the introduction of interstate Call ID service. Several states, including New York are seeking reconsideration of the FCC decision and California has challenged the FCC order in court. Customer confusion and disappointment with limitations on privacy options will spawn a host of complaints. Furthermore, it will be hard for state regulators, to justify the current surcharge for unpublished listings while telephone companies market a service that compromises the value of those listings. I have enclosed a recent New York notice raising this concern for parties in two major cases. Telephone companies are not likely to go forward with Call ID if they must forego tens of millions of dollars per year in charges for unpublished numbers. I hope that the FCC will think again about the impact of this decision. It is likely to damage the prospects for Call ID, and it is certain to damage federal-state relations in the communications area at a time when much depends on our mutual trust and cooperation. Sincerely, /sig Peter Bradford ======================================================================= [5] SSN and Marketing Lists Privacy Bills Introduced ======================================================================= Rep. Dean Gallo (R-NJ) introduced on May 5 two bills to improve consumer privacy. HR 4353 requires that companies that compile personal information about consumers for the purpose of selling marketing lists must notify the consumers about the potential sale of the lists. Consumers may ask to be removed from the lists before they are sold. The Federal Trade Commission is authorized to investigate and enforce violations. The bill has been referred to Committee on Energy and Commerce. HR 4354 amends the Social Security Act to prohibit any person, company, or government agency from transferring a persons SSN or any derivative of it without the written consent of the person. It has been referred to the Ways and Means Committee. ======================================================================= [6] Files Available for retrieval ======================================================================= The CPSR Internet Library is a free service available via FTP/WAIS/Gopher/listserv from cpsr.org:/cpsr. Materials from Privacy International, the Taxpayers Assets Project and the Cypherpunks are also archived. For more information, contact ftp-admin@cpsr.org. Files on Caller ID: /privacy/communications/caller_id/ The FCC decision - fcc_caller_id_decision_94.txt. CPSR Petition for Reconsideration - CPSR_RFR_on_FCC_Caller-ID_Order.txt ======================================================================= [7] Upcoming Privacy Related Conferences and Events ======================================================================= DEF CON ][ ("underground" computer culture) "Load up your laptop Muffy, we're heading to Vegas!" The Sahara Hotel, Las Vegas, NV. July 22-24. Contact: dtangent@defcon.org. Hackers on Planet Earth: The First US Hacker Congress. Hotel Pennsylvania, New York City, NY. August 13-14. Sponsored by 2600 Magazine. Contact: 2600@well.sf.ca.us. Technologies of Surveillance; Technologies of Privacy. The Hague, The Netherlands. September 5. Sponsored by Privacy International and EPIC. Contact: Simon Davies (davies@privint.demon.co.uk). 16th International Conference on Data Protection. The Hague, Netherlands. September 6-8. Contact: B. Crouwers 31 70 3190190 (tel), 31-70-3940460 (fax). CPSR Annual Meeting. University of California, San Diego. October 8-9. Contact: Phil Agre Symposium: An Arts and Humanities Policy for the National Information Infrastructure. Boston, Mass. October 14-16. Sponsored by the Center for Art Research in Boston. Contact: Jay Jaroslav (jaroslav@artdata.win.net). Third Biannual Conference on Participatory Design, Chapel Hill, North Carolina. October 27-28. Sponsored by CPSR. Contact: trigg@parc.xerox.com. Ethics in the Computer Age Conference. Gatlinburg, Tennessee. November 11-13. Sponsored by ACM. Contact: jkizza@utcvm.utc.edu (Send calendar submissions to Alert@epic.org) ======================================================================= To subscribe to the EPIC Alert, send the message: "subscribe cpsr-announce " (without quotes or brackets) to listserv@cpsr.org. You may also receive the Alert by reading the USENET newsgroup comp.org.cpsr.announce ======================================================================= The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues relating to the National Information Infrastructure, such as the Clipper Chip, the Digital Telephony proposal, medical record privacy, and the sale of consumer data. EPIC is sponsored by the Fund for Constitutional Government and Computer Professionals for Social Responsibility. EPIC publishes the EPIC Alert and EPIC Reports, pursues Freedom of Information Act litigation, and conducts policy research on emerging privacy issues. For more information email info@epic.org, or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax). The Fund for Constitutional Government is a non-profit organization established in 1974 to protect civil liberties and constitutional rights. Computer Professionals for Social Responsibility is a national membership organization of people concerned about the impact of technology on society. For information contact: cpsr@cpsr.org ------------------------- END EPIC Alert 1.03 -------------------------